OpenSSL

Useful commands

update-ca-certificates --fresh                                                # rebuild the system CA certificate store

openssl x509 -in mail.example.com.pem -noout -text                            # Check contents of cert file

openssl s_client -connect mail.example.com:587 -starttls smtp                 # check the SMTP STARTTLS certificate
openssl s_client -connect mail.example.com:465                                # check the SMTP-over-TLS (port 465) certificate
openssl s_client -connect mail.example.com:443 </dev/null | openssl x509 -noout -dates   # show the certificate's validity dates (443 = HTTPS; </dev/null makes s_client exit instead of waiting on stdin)
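The one-liners above are what you type by hand; the following script is an added example (not from the original page) that turns them into reusable checks. `remote_cert_dates` adds `-servername` so a name-based virtual host returns its own certificate (SNI) and closes stdin so `s_client` returns, and `cert_valid_for_days` wraps `openssl x509 -checkend` for expiry monitoring. The function names and the `selfsigned.example.test` certificate are this example's own; the demo generates that throwaway certificate locally, so it runs offline.

```sh
#!/bin/sh
# Added example, not from the original page. Assumed: the function names and
# the selfsigned.example.test certificate are this example's own.

# Print notBefore/notAfter of the certificate a TLS server presents.
# -servername sends SNI, so a name-based virtual host returns its own
# certificate instead of the default one; </dev/null closes stdin so
# s_client exits after the handshake instead of waiting for input.
remote_cert_dates() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# Same for STARTTLS services: proto is the -starttls value (smtp, imap, ...).
remote_starttls_dates() {
    host=$1; port=$2; proto=$3
    openssl s_client -connect "$host:$port" -servername "$host" -starttls "$proto" \
        </dev/null 2>/dev/null | openssl x509 -noout -dates
}

# 0 when the certificate in PEM is still valid for at least DAYS more days,
# 1 when it expires sooner or is already expired. -checkend takes seconds.
cert_valid_for_days() {
    pem=$1; days=$2
    openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null
}

# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days, written to DIR/cert.pem with its key in DIR/key.pem.
make_selfsigned() {
    dir=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=selfsigned.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Demo, run with: sh cert_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" 10
    openssl x509 -in "$d/cert.pem" -noout -dates
    if cert_valid_for_days "$d/cert.pem" 30; then
        echo "renewal not needed yet"
    else
        echo "certificate expires within 30 days: renew now"
    fi
    rm -rf "$d"
fi
```

`cert_valid_for_days` is the piece to put into a cron job or monitoring check: it exits non-zero as soon as a certificate is inside the renewal window, which is what you want to alert on rather than the bare dates.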

Create a CSR

Single domain / wildcard

Create the CSR with OpenSSL:

openssl req -utf8 -nodes -new -newkey rsa:2048 -sha256 -keyout example.com.key -out example.com.csr      # new private key
openssl req -utf8 -new -key example.com.key -out example.com.csr                                         # existing private key

Multi-domain (SAN)

Create the csr.conf file

vi /etc/ssl/csr.conf

Contents:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BW
L = Karlsruhe
O = XYZ IT GmbH
OU = IT
CN = www.xyz-it.de
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = abc.xyz-it.de
DNS.2 = www.xyz-it.de
DNS.3 = xyz.de
DNS.4 = mail.xyz.de

Create the private key

openssl genrsa -out xyz-it.de.key 2048

Create the CSR (with the key generated above)

openssl req -new -out xyz-it.de.csr -key xyz-it.de.key -config /etc/ssl/csr.conf
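The steps above (config file, key, CSR) as one script, added here as an example and not part of the original page. It generalizes the fixed csr.conf by generating the request config from the CN and SAN list given on the command line, and adds the two checks worth doing before a CSR leaves your hands: which SANs it actually carries, and that it belongs to the key you intend to deploy. The function names and the `example.test` hostnames are this example's own; the key usage set used here (digitalSignature, keyEncipherment) is the usual one for an RSA TLS server key.

```sh
#!/bin/sh
# Added example, not from the original page. Assumed: function names and the
# example.test hostnames are this example's own.

# Write an OpenSSL request config for CN plus the listed SAN hostnames.
# Arguments: output file, CN, then one or more DNS names (repeat the CN
# among them: clients only look at the SAN list).
write_san_config() {
    conf=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nC = DE\nO = Example Org\nCN = %s\n' "$cn"
        printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$conf"
}

# Generate a fresh 2048-bit RSA key and a SHA-256 signed CSR from the config.
make_san_csr() {
    conf=$1; key=$2; csr=$3
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -utf8 -new -sha256 -key "$key" -config "$conf" -out "$csr"
}

# Print the SAN entries a CSR actually carries, one "DNS:name" per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# 0 if the CSR's self-signature verifies and its public key matches KEY.
csr_matches_key() {
    csr=$1; key=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Demo, run with: sh san_csr.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_san_config "$d/csr.conf" www.example.test \
        www.example.test example.test mail.example.test
    make_san_csr "$d/csr.conf" "$d/example.test.key" "$d/example.test.csr"
    csr_sans "$d/example.test.csr"
    csr_matches_key "$d/example.test.csr" "$d/example.test.key" && echo "CSR and key match"
    rm -rf "$d"
fi
```

`csr_sans` is also the quickest way to catch a CSR that silently lost its extensions, which happens when `req_extensions` is not wired up in the `[req]` section: the CSR is still valid, it just carries no SANs.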

E-mail

Create the private key

openssl genrsa -out mail-smime.key 4096

Create the CSR

openssl req -utf8 -new -key mail-smime.key -out mail-smime.csr

Convert certificates

Order of a certificate chain

Optimal:

-----BEGIN CERTIFICATE-----
[Server Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L2]
-----END CERTIFICATE-----

Unnecessary, since the root is already in the browser/OS certificate store:

-----BEGIN CERTIFICATE-----
[Server Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L2]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root Certificate]
-----END CERTIFICATE-----

https://success.qualys.com/support/s/article/000005824
https://success.qualys.com/support/s/article/000003197
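A misordered bundle is the most common reason a server "has the certificate installed" yet clients fail the handshake, so it pays to check the order mechanically. The script below is an added example (not from the original page): `chain_order_ok` confirms that each certificate in a PEM bundle is issued by the one following it, `bundle_summary` is the subject/issuer listing from the section on bundles further down, and `openssl verify` does the full path validation a client would. The three-level test CA (`Test Root`, `Test Intermediate`, `www.example.test`) and all function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original page. Assumed: the function names and
# the three-level test PKI built by make_test_pki are this example's own.

# Split a PEM bundle into DIR/cert1.pem, DIR/cert2.pem, ... in file order.
split_bundle() {
    bundle=$1; dir=$2
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++}
                       n{print > (dir "/cert" n ".pem")}' "$bundle"
}

# 0 when every certificate in the bundle is issued by the one that follows it
# (leaf, then intermediates, as a TLS server should send them), 1 otherwise.
chain_order_ok() {
    bundle=$1
    tmp=$(mktemp -d); split_bundle "$bundle" "$tmp"
    rc=0; i=1
    while [ -f "$tmp/cert$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i issuer [$issuer] != cert $((i + 1)) subject [$subject]" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Subject and issuer of every certificate in a bundle, one block per cert.
bundle_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Constructed test PKI in DIR: root.pem -> int.pem -> leaf.pem (30-day certs).
make_test_pki() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\nprompt = no\n' > "$dir/root.cnf"
    printf '[dn]\nCN = Test Root\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' >> "$dir/root.cnf"
    printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$dir/root.cnf"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/leaf.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' >> "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/root.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Demo, run with: sh chain_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_test_pki "$d"
    cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"      # the "optimal" order from above
    cat "$d/int.pem" "$d/leaf.pem" > "$d/bad.pem"       # reversed
    bundle_summary "$d/good.pem"
    chain_order_ok "$d/good.pem" && echo "good.pem: order OK"
    chain_order_ok "$d/bad.pem"  || echo "bad.pem: misordered"
    # Full path validation against the trusted root, as a client would do it.
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem"
    rm -rf "$d"
fi
```

The bundle with the root appended (the "unnecessary" variant above) still passes `chain_order_ok`: the root has no successor to compare against, so the check only flags real misorderings, not a redundant root.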

Commands

P12 == PFX

FIXME PEM vs CRT

openssl pkcs12 -export -in cert_bundle.pem -inkey privkey.key -out cert_bundle.p12 #pem to p12
cat cert.pem intermediate.pem > chain.pem                                          #cert+intermediate as one bundle
cat root.pem intermediate.pem > ocsp-chain.pem                                     #ocsp chain (root+intermediate) as one bundle
openssl pkcs12 -in cert_bundle.p12 -nokeys -out cert_bundle.pem                    #p12 to pem with all certificates (-chain is an export-only option)
openssl pkcs12 -in cert_bundle.p12 -cacerts -nokeys -out cert_cacerts.pem          #p12 to pem, only the ca certs
openssl pkcs12 -in cert_bundle.p12 -clcerts -nokeys -out cert.pem                  #p12 to pem without the ca certs
openssl pkcs12 -in cert_bundle.p12 -nocerts -out privkey_encr.key                  #extract the private key (still passphrase-protected)
openssl rsa -in privkey_encr.key -out privkey.key                                  #remove the passphrase from the private key
openssl x509 -inform der -in certificate.cer -out certificate.pem                  #der to pem
openssl pkcs7 -inform der -in cacert.p7b -print_certs -out cacert.pem              #p7b to pem (-print_certs writes the contained certificates, not a PEM PKCS#7 wrapper)
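The conversions above prompt for passwords interactively; scripted, they take `-passout`/`-passin` with the `pass:` form. The script below is an added example (not from the original page) that does a non-interactive PKCS#12 round trip and then the check that belongs after every extraction: that the key you got out really matches the certificate. The password, file names and function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page. Assumed: the function names and
# the password/file names in the demo are this example's own.

# Pack certificate + private key (+ optional chain file) into a .p12/.pfx.
# -passout "pass:..." supplies the export password non-interactively.
pem_to_p12() {
    cert=$1; key=$2; out=$3; pw=$4; chain=${5:-}
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -out "$out" -passout "pass:$pw"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pw"
    fi
}

# Unpack the end-entity certificate (-clcerts) and the private key; the key
# is written unencrypted (-nodes) so no separate decryption step is needed.
p12_to_pem() {
    p12=$1; pw=$2; cert=$3; key=$4
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys -out "$cert"
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$key"
}

# 0 when the public key embedded in CERT equals the public half of KEY.
# Comparing the SubjectPublicKeyInfo works for RSA and EC keys alike; the
# older "compare the RSA modulus" trick is RSA-only.
key_matches_cert() {
    cert=$1; key=$2
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# SHA-256 fingerprint of a certificate in PEM (default) or DER form, to confirm
# that a converted file is still the same certificate.
cert_fingerprint() {
    file=$1; form=${2:-pem}
    openssl x509 -inform "$form" -in "$file" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo, run with: sh p12_roundtrip.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    # constructed input: a throwaway self-signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj "/CN=p12.example.test" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    pem_to_p12 "$d/cert.pem" "$d/key.pem" "$d/bundle.p12" "constructed-demo-password"
    p12_to_pem "$d/bundle.p12" "constructed-demo-password" "$d/cert2.pem" "$d/key2.pem" 2>/dev/null
    key_matches_cert "$d/cert2.pem" "$d/key2.pem" && echo "extracted key matches certificate"
    openssl x509 -in "$d/cert.pem" -outform der -out "$d/cert.der"
    echo "PEM: $(cert_fingerprint "$d/cert.pem")"
    echo "DER: $(cert_fingerprint "$d/cert.der" der)"
    rm -rf "$d"
fi
```

Two practical notes: the key file written by `p12_to_pem` is unencrypted, so it needs the 600 permissions from the section below; and OpenSSL 3 encrypts new PKCS#12 files with AES-256/PBKDF2 by default, which some older importers cannot read, for which OpenSSL 3 offers the `-legacy` option on `pkcs12 -export`.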

Permissions

chmod 700 private                                                                  #private key folder
chmod 600 private.key                                                              #private key
chmod 755 certs                                                                    #public certs folder
chmod 644 cert.pem                                                                 #public certificate file

Show a summary of a certificate bundle / create a bundle

openssl crl2pkcs7 -nocrl -certfile cert_bundle.crt | openssl pkcs7 -print_certs -out bundle-certs.crt
openssl crl2pkcs7 -nocrl -certfile cert_bundle.crt | openssl pkcs7 -print_certs -noout                

Create a certificate

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out default.crt -keyout default.key   #self-signed certificate
openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048                                              #Diffie-Hellman parameters for the TLS server