Squoggle

Mac's tech blog

Monthly Archives: September 2019

Extract data from a Certificate

Get Info from a Cert:
Using the -text option will give you the full breadth of information:

$ openssl x509 -text -in [cert-file.crt]

This will show a long list of what’s contained in a cert. You can pipe to less if needed.

Extract which CA (issuer) signed the cert:

$ openssl x509 -noout -in [cert-file.crt] -issuer

Who the certificate was issued to:

$ openssl x509 -noout -in [cert-file.crt] -subject

For which dates it is valid:

$ openssl x509 -noout -in [cert-file.crt] -dates

Expiration date:

$ openssl x509 -noout -in [cert-file.crt] -enddate

Get Serial Number from a Cert:

$ openssl x509 -noout -in [cert-file.crt] -serial

All of the above at once:

$ openssl x509 -noout -in [cert-file.crt] -issuer -subject -dates -serial

Get Signature Algorithm:

$ openssl x509 -text -in [cert-file.crt] | grep 'Signature Algorithm'

Get the subject name hash:

$ openssl x509 -noout -in [cert-file.crt] -hash

Get MD5 fingerprint (modern OpenSSL defaults -fingerprint to SHA-1, so name the digest explicitly; -sha256 works the same way):

$ openssl x509 -noout -in [cert-file.crt] -fingerprint -md5

Get the key size of the cert's public key (1024 or 2048 bits; older OpenSSL prints it on the Modulus line, newer versions on the Public-Key line):

$ openssl x509 -text -noout -in [cert-file.crt] | grep -E 'Public-Key|Modulus'

Get SANs from a Cert:

$ openssl x509 -text -in [cert-file.crt] | grep -A 1 Alternative
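The commands above, put together into the kind of check a monitoring job runs against a cert file: issuer/subject/dates in one call, the SANs parsed out of the -text output, a SHA-256 fingerprint, and an expiry warning using -checkend. This is an added example, not code from the original post; it assumes OpenSSL 1.1.1 or newer (for -addext and -checkend), and the self-signed certificate, its names and the 45-day validity are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): generate a throwaway self-signed
# cert, then pull the fields a monitoring job usually wants from it.
# Assumes openssl 1.1.1+ on PATH. File names, subject, SANs and the 45-day
# validity below are constructed for the demo.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="$(mktemp -d)"
CERT="$WORK/demo.crt"
KEY="$WORK/demo.key"

# Constructed test certificate: 45 days validity, two DNS SANs.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 45 \
  -keyout "$KEY" -out "$CERT" \
  -subj "/C=US/ST=Idaho/L=Pocatello/O=Demo Org/CN=www.example.test" \
  -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
  >/dev/null 2>&1

# Issuer, subject, validity window and serial in one call (as in the post).
cert_summary() {
  openssl x509 -noout -in "$1" -issuer -subject -dates -serial
}

# Print the DNS SANs as a space-separated list, parsed from the -text output
# (the line after "Subject Alternative Name" holds "DNS:a, DNS:b, ...").
cert_sans() {
  openssl x509 -noout -text -in "$1" \
    | grep -A 1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
    | tr '\n' ' ' \
    | sed 's/ $//'
}

# Exit 0 if the cert expires within $2 days. -checkend itself exits 0 when the
# cert is still valid for that many seconds, so its result is negated here.
cert_expires_within() {
  if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# SHA-256 fingerprint (the value to pin or compare; MD5 is only for legacy tooling).
cert_sha256_fingerprint() {
  openssl x509 -noout -in "$1" -fingerprint -sha256 | sed 's/^.*=//'
}

cert_summary "$CERT"
echo "SANs: $(cert_sans "$CERT")"
echo "SHA256: $(cert_sha256_fingerprint "$CERT")"
if cert_expires_within "$CERT" 30; then
  echo "WARNING: certificate expires within 30 days"
else
  echo "OK: more than 30 days of validity left"
fi
```

Point the functions at a real cert file instead of $CERT to use this on a live system; cert_expires_within is the piece worth wiring into cron or a health check, since -checkend does the date arithmetic inside OpenSSL and avoids the non-portable date(1) parsing of the -enddate string.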

Verifying Certs, Keys & CSRs – MD5 Sum

Sometimes you will need to verify that a cert or a CSR belongs to a key. You can do that by comparing the MD5 sum of each file's modulus.

Get the MD5 sum from the Key:

$ openssl rsa -noout -modulus -in [key-file.key] | openssl md5

Get the MD5 sum from a CSR:

$ openssl req -noout -modulus -in [CSR-file.csr] | openssl md5

Get the MD5 sum from a Cert:

$ openssl x509 -noout -modulus -in [certificate-file.crt] | openssl md5

Compare the resulting hashes. If they match, the files belong to each other. If they don't match, the files have been mixed up somehow.
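The modulus comparison above as a script, so the check can be run across a key, CSR and cert in one go. This is an added example and not the post's own code; the keys, CSR and self-signed cert it builds are constructed for the demo, and it assumes openssl on PATH. It also goes one step past the post: same_pubkey compares the whole public key extracted with openssl pkey -pubout, which works for EC keys too (those have no modulus, so the MD5 trick does not apply to them).

```shell
#!/bin/sh
# Added example (not from the original post): check that a key, a CSR and a
# cert all carry the same RSA modulus using the md5-of-modulus method from the
# post, then the more general public-key comparison. All files are constructed.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="$(mktemp -d)"
SUBJ="/C=US/ST=Idaho/L=Pocatello/O=Demo Org/CN=www.example.test"

# Key A with its CSR and a self-signed cert, plus an unrelated key B.
openssl genrsa -out "$WORK/a.key" 2048 2>/dev/null
openssl req -new -key "$WORK/a.key" -subj "$SUBJ" -out "$WORK/a.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/a.csr" -signkey "$WORK/a.key" -out "$WORK/a.crt" 2>/dev/null
openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null

# Print "Modulus=..." for a key, CSR or cert, picking the openssl subcommand
# by file extension (the three commands from the post).
print_modulus() {
  case "$1" in
    *.key) openssl rsa  -noout -modulus -in "$1" ;;
    *.csr) openssl req  -noout -modulus -in "$1" ;;
    *.crt) openssl x509 -noout -modulus -in "$1" ;;
    *)     echo "unknown file type: $1" >&2; return 2 ;;
  esac
}

# MD5 of the modulus line, as a bare hex string. Fails (rather than hashing an
# empty string) when the file could not be read.
modulus_md5() {
  mod="$(print_modulus "$1")" || return 2
  printf '%s\n' "$mod" | openssl md5 | sed 's/^.*= *//'
}

# Exit 0 when every file given shares the modulus of the first one.
same_modulus() {
  ref="$(modulus_md5 "$1")" || return 2
  shift
  for f in "$@"; do
    [ "$(modulus_md5 "$f")" = "$ref" ] || return 1
  done
  return 0
}

# Generalisation (not in the post): compare the full public key of a private
# key ($1) and a cert ($2); this also works for EC keys, which have no modulus.
same_pubkey() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

if same_modulus "$WORK/a.key" "$WORK/a.csr" "$WORK/a.crt"; then
  echo "a.key, a.csr and a.crt belong together"
fi
if ! same_modulus "$WORK/a.key" "$WORK/b.key"; then
  echo "b.key is a different key"
fi
```

Run it against real files by passing their paths to same_modulus (extensions .key, .csr and .crt are how it picks the subcommand); a non-zero exit is the "mixed up files" case from the text.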

OpenSSL Keys & CSRs

An in-depth read on OpenSSL for perusal:
https://wiki.nikhef.nl/grid/How_to_handle_OpenSSL_and_not_get_hurt_using_the_CLI

Create an Encrypted Key:

For Linux:

$ openssl genrsa -aes256 -out [encrypted.key] 2048
Generating RSA private key, 2048 bit long modulus
......+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for [encrypted.key]:
Verifying - Enter pass phrase for [encrypted.key]:

Enter the passphrase and verify.

You should end up with a key file named [encrypted.key].

The -aes256 flag encrypts the key with the AES-256 cipher.

Create an un-encrypted key:

Optionally you can create an un-encrypted or insecure key:

$ openssl genrsa -out [un-encrypted.key] 2048

You should end up with a key file named [un-encrypted.key], but the key is not encrypted.

Decrypt an encrypted key:

If you have an encrypted key and need to decrypt it:

$ openssl rsa -in [encrypted.key] -out [un-encrypted.key]
Enter pass phrase for [encrypted.key]:
writing RSA key

Enter the passphrase.

You should end up with a new file named [un-encrypted.key]. This new file contains the un-encrypted key.

Encrypt an un-encrypted key:

If you have an un-encrypted key and you want to encrypt it:

$ openssl rsa -aes256 -in [un-encrypted.key] -out [encrypted.key]

Enter the passphrase and verify.

You should end up with a key file named [encrypted.key].

The -aes256 flag encrypts the key with the AES-256 cipher.

Check a key to see if it is encrypted:

If you’re not sure if the key is encrypted you can simply assume it is encrypted and attempt to decrypt it with no out file:

$ openssl rsa -text -noout -in [encrypted.key]

If it is encrypted it will ask for the password.

Or simply look at the first few lines of the key file to see if it is encrypted (newer OpenSSL versions write PKCS#8 keys instead, where the first line reads -----BEGIN ENCRYPTED PRIVATE KEY----- and there is no Proc-Type header):

$ head www.jimmysbarandgrill.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,08C9A49D5267E47563D31DCE27429389

yJj1gFqTrRuc8VBX9Rx7LZYlmLV0+WutvYhrMBjTU+8ZDBIsmeEDxW44durw/BjS
i07biVOwAIMwW7hE9oAYOiJy5JqgYuMtVT/hMwEvP9t/8ME4FUCZ1MUxGR25hg5H

Create a CSR (Certificate Signing Request) from a Key:

The key can be an encrypted key or an un-encrypted key. If it is encrypted you will be asked for the key password.

Example:

$ openssl req -new -key www.jimmysbarandgrill.com.key -out www.jimmysbarandgrill.com.csr
Enter pass phrase for www.jimmysbarandgrill.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Idaho
Locality Name (eg, city) []:Pocatello
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Jimmy's Bar and Grill
Organizational Unit Name (eg, section) []:Dishwashing
Common Name (e.g. server FQDN or YOUR name) []:www.jimmysbarandgrill.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Keep in mind that the State must not be abbreviated. You should not use a challenge password. You should not use an optional company name.

Create a CSR from a Key with a one-liner command:

You can create the CSR from an existing key with a one-liner, i.e. non-interactively, with something like this:

$ openssl req -new -key www.jimmysbarandgrill.com.key -out www.jimmysbarandgrill.com.csr -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar and Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com"

The above command assumes you already have a key created with the key name listed in the command.

Create an Un-encrypted Key & CSR with a one-liner command:

You can create the un-encrypted key and CSR with one command like this:

Example:

$ openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.jimmysbarandgrill.com.csr -keyout www.jimmysbarandgrill.com.key -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar & Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com"

The above command uses the -nodes flag to turn off encryption of the key.

Create an Encrypted Key & CSR with a one-liner command:

You can create an encrypted key with an accompanying CSR with one command like this:

Example:

$ openssl req -new -newkey rsa:2048 -sha256 -out www.jimmysbarandgrill.com.csr -keyout www.jimmysbarandgrill.com.key -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar & Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com"

Essentially you just remove the -nodes flag. This does not appear to let you choose the cipher used to encrypt the key (it uses OpenSSL's default). This may or may not matter depending on the security posture. If it is important, I've come up with a workaround hack one-liner that seems to work:

$ openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.jimmysbarandgrill.com.csr -keyout www.jimmysbarandgrill.com.key -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar & Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com" && openssl rsa -aes256 -in www.jimmysbarandgrill.com.key -out www.jimmysbarandgrill.com.key

The above example creates an un-encrypted key, creates the CSR from it, then encrypts the key in place. This command results in an encrypted key file named www.jimmysbarandgrill.com.key and a CSR file named www.jimmysbarandgrill.com.csr.

Now all I need to do is figure out how to remove the automatic hyperlinks on these file names above.

Check a CSR:

Now that you have the CSR you should check it to ensure it is valid. Here’s a command to display the contents of the CSR:

$ openssl req -noout -text -in [CSR-File.csr]

Using the example of the CSR that was just created it would look something like this:

$ openssl req -noout -text -in www.jimyysbarandgrill.com.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Idaho, L=Pocatello, O=Jimmy's Bar & Grill, OU=Dishwashing, CN=www.jimyysbarandgrill.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:f0:e5:f5:c6:97:01:0b:ba:59:fd:2a:97:09:
                    4f:42:05:4c:53:bc:c3:8b:75:e6:e3:2b:e2:f7:1f:
                    8b:90:38:16:73:40:5e:f3:2a:ad:04:73:06:12:6e:
                    40:ff:4d:1a:b9:e4:41:07:d6:db:96:d4:fa:61:9a:
                    5f:03:fa:f9:92:d7:a0:19:56:1c:64:e7:4d:d6:cf:
                    ea:27:0e:b6:09:cd:22:e2:99:c3:66:8f:f2:ef:96:
                    aa:cc:6f:c7:a9:2c:79:28:20:91:6d:b8:2a:96:40:
                    bd:b2:60:b7:2f:59:1b:04:30:5d:1f:85:26:81:6b:
                    61:9e:8c:be:a5:bd:d3:3d:39:b7:86:d6:9a:30:74:
                    fe:59:a1:d6:39:7a:8b:f2:26:62:e2:3d:c6:a9:fe:
                    66:dd:9d:21:07:c4:c9:5b:12:93:21:22:7c:f2:d5:
                    21:0b:a8:89:bc:b3:b0:99:6d:d9:3c:d0:1d:6a:a7:
                    8c:90:64:e2:12:2a:ea:a7:49:e2:80:01:91:c9:da:
                    32:b5:41:6d:ae:ad:f2:77:a2:48:f4:66:6e:f1:35:
                    5f:47:f2:c9:4e:99:0b:9c:77:ff:71:19:43:b8:0b:
                    fe:74:0d:a4:bd:9c:e0:b0:ae:71:0b:4f:db:09:0d:
                    9b:91:46:e8:dc:db:ea:42:27:b8:ba:10:56:d0:6b:
                    0a:17
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         5b:38:5f:10:f4:0a:73:05:b7:e3:21:f8:d2:3b:ee:e7:dd:4b:
         65:d0:f8:bc:47:7d:0d:d4:fa:9b:28:6d:6c:52:be:74:de:62:
         e1:ae:99:fc:85:e6:99:65:a2:c8:b7:56:5a:0f:aa:49:ff:f8:
         68:ed:9d:6f:48:75:49:78:8e:67:95:39:ee:96:bc:f3:20:8f:
         a3:31:7a:a8:49:30:80:7a:f4:27:41:ba:91:ba:ad:63:84:06:
         95:70:86:2b:be:e2:0f:9a:26:d4:21:34:61:c2:21:d2:75:51:
         3f:39:fa:ed:f1:92:d5:ff:12:03:cb:1a:56:f8:c9:e5:6d:00:
         78:61:c3:12:90:69:80:a0:c9:71:7e:42:ff:ce:f1:35:a1:08:
         9e:fd:62:d8:77:8d:5d:74:4b:6d:41:1f:a4:f8:d6:14:c6:ca:
         1f:bd:9a:8a:43:ac:da:bb:d6:4d:f9:d2:15:a1:5f:59:b0:da:
         82:78:64:67:39:d9:49:49:1a:e6:7d:9e:bf:5d:11:0b:fb:57:
         3d:f0:c5:64:da:15:a7:d7:28:63:4e:5d:7f:0c:2e:e6:7d:2e:
         f5:8c:43:36:1e:3b:15:52:cc:5a:cc:82:50:23:09:c8:fa:63:
         ff:19:30:6a:1a:ed:63:b5:5d:c0:be:20:67:3d:01:8b:b0:4d:
         0d:01:8e:af
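The whole key-and-CSR procedure from this post, run non-interactively end to end: un-encrypted key plus CSR in one command, the key then encrypted with AES-256 (the workaround one-liner), a check that the key really is encrypted, and the CSR checked before it goes to a CA. This is an added example and not the post's own code; it assumes OpenSSL 1.1.1 or newer, and the passphrase, subject and file names are constructed. Two details differ from the interactive flow above: -passout/-passin replace the prompts, and the encryption check accepts both the Proc-Type header shown in the post and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form that newer OpenSSL writes.

```shell
#!/bin/sh
# Added example (not from the original post): the one-liner flow end to end,
# non-interactively. Creates an un-encrypted key + CSR, encrypts the key with
# AES-256, confirms the key really is encrypted, and checks the CSR.
# Assumes openssl 1.1.1+ on PATH; passphrase, subject and file names are constructed.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="$(mktemp -d)"
PLAIN_KEY="$WORK/www.example.test.plain.key"
ENC_KEY="$WORK/www.example.test.key"
CSR="$WORK/www.example.test.csr"
PASS="demo-passphrase-change-me"   # constructed; in real use prefer -passout file:... or env:VAR
SUBJ="/C=US/ST=Idaho/L=Pocatello/O=Demo Bar & Grill/OU=Dishwashing/CN=www.example.test"

# Step 1: un-encrypted key and CSR in one command (-nodes = no key encryption).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$PLAIN_KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null

# Step 2: encrypt the key with AES-256; -passout replaces the interactive prompt.
openssl rsa -aes256 -in "$PLAIN_KEY" -out "$ENC_KEY" -passout "pass:$PASS" 2>/dev/null
rm -f "$PLAIN_KEY"   # the plaintext copy should not stay on disk

# Exit 0 if the PEM file is an encrypted private key. Handles both the legacy
# "Proc-Type: 4,ENCRYPTED" header shown in the post and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" form that newer OpenSSL writes.
key_is_encrypted() {
  head -n 3 "$1" | grep -q -E '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED'
}

# Exit 0 if the passphrase unlocks the key: the non-interactive form of the
# "try to decrypt it with no out file" check from the post.
key_passphrase_ok() {
  openssl rsa -noout -in "$1" -passin "pass:$2" >/dev/null 2>&1
}

# Exit 0 if the CSR's self-signature verifies (the request was not corrupted
# or edited after it was signed).
csr_is_valid() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Common Name from the CSR subject; copes with both the "CN=x" and the
# "CN = x" output styles of different OpenSSL versions.
csr_cn() {
  openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

key_is_encrypted "$ENC_KEY" && echo "key is encrypted"
key_passphrase_ok "$ENC_KEY" "$PASS" && echo "passphrase accepted"
csr_is_valid "$CSR" && echo "CSR signature verifies for CN=$(csr_cn "$CSR")"
```

The encrypt-then-delete step is the part to keep: the workaround one-liner in the post overwrites the plaintext key in place, which is the same idea, but writing to a new file and then removing the original makes the failure mode obvious if the encryption step errors out.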

Get Public Key from a Private Key:

You can get the public key from a private key with something like this (the private key stays unchanged; only the public half is written out):

$ openssl pkey -in [private.key] -pubout -out [public.key]