Differences

This shows you the differences between two versions of the page.

--- linux:verschluesselung:openssl [2023/06/18 16:46] – [Singledomain/ Wildcard] gsys
+++ linux:verschluesselung:openssl [2025/05/06 11:48] (current) – gsys
@@ Line 1: / Line 1: @@
 ====== OpenSSL ======
 ===== Nützliche Befehle =====
 <code>
-update-ca-certificates --fresh            # CA-Zertifikate aktualisieren
+update-ca-certificates --fresh                                                # CA-Zertifikate aktualisieren
+openssl x509 -in mail.example.com.pem -noout -text                            # Check contents of cert file
+openssl s_client -connect mail.example.com:587 -starttls smtp                 # SMTP START-TLS Zertifikat überprüfen
+openssl s_client -connect mail.example.com:465                                # SMTP SSL-Zertifikat überprüfen
+openssl s_client -connect mail.example.com:443 | openssl x509 -noout -dates   # SMTP SSL-Zertifikat Ablaufdatum überprüfen
 </code>
 ===== CSR erstellen =====
@@ Line 8: / Line 15: @@
 CSR mit OpenSSL erstellen:
 <code>
-openssl req -nodes -new -newkey rsa:2048 -sha256 -keyout example.com.key -out example.com.csr
+openssl req -utf8 -nodes -new -newkey rsa:2048 -sha256 -keyout example.com.key -out example.com.csr      # new private key
+openssl req -utf8 -new -key example.com.key -out example.com.csr                                         # existing private key
 </code>
@@ Line 64: / Line 72: @@
 ===== Zertifikate konvertieren =====
+==== Reihenfolge einer Chain ====
+Optimal:
+<code>
+-----BEGIN CERTIFICATE-----
+[Server Certificate]
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+[Intermediate certificate L1]
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+[Intermediate certificate L2]
+-----END CERTIFICATE-----
+</code>
+Unnötig da Root in Browser/OS Cert store bereits enthalten:
+<code>
+-----BEGIN CERTIFICATE-----
+[Server Certificate]
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+[Intermediate certificate L1]
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+[Intermediate certificate L2]
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+[Root Certificate]
+-----END CERTIFICATE-----
+</code>
+https://success.qualys.com/support/s/article/000005824 \\
+https://success.qualys.com/support/s/article/000003197
+==== Befehle ====
+''P12 == PFX'' \\
+FIXME PEM vs CRT
 <code>
 openssl pkcs12 -export -in cert_bundle.pem -inkey privkey.key -out cert_bundle.p12 #pem in p12
 cat cert.pem intermediate.pem > chain.pem                                          #cert+intermediate als bundle
 cat root.pem intermediate.pem > ocsp-chain.pem                                     #ocsp chain (cert+intermediate) als bundle
-openssl pkcs12 -in cert_bundle.p12 -clcerts -nokeys -out cert_bundle.pem           #p12 in pem
+openssl pkcs12 -in cert_bundle.p12 -chain -nokeys -out cert_bundle.pem             #p12 in pem with complete chain
+openssl pkcs12 -in cert_bundle.p12 -cacerts -nokeys -out cert_cacerts.pem          #p12 in pem only ca certs
+openssl pkcs12 -in cert_bundle.p12 -clcerts -nokeys -out cert.pem                  #p12 in pem without ca certs
 openssl pkcs12 -in cert_bundle.p12 -nocerts -out privkey_encr.key                  #private key extrahieren
 openssl rsa -in privkey_encr.key -out privkey.key                                  #private key entschlüsseln
 openssl x509 -inform der -in certificate.cer -out certificate.pem                  #der in pem
 openssl pkcs7 -inform der -in cacert.p7b -out cacert.pem                           #p7p in pem
+</code>
+Permissions
+<code>
+chmod 700 private                                                                  #private key folder
+chmod 600 private.key                                                              #private key
+chmod 755 certs                                                                    #public certs folder
+chmod 644 cert.pem                                                                 #public key file
 </code>