MAC OS X, Linux, Windows and other IT Tips and Tricks

19 Dec 13 Some tools for SSL certificates

Checking that a certificate is paired to the key

openssl rsa -noout -modulus -in mycert.key |openssl md5

openssl x509 -noout -modulus -in mycert.crt |openssl md5

Both results should be the same

Generating a certificate for VSFTP

openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem

Creating a self signed certificate for Apache

openssl genrsa -des3 -passout pass:changeme -out /www/apache/conf/certs/server.key2 1024
openssl req -new -passin pass:changeme -passout pass:changeme -key /www/apache/conf/certs/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:changeme -passout pass:changeme -key /www/apache/conf/certs/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:changeme -in /www/apache/conf/certs/server.key2 -out /www/apache/conf/certs/server.key
chmod 400 /www/apache/conf/certs/server.key

Checking the validity of certificates

To verify the validity period of a server SSL certificate
Note: The ‘echo “”‘ makes sure the program exits otherwise it hangs after outputting its information. This allows to include this command in a script without interaction from user.
echo "" | openssl s_client -connect 2>/dev/null \
| openssl x509 -noout -startdate -enddate

This command will give the content of the certificate.
openssl x509 -subject -in server.crt
Check the validity of the certificate which will list out validity period.
openssl x509 -noout -text -in server.crt
Check whether ssl configuration works fine using the command prompt.
openssl s_client -connect host.domain:sslport
Verify the validity period of a server SSL certificate via internet
echo QUIT |openssl s_client -verify 2 -connect 2>/dev/null| openssl x509 -noout -text | egrep 'Not (Before|After)'

Extracting (in .pem format) the CRT, CA and private KEY from a PCS#12 (.pfx or .p12)

+---> usercrt.pem CRT (Certificate)
user.pfx -------+---> cacrt.pem CA (humm...CA!)
user.p12 |
+---> userkey.pem KEY (Private key)

Extract the user certificate contained within the PKCS#12 file:
openssl pkcs12 -in user.pfx -nokeys -clcerts -out usercrt.pem
Extract the CA certificate(s) contained within the PKCS#12 file:
Note: If the PKCS#12 file is a .pfx exported from MSIE Browser then the resulting file might be empty.:-(
openssl pkcs12 -in user.pfx -nokeys -cacerts -out cacrt.pem
Extract the private key contained within the PKCS#12 file.
Warning: the resulting file userkey.pem is not encrypted!
Don’t keep it around for longer than strictly needed!).
openssl pkcs12 -in user.pfx -nocerts -nodes -out userkey.pem

At this stage I assume you have three PEM files called:
usercrt.pem (the user certificate)
cacrt.pem (the CA certificate(s))
userkey.pem (private key)

To check the certificate info run the following command:
openssl x509 -in usercrt.pem -noout -text

To check any certificate on SSL ports(443/993/995/etc):
openssl s_client -showcerts -servername -connect

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: