CertOpensslCommand < CF

CF Web>CertMaintenanceCollapsed>CertOpensslCommand (2019-01-09, AdrianPepper) (raw view)
---+ openssl command

_The =openssl= command is available for use by all users._
_The intended audience for this page is system administrators_
_who can submit requests which IST will recognize.__


%TOC%


The _[[http://www.openssl.org/docs/apps/openssl.html][openssl]]_ command is part of the openssl software package,
and allows the user to manipulate components in various ways.
It has a bewildering array of sub-commands and options, but if you learn a certain
subset it will help you to become comfortable with the various components of SSL
as used at the University of Waterloo.

---++ =openssl= examples

You should be able to go to an empty directory and literally cut-and-paste the
following Unix commands to get an idea of SSL key structure.

---+++ Generate a new private key
<verbatim>
    mkdir private
    chmod 700 private
    openssl genrsa -out private/new2048.key 2048
</verbatim>
---+++ View details of that private key
<verbatim>
    openssl rsa < private/new2048.key -text
</verbatim>
---+++ Show the public key corresponding to a private key
<verbatim>
    openssl rsa -in private/new2048.key -pubout
</verbatim>
---+++ View details of that public key (?)
<verbatim>
    openssl rsa -in private/new2048.key -pubout -text
</verbatim>
Actually, it seems =-text= applies to the input private key, and you need...
<verbatim>
    openssl rsa -in private/new2048.key -pubout | openssl rsa -pubin -text
</verbatim>
---+++ Generate a new Certificate Signing Request (CSR)
<verbatim>
    openssl req -new -key private/new2048.key -out new.csr
</verbatim>
(requires answering questions on standard input)

Or:
<verbatim>
    openssl req -new -key private/new2048.key -out new.csr \<br> -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=test.cs.uwaterloo.ca/emailAddress=username@domainname' 
</verbatim>

For =username@domainname= you will often use
%INCLUDE{"CFPrivate.EMailAddressCscfCerts" INDENT="4"}%


---+++ (NEW!) Generate a new private key and use it for a new CSR in one command
<verbatim>
    openssl req -new -newkey rsa:2048 -nodes -keyout private/new2048.key -out new.csr \<br> -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=test.cs.uwaterloo.ca/emailAddress=username@domainname' 
</verbatim>
Note: noDES does not (now?) seem to work in place of -nodes

---+++ See Details of that CSR
<verbatim>
    openssl req < new.csr -text
</verbatim>
(You will see the public key in there in a different format).

---+++ (NEW!) Generate CSR from a config file
<verbatim>
    openssl req -new -out cs-uwaterloo-ca.csr -nodes -key cs-uwaterloo-ca.key -config cs-uwaterloo-ca.cnf
</verbatim>

This is easier to correctly extend than the commandline =-subj= syntax.

---+++ See the Public Key in a CSR in x509ish format
<verbatim>
    openssl req < new.csr -pubkey -noout
</verbatim>

---+++ Generate a self-signed Certificate
This is done like a CSR, but you add an option =-x509=.
<verbatim>
    openssl req -new -key private/new2048.key -x509 -out new.pem \<br> -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=test.cs.uwaterloo.ca/emailAddress=username@domainname' 
</verbatim>

Other options:
   * =-days number= - change lifetime from default of 395 days
   * think about what you want as a subject

---+++ Sample Certificate for Further Examples
You can cut-and-paste the following into a text file =cert.pem= for 
use in the next examples.  (Or quite likely you could find another
x509 certificate to use as an example; the self-signed Certificate
from above works for most demonstrations, although it is a
special case in some respects).
<verbatim>
-----BEGIN CERTIFICATE-----
MIIDIDCCAggCAglVMA0GCSqGSIb3DQEBBAUAMEsxCzAJBgNVBAYTAkNBMRAwDgYD
VQQKDAdXYXRzaWduMRAwDgYDVQQLDAdSb290IENBMRgwFgYDVQQDDA9XYXRzaWdu
IFJvb3QgQ0EwHhcNMTEwMjI4MjAzOTQxWhcNMTIwMjI4MjAzOTQxWjBgMQswCQYD
VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBv
ZiBXYXRlcmxvbzEeMBwGA1UEAwwVdGVzdGEuY3MudXdhdGVybG9vLmNhMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArbnhpiXVI5AdC2BOQBugODKdl9Oq
EJLF7go3IERZa19F5ULhOu5JSJMnQaGm/IJR902DZTMEOeXCgkPalO1S7wwmvOEv
WgMFSi3FlcuEYMcAme4kBZLkxIUZzIWLeoRpaxqwvV46mQ6srwV09/txmEazbROr
xFfBPzOCntoMhruycbUMKWEc6lSvymun45pLZKphTnrR9BqshqocB8eLDnmzQEwi
RUgtsIcSPrCWGLtwOfEDaB6eXSp4FHKeuEqMZq6Wi7YLffNLCUj4p1Qmvp6v2ao4
Ku/PAjIOiiDuy4ByiHTh8+oRTBKMOeo+4X/Vt4XXrPdOzdU6ZNJk2f/CiwIDAQAB
MA0GCSqGSIb3DQEBBAUAA4IBAQBz325XpfHxtKV6xEduDkc3fchPx0QLEhryj8tc
phTk8qT8eTy6X/RAupifWJCTrHmyaYSYQmZFlepFqV9h38iMwjvgHBtiz3JgmyuV
emGjLsGk3ZzhimwX4R46M2cJ7RWba9X/Jbg3eo/YoATpakkYW/S8V0vB6Nes6QNh
mxOxa89caoFTsCRbVo3NEb4Mabd8ul4m67OKh9k0Dk73iRbVlx92F/P54JGW8GB0
yrmCdYMHaEUnexGSa6d+n997WJx7t2MnDqH76sIxfljff4QrzL0fXgIMQOkYij0d
Lu5lIrMTL6AcItvgx1goGlc0kLnGdj36kO44v8U+vIEUQKIk
-----END CERTIFICATE-----
</verbatim>
---+++ See Details (Verbose Form) of a certificate
<verbatim>
    openssl x509 < cert.pem -text
</verbatim>
That is the easiest way to check the expiry date, for example.
---+++ Extract public key from a certificate
<verbatim>
    openssl x509 < cert.pem -pubkey -noout
</verbatim>

