Some Useful Openssl Commands
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_0cli/BIG_IP9_0XCLIGuide2-5-1.html
Read content of a cert:
openssl x509 -text -in server.crt
Read content of a CSR:
openssl req -in server.csr -noout -text
Check whether a key is passphrase-protected:
openssl rsa -in keyfile.key -noout -check [if it prompts for a pass phrase, the key was created with one; an encrypted PEM key can also be recognised without running anything, because it carries a "Proc-Type: 4,ENCRYPTED" header (legacy format) or a "BEGIN ENCRYPTED PRIVATE KEY" banner (PKCS#8)]
Check if a cert and key match:
The hash printed by the two commands below must be identical for them to be a pair (md5 is fine here: it only shortens the modulus so the two values can be compared by eye, it is not doing anything security-relevant). Note that this modulus comparison only works for RSA keys.
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in keyfile.key | openssl md5
Creating a self-signed SSL certificate:
Create a private key:
openssl genrsa -des3 -out server.key 2048 [-des3 encrypts the key, so openssl prompts for a pass phrase and the server will need it every time it starts. To create a key without a pass phrase, omit -des3 rather than trying to enter an empty one. 3DES is a legacy cipher; if the key must be encrypted, -aes256 is the better choice]
Generating a certificate signing request (CSR):
openssl req -new -key server.key -out server.csr
It prompts for the following:
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, application’s name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Creating the certificate:
openssl x509 -req -days <no.of days> -in server.csr -signkey server.key -out server.crt
Example: for a certificate valid for one year, the command is:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
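The key, CSR and self-signed certificate steps above, together with the key/cert pairing and pass-phrase checks from earlier on this page, as one non-interactive script. This is an added example, not code from the original post: the hostnames, directories and pass phrase are placeholders, -subj replaces the interactive DN prompts, and the pairing check compares the public keys directly (the same test as the modulus hash for RSA, and it also works for EC keys). It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH.

# make_selfsigned DIR CN DAYS: key -> CSR -> self-signed cert, the three steps
# from the post. -subj supplies the DN the prompts would ask for; no -des3, so
# the key is unencrypted and nothing prompts.
make_selfsigned() {
  dir=$1; cn=$2; days=$3
  openssl genrsa -out "$dir/server.key" 2048 >/dev/null 2>&1 || return 1
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=$cn" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
}

# make_encrypted_key DIR PASSPHRASE: what the post's "genrsa -des3" produces,
# but with AES-256 (3DES is legacy) and -passout instead of a prompt.
make_encrypted_key() {
  openssl genrsa -aes256 -passout "pass:$2" -out "$1/enc.key" 2048 >/dev/null 2>&1
}

# key_has_passphrase KEYFILE: 0 if the PEM is encrypted. Both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
# banner contain ENCRYPTED, so this never has to prompt.
key_has_passphrase() {
  grep -q ENCRYPTED "$1"
}

# key_matches_cert KEYFILE CERTFILE [PASSPHRASE]: 0 if they are a pair.
# The post hashes the RSA modulus on each side; comparing the PEM public key
# derived from the private key with the one embedded in the cert is the same
# test for RSA and also covers EC keys. -passin avoids a hang on encrypted keys.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_dates CERTFILE: notBefore/notAfter, as the post's "x509 -dates".
cert_dates() {
  openssl x509 -noout -dates -in "$1"
}

# cert_valid_for_days CERTFILE N: 0 if the cert is still valid N days from now,
# 1 if it expires before then (x509 -checkend; the usual monitoring check).
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Usage: sh thisfile.sh demo   (works in a temp dir and prints the results)
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_selfsigned "$d" www.example.test 365 && echo "key, CSR and cert written to $d"
  key_matches_cert "$d/server.key" "$d/server.crt" && echo "key and cert match"
  cert_dates "$d/server.crt"
  cert_valid_for_days "$d/server.crt" 30 && echo "still valid in 30 days"
fi
```

A certificate produced this way has no subjectAltName, because x509 -req does not copy extensions from the CSR; browsers ignore the Common Name, so for anything a browser must accept add the name with -addext "subjectAltName=DNS:<hostname>" to a one-step "openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout server.key -out server.crt" instead.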
Testing an SSL connection with openssl:
If a VIP or a server IP is configured on a port with an SSL certificate attached, telnet cannot be used to test the content on it (for checking ECV monitors) the way it can for plain HTTP VIPs/server IPs, because everything on the wire is encrypted. In these cases openssl can be used instead:
openssl s_client -connect <ip>:<port>
This opens a TLS connection, prints the server's certificate chain and the handshake details, and then leaves a prompt. Type the request at the prompt (the GET line, the Host: header, then an empty line) to test the content on the VIP/server IP. For a name-based VIP add -servername <hostname> so that SNI selects the right certificate.
--------------------------------------------------------------------------------------------------------------------------
Getting the certificate dates
echo | openssl s_client -connect remotedeposit-cit2.bankofamerica.com:443 2>/dev/null | openssl x509 -noout -dates
or
curl -kv https://abc.example.com 2>&1 | grep expire
[the echo closes s_client's stdin once the certificate has been printed, so the command returns instead of waiting at the prompt; -k makes curl skip certificate verification, which is acceptable for reading the dates but must never be used for the real request]
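The content check and the certificate-date check above, scripted so they can sit in a monitor, and run against a throwaway local openssl s_server so the whole thing works offline. This is an added example, not code from the original post: the hostname www.example.test, the work directory and port 44333 are assumptions, and the one-step "openssl req -x509" that creates the test server's key and certificate is a shortcut for the key/CSR/sign sequence shown earlier on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl and mktemp on
# PATH and that port 44333 on 127.0.0.1 is free.

# tls_http_get HOST:PORT HOSTNAME PATH: the scripted form of typing the GET
# line and Host: header at the s_client prompt. -servername sends SNI so a
# name-based VIP presents the right cert; -quiet implies -ign_eof, so s_client
# waits for the response instead of exiting the moment stdin closes.
tls_http_get() {
  printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$3" "$2" |
    openssl s_client -connect "$1" -servername "$2" -quiet 2>/dev/null
}

# tls_content_check HOST:PORT HOSTNAME PATH STRING: 0 if the response contains
# STRING (an ECV-style send string / receive string pair).
tls_content_check() {
  tls_http_get "$1" "$2" "$3" | grep -q -- "$4"
}

# tls_cert_dates HOST:PORT HOSTNAME: the post's "dates" one-liner, with SNI.
tls_cert_dates() {
  echo | openssl s_client -connect "$1" -servername "$2" 2>/dev/null |
    openssl x509 -noout -dates
}

# tls_cert_valid_for_days HOST:PORT HOSTNAME N: 0 if the presented cert is
# still valid N days from now (x509 -checkend), 1 if it expires before then.
tls_cert_valid_for_days() {
  echo | openssl s_client -connect "$1" -servername "$2" 2>/dev/null |
    openssl x509 -noout -checkend $(( $3 * 86400 ))
}

# start_test_server DIR PORT HOSTNAME: self-signed key+cert in one step, then
# a local TLS server that answers GET with a status page (s_server -www).
# Sets TEST_SERVER_PID; the caller kills it.
start_test_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
    -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1 || return 1
  openssl s_server -accept "$2" -cert "$1/test.crt" -key "$1/test.key" -www \
    >/dev/null 2>&1 &
  TEST_SERVER_PID=$!
}

# wait_for_tls HOST:PORT: poll until a TLS handshake completes (up to ~20 s).
wait_for_tls() {
  n=0
  until echo | openssl s_client -connect "$1" >/dev/null 2>&1; do
    n=$((n + 1)); [ "$n" -lt 20 ] || return 1
    sleep 1
  done
}

# Usage: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); ep=127.0.0.1:44333; name=www.example.test
  start_test_server "$d" 44333 "$name" && wait_for_tls "$ep"
  tls_content_check "$ep" "$name" / "HTTP/1.0 200" && echo "content check passed"
  tls_cert_dates "$ep" "$name"
  tls_cert_valid_for_days "$ep" "$name" 30 && echo "cert still valid in 30 days"
  kill "$TEST_SERVER_PID"; rm -rf "$d"
fi
```

Against a real VIP, replace 127.0.0.1:44333 with <vip>:<port> and the receive string with whatever the application page is expected to contain; the local s_server is only there so the functions can be exercised without network access.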