openssl

Check certificate

openssl x509 -in certificatfile.crt -text -noout

Check DER certificate

openssl x509 -in certificat.der -noout -text -inform DER

Check PEM certificate

openssl x509 -in certificat.pem -noout -text -inform PEM

Check CSR 

openssl req -in certificat.csr  -noout -text
 
 
Check TLS connection with client certificate
# -tls1 pins the handshake to TLS 1.0, which RFC 8996 deprecates; against current servers use -tls1_2 or -tls1_3.
# -verify 9 sets the maximum chain depth; -CApath names the directory of trusted root certificates.
openssl s_client -cert certificatefile.pem  -connect server:443 -tls1 -verify 9 -CApath /cert/rootcerts/

Check certificate chain (with client cert) (trusted):

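# -connect takes host:port (a colon, not a dot); -showcerts prints every certificate the server sends.
openssl s_client -cert certificat.pem  -connect server:443 -tls1 -verify 9 -CApath /cert/rootcerts/ -showcerts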
verify depth is 9
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
verify return:1
depth=0 /C=JP/ST=Tokyo/L=Minato/O=Company XXXX/OU=IT Planning and Control Department/CN=www.huybao.de
verify return:1
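Check certificate chain (untrusted). Note: unlike the trusted example, the command below passes no -cert and no -CApath, so no client certificate is sent. s_client reports the verify errors but still completes the handshake (verify return:1); add -verify_return_error to make it stop on a verification error.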

openssl s_client  -connect google.de:443 -tls1 -verify 9  -showcerts
verify depth is 9
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, O = Google Inc, CN = google.com
verify return:1
---
 
Encrypt data with openssl
 
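# Encrypts to the recipient certificate; only the public key in certificat.pem is needed.
# AES-256 is used rather than 3DES (-des3), a legacy 64-bit-block cipher; the cipher is recorded in the message.
# -engine padlock only works on VIA PadLock hardware; drop it on other machines.
# /tmp/baotest is a fixed name in a world-writable directory; write real data to a private directory.
openssl smime -encrypt -in /etc/hosts -out /tmp/baotest -nodetach -binary -aes256 -outform DER -engine padlock certificat.pem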
 
Decrypt data with openssl (certfile.pem must contain public and private key)
 
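# certfile.pem must hold the recipient certificate and its private key; keep it readable by the owner only.
# No cipher option is needed when decrypting: the content-encryption algorithm is read from the message.
openssl smime -decrypt -out /tmp/baooout -in /tmp/baotest -inform DER -binary -engine padlock -recip certfile.pem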
 
Convert DER to PEM
openssl x509 -in certtificat.crt -inform DER -out certificat.pem -outform PEM
 
 
Generate RSA private key
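# Prompts for a passphrase and encrypts the new key with AES-256 rather than the legacy 3DES (-des3).
openssl genrsa -aes256 -out certficate.csr.key 2048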


Generate CSR

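# Creates a CSR from the private key; a space is required between the key file name and -out.
openssl req -new -key certficate.csr.key -out certificate.csr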
 
Remove password from private key
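# The output file holds the key unencrypted: anyone who can read it can use the key.
# umask 077 in a subshell keeps a newly created output file readable by the owner only.
(umask 077 && openssl rsa -in certficate.csr.key -out certficate.csr.key.withoupwd)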
 
Check if private key matches the public key (the two digests below must be identical)
 
Check private key
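# -modulus alone is enough; without -text the private key components are not written into the pipe.
# MD5 serves only as a short fingerprint for comparing the two moduli, not as a security control.
openssl rsa -modulus -noout -in privatkey.key | grep Modulus= | openssl md5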
 
Check public key (taken from the certificate)
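# Prints the MD5 of the certificate's RSA modulus; it must equal the digest computed from the private key.
openssl x509 -modulus -noout -in certifcate.cert | grep Modulus= | openssl md5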
 
check crl 
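# Displays the CRL contents only; -noout suppresses the encoded copy.
# The CRL signature is not checked unless the issuer certificate is supplied with -CAfile.
openssl crl -in portal_crl.pem -text -noout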