====== OpenSSL ======
===== Useful commands =====
update-ca-certificates --fresh # rebuild the system CA certificate store
openssl x509 -in mail.example.com.pem -noout -text # check contents of cert file
openssl s_client -connect mail.example.com:587 -starttls smtp # check the SMTP STARTTLS certificate
openssl s_client -connect mail.example.com:465 # check the SMTP (implicit TLS / SMTPS) certificate
openssl s_client -connect mail.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates # check the HTTPS certificate's validity dates (port 443 is HTTPS, not SMTP; </dev/null makes s_client exit instead of waiting for input)
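The expiry check above only prints the dates; in a cron job you want a yes/no answer. The following is an added example (not from the original page): ''openssl x509 -checkend'' answers "does this certificate expire within N seconds" portably, and ''remote_cert_pem'' wraps the s_client pipe with the ''</dev/null'' and SNI details that make it usable non-interactively. The fixture function generates a throwaway self-signed certificate; host and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: certificate expiry check with
# `openssl x509 -checkend`, plus a helper that fetches a remote leaf cert.

# cert_expires_within CERT_PEM SECONDS -> prints "yes" if the certificate
# expires inside the window (or is already expired), "no" otherwise.
# -checkend is portable; parsing -enddate with `date -d` only works with GNU date.
cert_expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# remote_cert_pem HOST PORT [STARTTLS_PROTOCOL]: print the leaf certificate a
# server presents. </dev/null closes stdin so s_client exits after the
# handshake instead of waiting for input; -servername sends SNI so a
# multi-host server returns the certificate for HOST. Needs network access,
# so it is not exercised by the constructed fixture below.
remote_cert_pem() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$proto" </dev/null 2>/dev/null | openssl x509
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null | openssl x509
    fi
}

# Constructed fixture: a throwaway self-signed certificate valid for 5 days.
make_short_lived_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 5 \
        -subj "/CN=expiry-test.example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Typical use: warn when fewer than 30 days remain.
# cert=$(make_short_lived_cert); cert_expires_within "$cert" $((30*24*3600))
```

For a live host the same check is ''remote_cert_pem mail.example.com 587 smtp > /tmp/leaf.pem; cert_expires_within /tmp/leaf.pem 2592000''.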
===== Create a CSR =====
==== Single domain / wildcard ====
Create a CSR with OpenSSL:
openssl req -utf8 -nodes -new -newkey rsa:2048 -sha256 -keyout example.com.key -out example.com.csr # new private key
openssl req -utf8 -new -key example.com.key -out example.com.csr # existing private key
==== Multi-domain (SAN) ====
Create the csr.conf file
vi /etc/ssl/csr.conf
Contents:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BW
L = Karlsruhe
O = XYZ IT GmbH
OU = IT
CN = www.xyz-it.de
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = abc.xyz-it.de
DNS.2 = www.xyz-it.de
DNS.3 = xyz.de
DNS.4 = mail.xyz.de
Create the private key
openssl genrsa -out xyz-it.de.key 2048
Create the CSR (the -key file must be the key generated above)
openssl req -new -out xyz-it.de.csr -key xyz-it.de.key -config /etc/ssl/csr.conf
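Hand-editing csr.conf for every host is error-prone, and the CN alone is not enough: browsers match SANs only, so the CN must also appear in alt_names. The following is an added example (not from the original page) that writes the config from a list of names, creates key and CSR as above, and reads the SANs back out of the CSR so the request can be checked before it goes to the CA. The organisation fields and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: generate a SAN CSR from a list of
# names and verify the SANs in the resulting request.

# san_csr OUTDIR CN DOMAIN... : writes OUTDIR/csr.conf, OUTDIR/server.key and
# OUTDIR/server.csr. The CN is listed as DNS.1 because clients match SANs only.
san_csr() {
    out=$1; cn=$2; shift 2
    i=1
    alt=""
    for name in "$cn" "$@"; do
        alt="${alt}DNS.${i} = ${name}
"
        i=$((i + 1))
    done
    cat >"$out/csr.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
O = Example GmbH
CN = $cn
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
$alt
EOF
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null
    chmod 600 "$out/server.key"
    openssl req -new -key "$out/server.key" -out "$out/server.csr" \
        -config "$out/csr.conf"
}

# csr_sans CSR_FILE: print the DNS SANs requested in a CSR, one per line,
# e.g. "DNS:www.example.test". Parsed from `openssl req -text`.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//'
}

# Example run (constructed names):
# d=$(mktemp -d); san_csr "$d" www.example.test example.test mail.example.test
# csr_sans "$d/server.csr"
```

Check the output of ''csr_sans'' against the list of names you ordered from the CA before submitting; a missing SAN means a reissue later.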
==== E-Mail ====
Create the private key
openssl genrsa -out mail-smime.key 4096
Create the CSR
openssl req -utf8 -new -key mail-smime.key -out mail-smime.csr
===== Convert certificates =====
==== Order of a chain ====
Optimal:
-----BEGIN CERTIFICATE-----
[Server Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L2]
-----END CERTIFICATE-----
Unnecessary, since the root is already in the browser/OS certificate store:
-----BEGIN CERTIFICATE-----
[Server Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L2]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root Certificate]
-----END CERTIFICATE-----
https://success.qualys.com/support/s/article/000005824 \\
https://success.qualys.com/support/s/article/000003197
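A bundle in the wrong order (intermediate before server certificate, or certificates from an old chain mixed in) is the most common cause of "unable to get local issuer certificate" errors. The following is an added example (not from the original page) that checks the order described above: each certificate's issuer must equal the next certificate's subject, and a self-signed last certificate means the root was included unnecessarily. The fixture builds a throwaway root / intermediate / leaf chain; all names are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify the order of a PEM chain.

# chain_order BUNDLE_PEM -> prints "ok", "ok-root-included" (valid but the
# self-signed root is redundant) or "broken at N" (certificate N is not
# followed by its issuer).
chain_order() {
    d=$(mktemp -d)
    # split the bundle into c1.pem, c2.pem, ... in file order
    awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (dir "/c" n ".pem") }' "$1"
    n=$(ls "$d"/c*.pem | wc -l)
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$d/c$i.pem" | sed 's/^issuer=//')
        next_subject=$(openssl x509 -noout -subject -in "$d/c$((i + 1)).pem" | sed 's/^subject=//')
        if [ "$issuer" != "$next_subject" ]; then
            echo "broken at $i"
            rm -rf "$d"
            return 0
        fi
        i=$((i + 1))
    done
    last_subject=$(openssl x509 -noout -subject -in "$d/c$n.pem" | sed 's/^subject=//')
    last_issuer=$(openssl x509 -noout -issuer -in "$d/c$n.pem" | sed 's/^issuer=//')
    rm -rf "$d"
    if [ "$last_subject" = "$last_issuer" ]; then
        echo "ok-root-included"
    else
        echo "ok"
    fi
}

# Constructed fixture: root -> intermediate -> leaf, written to a temp dir
# whose path is printed. Only subject/issuer linkage matters for this check.
make_chain() {
    d=$(mktemp -d)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/inter.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/leaf.pem" >/dev/null 2>&1
    echo "$d"
}

# Example: d=$(make_chain); cat "$d/leaf.pem" "$d/inter.pem" > chain.pem; chain_order chain.pem
```

Run ''chain_order'' on the bundle you are about to deploy; ''ok-root-included'' is harmless but wastes bytes in every handshake, while ''broken at N'' means the file must be reassembled.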
==== Commands ====
''P12 == PFX'' \\
FIXME PEM vs CRT
openssl pkcs12 -export -in cert_bundle.pem -inkey privkey.key -out cert_bundle.p12 #pem to p12
cat cert.pem intermediate.pem > chain.pem #cert + intermediate as bundle
cat root.pem intermediate.pem > ocsp-chain.pem #OCSP stapling chain (root + intermediate) as bundle
openssl pkcs12 -in cert_bundle.p12 -chain -nokeys -out cert_bundle.pem #p12 to pem with complete chain
openssl pkcs12 -in cert_bundle.p12 -cacerts -nokeys -out cert_cacerts.pem #p12 to pem, CA certs only
openssl pkcs12 -in cert_bundle.p12 -clcerts -nokeys -out cert.pem #p12 to pem without CA certs
openssl pkcs12 -in cert_bundle.p12 -nocerts -out privkey_encr.key #extract private key (still passphrase-protected)
openssl rsa -in privkey_encr.key -out privkey.key #decrypt private key (written unencrypted, so set permissions as below)
openssl x509 -inform der -in certificate.cer -out certificate.pem #der to pem
openssl pkcs7 -inform der -in cacert.p7b -out cacert.pem #p7b (PKCS#7) der to pem; add -print_certs to extract the individual certificates
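After a PKCS#12 round trip the question is always whether the extracted key really belongs to the extracted certificate. The following is an added example (not from the original page) that wraps the export and extraction commands above and compares the public key inside the certificate with the public key derived from the private key; a mismatch means the wrong key or certificate was bundled. The password and names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: PEM <-> PKCS#12 round trip and a
# key/certificate consistency check.

# pem_to_p12 CERT KEY OUT PASSWORD: bundle certificate and key into a .p12/.pfx
pem_to_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# p12_to_pem P12 PASSWORD OUTDIR: writes OUTDIR/cert.pem (leaf only) and
# OUTDIR/privkey.key (unencrypted, so restrict it to the owner immediately)
p12_to_pem() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" -out "$3/cert.pem"
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3/privkey.key"
    chmod 600 "$3/privkey.key"
}

# key_matches_cert KEY CERT -> "match" or "mismatch". Both sides are reduced to
# the SubjectPublicKeyInfo in PEM form and compared by hash, so it works for
# RSA and EC keys alike.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed fixture: a self-signed certificate and its key in a temp dir
# whose path is printed.
make_self_signed() {
    d=$(mktemp -d)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=p12.example.test" \
        -keyout "$d/privkey.key" -out "$d/cert.pem" >/dev/null 2>&1
    echo "$d"
}

# Example:
# d=$(make_self_signed); pem_to_p12 "$d/cert.pem" "$d/privkey.key" "$d/b.p12" secret
# mkdir "$d/out"; p12_to_pem "$d/b.p12" secret "$d/out"
# key_matches_cert "$d/out/privkey.key" "$d/out/cert.pem"
```

''key_matches_cert'' is also the quickest check when a web server refuses to start with a "key values mismatch" error: run it against the configured key and certificate files.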
Permissions
chmod 700 private #private key folder
chmod 600 private.key #private key
chmod 755 certs #public certs folder
chmod 644 cert.pem #public certificate file
List the certificates in a bundle / rebuild a clean bundle
openssl crl2pkcs7 -nocrl -certfile cert_bundle.crt | openssl pkcs7 -print_certs -out bundle-certs.crt
openssl crl2pkcs7 -nocrl -certfile cert_bundle.crt | openssl pkcs7 -print_certs -noout
===== Create a certificate =====
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out default.crt -keyout default.key #self-signed TLS certificate, valid 10 years
openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048 #Diffie-Hellman parameters