Fun hacks, WP plugins, photography, and PKI junk. Languishing since 2008.
Posts tagged openssl
Parsing A CRL With OpenSSL
Jan 10th
Short and sweet. This command dumps the CRL in readable form, including the list of revoked serial numbers:
openssl crl -inform DER -text -noout -in mycrl.crl
Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you're unsure whether it is DER or PEM, open it with a text editor: if you see -----BEGIN X509 CRL----- it's PEM, and if you see binary-looking garbage characters it's DER. If you also pass -CAfile issuer.pem, openssl crl checks the CRL's signature against the issuer certificate and reports verify OK or verify failure on stderr; look at that message rather than relying on the exit status alone, because a CRL whose signature you haven't checked tells you nothing.
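The same thing as a reusable shell function, added here as an example and not part of the original post. It sniffs PEM versus DER the way the paragraph above describes, optionally refuses to print anything until the CRL signature verifies against the issuer with -CAfile, and prints just the serials. File names are placeholders.

```sh
#!/bin/sh
# Added example: list revoked serials from a CRL in either encoding.
# Usage: crl_revoked_serials FILE [ISSUER_CERT]   (file names are placeholders)

# Print PEM or DER depending on what FILE looks like: a PEM CRL carries the
# "-----BEGIN X509 CRL-----" armor line, anything else is taken to be DER.
crl_detect_form() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Print one revoked serial number (uppercase hex, as openssl prints it) per
# line. If ISSUER_CERT is given, print nothing unless the CRL's signature
# verifies against that issuer.
crl_revoked_serials() {
    crl=$1
    issuer=$2
    form=$(crl_detect_form "$crl")

    if [ -n "$issuer" ]; then
        # openssl crl reports the result on stderr as "verify OK" or
        # "verify failure"; check the message, not the return code.
        verdict=$(openssl crl -inform "$form" -in "$crl" -noout -CAfile "$issuer" 2>&1 >/dev/null || true)
        case $verdict in
            *"verify OK"*) ;;
            *) printf 'CRL signature did not verify against %s\n%s\n' "$issuer" "$verdict" >&2
               return 1 ;;
        esac
    fi

    # -text prints each entry as "    Serial Number: XX" under the
    # "Revoked Certificates:" heading (or "No Revoked Certificates." if empty).
    text=$(openssl crl -inform "$form" -in "$crl" -noout -text) || return 1
    printf '%s\n' "$text" | awk '$1 == "Serial" && $2 == "Number:" { print $3 }'
}

if [ $# -gt 0 ]; then
    crl_revoked_serials "$@"
fi
```

Run it as crl_revoked_serials mycrl.crl issuer.pem and diff the output against the serials of the certificates you care about.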
OpenSSL and IDN Certificates
Jan 3rd
As internationalized domain names (IDN) proliferate more people need to test with, and ultimately purchase, IDN certificates. If you need to generate a CSR or even a self-signed certificate for an internationalized domain follow these steps:
- Take the UTF-8 characters and paste them into a punycode converter to get the ASCII-compatible encoding (ACE) form of the name.
- The resulting converted text will be a fairly long string whose internationalized labels start with "xn--". Copy the entire thing.
- Now run one of these commands.
For CSR generation1:
openssl req -new -nodes -out mycsr.csr -keyout mykey.pem -newkey rsa:2048
For self-signed certificate generation2:
openssl req -new -nodes -x509 -days 3650 -out mycert.cer -keyout mykey.pem -newkey rsa:2048
Either way, follow the prompts and when you reach Common Name paste the text you copied from the punycode converter. Now you can submit your CSR to a certification authority or install the self-signed certificate for testing. One caveat: browsers match the host name against the subjectAltName extension rather than the Common Name. A CA will put the name into the SAN for you, but a self-signed test certificate needs it added explicitly, for example with -addext "subjectAltName=DNS:xn--..." on OpenSSL 1.1.1 or later.
- We are generating a 2048-bit CSR ↩
- This will generate a 10 year self-signed certificate. ↩
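The whole procedure done non-interactively, as an added example rather than the post's own commands. It assumes python3 is installed (its built-in idna codec does the punycode step; that codec implements IDNA2003, so it folds the German ß to "ss" where IDNA2008 would give "xn--strae-oqa", and for such names you want a proper converter) and OpenSSL 1.1.1 or newer for -addext. The ACE name goes into both the CN and a subjectAltName, and a check function confirms the CSR carries it before you send it off. Host names and file names are placeholders.

```sh
#!/bin/sh
# Added example: key + CSR for an internationalized host name, non-interactively.
# Needs python3 (for the punycode step) and OpenSSL 1.1.1+ (for -addext).

# to_ace NAME: print the ASCII-compatible (punycode) form of a Unicode host name.
# Uses python3's built-in idna codec, which implements IDNA2003: it lowercases
# and maps, so "straße" becomes "strasse" rather than IDNA2008's "xn--strae-oqa".
# The name is read as raw bytes so the shell's locale does not matter.
to_ace() {
    printf '%s' "$1" | python3 -c '
import sys
name = sys.stdin.buffer.read().decode("utf-8")
print(name.encode("idna").decode("ascii"))
'
}

# idn_csr NAME KEYFILE CSRFILE: generate a 2048-bit RSA key and a CSR whose
# Common Name and subjectAltName both carry the ACE form of NAME. Prints the
# ACE name it used. Browsers match the host against the SAN, not the CN.
idn_csr() {
    name=$1 key=$2 csr=$3
    ace=$(to_ace "$name") || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/CN=$ace" \
        -addext "subjectAltName=DNS:$ace" >/dev/null 2>&1 || return 1
    printf '%s\n' "$ace"
}

# csr_has_name CSRFILE NAME: succeed only if NAME is both the CN and a DNS SAN
# of the request. Run this before submitting the CSR to a CA.
csr_has_name() {
    openssl req -in "$1" -noout -subject | grep -q "CN *= *$2" &&
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

if [ $# -eq 3 ]; then
    idn_csr "$1" "$2" "$3"
fi
```

For a self-signed test certificate instead of a CSR, add -x509 -days 3650 to the openssl req line exactly as in the post; -addext works the same way there.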
Find A Matching Certificate And Key Pair
Nov 8th
If you have a list of keys and SSL certs and don’t know which cert belongs with which key, here’s a script for you. It’s not efficient (nested for loop!), but it gets the job done quickly.1
#!/bin/bash
# Compare the RSA modulus of every key against every certificate.
for key in *.key; do
    key_mod=$(openssl rsa -noout -modulus -in "$key")
    for cert in *.cer; do
        x509_mod=$(openssl x509 -noout -modulus -in "$cert")
        if [ "$x509_mod" = "$key_mod" ]; then
            echo "$cert matches $key"
        fi
    done
done
- Bash 4 has associative arrays (declare -A), so this is easy to optimize: store each key's modulus in one and look each certificate up in it, instead of recomputing the key moduli for every certificate. ↩
Create A 2048-bit Key Via OpenSSL
Oct 31st
We are fast approaching the date where NIST has recommended that end entities stop utilizing 1024-bit private keys. OpenSSL, however, still defaulted to 1024-bit key pairs when this was written (current releases default to 2048 bits, but it costs nothing to be explicit). To create a 2048-bit private key and corresponding CSR (which you can send to a certificate authority to obtain your SSL certificate):
openssl req -new -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr
This command will make a 2048-bit key, run the interactive prompt to populate the fields of the certificate signing request, and leave the private key unencrypted (-nodes; OpenSSL 3.0 calls the same option -noenc). You can remove -nodes if you wish, but encrypting the private key will require you to type the passphrase every time you start an application (like Apache) that uses it.
Check If A Certificate & Private Key Match
Oct 5th
Check if an SSL certificate and private key match in two simple commands. The OpenSSL commands below will require you to replace <file> with your file’s name.
For your SSL certificate:1
openssl x509 -noout -modulus -in <file> | md5sum
For your RSA private key:
openssl rsa -noout -modulus -in <file> | md5sum
The output of these commands should be identical. If it isn't, the certificate and key do not belong together. Note that -modulus only exists for RSA keys; for an EC key compare the public key instead, which openssl x509 prints with -pubkey and openssl pkey prints with -pubout.
- The pipe to md5sum is solely to make the output shorter and easier to visually compare ↩
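Both this post and the nested-loop script in "Find A Matching Certificate And Key Pair" compare RSA moduli, which tells you nothing about EC keys. The following script is an added example, not the blog's code: it hashes the SubjectPublicKeyInfo instead (the same fingerprint used for key pinning), so it works for any key type, and it indexes the keys once so every file is read a single time, the optimization the earlier footnote talks about. It assumes the *.key / *.cer naming from that post and openssl pkey, i.e. OpenSSL 1.0.0 or later; directory names are placeholders.

```sh
#!/bin/sh
# Added example: match certificates to private keys by public key, not modulus.
# Usage: match_keys_to_certs DIR   (expects *.key and *.cer files in DIR)

# pubkey_fingerprint: read a PEM public key on stdin, print the SHA-256 of its
# DER encoding. Going through DER normalizes away line-ending differences.
pubkey_fingerprint() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

match_keys_to_certs() {
    dir=$1
    index=$(mktemp) || return 1

    # Pass 1: hash every key once and record "fingerprint<TAB>path". A temp
    # file stands in for a hash table so this runs under plain sh; with bash 4
    # you would use declare -A instead.
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        # </dev/null so an encrypted key fails instead of prompting; such keys
        # are skipped (add -passin if you need them).
        pem=$(openssl pkey -in "$k" -pubout 2>/dev/null </dev/null) || continue
        fp=$(printf '%s\n' "$pem" | pubkey_fingerprint)
        printf '%s\t%s\n' "$fp" "$k" >>"$index"
    done

    # Pass 2: one openssl call per certificate, then a lookup instead of a
    # second loop over all the keys.
    for c in "$dir"/*.cer; do
        [ -e "$c" ] || continue
        pem=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null) || {
            printf '%s: not a certificate\n' "$c" >&2
            continue
        }
        fp=$(printf '%s\n' "$pem" | pubkey_fingerprint)
        key=$(awk -F '\t' -v want="$fp" '$1 == want { print $2; exit }' "$index")
        if [ -n "$key" ]; then
            printf '%s matches %s\n' "$c" "$key"
        else
            printf '%s matches no key in %s\n' "$c" "$dir"
        fi
    done
    rm -f "$index"
}

if [ $# -eq 1 ]; then
    match_keys_to_certs "$1"
fi
```

The two-command check from this post is the same idea for a single pair: the SHA-256 of the DER public key plays the role the md5sum of the modulus plays above, except that it also covers EC keys.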
Using OpenSSL s_time
Mar 28th
Recently I needed to do some performance testing of an SSL instance on a VM. I considered using JMeter, but decided to use OpenSSL to get a rudimentary picture instead.
To obtain a basic result, we connect to the server and pull the /index.php file. You can specify whatever file you’d like to download, or none at all if you simply want to test connections.1
openssl s_time -www /index.php -new -connect www.trustwave.com:443
Your result will look something like this:
No CIPHER specified
Collecting connection statistics for 30 seconds
ttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
159 connections in 5.82s; 27.32 connections/user sec, bytes read 62328
159 connections in 31 real seconds, 392 bytes read per connection
If you'd like to get more specific with performance testing you can use the -cipher parameter to restrict the cipher list and so choose which suite is negotiated (this covers TLS 1.2 and below; on OpenSSL 1.1.1 and later the TLS 1.3 suites are set separately with -ciphersuites). You can obtain a list of available ciphers with "openssl ciphers".
- If you would prefer to reuse connections rather than create a new one for each request replace -new with -reuse. ↩
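An added example, not from the post, that wraps s_time so the connections-per-second figure from its first summary line can be compared across cipher suites side by side. It fixes -new (a full handshake per connection, as in the command above) and assumes a reachable HOST:PORT; the -cipher restriction only has an effect when the server negotiates TLS 1.2 or below for that suite, since TLS 1.3 suites are selected with -ciphersuites instead. Hosts and suite names are placeholders.

```sh
#!/bin/sh
# Added example: compare s_time handshake rates across cipher suites.
# Usage: s_time_compare HOST:PORT SECONDS CIPHER...

# s_time_rate HOST:PORT SECONDS [CIPHER]: run s_time with -new for SECONDS
# and print the "connections/user sec" figure from its summary line. CIPHER
# restricts the TLS 1.2-and-below cipher list; TLS 1.3 suites are chosen
# with -ciphersuites and are not affected by it.
s_time_rate() {
    target=$1 secs=$2 cipher=$3
    if [ -n "$cipher" ]; then
        set -- -cipher "$cipher"
    else
        set --
    fi
    # Summary line: "159 connections in 5.82s; 27.32 connections/user sec, ..."
    openssl s_time -connect "$target" -new -time "$secs" "$@" 2>/dev/null |
        awk '/connections\/user sec/ { for (i = 2; i <= NF; i++) if ($i == "connections/user") print $(i - 1) }'
}

# s_time_compare HOST:PORT SECONDS CIPHER...: one line per suite, same
# duration each, so the numbers sit next to each other.
s_time_compare() {
    target=$1 secs=$2
    shift 2
    for cipher in "$@"; do
        rate=$(s_time_rate "$target" "$secs" "$cipher")
        printf '%-40s %s connections/sec\n' "$cipher" "${rate:-failed}"
    done
}

if [ $# -ge 3 ]; then
    s_time_compare "$@"
fi
```

Something like s_time_compare www.example.com:443 10 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 is enough to see whether a suite change moves the needle; keep SECONDS the same for every run, and remember the figure is client CPU time, not wall-clock throughput.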