Differences

This shows you the differences between two versions of the page.

--- wiki:openssl_commands [2022/10/11 13:25] – add References antisa
+++ wiki:openssl_commands [2023/03/17 16:11] (current) – [Get cert file from site] add info box antisa
@@ Line 14: / Line 14: @@
 ===== Query site for expiration date =====
-   echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer
+  echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer
 ===== Determine a Key Size from  =====
 ==== Private Key ====
@@ Line 36: / Line 35: @@
 ===== Get cert file from site =====
-  openssl s_client -connect example.com:443 -servername example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
+  openssl s_client -connect example.com:443 -servername example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -in - -text -noout
+<WRAP center round info 60%>
+-connect can be the IP address of a server and is not necessarily the same as the -servername
+</WRAP>
 ===== Get OCSP stapling info =====
   echo QUIT | openssl s_client -servername www.example.com:443 -connect xx.xxx.xxx.xx:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
+===== Check if certificate is valid with private key =====
+If you get an error like
+  Oct 23 17:55:05 hpb01-rp nginx[2837]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/some.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
+Check certificate and private key
+  openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1
+  openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1
+You need to get the same sha sum from both commands.
+===== Additional commands that can be used to inspect Certificates =====
+The openssl x509 utility also allows you to extract specific pieces of information from the certificate file instead of the entire content of a certificate in text.
+  openssl x509 -in google.com-cert -noout -serial
+  openssl x509 -in google.com-cert -noout -issuer
+  openssl x509 -in google.com-cert -noout -dates
+  openssl x509 -in google.com-cert -noout -subject
+  openssl x509 -in google.com-cert -noout -pubkey
+  openssl x509 -in google.com-cert -noout -modulus
+  openssl x509 -in google.com-cert -noout -ocsp_uri
+Note: Last command may not work in all versions of OpenSSL
+You can also mix and match arguments from the last step:
+  openssl x509 -in google.com-cert -noout -subject -issuer
+  openssl x509 -in google.com-cert -noout -serial -dates
+You can also request specific extensions from the certificate:
+  openssl x509 -in google.com-cert -noout -ext subjectAltName
+  openssl x509 -in google.com-cert -noout -ext basicConstraints
+  openssl x509 -in google.com-cert -noout -ext crlDistributionPoints
+  openssl x509 -in google.com-cert -noout -ext keyUsage
+  openssl x509 -in google.com-cert -noout -ext extendedKeyUsage
+  openssl x509 -in google.com-cert -noout -ext authorityInfoAccess
+  openssl x509 -in google.com-cert -noout -ext subjectKeyIdentifier
+  openssl x509 -in google.com-cert -noout -ext authorityKeyIdentifier
+====== See also ======
+  * [[wiki:creating_ca_and_signing_server_and_client_certs_with_openssl|Creating CA and signing server and client certs with openssl]]
 ====== References ======
   * https://www.xolphin.com/support/OpenSSL/Frequently_used_OpenSSL_Commands
+  * https://www.namecheap.com/support/knowledgebase/article.aspx/9781/2238/nginx-ssl-error0b080074x509-certificate-routines-x509checkprivatekeykey-values-mismatch