Posted by Paul Kehrer on January 10, 2010
Short and sweet. This command will give you a list of revoked serial numbers: openssl crl -inform DER -text -noout -in mycrl.crl Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure whether it is DER or PEM, open it with a text editor. If [...]
Posted by Paul Kehrer on January 3, 2010
As internationalized domain names (IDN) proliferate, more people need to test with, and ultimately purchase, IDN certificates. If you need to generate a CSR or even a self-signed certificate for an internationalized domain, follow these steps: Take the UTF-8 characters and paste them into a punycode converter (also known as ASCII compatible encoding, or ACE). [...]
Posted by Paul Kehrer on November 8, 2009
If you have a list of keys and SSL certs and don’t know which cert belongs with which key, here’s a script for you. It’s not efficient (nested for loop!), but it gets the job done quickly. #!/bin/bash for i in `ls *.key` do key_mod=`openssl rsa -noout -in $i -modulus` for j in `ls *.cer` [...]
Posted by Paul Kehrer on October 31, 2009
We are fast approaching the date where NIST has recommended that end entities stop utilizing 1024-bit private keys. OpenSSL, however, currently defaults to creating 1024-bit keypairs. To create a 2048-bit private key and corresponding CSR (which you can send to a certificate authority to obtain your SSL certificate): openssl req -new -nodes -newkey rsa:2048 -keyout [...]
Posted by Paul Kehrer on October 5, 2009
Check if an SSL certificate and private key match in two simple commands. The OpenSSL commands below will require you to replace <file> with your file’s name. For your SSL certificate: openssl x509 -noout -modulus -in <file> | md5sum For your RSA private key: openssl rsa -noout -modulus -in <file> | md5sum The output of [...]
Posted by Paul Kehrer on March 28, 2009
Recently I needed to do some performance testing of an SSL instance on a VM. I considered using JMeter, but decided to use OpenSSL to get a rudimentary picture instead. To obtain a basic result, we connect to the server and pull the /index.php file. You can specify whatever file you’d like to download, or [...]