Cheatsheets - openssl
Steps to generate a cert
# generate a private key foo.key
openssl genrsa -out foo.key 2048
# show content of the private key
openssl rsa -text -in foo.key -noout
# extract public key (the private key file contains both the private key and the public key).
openssl rsa -in foo.key -pubout -out foo_public.key
# create csr; public key will be included in.
openssl req -new -key foo.key -out foo.csr
# verify csr
openssl req -text -in foo.csr -noout -verify
# (send csr to CA and get the cert)
# view cert
openssl x509 -text -in foo.crt -noout
Generate a hash of each file's public key, they should match:
openssl pkey -pubout -in foo.key | openssl sha256
openssl req -pubkey -in foo.csr -noout | openssl sha256
openssl x509 -pubkey -in foo.crt -noout | openssl sha256
Check Kubernetes Certs
Kubernetes stores config files in /etc/kubernetes, to check the cert content (e.g. of the kube-scheduler):
$ cat /etc/kubernetes/scheduler.conf | yq .users[].user.client-certificate-data | base64 -d | openssl x509 -text
# Result:
Issuer: CN = kubernetes
...
Subject: CN = system:kube-scheduler
Conversions
By default, OpenSSL generates keys and CSRs using the PEM format.
Between PEM and PKCS#12:
# PEM to PKCS#12
openssl pkcs12 -export -name "foo-digicert-(expiration date)" \
-out foo.pfx -inkey foo.key -in foo.crt
# PKCS#12 to PEM; PKCS#12 format contains both the certificate and private key
# extract private key
openssl pkcs12 -in foo.pfx -nocerts -out foo.key -nodes
# extract cert
openssl pkcs12 -in foo.pfx -nokeys -clcerts -out foo.crt
Between PEM and DER: The DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files. The file extension .der was used in the below examples for clarity.
# convert a PEM encoded certificate into a DER encoded certificate:
openssl x509 -inform PEM -in foo.crt -outform DER -out foo.der
# convert a PEM encoded private key into a DER encoded private key:
openssl rsa -inform PEM -in foo.key -outform DER -out foo_key.der
# convert a DER encoded certificate into a PEM encoded certificate:
openssl x509 -inform DER -in foo.der -outform PEM -out foo.crt
# convert a DER encoded private key into a PEM encoded private key:
openssl rsa -inform DER -in foo_key.der -outform PEM -out foo.key
# Check a PEM certificate (`.crt` or `.pem`)
openssl x509 -text -noout -in cert.pem
# Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
# Check a private key
openssl rsa -check -in cert.key
cat << EOF > csr.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = example.com
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
openssl req -newkey rsa:2048 -out csr.pem -keyout key.pem -config csr.cnf
Key Verification
To verify that a private key corresponds to the public key from a certificate or a CSR, print out their modulus and compare the resulting hash-values.
For an ECDSA key pair/certificate:
openssl req -in ${CSR_FILE} -noout -pubkey | openssl dgst -sha256
openssl ec -in ${KEY_FILE} -pubout | openssl dgst -sha256
openssl x509 -in ${CERT_FILE} -noout -pubkey | openssl dgst -sha256
For a RSA key pair/certificate:
openssl req -noout -modulus -in ${CSR_FILE} | openssl sha256
openssl rsa -noout -modulus -in ${KEY_FILE} | openssl sha256
openssl x509 -noout -modulus -in ${CERT_FILE} | openssl sha256
openssl x509 -in /path/to/cert -text -noout
-infilename-textprint out full detailed-issuerprint the issuer name-nooutdo not print anything NOT specified
Generate random strings:
$ openssl rand -base64 10
129udXpYaQJZeg==
Find openssl config dir
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
Check if TLS is used
check if an endpoint you are connecting to or listening at uses TLS by running the following command:
$ openssl s_client -connect HOST:PORT
It shows Certificate chain, server certificate, etc
The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
Verify if a certificate is self-signed
Check if the subject and the issuer are the same entity.
$ openssl x509 -in <file> -noout -subject -issuer
Verify if is CA
Check if CA:TRUE is included in the X509v3 Basic Constraints.
# A CA certificate can be identified by running:
$ openssl x509 -in <file> -noout -text
Or verif by cert-manager. If you are issuing a certificate using cert-manager, and the issuer only has the SelfSigned stanza in the spec (selfSigned: {}), then you are using an arbitrary CA.
OpenSSL vs BoringSSL
BoringSSL is a much lighter-weight version of OpenSSL with no guarantees of API or ABI stability since Google requires far less legacy application support.
Files
Private key
openssl genrsa -out foo.key 4096
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Private key => Certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key foo.key \
-out foo.crt
Generated cert:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
A certificate verifies that an entity is the owner of a particular public key.
A certificate is a trusted document that contains a public key and other data of the respective private key owner.
certificate = public key + extra info (cert issuer, owner of the key, valid time period)
self-signed certificate = the owner and the issuer are the same.
CA signs the certificate with its private key.
The root CA has a self-signed certificate. Each subordinate CA has a certificate that is signed by the next highest CA in the hierarchy. A certificate chain is the certificate of a particular CA, plus the certificates of any higher CAs up through the root CA.
openssl configurations
/etc/ssl/openssl.cnf