Manipulating Certificates with OpenSSL
When working with certificates, you may need to perform various operations such as creating, signing, verifying, encrypting, or decrypting certificates. OpenSSL is a powerful tool that allows you to manipulate certificates and perform these operations from the command line.
Prerequisites
Before you begin, make sure you have access to the openssl command-line tool. You can install OpenSSL on various operating systems, including Linux, macOS, and Windows. You can also use a pre-installed version of OpenSSL that comes with your operating system.
Creating a Private Key
The private key is the secret half of the key pair behind a certificate and is used for decryption and signing; the certificate carries the matching public key, which is used for encryption and verification. To create a private key using OpenSSL, you can use the following command:
openssl genrsa -out private.key 4096
This command generates a 4096-bit RSA private key and saves it to a file named private.key.
Generating a Private Key with a Passphrase
If you want to protect your private key with a passphrase, you can use the following command:
openssl genrsa -des3 -out private.key 4096
This command generates a 4096-bit RSA private key and encrypts it with the Triple DES algorithm using a passphrase. You will be prompted to enter and confirm the passphrase when running this command.
Creating a Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a request sent to a Certificate Authority (CA) to apply for a digital certificate. To create a CSR using OpenSSL, you can use the following command:
openssl req -new -key private.key -out csr.pem
This command generates a CSR using the private key stored in private.key and saves the CSR to a file named csr.pem.
Creating a CSR and the private key in one step
You can also create a CSR and the private key, while also specifying the key size, subject, and other details in one step. To do this, you can use the following command:
openssl req -new -newkey rsa:4096 -nodes -keyout private.key -out csr.pem -subj "/C=FR/ST=Lyon/L=Lyon/O=Example/CN=example.com"
This command generates a 4096-bit RSA private key and a CSR with the specified subject details and saves them to private.key and csr.pem, respectively.
The -nodes parameter writes the private key without encryption, and -newkey rsa:4096 generates a new RSA key of the given size. The -subj parameter specifies the subject details of the certificate.
Creating a Self-Signed Certificate
A self-signed certificate is a certificate signed with its own private key rather than by a separate Certificate Authority, so its issuer and its subject are the same entity. To create a self-signed certificate using OpenSSL, you can use the following command:
openssl req -x509 -newkey rsa:4096 -keyout private.key -out certificate.crt -days 365
This command generates a 4096-bit RSA private key and a self-signed certificate with a validity period of 365 days. The private key is stored in private.key, and the certificate is stored in certificate.crt.
It can be used as a root certificate for testing purposes, but it is not recommended for production use.
Creating a PKCS#12 File
A PKCS#12 file is a binary format that can store a private key, a certificate, and other certificates in a single file. To create a PKCS#12 file using OpenSSL, you can use the following command:
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12
This command creates a PKCS#12 file named certificate.p12 containing the certificate stored in certificate.crt and the private key stored in private.key.
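Before bundling certificate.crt and private.key into a PKCS#12 file, it helps to confirm that they belong together. The script below is an added example, not part of the original page: pubkey_of, key_matches and demo are hypothetical helper names, and demo builds throwaway 2048-bit sample material in a temporary directory.

```shell
#!/bin/sh
# Added example: check that a private key belongs to a certificate or CSR by
# comparing their public keys. pubkey_of and key_matches are hypothetical
# helper names, not OpenSSL commands.

# Print the public key (PEM, SubjectPublicKeyInfo) held in a file.
# $1 = kind of file: key | cert | csr      $2 = path to a PEM file
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# Return 0 if the key pairs with the other file, 1 if not, 2 on read errors.
# $1 = private key   $2 = kind of the other file (cert | csr)   $3 = its path
key_matches() {
    k=$(pubkey_of key "$1") || return 2
    o=$(pubkey_of "$2" "$3") || return 2
    [ -n "$k" ] && [ "$k" = "$o" ]
}

# Build throwaway material (constructed sample data, 2048-bit to keep it fast)
# and report how each pairing is judged.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/private.key" \
        -out "$d/certificate.crt" -days 1 -subj "/CN=example.com" 2>/dev/null
    openssl req -new -key "$d/private.key" -out "$d/csr.pem" \
        -subj "/CN=example.com" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    for pair in "private.key cert certificate.crt" "private.key csr csr.pem" \
                "other.key cert certificate.crt"; do
        set -- $pair
        if key_matches "$d/$1" "$2" "$d/$3"; then r=match; else r=MISMATCH; fi
        echo "$1 vs $3: $r"
    done
    rm -rf "$d"
}
```

After sourcing the script, call demo to see all three pairings, or run key_matches private.key cert certificate.crt against your own files.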
Viewing Certificate Information
To view the information contained in a certificate, you can use the following command:
openssl x509 -in certificate.crt -text -noout
This command displays detailed information about the certificate stored in certificate.crt. The -text parameter prints the certificate in human-readable form, and -noout suppresses the encoded certificate itself, for easier readability.
Or if you want to view the information in a PKCS#12 file, you can use the following command:
openssl pkcs12 -info -in certificate.p12
Read a certificate from a remote server
To read a certificate from a remote server, you can use the following command:
openssl s_client -connect example.com:443 -showcerts
This command connects to the server example.com on port 443 and retrieves the certificate chain. The -showcerts option displays the certificates in the chain.
You can view the certificate digest on the line “Peer signing digest: SHA256” and the key length on the line “Server public key is XXX bit”.
Determining the type of a file
Files generated by the OpenSSL command line tool can be in various formats, such as PEM, DER, or PKCS#12. To determine the type of a file, you can use the following command:
You can determine the type by looking at the first few characters of the file.
If the file starts with -----BEGIN CERTIFICATE-----, it is a PEM file containing a certificate.
If the file starts with -----BEGIN PRIVATE KEY-----, it is a PEM file containing a non-encrypted private key.
If the file starts with -----BEGIN ENCRYPTED PRIVATE KEY-----, it is a PEM file containing an encrypted private key; you need a passphrase to decrypt it.
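The header check described above can be scripted. The following is an added example, not part of the original page; pem_file_type is a hypothetical helper name. It goes beyond the three headers listed here by also recognising CSR files, the traditional RSA PRIVATE KEY header, and binary files (DER and PKCS#12 both start with the ASN.1 SEQUENCE byte 0x30, so they are reported together).

```shell
#!/bin/sh
# Added example: classify a file by its first bytes. pem_file_type is a
# hypothetical helper name, not an OpenSSL command.
pem_file_type() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    # Binary formats (DER, PKCS#12) start with an ASN.1 SEQUENCE tag, 0x30.
    byte=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case $byte in
        30) echo "binary-asn1 (DER or PKCS#12)"; return 0 ;;
        2d) ;;                      # "-": possibly a PEM header, keep going
        *)  echo "unknown"; return 1 ;;
    esac
    # First line only, tolerating CRLF line endings.
    first=$(head -n 1 "$1" | tr -d '\r')
    case $first in
        "-----BEGIN CERTIFICATE-----")           echo "pem-certificate" ;;
        "-----BEGIN CERTIFICATE REQUEST-----")   echo "pem-csr" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pem-private-key" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pem-encrypted-private-key" ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Traditional RSA format: encryption is flagged in a header line.
            if sed -n '2p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "pem-encrypted-private-key"
            else
                echo "pem-private-key"
            fi ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Classify every file named on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(pem_file_type "$f")"
done
```

The 0x30 test is a heuristic: it cannot tell a DER certificate from a PKCS#12 bundle, so confirm a binary file with openssl x509 or openssl pkcs12 as shown earlier.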