Common OpenSSL commands
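#!/usr/bin/env bash
#
# Common OpenSSL commands: builds a throwaway two-tier PKI in the current
# directory (self-signed root CA, a root-signed server certificate, an
# intermediate CA with its own server certificate), issues a CRL, runs the
# verify / revoke / CRL-check cycle, and finally inspects a public TLS
# endpoint with s_client.
#
# Usage: run from an empty scratch directory. It writes ca.*, server.*,
#        index.txt, serial, crl.pem, crl_chain.pem and an intermediate/ tree.
# Env:   KEY_BITS   RSA modulus size for every generated key (default 2048).
#
# Demo caveats that a real deployment must NOT copy:
#   * -nodes writes every private key unencrypted to disk. umask 077 below
#     keeps the files owner-only, but they are still plaintext.
#   * default_days = 7300 (20 years) for CA certificates and -days 3760 for
#     leaf certificates are far beyond what public TLS clients accept.
#   * the root key signs a leaf certificate directly; in production the root
#     stays offline and only the intermediate issues end-entity certificates.
#   * set -x traces every command (no secrets appear on argv, keys go to files).
#   * the last two commands reach the network (www.paypal.com:443).
set -euxo pipefail

# OpenSSL creates key files with the process umask; make them owner-only.
umask 077

KEY_BITS="${KEY_BITS:-2048}"

# 'openssl ca' refuses to run without its database file.
touch index.txt
touch RANDFILE

# CA configuration. The heredoc delimiter is quoted so that $dir and
# $ENV:: reach the file literally -- they are OpenSSL config references,
# not shell variables.
cat <<'EOF' > ca.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = $dir
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/.rnd
unique_subject = no
private_key = $dir/ca.key.pem
certificate = $dir/ca.cert.pem
default_crl_days = 30
default_days = 7300
default_md = sha256
policy = policy_match
# Every CSR this CA signs must carry the same C / ST / O as the CA itself.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Only used when -newkey does not name a size; the script always passes one.
default_bits = 4096
prompt = no
distinguished_name = req_distinguished_name
# Only consulted by 'req -x509', which this script never runs: extensions are
# applied at signing time via 'openssl ca -extensions'. Kept under its
# canonical (lowercase) name so it works if someone switches to req -x509.
x509_extensions = v3_ca
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# pathlen:0 stops the intermediate from issuing further CA certificates.
# cRLSign is required for the intermediate to issue CRLs for the leaf
# certificates it signs; without it, CRL checks against those leaves fail
# with a key-usage error.
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ req_distinguished_name ]
countryName = CZ
stateOrProvinceName = Prague
localityName = Prague
organizationName = Example Corp
organizationalUnitName = Engineering
commonName = Engineering Department - CA Certificate
# Extensions for client certificates (defined for reference; not issued here).
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF

# Server configuration = CA configuration plus a leaf-certificate section.
# subjectAltName is read from the environment when 'openssl ca' signs, so
# SUBJECT_ALT_NAME must be exported at issue time (CSR extensions are not
# copied into the certificate: copy_extensions is left unset).
cat ca.cnf > server.cnf
cat <<'EOF' >> server.cnf
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $ENV::SUBJECT_ALT_NAME
EOF

# Generate self-signed root CA: a CSR signed with its own key by
# 'openssl ca -selfsign'. -create_serial initialises the serial file.
openssl req -nodes -new -newkey "rsa:${KEY_BITS}" -keyout ca.key.pem -out ca.req.pem -config ca.cnf
openssl ca -create_serial -batch -extensions v3_ca -out ca.cert.pem -keyfile ca.key.pem -selfsign -config ca.cnf -infiles ca.req.pem

# Generate server certificate signed directly by the root. The -subj values
# for C / ST / O must equal the root's (policy_match).
export SUBJECT_ALT_NAME="DNS:example.com"
openssl req -extensions server_cert -nodes -new -newkey "rsa:${KEY_BITS}" -keyout server.key.pem -out server.csr.pem -config server.cnf \
  -subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=example.com"
openssl ca -batch -config server.cnf -extensions server_cert -days 3760 -notext -in server.csr.pem -out server.cert.pem
unset SUBJECT_ALT_NAME

# Generate intermediate CA and a server certificate issued by it. The
# intermediate gets its own copy of the configs, so dir=. resolves to its
# own key, certificate and database.
rm -rf intermediate && mkdir -p intermediate
(
  cd intermediate
  cp ../ca.cnf ca.cnf && cp ../server.cnf server.cnf
  touch index.txt && touch RANDFILE
  openssl req -nodes -new -newkey "rsa:${KEY_BITS}" -keyout ca.key.pem -out ca.req.pem -config ca.cnf \
    -subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=Engineering Department - Intermediate CA Certificate"
  # The root signs the intermediate CSR from the parent directory.
  (
    cd ..
    openssl ca -batch -extensions v3_intermediate_ca -out intermediate/ca.cert.pem -keyfile ca.key.pem -config ca.cnf -infiles intermediate/ca.req.pem
  )
  export SUBJECT_ALT_NAME="DNS:intermediate.example.com"
  openssl req -extensions server_cert -nodes -new -newkey "rsa:${KEY_BITS}" -keyout server.key.pem -out server.csr.pem -config server.cnf \
    -subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=Engineering Department - Server B Certificate"
  openssl ca -create_serial -batch -config server.cnf -extensions server_cert -days 3760 -notext -in server.csr.pem -out server.cert.pem
  unset SUBJECT_ALT_NAME
)

# Verify the intermediate-issued server certificate up to the root: only the
# root is trusted, the intermediate is supplied as an untrusted chain link.
openssl verify -verbose -CAfile ca.cert.pem -untrusted intermediate/ca.cert.pem intermediate/server.cert.pem

# Generate CRL
openssl ca -gencrl -keyfile ca.key.pem -cert ca.cert.pem -out crl.pem -config ca.cnf

# Check CRL
openssl crl -in crl.pem -text

# Verify certificate info
openssl x509 -in server.cert.pem -noout -text

# Verify certificate against CA:
openssl verify -verbose -CAfile ca.cert.pem server.cert.pem

# Verify certificate against CA+CRL (the CRL is appended to the trust file):
cat ca.cert.pem crl.pem > crl_chain.pem
openssl verify -crl_check -CAfile crl_chain.pem server.cert.pem

# Verify that the private key is consistent and matches the certificate.
# Comparing SubjectPublicKeyInfo digests works for any key type (the modulus
# trick is RSA-only) and the result is actually asserted.
openssl rsa -check -noout -in server.key.pem
key_pub_digest=$(openssl pkey -in server.key.pem -pubout | openssl dgst -sha256)
cert_pub_digest=$(openssl x509 -in server.cert.pem -pubkey -noout | openssl dgst -sha256)
if [[ "$key_pub_digest" != "$cert_pub_digest" ]]; then
  echo "server.key.pem does not match server.cert.pem" >&2
  exit 1
fi

# Revoke server certificate and publish a fresh CRL
openssl ca -revoke server.cert.pem -keyfile ca.key.pem -cert ca.cert.pem -config ca.cnf
openssl ca -gencrl -keyfile ca.key.pem -cert ca.cert.pem -out crl.pem -config ca.cnf

# Verify certificate against new CA+CRL: this MUST now fail, so treat a
# successful verify as an error instead of swallowing the result.
cat ca.cert.pem crl.pem > crl_chain.pem
if openssl verify -crl_check -CAfile crl_chain.pem server.cert.pem; then
  echo "revoked server.cert.pem still verifies against the new CRL" >&2
  exit 1
fi

# Start a TLS connection. </dev/null closes stdin so s_client exits after the
# handshake instead of waiting for input; -servername sends SNI. Note that
# s_client exits 0 even when chain verification fails (see "Verify return
# code" in its output); add -verify_return_error to make that fatal.
openssl s_client -connect www.paypal.com:443 -servername www.paypal.com </dev/null

# Show all certs presented by the server
openssl s_client -showcerts -servername www.paypal.com -connect www.paypal.com:443 </dev/null 2>/dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

# Some more sources:
# https://www.sslshopper.com/article-most-common-openssl-commands.html
# https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
# https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/2.1/html/administration_guide/chap-red_hat_update_infrastructure-administration_guide-certification_revocation_list_crl
# https://www.phildev.net/ssl/opensslconf.html
# https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html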