OpenSSL

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

How can we inspect remote SMTP server's TLS certificate?

If you have to check the certificate with STARTTLS, then just do:

openssl s_client -connect mail.example.com:25 -starttls smtp

For a standard secure smtp port, use:

openssl s_client -connect mail.example.com:465

How can I download the public certificate from the AD server?

openssl s_client -connect 192.168.240.10:636 -showcerts > output.txt

Open up the output.txt file. Copy everything from the start delimiter and the end delimiter (including the delimiters) into a text file and save it with a .crt extension. There may be multiple public certificate in the output.txt file. We have to put each certificate into a separate file. I am not sure if it is possible to get the public certificate of the root CA this way (probably not).

How can we create a self-signed certificate for testing (without encrypting the private key file)?

openssl req -new -x509 -nodes -out server.crt -keyout server.key

How can we encrypt the private key file?

openssl rsa -des3 -in server.key -out server.key.new && mv server.key.new server.key

How can we create a private key (Triple-DES encrypted and PEM formatted)?

openssl genrsa -des3 -out server.key 1024

How can we create a private key (PEM formatted, but not encrypted)?

openssl genrsa -out server.key 1024

How can we see the details of the private key?

openssl rsa -noout -text -in server.key

How can we create a decrypted PEM version (remove passphrase, not recommended) of the private key?

openssl rsa -in server.key -out server.key.unsecure

How can we create a CSR (certificate signing request, PEM formatted)?

openssl req -new -key server.key -out server.csr

How can we see the details of a CSR?

openssl req -noout -text -in server.csr

How can we setup your own Certificate Authority (CA)?

1. Create a directory on appropriate partition (depends on the number of certificates that you will need to issue, should be outside of your home directory)
2. Within this directory create these directories and files:
   mkdir certs crl newcerts private && echo "01" > serial && touch index.txt
3. Edit the openssl.cnf (usually /usr/share/ssl/openssl.cnf) to set the dir variable.
4. Create a private key as explained above
5. Create a CA certificate:  openssl req -new -x509 -nodes -sha1 -days 3650 -key cakey.pem -out cacert.crt
6. Put the created CA certificate and key files to appropriate place according to the openssl.cnf file.
7. Edit policy setting (inside openssl.cnf) from policy_match to policy_anything
8. Edit the req_distinguished_name section to allow multiple Common Name (CN) and subjectAltName:
   0.commonName = "First Common Name"
   0.commonName_default = "www.domain.com"
   0.commonName_max = 64
   1.commonName = "Second Common Name"
   1.commonName_default = "www.domain.com"
   1.commonName_max = 64
   0.subjectAltName = dNSName:domain.com
   1.subjectAltName = dNSName:*.domain.com
   2.subjectAltName = dNSName:*.*.domain.com
   3.subjectAltName = DNS:example.com
   4.subjectAltName = DNS:www.example.com

How can we sign a CSR?

openssl ca -out server.crt -infiles server.csr

How can we view the detail of a certificate?

openssl x509 -noout -text -in server.crt

Example of openssl.cnf:

HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file        = $ENV::HOME/.oid
oid_section        = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        = 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca    = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir        = /root/certificates        # Where everything is kept
certs        = $dir/certs        # Where the issued certs are kept
crl_dir        = $dir/crl        # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
new_certs_dir    = $dir/newcerts        # default place for new certs.

certificate    = $dir/cacert.pem     # The CA certificate
serial        = $dir/serial         # The current serial number
crl        = $dir/crl.pem         # The current CRL
private_key    = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions    = usr_cert        # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt     = ca_default        # Subject Name options
cert_opt     = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365            # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md    = md5            # which md to use.
preserve    = no            # keep passed DN ordering

policy        = policy_anything

[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
x509_extensions    = v3_ca    # The extentions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = US
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = California

localityName            = Locality Name (eg, city)
localityName_default        = San Mateo

0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = Genius.com Inc

organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = NetOps

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

emailAddress            = Email Address
emailAddress_max        = 64

[ req_attributes ]
challengePassword        = A challenge password
challengePassword_min        = 4
challengePassword_max        = 20
unstructuredName        = An optional company name

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment            = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

subjectAltName = @alt_names
[ alt_names ]
    DNS.1 = *.rsvp1.com
    DNS.2 = *.pxy3.com
    DNS.3 = *.pxy4.com
    DNS.4 = *.netg1.com
    DNS.5 = *.netg4.com
    DNS.6 = *.gsv1.com
    DNS.7 = *.gsv3.com
    DNS.8 = *.rsvp3.com
    DNS.9 = *.rsvp4.com
    DNS.10 = *.rsvp5.com
    DNS.11 = *.gns5.com
    DNS.12 = *.genius-network.com
    DNS.13 = *.genius-network2.com
    DNS.14 = *.gotgenie.com
    DNS.15 = *.rsvpgenius.com
    DNS.16 = *.gotgenius.com
    DNS.17 = *.salesgenius.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

https://docs.indymedia.org/view/Sysadmin/CaCertSsl#HTTP_multiple_domain_names
http://wiki.cacert.org/wiki/VhostsApache
http://wiki.cacert.org/wiki/VhostTaskForce#head-5868dc7fb125370f7ae8931cd77f03aeb966ad53

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License