---+++ View multiple PEM certificates in one file as text

I have shameless stolen the following from
https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle

<verbatim>
    openssl crl2pkcs7 -nocrl -certfile BUNDLE.pem | openssl pkcs7 -print_certs -text -noout
</verbatim>

E.g. to get a characterization of the certificates actually in a multi-certifica
te pem file...

<verbatim>
    root@vpn:/etc/apache2/ssl# openssl crl2pkcs7 -nocrl -certfile vpn.cs.uwaterloo.ca.pem | openssl pkcs7 -print_certs -text -noout | egrep 'Subject:|Issuer:|After'
            Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
                Not After : Feb 17 14:41:02 2020 GMT
            Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=vpn.cs.uwaterloo.ca
            Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
                Not After : Feb 20 10:00:00 2024 GMT
            Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
    root@vpn:/etc/apache2/ssl# 
</verbatim>


---+++ View a .der (binary) certificate
This example requires the *base64* command.  *lynx* is used to fetch
a binary certificate from the web, and *perl* is used to add the
*BEGIN* and *END* lines so that =openssl= will recognize it.

%RED% Unfortunately the indicated .der URL no longer works. %ENDCOLOR%

<verbatim>
bash@ubuntu% lynx -source http://ist.uwaterloo.ca/security/IST-CA/cacert.der | \<br/>   base64 | perl -e 'print "-----BEGIN CERTIFICATE-----\n";
   while (<>) {print;}<br />   print "-----END CERTIFICATE-----\n" '| \<br />   openssl x509 -text
</verbatim>

Using *lynx* like that is a bad habit of mine.  I should really get used to
using *wget* instead.

Furthermore, *openssl* can work with different formats.  As in...

<verbatim>
    lynx -source http://ist.uwaterloo.ca/security/IST-CA/cacert.der | \<br />     openssl x509 -inform der -text
</verbatim>

A note.
<verbatim>
    lynx -source http://ist.uwaterloo.ca/security/IST-CA/cacert.der | \<br />     base64
</verbatim>
defaults to 76 character column wrap.  But it seems to work in the manner
we use it,
and gets reformatted by *openssl* to the standard 64 characters on output.

So arguably we should give *base64* the option *--wrap=64*.  If we ever
really need to convert a *.der* certificate that way.

Anyway, I think I have thoroughly demonstrated that
PEM is the base64 encoding of the DER encoding with header and
           footer lines added.

---+++ Use openssl to test certificate installations
%INCLUDE{IncludeCertTestOpenssl}%

---+++ Personal dsa, rsa, ecdsa and ed25519 keys

In general, =openssl= is not used for manipulating ssh keys.  But =openssl=
is useful because it will show you in readable form things like the number
of bits in the key.

Therefore (even though arguably the following doesn't belong in a page
about the =openssl= command), we give the following which demonstrates
how to take =ssh= keys and convert them to something useable by =openssl=.

---++++ Convert authorized_keys format to openssl recognizable
<verbatim>
        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8
        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 | openssl rsa -pubin -pubout -text
        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 | openssl pkey -pubin -pubout -text
</verbatim>

Similarly for the deprecated =id_dsa= algorithm.

<verbatim>
        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8
        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8 | openssl dsa -pubin -pubout -text
        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8 | openssl pkey -pubin -pubout -text
</verbatim>

Note how =pkey= can be used to avoid needing to specify whether you have =dsa= or =rsa=.

Note that the trending =ed25519= keys are not implemented by the =openssl= command.  Nor are they implemented by the =pkcs8= converter.

And, the format recognized by =openssl= is called =pkcs8/pkcs#8=.

The following will convert a =pkcs#8= (in =key.pem= ) to =authorized_keys= format.

<verbatim>
        ssh-keygen -i -m pkcs8 -f key.pem
</verbatim>

And therefore...

<verbatim>
        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 | ssh-keygen -i -m pkcs8 -f /dev/stdin > /tmp/pub
</verbatim>

Produces =/tmp/pub= which is more-or-less a copy of =~/.ssh/id_rsa.pub=.  (Actually, any trailing comment will get lost).

Similarly, although deprecated...

<verbatim>
        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8 | ssh-keygen -i -m pkcs8 -f /dev/stdin > /tmp/pub
</verbatim>


%INCLUDE{CF.IncludeCertGetFromFirefox}%

---

-- Main.AdrianPepper - 2013-07-08
Topic revision: r26 - 2019-01-09 - AdrianPepper
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.
Other Webs
My links
- People
- CERAS
- WatForm
- Tetherless lab
- Ubuntu Main.HowTo
- eDocs
- RGG NE notes
- RGG
- CS infrastructure
- Grad images
Edit