antisaWiki

User Tools

Site Tools

Trace:
wiki:openssl_commands

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
wiki:openssl_commands [2021/11/03 10:51] – add Get OCSP stapling info antisawiki:openssl_commands [2025/10/16 08:46] (current) – add CSR check command and fix indent antisa
Line 2: Line 2:
  
 ====== Openssl commands ====== ====== Openssl commands ======
 +===== Check CSR =====
 +  openssl req -text -noout -verify -in google.com.csr
 +  
 ===== Get cert expiration date from cert file ===== ===== Get cert expiration date from cert file =====
  
-   openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem+  openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem
  
 ===== Verfiy certs ===== ===== Verfiy certs =====
  
-   openssl verify -CAfile certs/rootCA.crt certs/client.crt+  openssl verify -CAfile certs/rootCA.crt certs/client.crt
  
-   openssl verify -CAfile certs/rootCA.crt certs/server.crt+  openssl verify -CAfile certs/rootCA.crt certs/server.crt
  
 ===== Query site for expiration date ===== ===== Query site for expiration date =====
  
-   echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer +  echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer
 ===== Determine a Key Size from  ===== ===== Determine a Key Size from  =====
 ==== Private Key ==== ==== Private Key ====
Line 36: Line 38:
 ===== Get cert file from site ===== ===== Get cert file from site =====
  
-  openssl s_client -connect example.com:443 -servername example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'public.crt+  openssl s_client -connect example.com:443 -servername example.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout 
 + 
 +<WRAP center round info 60%> 
 +-connect can be the IP address of a server and is not necessarily the same as the -servernameUse -servername when sharing multiple SSL hosts on a single IP address, 
 +</WRAP>
  
 ===== Get OCSP stapling info ===== ===== Get OCSP stapling info =====
Line 42: Line 48:
   echo QUIT | openssl s_client -servername www.example.com:443 -connect xx.xxx.xxx.xx:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'   echo QUIT | openssl s_client -servername www.example.com:443 -connect xx.xxx.xxx.xx:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
  
 +
 +===== Check if certificate is valid with private key =====
 +If you get an error like
 +
 +  Oct 23 17:55:05 hpb01-rp nginx[2837]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/some.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
 +
 +Check certificate and private key
 +
 +  openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1
 +
 +  openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1
 +
 +You need to get the same sha sum from both commands.
 +
 +
 +
 +===== Additional commands that can be used to inspect Certificates =====
 + 
 +The openssl x509 utility also allows you to extract specific pieces of information from the certificate file instead of the entire content of a certificate in text.  
 +
 +  openssl x509 -in google.com-cert -noout -serial
 +
 +  openssl x509 -in google.com-cert -noout -issuer
 +
 +  openssl x509 -in google.com-cert -noout -dates
 +
 +  openssl x509 -in google.com-cert -noout -subject
 +
 +  openssl x509 -in google.com-cert -noout -pubkey
 +
 +  openssl x509 -in google.com-cert -noout -modulus
 +
 +  openssl x509 -in google.com-cert -noout -ocsp_uri
 +Note: Last command may not work in all versions of OpenSSL 
 +
 +You can also mix and match arguments from the last step: 
 +
 +  openssl x509 -in google.com-cert -noout -subject -issuer
 +
 +  openssl x509 -in google.com-cert -noout -serial -dates
 +
 +You can also request specific extensions from the certificate: 
 +
 +  openssl x509 -in google.com-cert -noout -ext subjectAltName 
 +
 +  openssl x509 -in google.com-cert -noout -ext basicConstraints
 +
 +  openssl x509 -in google.com-cert -noout -ext crlDistributionPoints
 +
 +  openssl x509 -in google.com-cert -noout -ext keyUsage
 +
 +  openssl x509 -in google.com-cert -noout -ext extendedKeyUsage
 +
 +  openssl x509 -in google.com-cert -noout -ext authorityInfoAccess
 +
 +  openssl x509 -in google.com-cert -noout -ext subjectKeyIdentifier
 +
 +  openssl x509 -in google.com-cert -noout -ext authorityKeyIdentifier
 +
 +
 +====== See also ======
 +  * [[wiki:creating_ca_and_signing_server_and_client_certs_with_openssl|Creating CA and signing server and client certs with openssl]]
 +
 +====== References ======
 +  * https://www.xolphin.com/support/OpenSSL/Frequently_used_OpenSSL_Commands
 +  * https://www.namecheap.com/support/knowledgebase/article.aspx/9781/2238/nginx-ssl-error0b080074x509-certificate-routines-x509checkprivatekeykey-values-mismatch
 +  * https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
 +  * https://pleasantpasswords.com/info/pleasant-password-server/b-server-configuration/3-installing-a-3rd-party-certificate/openssl-commands
wiki/openssl_commands.1635936687.txt.gz · Last modified: by antisa
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki