Tuesday, May 21, 2013

Openssl cheat sheet

  • How to extract certificates
Certificate files commonly contain not only the server certificate itself but the whole chain as well.

# example chain cert file

-----BEGIN CERTIFICATE-----
687f687asfafaufyaufasfyfyasifyayfafvG74WlTANBgkqhkiG9w0BAQUFADBm
678fa6auyasfyasf8a7fa9f7a9sfiauy987safasffQgSW5jMRkwFwYDVQQLExB3
....
UW9iatnbVzOcOdJJaBK7obGALVFBAQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
76af5at7fat8f7astfuyasftuftauftaufasfasfOzANBgkqhkiG9w0BAQUFADBs
....
tfiuytaiutauisftiaustfiuasftuiastfasf2oWGU4K8K2Eyl2Us1p292E=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
tfuastfuiatfutfuiatfiuatsifuastifuayrkYldzANBgkqhkiG9w0BAQUFADBs
....
tuaftiautfuaftiuatfiuastfuastfiuastfiastfuatsifutafutafutasuftap
+OkuE6N36B9K
-----END CERTIFICATE-----

To extract each certificate and save it in a separate file you can use this little trick.

root@server:~# csplit -k cert.txt '%-----BEGIN CERTIFICATE-----%' '/-----END CERTIFICATE-----/+1' {9}
2362
2260
1367
csplit: `/-----END CERTIFICATE-----/+1': match not found on repetition 3
1

root@server:~# ll 
-rw-r--r-- 1 root root 2362 May 21 16:50 cert.txt
-rw-r--r-- 1 root root 2362 May 21 16:50 xx00
-rw-r--r-- 1 root root 2260 May 21 16:50 xx01
-rw-r--r-- 1 root root 1367 May 21 16:50 xx02
-rw-r--r-- 1 root root    1 May 21 16:50 xx03

# because it is irrelevant
root@server:~# rm xx03 
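The same split done with awk, as an added example that is not from the original post: each BEGIN/END block is written whole to its own file, anything between blocks (such as the trailing newline that became the 1-byte xx03 above) is skipped, and the number of certificates found is printed, so there is no stray file to delete and no "match not found" error. The sample bundle it writes uses placeholder base64 bodies in the style of the post, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: split a PEM chain file into
# one file per certificate with awk instead of csplit.

# write_sample_bundle FILE: write a constructed two-certificate bundle.
# The base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsamplePLACEHOLDERleafCertificateBodyNotRealAAAAAAAAAAAAAAAAAA
UW9iatnbVzOcOdJJaBK7obGALVFBAQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsamplePLACEHOLDERintermediateCertificateBodyNotRealAAAAAAAAAA
+OkuE6N36B9K
-----END CERTIFICATE-----

EOF
}

# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/cert-00.pem, cert-01.pem, ...
# and prints how many certificates were found. Lines outside a
# BEGIN/END block (blank lines, comments) are dropped.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            out = sprintf("%s/cert-%02d.pem", dir, n + 0); n++; inblock = 1
        }
        inblock { print > out }
        /^-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# pem_block_count FILE: number of complete BEGIN/END certificate pairs,
# or -1 if the markers are unbalanced. A split file should report 1.
pem_block_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { b++ }
         /^-----END CERTIFICATE-----/   { e++ }
         END { if (b == e) print b + 0; else print -1 }' "$1"
}

# describe_certs OUTDIR: subject and issuer of each split file via openssl
# (real certificates only; the placeholder bodies above will not parse).
describe_certs() {
    for f in "$1"/cert-*.pem; do
        openssl x509 -noout -subject -issuer -in "$f" 2>/dev/null \
            || echo "$f: not a parseable certificate"
    done
}
```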
  • How to verify that the certificate and key belong together
# the two digests must be identical
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
  • How to check which certificate and which certificate chain an HTTPS server sends
$ openssl s_client -connect :443 -showcerts

Without the -showcerts option, openssl prints only the site certificate (the top certificate in the chain) and hides the remaining certificates received in the server's handshake messages. Be aware that even in the regular output you can still see that intermediate certificates were sent, in the chain summary:

Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=Private Organization/serialNumber=04168207/C=GB/ST=Greater Manchester/L=Manchester/O=Party Delights Limited/OU=Web Development/CN=www.example.com
   i:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA

 1 s:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
