Certificates: Difference between revisions

← Older edit

Certificates (view source)

Revision as of 20:24, 16 August 2022

9 bytes removed , 1 year ago

→‎Troubleshooting

Amanjosan2008

Bureaucrats, Administrators

4,400

edits

Revision as of 20:22, 16 August 2022 (view source) Amanjosan2008 (talk \| contribs) No edit summary Tag: Reverted ← Older edit		Latest revision as of 20:24, 16 August 2022 (view source) Amanjosan2008 (talk \| contribs) (→‎Troubleshooting)
(One intermediate revision by the same user not shown)
Line 68: The serial number must be unique for each certificate issued by a specific CA. = ~~Certificates~~OpenSSL = Source: [https://www.sslshopper.com/article-most-common-openssl-commands.html sslshopper.com] == Generate Certificates == Generate a new private key and Certificate Signing Request openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key * Generate a self-signed certificate openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt * Generate a certificate signing request (CSR) for an existing private key openssl req -out CSR.csr -key privateKey.key -new * Generate a certificate signing request based on an existing certificate openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key * Remove a passphrase from a private key openssl rsa -in privateKey.pem -out newPrivateKey.pem == Verifying Certificates == * Check a Certificate Signing Request (CSR) openssl req -text -noout -verify -in CSR.csr * Check a private key openssl rsa -in privateKey.key -check * Check a certificate openssl x509 -in certificate.crt -text -noout * Check a PKCS#12 file (.pfx or .p12) openssl pkcs12 -info -in keyStore.p12 == Debugging == * Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key openssl x509 -noout -modulus -in certificate.crt \| openssl md5 openssl rsa -noout -modulus -in privateKey.key \| openssl md5 openssl req -noout -modulus -in CSR.csr \| openssl md5 * Check an SSL connection. All the certificates (including Intermediates) should be displayed openssl s_client -connect www.paypal.com:443 == Converting Format == * Convert a DER file (.crt .cer .der) to PEM openssl x509 -inform der -in certificate.cer -out certificate.pem * Convert a PEM file to DER openssl x509 -outform der -in certificate.pem -out certificate.der * Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes You can add -nocerts to only output the private key or add -nokeys to only output the certificates. * Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12) openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt = Troubleshooting = * Cert tools: https://www.sslshopper.com/ssl-certificate-tools.html = Misc = <pre> A session symmetric key between two parties is used only once. Line 143 ⟶ 208: Digital signatures, in which a message is signed with the sender's private key and can be verified by anyone who has access to the sender's public key. This verification proves that the sender had access to the private key, and therefore is likely to be the person associated with the public key. This also ensures that the message has not been tampered with, as any manipulation of the message will result in changes to the encoded message digest, which otherwise remains unchanged between the sender and receiver. </pre> ~~= OpenSSL =~~ ~~Source: [https://www.sslshopper.com/article-most-common-openssl-commands.html sslshopper.com]~~ ~~== Generate Certificates ==~~ Generate a new private key and Certificate Signing Request ~~openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key~~ * Generate a self-signed certificate ~~openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt~~ * Generate a certificate signing request (CSR) for an existing private key ~~openssl req -out CSR.csr -key privateKey.key -new~~ * Generate a certificate signing request based on an existing certificate ~~openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key~~ * Remove a passphrase from a private key ~~openssl rsa -in privateKey.pem -out newPrivateKey.pem~~ ~~== Verifying Certificates ==~~ * Check a Certificate Signing Request (CSR) ~~openssl req -text -noout -verify -in CSR.csr~~ * Check a private key ~~openssl rsa -in privateKey.key -check~~ * Check a certificate ~~openssl x509 -in certificate.crt -text -noout~~ * Check a PKCS#12 file (.pfx or .p12) ~~openssl pkcs12 -info -in keyStore.p12~~ ~~== Debugging ==~~ * Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key ~~openssl x509 -noout -modulus -in certificate.crt \| openssl md5~~ ~~openssl rsa -noout -modulus -in privateKey.key \| openssl md5~~ ~~openssl req -noout -modulus -in CSR.csr \| openssl md5~~ * Check an SSL connection. All the certificates (including Intermediates) should be displayed ~~openssl s_client -connect www.paypal.com:443~~ ~~== Converting Format ==~~ * Convert a DER file (.crt .cer .der) to PEM ~~openssl x509 -inform der -in certificate.cer -out certificate.pem~~ * Convert a PEM file to DER ~~openssl x509 -outform der -in certificate.pem -out certificate.der~~ * Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM ~~openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes~~ ~~You can add -nocerts to only output the private key or add -nokeys to only output the certificates.~~ * Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12) ~~openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt~~ ~~= Troubleshooting =~~ * Cert tools: https://www.sslshopper.com/ssl-certificate-tools.html