Monday, October 1, 2012

SSL certificate commands and tips


Verify an SSL certificate

  1. Using an online SSL checker: https://www.ssllabs.com/ssltest/index.html
  2. Using openssl (prints the server certificate and the chain it sends):
     $ openssl s_client -showcerts -connect test.domain.net:443

How to create a PFX file that includes the private key, the certificate and the certification chain?

$ cat thawtesecca.crt thawteprimca.crt > thawte_chain.crt
$ openssl pkcs12 -export -out test.domain.net_2012.pfx -inkey test.domain.net_2012.key -in test.domain.net_2012.crt -certfile thawte_chain.crt

openssl pkcs12 takes a single -certfile; if the option is repeated, the last one silently replaces the earlier ones, so the intermediate and root certificates are concatenated into one file first.
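Added example, not from the original post, showing the -certfile pitfall end to end: it builds a throwaway root, intermediate and leaf, packages the leaf the wrong way and the right way, and counts the certificates each PFX actually holds. The names, subjects and password are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: show why the intermediate and
# root certificates must be concatenated into ONE file before -certfile.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS="pass:constructed-example-password"   # constructed, not a real secret

# Constructed throwaway chain: root -> intermediate -> leaf
mkcsr() {   # $1 = name, $2 = subject: new RSA key plus CSR
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
sign() {    # $1 = name to sign, $2 = issuer name
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Root" -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
mkcsr inter "/CN=Example Intermediate"; sign inter root
mkcsr leaf  "/CN=test.domain.net";      sign leaf  inter

# Count the certificates stored in a PFX (leaf plus whatever chain got in).
count_pfx_certs() {   # $1 = pfx file
    openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Wrong: two -certfile options. openssl pkcs12 keeps only the last one given.
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/inter.crt" -certfile "$WORK/root.crt" \
    -out "$WORK/wrong.pfx" -passout "$PASS"
# Right: concatenate the chain into one PEM file and pass that file once.
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.crt"
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/chain.crt" -out "$WORK/right.pfx" -passout "$PASS"

echo "wrong.pfx holds $(count_pfx_certs "$WORK/wrong.pfx") certificates"   # 2
echo "right.pfx holds $(count_pfx_certs "$WORK/right.pfx") certificates"   # 3
```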

How to see the information inside a CSR?

Normally a CSR looks like this:
$ cat test.domain.net_2012.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
But if you decode it with openssl:
$ openssl req -in test.domain.net_2012.csr -noout -text

Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=CA, ST=Quebec, L=Montreal, O=USer Inc., OU=SOC, CN=test.domain.net/emailAddress=soc@test.domain.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:a5:83:4e:65:96:36:b6:84:87:85:e0:c3:12:d1:
                   47:21:30:45:b3:d1:be:7e:38:be:8b:41:ab:4b:55:
                   a6:45:85:06:09:e2:35:fb:9f:b8:f2:4e:ab:20:68:
                   a6:d9:6c:1c:c5:87:c1:a1:f5:60:65:44:9a:15:3c:
                   
                   8b:53:3f:6b:64:7e:2e:50:ec:35:1c:71:0f:42:4e:
                   bd:dd
               Exponent: 65537 (0x10001)
       Attributes:
           a0:00
   Signature Algorithm: sha1WithRSAEncryption
       7a:90:48:34:cb:70:47:af:54:a2:c2:f4:5e:5a:4c:57:a3:44:
       9b:6d:04:ec:b8:11:59:fb:32:c9:86:f4:a4:2f:5c:ad:df:cb:

       9d:48:08:1d:60:5c:17:fc:f0:9a:13:ed:cd:9b:80:95:85:49:
       6a:4b:54:75
you can see all the information in the CSR before you send it for signing.

Check that the CSR corresponds to the private key

$ diff <(openssl rsa -in test.domain.net_2012.key -modulus -noout) <(openssl req -in test.domain.net_2012.csr -noout -modulus)
If diff prints nothing, the two moduli are identical and the CSR was generated from that key (the <( ) process substitution needs bash).

Check what is inside the certificate you got from the CA (certificate authority)

$ openssl x509 -in test.domain.net_2012.crt -noout -text

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           73:68:b7:62:11:51
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA
       Validity
           Not Before: Aug 20 00:00:00 2012 GMT
           Not After : Oct 19 23:59:59 2014 GMT
       Subject: C=CA, ST=Quebec, L=Montreal, O=User Inc., CN=test.domain.net
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:a5:83:4e:65:96:36:b6:84:87:85:e0:c3:12:d1:
                   47:21:30:45:b3:d1:be:7e:38:be:8b:41:ab:4b:55:
                   a6:45:85:06:09:e2:35:fb:9f:b8:f2:4e:ab:20:68:
                   a6:d9:6c:1c:c5:87:c1:a1:f5:60:65:44:9a:15:3c:

                   8b:53:3f:6b:64:7e:2e:50:ec:35:1c:71:0f:42:4e:
                   bd:dd
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Alternative Name: 
               DNS test.domain.net
           X509v3 Basic Constraints: 
               CA:FALSE
           X509v3 Certificate Policies: 
               Policy: 2.16.840.1.113733.1.7.54
                 CPS: https://www.thawte.com/cps/
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           X509v3 Authority Key Identifier: 
               keyid:A7:A2:83:BB:34:45:40:3D:A1:01:9F:F6:DB
           X509v3 CRL Distribution Points: 
               Full Name:
                 URI:http://svr-ov-crl.thawte.com/ThawteOV.crl
           X509v3 Extended Key Usage: 
               TLS Web Server Authentication, TLS Web Client Authentication
           Authority Information Access: 
               OCSP - URI:http://ocsp.thawte.com
               CA Issuers - URI:http://svr-ov-aia.thawte.com/ThawteOV.cer
   Signature Algorithm: sha1WithRSAEncryption
       34:3f:66:4f:7b:3e:44:f6:88:d8:de:62:3f:93:34:55:fd:7e:

       20:94:60:f8:6e:99:88:73:8f:86:6b:55:38:31:a1:0a:e2:c0:
       f9:22:0f:e7

Verify that the certificate you got corresponds to the correct private key

$ diff <(openssl rsa -in test.domain.net_2012.key -modulus -noout) <(openssl x509 -in test.domain.net_2012.crt -noout -modulus)
If diff prints nothing, the certificate was issued for the public key belonging to that private key.
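An added example (not from the original post) that generalises the two diff checks above: it compares the full public key instead of only the RSA modulus, so it also covers EC keys, and it cannot report a false match when a file is missing, since any failed openssl call fails the check. All key material is generated on the fly; test.domain.net is the post's placeholder name.

```sh
#!/bin/sh
# Added example, not from the original post: check that a private key belongs
# to a CSR or to a certificate by comparing the public key each one carries.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Print the SubjectPublicKeyInfo (PEM) held in a private key, a CSR or a cert.
# All three commands emit the same PEM for the same key, so a plain string
# compare is enough, and it works for EC keys where -modulus does not.
pubkey_pem() {    # $1 = key | req | x509 ; $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
    esac
}

# Exit 0 when the key matches the CSR/certificate, 1 otherwise. A missing or
# unreadable file makes an openssl call fail, so two empty outputs can never
# "match" (the trap in a bare diff of the two -modulus outputs).
key_matches() {   # $1 = private key ; $2 = req | x509 ; $3 = CSR or cert file
    kpub=$(pubkey_pem key "$1") && opub=$(pubkey_pem "$2" "$3") \
        && [ -n "$kpub" ] && [ "$kpub" = "$opub" ]
}

# Constructed sample material: key A with its CSR and a self-signed cert,
# plus an unrelated key B (all throwaway, generated on the fly).
openssl genrsa -out "$WORK/a.key" 2048 2>/dev/null
openssl req -new -key "$WORK/a.key" -subj "/CN=test.domain.net" -out "$WORK/a.csr"
openssl req -new -x509 -key "$WORK/a.key" -subj "/CN=test.domain.net" -days 1 -out "$WORK/a.crt"
openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null

key_matches "$WORK/a.key" req  "$WORK/a.csr" && echo "key A matches the CSR"
key_matches "$WORK/a.key" x509 "$WORK/a.crt" && echo "key A matches the certificate"
key_matches "$WORK/b.key" x509 "$WORK/a.crt" || echo "key B does NOT match the certificate"
```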