SSL Certificates

Show certificate details:

openssl x509 -noout -text -fingerprint -in ssl.crt

Show certificate request details:

openssl req -noout -text -reqopt no_header,no_signame,no_sigdump,no_pubkey -in ssl.csr

New certificate request:

openssl req -sha256 -out ssl.csr -new -newkey rsa:4096 -nodes -keyout ssl.key

New certificate request with configuration file:

openssl req -sha256 -out ssl.csr -new -nodes -config ../../../openssl.cnf

New certificate request from existing private key:

openssl req -sha256 -out ssl.csr -key ssl.key -new

New certificate request from existing private key with configuration file:

openssl req -sha256 -out ssl.csr -key ssl.key -new -config ../../../openssl.cnf
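The CSR commands above are usually followed by a check that the resulting key, the CSR and the certificate that comes back all belong together. The shell script below is an added example rather than code from the original page: it generates a key and CSR from a constructed openssl.cnf carrying a SAN (standing in for the page's ../../../openssl.cnf), self-signs a certificate so the check can run offline, then compares the RSA modulus of all three, verifies the CSR signature and lists the SANs actually requested. It assumes the openssl CLI is on PATH; the config contents, file names and host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original page): generate a key and CSR from a
# minimal config file carrying a SAN, then check that the key, the CSR and a
# certificate issued from it all belong together before deploying them.
# Assumes the openssl CLI is on PATH. The config contents, file names and host
# names are constructed; the certificate is self-signed only so that the check
# can run offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed openssl.cnf: non-interactive subject plus a SAN request extension.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = ext

[ dn ]
CN = www.example.test
O  = Example Org

[ ext ]
subjectAltName = DNS:www.example.test, DNS:example.test
EOF
}

# New key and CSR, as in the page's "-config" variant (-nodes: unencrypted key).
make_key_and_csr() {
  openssl req -sha256 -new -nodes -newkey rsa:2048 -config "$WORK/openssl.cnf" \
    -keyout "$WORK/ssl.key" -out "$WORK/ssl.csr" 2>/dev/null
}

# Self-signed stand-in for the certificate a CA would return for this CSR.
issue_cert() {
  openssl x509 -req -sha256 -days 1 -in "$WORK/ssl.csr" -signkey "$WORK/ssl.key" \
    -out "$WORK/ssl.crt" 2>/dev/null
}

# SHA-256 over the RSA modulus: the classic way to see whether key, CSR and
# certificate share one key pair. $1 is the openssl subcommand (rsa, req, x509).
modulus_fp() {
  openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{ print $NF }'
}

key_csr_cert_match() {
  k="$(modulus_fp rsa  "$WORK/ssl.key")"
  r="$(modulus_fp req  "$WORK/ssl.csr")"
  c="$(modulus_fp x509 "$WORK/ssl.crt")"
  if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then echo MATCH; else echo MISMATCH; fi
}

# The CSR's own signature proves it was produced with the key it names.
csr_signature_ok() {
  openssl req -noout -verify -in "$WORK/ssl.csr" >/dev/null 2>&1
}

# SANs actually present in the CSR; a CA will not add names that are missing here.
csr_sans() {
  openssl req -noout -text -in "$WORK/ssl.csr" |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

run_demo() {
  write_config "$WORK/openssl.cnf"
  make_key_and_csr
  issue_cert
  echo "key/CSR/cert: $(key_csr_cert_match)"
  csr_signature_ok && echo "CSR signature: OK"
  echo "CSR SANs:     $(csr_sans)"
  openssl x509 -noout -subject -fingerprint -sha256 -in "$WORK/ssl.crt"
}

if command -v openssl >/dev/null 2>&1; then run_demo; else echo "openssl not found" >&2; fi
```

The modulus comparison is the same check used when a renewed certificate arrives from a CA: run modulus_fp on the deployed key and on the new certificate, and a MISMATCH means the wrong key (or the wrong file) is about to be installed.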

New DH parameters (the 1024-bit size used here is now considered too weak; 2048 bits or more is the current recommendation):

openssl dhparam -out dh1024.pem 1024

Decrypt private key:

openssl rsa -in <encrypted key> -out ssl.key

Read CRL:

openssl crl -inform DER -text -in cacrl.crl

Create PKCS12:

openssl pkcs12 -export -in ssl.crt -inkey ssl.key -certfile cacert.crt -name "[friendly name]" -out ssl.p12

Check OCSP status:

openssl ocsp -no_nonce -header Host ocsp.startssl.com -issuer ../../sub.class2.server.ca.pem -cert ssl.crt -url http://ocsp.startssl.com/sub/class2/server/ca -CAfile ../../sub.class2.server.ca.pem

File signed with attached signature:

openssl smime -sign -in <unsigned file> -out <signed file> -signer <signing certificate> -inkey <signing key> -certfile <signing CA> -outform der -nodetach

Private key format:

Earlier versions of openssl generate a PKCS#1 RSAPrivateKey format, as denoted by

-----BEGIN RSA PRIVATE KEY-----

and the later versions generate a PKCS#8 PrivateKeyInfo format, as denoted by

-----BEGIN PRIVATE KEY-----

It's possible to convert from PKCS#1 to PKCS#8 using openssl rsa.
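As an added example (not code from the original page) of handling the two key formats, the script below classifies a PEM key by its header and converts in both directions. It assumes the openssl CLI is on PATH; file names are constructed. For the PKCS#1 to PKCS#8 direction it uses openssl pkcs8 -topk8 -nocrypt, which behaves the same on every OpenSSL release; for the reverse direction it tries openssl rsa -traditional (OpenSSL 3) and falls back to plain openssl rsa, which on older releases emits PKCS#1 by default.

```shell
#!/bin/sh
# Added example (not code from the original page): classify a PEM-encoded RSA
# private key by its armour header and convert between the PKCS#1 and PKCS#8
# encodings. Assumes the openssl CLI is on PATH; file names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Header-based classification, including the encrypted variants of each form.
key_format() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN RSA PRIVATE KEY-----')
      # PKCS#1 marks encryption with a Proc-Type line right after the header.
      if sed -n '2p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
        echo pkcs1-encrypted
      else
        echo pkcs1
      fi ;;
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    *)                                       echo unknown ;;
  esac
}

# PKCS#1 (or PKCS#8) -> unencrypted PKCS#8; works on every OpenSSL release.
to_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# -> PKCS#1. OpenSSL 3 needs -traditional; older releases emit PKCS#1 by
# default and reject the flag, hence the fallback.
to_pkcs1() {
  openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Both encodings carry the same numbers: confirm only the wrapper changed.
same_key() {
  a="$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)"
  b="$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

demo() {
  # Which header genrsa writes depends on the OpenSSL version, as noted above.
  openssl genrsa -out "$WORK/orig.key" 2048 2>/dev/null
  to_pkcs8 "$WORK/orig.key" "$WORK/pkcs8.key"
  to_pkcs1 "$WORK/orig.key" "$WORK/pkcs1.key"
  for name in orig pkcs8 pkcs1; do
    printf '%-6s %s\n' "$name" "$(key_format "$WORK/$name.key")"
  done
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

The header check only tells you how the file is wrapped; same_key confirms the converted file still contains the original key pair, which is the test worth running before replacing a key in a web server or HSM import.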

Check TLS configuration:

nmap --script +ssl-enum-ciphers -p 587 smtp.alt.tf -Pn -6

Last modified: 2017/02/26 22:42 by Benjamin Collet