Thursday 8 August 2019

Openssl commands




 Some Useful Openssl Commands





http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_0cli/BIG_IP9_0XCLIGuide2-5-1.html



Read content of a cert:



openssl x509 -text -in server.crt



Read content of a CSR:

openssl req -in server.csr -noout -text



Check a key to see if a key has a password:

openssl rsa -in keyfile.key    [if it prompts for a password, the key was created with a password]



Check if a cert and key match:

The MD5 hashes printed by the two commands below must be identical for the certificate and key to be a pair (both hash the RSA modulus, which a matching certificate and key share):



openssl x509 -noout -modulus -in server.crt | openssl md5

openssl rsa -noout -modulus -in keyfile.key | openssl md5



Creating a self-signed SSL certificate:

Create a private key:

openssl genrsa -des3 -out server.key 2048   [we can choose whether or not to protect the key with a password while creating it;
                                             if no password is required, just press Enter and don't input one]





Generating a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr


It prompts for the following:

Country Name (2 letter code) [GB]:

State or Province Name (full name) [Berkshire]:

Locality Name (eg, city) [Newbury]:

Organization Name (eg, company) [My Company Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, application's name or your server's hostname) []:

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:



Creating the certificate:

openssl x509 -req -days <no.of days> -in server.csr -signkey server.key -out server.crt



Example: if a certificate valid for one year is needed, the command is as follows:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
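The whole flow above run non-interactively, followed by the modulus comparison from the "cert and key match" check, as an added shell example (not from the original post). It assumes a local openssl binary; it omits -des3 so the key is written unencrypted and no passphrase is prompted, and it passes the subject fields with -subj instead of answering the prompts. The file names and the www.example.test hostname are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive key, CSR and
# self-signed certificate generation, then the modulus comparison that confirms
# a certificate and key belong together. Assumes a local `openssl` binary;
# all file names and the hostname are hypothetical.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create an unencrypted 2048-bit RSA key (no -des3, so no passphrase prompt).
make_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Create a CSR from key $1 into $2, supplying the subject with -subj instead of
# answering the interactive prompts (the CN is a constructed hostname).
make_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=www.example.test"
}

# Self-sign CSR $1 with key $2 for $3 days, writing the certificate to $4.
make_self_signed() {
    openssl x509 -req -days "$3" -in "$1" -signkey "$2" -out "$4" 2>/dev/null
}

# Hash of the RSA modulus in a certificate / private key. A matching pair has
# the same modulus, so the two hashes are identical.
cert_modulus_hash() { openssl x509 -noout -modulus -in "$1" | openssl md5; }
key_modulus_hash()  { openssl rsa  -noout -modulus -in "$1" | openssl md5; }

# Returns 0 when certificate $1 and key $2 form a pair, 1 otherwise.
cert_key_match() {
    [ "$(cert_modulus_hash "$1")" = "$(key_modulus_hash "$2")" ]
}

# Run the full flow once so the script does something useful on its own.
demo() {
    make_key "$WORKDIR/server.key"
    make_csr "$WORKDIR/server.key" "$WORKDIR/server.csr"
    make_self_signed "$WORKDIR/server.csr" "$WORKDIR/server.key" 365 "$WORKDIR/server.crt"
    if cert_key_match "$WORKDIR/server.crt" "$WORKDIR/server.key"; then
        echo "server.crt and server.key match"
    else
        echo "server.crt and server.key do NOT match"
    fi
}

demo
```

Because cert_key_match returns an exit status, it drops straight into a deployment script: abort the install of a new certificate if the check fails rather than discovering the mismatch when the service refuses to start.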



Testing an SSL connection with openssl:

If a VIP or server IP is configured on a port with an SSL certificate attached, telnet cannot be used to test its content (for example when checking ECV monitors) the way it can for plain HTTP VIPs/server IPs. In these cases openssl can be used instead:

openssl s_client -connect <ip>:<port>

This opens an SSL connection to the server and prints the certificate it presents. At the prompt we can type the GET request line, the Host header, etc., to test the content on the VIP/server IP.



 --------------------------------------------------------------------------------------------------------------------------



Getting the certificate dates



echo | openssl s_client -connect remotedeposit-cit2.bankofamerica.com:443 2>/dev/null | openssl x509 -noout -dates

or 



curl -kv https://abc.example.com 2>&1 | grep expire
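The expiry check from the "certificate dates" section turned into something a monitor can run, as an added shell example (not from the original post). It builds on the same s_client | x509 pipeline and on the -checkend option of openssl x509, which exits non-zero when the certificate expires within the given number of seconds. It assumes a local openssl binary; the hostnames and file names are hypothetical, and the demo uses a throwaway self-signed certificate so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): certificate expiry checks built on
# `openssl x509 -dates` and `openssl x509 -checkend`. Assumes a local `openssl`
# binary; hostnames and file names are hypothetical.

# Fetch the leaf certificate a TLS server presents, in PEM form.
# -servername sends SNI so a host serving several names returns the right one.
fetch_remote_cert() {
    host="$1"; port="${2:-443}"
    echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509
}

# Print the notBefore/notAfter lines for PEM certificate file $1.
cert_dates() {
    openssl x509 -noout -dates -in "$1"
}

# Returns 0 if the certificate in $1 expires within $2 days (or has already
# expired), 1 otherwise. -checkend takes seconds, so convert days first.
cert_expires_within_days() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null; then
        return 1   # still valid beyond the window
    else
        return 0   # expires inside the window
    fi
}

# Monitor-style wrapper: prints a status line and returns non-zero when the
# certificate is inside the warning window (default 30 days).
check_cert_expiry() {
    cert="$1"; warn_days="${2:-30}"
    if cert_expires_within_days "$cert" "$warn_days"; then
        echo "WARNING: $cert expires within $warn_days days"
        cert_dates "$cert"
        return 1
    fi
    echo "OK: $cert valid for more than $warn_days days"
}

# Offline demo with a throwaway self-signed certificate valid for 10 days:
# the 30-day window warns, the 7-day window does not.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -keyout "$d/k.pem" -out "$d/c.pem" -subj "/CN=demo.example.test" 2>/dev/null
    check_cert_expiry "$d/c.pem" 30 || true
    check_cert_expiry "$d/c.pem" 7
}

demo
```

Against a live service the two pieces chain as `fetch_remote_cert abc.example.com > abc.pem && check_cert_expiry abc.pem 30`; -checkend does the date arithmetic inside openssl, which avoids the platform differences of parsing the notAfter string with date(1).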



