@lucamartellucci
Last active March 23, 2020 17:59
OpenSSL Tips

Show certificate content

$ openssl x509 -in cert.pem -noout -text | more

Build trustchain

$ openssl crl2pkcs7 -nocrl -certfile cacert.pem -out chain.p7b -outform DER

OCSP request

$ openssl ocsp -text -sha256 -issuer cacert.pem -cert ee.pem -url http://host/ejbca/publicweb/status/ocsp -CAfile bundle.pem -VAfile ocsp_cert.pem

Where

  • cacert.pem is the CA certificate that issued ee.pem (e.g. the Root CA or a Sub CA certificate)
  • ee.pem is the certificate to be validated
  • bundle.pem contains the trust chain (e.g. the Sub CA certificate and the Root CA)
  • ocsp_cert.pem is the certificate of the OCSP responder

Parse QcStatement

$ openssl asn1parse -in certificate.pem
737:d=4  hl=3 l= 229 cons: SEQUENCE          
740:d=5  hl=2 l=   8 prim: OBJECT            :qcStatements
750:d=5  hl=3 l= 216 prim: OCTET STRING      [HEX DUMP]:3081D53008060604008E460101300B060604008E4601030201143008060604008E4601043081B1060604008E4601053081A63051164B68747470733A2F2F7777772E616374616C69732E69742F646F63756D656E74692D69742F7473615F646973636C6F737572655F73746174656D656E745F616374616C69735F69742E706466130269743051164B68747470733A2F2F7777772E616374616C69732E69742F646F63756D656E74692D656E2F7473615F646973636C6F737572655F73746174656D656E745F616374616C69735F656E2E7064661302656E
969:d=4  hl=4 l= 398 cons: SEQUENCE          
973:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Certificate Policies

The OCTET STRING carries the extension value as raw DER, so the hex dump can be decoded and parsed on its own:

$ echo "3081D53008060604008E460101300B060604008E4601030201143008060604008E4601043081B1060604008E4601053081A63051164B68747470733A2F2F7777772E616374616C69732E69742F646F63756D656E74692D69742F7473615F646973636C6F737572655F73746174656D656E745F616374616C69735F69742E706466130269743051164B68747470733A2F2F7777772E616374616C69732E69742F646F63756D656E74692D656E2F7473615F646973636C6F737572655F73746174656D656E745F616374616C69735F656E2E7064661302656E" > qc.hex

$ cat qc.hex | xxd -r -p | base64 > qc.pem

$ openssl asn1parse -in qc.pem
0:d=0  hl=3 l= 213 cons: SEQUENCE          
3:d=1  hl=2 l=   8 cons: SEQUENCE          
5:d=2  hl=2 l=   6 prim: OBJECT            :0.4.0.1862.1.1
13:d=1  hl=2 l=  11 cons: SEQUENCE          
15:d=2  hl=2 l=   6 prim: OBJECT            :0.4.0.1862.1.3
23:d=2  hl=2 l=   1 prim: INTEGER           :14
26:d=1  hl=2 l=   8 cons: SEQUENCE          
28:d=2  hl=2 l=   6 prim: OBJECT            :0.4.0.1862.1.4
36:d=1  hl=3 l= 177 cons: SEQUENCE          
39:d=2  hl=2 l=   6 prim: OBJECT            :0.4.0.1862.1.5
47:d=2  hl=3 l= 166 cons: SEQUENCE          
50:d=3  hl=2 l=  81 cons: SEQUENCE          
52:d=4  hl=2 l=  75 prim: IA5STRING         :https://www.actalis.it/documenti-it/tsa_disclosure_statement_actalis_it.pdf
129:d=4  hl=2 l=   2 prim: PRINTABLESTRING   :it
133:d=3  hl=2 l=  81 cons: SEQUENCE          
135:d=4  hl=2 l=  75 prim: IA5STRING         :https://www.actalis.it/documenti-en/tsa_disclosure_statement_actalis_en.pdf
212:d=4  hl=2 l=   2 prim: PRINTABLESTRING   :en
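The asn1parse output above shows the structure but leaves the reader to map the OIDs and to notice that asn1parse prints INTEGER values in hex (the `:14` under 0.4.0.1862.1.3 is 20 decimal, i.e. a 20-year retention period). The following is an added example, not code from the gist: a small pure-Python DER walker that decodes the same qcStatements value, names the ETSI EN 319 412-5 statements by OID, and decodes the statementInfo of QcRetentionPeriod and QcPDS. QC_HEX is the hex dump copied from the output above; the OID table and all function names are this example's own, and the walker handles any DER length encoding, so it works on the qcStatements value of other certificates too.

```python
# Added example (not part of the gist): decode a qcStatements extension value
# without OpenSSL, using only the Python standard library.

# Hex dump of the qcStatements OCTET STRING, copied from the asn1parse output above.
QC_HEX = (
    "3081D53008060604008E460101300B060604008E4601030201143008060604008E460104"
    "3081B1060604008E4601053081A63051164B68747470733A2F2F7777772E616374616C69"
    "732E69742F646F63756D656E74692D69742F7473615F646973636C6F737572655F737461"
    "74656D656E745F616374616C69735F69742E706466130269743051164B68747470733A2F"
    "2F7777772E616374616C69732E69742F646F63756D656E74692D656E2F7473615F646973"
    "636C6F737572655F73746174656D656E745F616374616C69735F656E2E7064661302656E"
)

# Statement identifiers from ETSI EN 319 412-5 (id-etsi-qcs arc 0.4.0.1862.1).
ETSI_QC_OIDS = {
    "0.4.0.1862.1.1": "QcCompliance",
    "0.4.0.1862.1.2": "QcLimitValue",
    "0.4.0.1862.1.3": "QcRetentionPeriod",
    "0.4.0.1862.1.4": "QcSSCD",
    "0.4.0.1862.1.5": "QcPDS",
    "0.4.0.1862.1.6": "QcType",
}


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at data[pos]."""
    if pos + 2 > len(data):
        raise ValueError("truncated element header")
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not expected in qcStatements")
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("element runs past end of input")
    return tag, data[pos:end], end


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 sub-identifiers) to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]                      # first two arcs are packed into one sub-identifier
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def decode_statement_info(oid, info):
    """Decode the optional statementInfo for the ETSI statements that carry one."""
    if not info:
        return None
    if oid == "0.4.0.1862.1.3":            # QcRetentionPeriod ::= INTEGER (years)
        tag, val, _ = read_tlv(info)
        if tag != 0x02:
            raise ValueError("QcRetentionPeriod must be an INTEGER")
        return int.from_bytes(val, "big", signed=True)
    if oid == "0.4.0.1862.1.5":            # QcPDS ::= SEQUENCE OF PdsLocation
        tag, locations, _ = read_tlv(info)
        if tag != 0x30:
            raise ValueError("QcPDS must be a SEQUENCE")
        result, pos = [], 0
        while pos < len(locations):
            _, loc, pos = read_tlv(locations, pos)
            url_tag, url, p = read_tlv(loc)          # IA5String url
            lang_tag, lang, _ = read_tlv(loc, p)     # PrintableString language
            if url_tag != 0x16 or lang_tag != 0x13:
                raise ValueError("PdsLocation must be IA5String + PrintableString")
            result.append((url.decode("ascii"), lang.decode("ascii")))
        return result
    return info.hex()                      # anything else: keep the raw DER as hex


def parse_qc_statements(der):
    """Parse qcStatements ::= SEQUENCE OF SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("qcStatements must be exactly one SEQUENCE")
    statements, pos = [], 0
    while pos < len(body):
        tag, stmt, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("each QCStatement must be a SEQUENCE")
        oid_tag, oid_val, p = read_tlv(stmt)
        if oid_tag != 0x06:
            raise ValueError("statementId must be an OBJECT IDENTIFIER")
        oid = decode_oid(oid_val)
        statements.append({
            "oid": oid,
            "name": ETSI_QC_OIDS.get(oid, "unknown"),
            "info": decode_statement_info(oid, stmt[p:]),
        })
    return statements


QC_DER = bytes.fromhex(QC_HEX)

if __name__ == "__main__":
    for s in parse_qc_statements(QC_DER):
        print(f"{s['oid']:<16} {s['name']:<18} {s['info']}")
```

Run as-is it lists the four statements found in the dump: QcCompliance and QcSSCD with no info, QcRetentionPeriod with the value 20, and QcPDS with the two (URL, language) pairs. The walker rejects indefinite lengths, elements that run past the input, and the wrong tag at each position, so a malformed or truncated extension raises ValueError instead of producing a partial result.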
