Some Useful OpenSSL Commands
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_0cli/BIG_IP9_0XCLIGuide2-5-1.html
Read content of a cert:
openssl x509 -text -in server.crt
Read content of a CSR:
openssl req -in server.csr -noout -text
Check if a key has a password:
openssl rsa -in keyfile.key [if it prompts for a password, the key was created with a password]
Check if a cert and key match:
The md5sum from both the commands below should be the same for them to be a pair:
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in keyfile.key | openssl md5
Creating a self-signed SSL certificate:
Create a private key:
openssl genrsa -des3 -out server.key 2048 [we can choose whether or not to use a password while creating the key; if no password is required, just press Enter and don't input any password]
Generating a certificate signing request (CSR):
openssl req -new -key server.key -out server.csr
It prompts for the following:
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, application's name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Creating the certificate:
openssl x509 -req -days <no. of days> -in server.csr -signkey server.key -out server.crt
Example: If a certificate valid for one year is needed, the relevant command would be as follows:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Testing an SSL connection with openssl:
If there is a VIP or a server IP configured on a port with SSL certificates attached to it, telnet cannot be used to test content on it (for checking ECV monitors) the way it can with normal HTTP VIPs/server IPs. In these cases openssl can be used, thus:
openssl s_client -connect <ip>:<port>
This opens an SSL connection to the server and prints the certificate it presents. At the prompt we can type the GET request line, Host header, etc., to test the content on the VIP/server IP.
--------------------------------------------------------------------------------------------------------------------------
Getting the certificate dates
echo | openssl s_client -connect remotedeposit-cit2.bankofamerica.com:443 2>/dev/null | openssl x509 -noout -dates
or
curl -kv https://abc.example.com 2>&1 | grep expire
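The self-signed workflow above, followed by the page's own cert/key match and date checks, run end to end as an added example (not part of the original post). It is made non-interactive by generating the key without -des3 and passing the CSR subject with -subj instead of answering the prompts; it assumes the openssl CLI is on PATH, and the hostname and file names are constructed.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed cert, then the checks from this page.
# Assumes openssl is on PATH. All file names and the CN are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private key, without -des3 so nothing prompts for a passphrase
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null

# 2. CSR, subject fields supplied on the command line instead of at the prompts
openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=www.example.test"

# 3. Self-signed certificate valid for one year
openssl x509 -req -days 365 -in "$WORK/server.csr" \
  -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null

# Returns 0 when cert and key share the same RSA modulus (the page's md5 check).
cert_key_match() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
  [ "$c" = "$k" ]
}

# Prints the notBefore= / notAfter= lines of a certificate file.
cert_dates() {
  openssl x509 -noout -dates -in "$1"
}

# Returns 0 when the certificate will still be valid $2 seconds from now
# (openssl's -checkend), which is the question an expiry monitor asks.
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# An unrelated key, to show the negative case of the match check
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

if cert_key_match "$WORK/server.crt" "$WORK/server.key"; then
  echo "server.crt and server.key are a pair"
fi
if ! cert_key_match "$WORK/server.crt" "$WORK/other.key"; then
  echo "server.crt and other.key do NOT match"
fi
cert_dates "$WORK/server.crt"
cert_valid_for "$WORK/server.crt" 86400 && echo "still valid tomorrow"
```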