I want to summarize some examples of using openssl as a tool to manage certificates. If you are interested in a good introduction to cryptography, check the gpgtools link.
Let’s start with some basic uses:
Create our own Certificate Authority (CA)
$ openssl genrsa -des3 -out root-ca.key 2048
$ openssl req -new -x509 -days 3650 -subj "/C=ES/ST=Zaragoza/O=Home/CN=localhost.local" -key root-ca.key -out root-ca.crt
Check a CA certificate
$ openssl x509 -noout -text -in root-ca.crt
Custom CA certificate
You may want to change the /etc/ssl/openssl.conf file so that it points to the new CA certificate and key:
[ ca ]
default_ca = CA_custom
[ CA_custom ]
...
certificate = $dir/root-ca.crt # The CA certificate
private_key = $dir/private/root-ca.key # The private key
Self-signed certificate
Create a self-signed certificate with a single command. Remember that if you are creating a server certificate, the Common Name has to match the server's FQDN.
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server-selfsigned.key -out /etc/ssl/certs/server-selfsigned.crt
Generate a private key
– Generate an RSA private key protected with AES-128 encryption. A private key is never signed by anybody; only the certificate is:
$ openssl genrsa -aes128 2048 > foo.key
Create Certificate Signing Request (CSR)
Creating a Certificate Signing Request (CSR) from a private key:
$ openssl req -new -key foo.key -out foo_key.csr
Review CSR content
$ openssl req -in foo_key.csr -noout -text
Signing a CSR
To sign our CSR with our CA:
$ openssl ca -in foo_key.csr -out foo.crt
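Added example (not from the original post): a shell script that builds a throw-away CA, signs a server CSR with `openssl x509 -req` (which, unlike `openssl ca`, needs no index.txt or serial files), and then verifies the result the way you would before installing it in nginx or Apache: chain against the CA, key/certificate modulus match, and expiry. The temporary directory, subject names and 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Requires only the openssl CLI.
set -eu

# make_ca DIR: create root-ca.key / root-ca.crt in DIR (unencrypted key, test use only)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=ES/ST=Zaragoza/O=Home/CN=Home Root CA" \
        -keyout "$1/root-ca.key" -out "$1/root-ca.crt" 2>/dev/null
}

# sign_server_cert DIR FQDN: key + CSR for FQDN, signed by the CA found in DIR
sign_server_cert() {
    dir=$1; fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/root-ca.crt" \
        -CAkey "$dir/root-ca.key" -CAcreateserial -days 90 \
        -out "$dir/$fqdn.crt" 2>/dev/null
}

# verify_server_cert DIR FQDN: returns 0 only if the chain validates against
# root-ca.crt, the key matches the certificate, and it is not expiring soon
verify_server_cert() {
    dir=$1; fqdn=$2
    # grep on ": OK" because old openssl releases exit 0 even on failure
    openssl verify -CAfile "$dir/root-ca.crt" "$dir/$fqdn.crt" 2>/dev/null \
        | grep -q ': OK$' || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/$fqdn.crt" | openssl dgst -sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$fqdn.key" 2>/dev/null | openssl dgst -sha256)
    [ "$cert_mod" = "$key_mod" ] || return 1
    # fail if the certificate expires within the next 30 days (2592000 s)
    openssl x509 -noout -checkend 2592000 -in "$dir/$fqdn.crt" >/dev/null
}

# demo: end-to-end run in a temporary directory; exit status 0 means all checks passed
demo() {
    tmp=$(mktemp -d)
    make_ca "$tmp"
    sign_server_cert "$tmp" localhost.local
    if verify_server_cert "$tmp" localhost.local; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```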
Get server certificates
To download the certificates a server presents, this command (found here) can be useful; it writes each certificate of the chain to its own level<n>.crt file:
$ openssl s_client -showcerts -connect shipit.ubuntu.com:443 </dev/null 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/{inc=1; c++} inc {print > ("level" c ".crt")} /-----END CERTIFICATE-----/{inc=0}'
Check information about certificates
Viewing information about downloaded certificates:
$ for i in level?.crt; do openssl x509 -noout -serial -subject -issuer -in "$i"; echo; done
Create a Diffie-Hellman group
Let’s create a strong Diffie-Hellman group, to negotiate Perfect Forward Secrecy with clients:
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Nginx webserver: install a certificate
– Install the server certificate in Nginx with the following snippet file, /etc/nginx/snippets/selfsigned.conf:
ssl_certificate /etc/ssl/certs/server-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/server-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Customizing Nginx configuration
To set up stronger encryption settings, check the following link. Also take a look at this link about HSTS:
/etc/nginx/sites-available/default
...
server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/selfsigned.conf;
    ...
}
Then test the configuration and restart the service:
# nginx -t
# systemctl restart nginx
Webserver Apache2: Configuring a certificate
The SSL settings for the server certificate in Apache2 are located in this file:
/etc/apache2/sites-available/default-ssl.conf
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-selfsigned.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-selfsigned.key
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Customizing Apache2 SSL settings
To enforce stronger encryption settings in Apache2, check this link.
Export PKCS12 format from PEM
Exporting the signed certificate together with its private key as PKCS12 from PEM format, in case you need it:
$ cat foo.key foo.crt > foo.pem
$ openssl pkcs12 -export -in foo.pem -out foo.p12 -name foo
Export certificate to DER format from PEM
Exporting certificate in DER format:
$ openssl x509 -in foo.pem -outform DER -out foo.der
Create a simple OCSP server
To start a simple OCSP responder, check the link for more information, but we could use this (the CA certificate is given to -CA and -rsigner, the CA key to -rkey):
$ openssl ocsp -index index.txt -CA root-ca.crt -rsigner root-ca.crt -rkey root-ca.key -port 3456
Waiting for OCSP client connections...
Let’s Hash
Calculating Message Digests with SHA algorithm:
$ openssl dgst -sha1 foo
SHA1(foo)= 9f43d756fa00e241dd614728f5e13461bfc8dde1
Encode text using base64
$ openssl base64 -in foo
bGFsYWxhbAo=
I hope you find this collection of use cases useful for working with such a great tool as openssl.
—
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
— Sun Tzu, (Art of War)