---
title: OpenSSL
date: 2020-11-25 18:28:43
icon: icon-style
background: bg-indigo-600
tags:
categories:
  - Linux Command
intro: |
  This is a reference of commands to use to interact with electronic certificates
plugins:
  - copyCode
---

# OpenSSL Cheat Sheet

## Private Key {.cols-2}

### Print out the private key details

```bash
openssl rsa -check -text -in privateKey.key
```

### Print out the hashes of the private key

Hashing the RSA modulus is a quick way to check that a key, a CSR and a certificate belong together (RSA keys only; the same pipeline works on the CSR and on the certificate).

```bash
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl sha1
openssl rsa -noout -modulus -in privateKey.key | openssl sha256
openssl rsa -noout -modulus -in privateKey.key | openssl sha512
```

### Change password

```bash
openssl rsa -aes256 -in privateKey.key -out newPrivateKey.key
```

### List available elliptic curves

```bash
openssl ecparam -list_curves
```

### Create elliptic curve private key with a specific curve

```bash
openssl ecparam -name secp521r1 -genkey -noout -out privateKey.key
```

## Certificate {.cols-2}

### Print out the hashes of the certificate

```bash
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl sha1
openssl x509 -noout -modulus -in certificate.crt | openssl sha256
openssl x509 -noout -modulus -in certificate.crt | openssl sha512
```

Or, alternatively, print the fingerprint (a hash of the whole certificate, so it identifies this certificate rather than the key pair):

```bash
openssl x509 -noout -fingerprint -in certificate.crt
openssl x509 -noout -fingerprint -sha256 -in certificate.crt
```
### Print out the content of the certificate

```bash
openssl x509 -in certificate.crt -noout -text | more
```

### Print out specific fields of the certificate

```bash
openssl x509 -noout -subject -in certificate.crt
openssl x509 -noout -issuer -in certificate.crt
openssl x509 -noout -dates -in certificate.crt
```
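The modulus hashes above only work for RSA. The script below is an added example, not part of the original cheat sheet: it performs the same "do these belong together" check by hashing the SubjectPublicKeyInfo that the private key, the CSR and the certificate each carry, which covers EC keys as well. It assumes the `openssl` binary and a POSIX shell; the function names (`hash_of_key`, `key_matches_cert`, `demo_key_match`) and the throwaway files it generates in a temp directory are my own constructions.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): check that a private key, a CSR and a
# certificate belong together by comparing the SubjectPublicKeyInfo each one carries.
# Works for RSA and EC keys alike; all material is constructed in a temp directory.
set -eu

# SHA-256 over the DER-encoded public key read from stdin (a PEM "PUBLIC KEY" block).
spki_hash() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

hash_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | spki_hash; }        # private key file
hash_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }  # certificate file
hash_of_csr()  { openssl req -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }   # CSR file

# Exit status 0 when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
  k=$(hash_of_key "$1")
  c=$(hash_of_cert "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo on constructed material: an RSA key with its CSR and self-signed certificate,
# plus an unrelated EC key. Prints one word per comparison.
demo_key_match() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -batch -days 1 -subj "/CN=added-example" \
    -keyout "$d/rsa.key" -out "$d/rsa.crt" >/dev/null 2>&1
  openssl req -new -batch -key "$d/rsa.key" -subj "/CN=added-example" \
    -out "$d/rsa.csr" >/dev/null 2>&1
  openssl ecparam -name secp521r1 -genkey -noout -out "$d/ec.key"
  r=""
  if key_matches_cert "$d/rsa.key" "$d/rsa.crt"; then r="match"; else r="mismatch"; fi
  if [ "$(hash_of_csr "$d/rsa.csr")" = "$(hash_of_key "$d/rsa.key")" ]; then
    r="$r match"; else r="$r mismatch"; fi
  if key_matches_cert "$d/ec.key" "$d/rsa.crt"; then r="$r match"; else r="$r mismatch"; fi
  rm -rf "$d"
  echo "$r"   # expected: "match match mismatch"
}

# Run the demo when openssl is available (the functions above can also be sourced on their own).
if command -v openssl >/dev/null 2>&1; then demo_key_match; fi
```

Comparing the public key rather than the modulus is also what you want when a CSR was generated with a fresh key by mistake: the certificate that comes back from the CA will not match the key you intended to deploy, and `key_matches_cert` catches that before the key is installed.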

### Inspect server certificates

```bash
echo | openssl s_client -servername www.openssl.org -connect \
  www.openssl.org:443 2>/dev/null | openssl x509 -noout -text | more
echo | openssl s_client -servername imap.arcor.de -connect \
  imap.arcor.de:993 2>/dev/null | openssl x509 -noout -text | more
```

### Verify certificates

OK:

```bash
openssl verify -verbose -x509_strict -CAfile \
  issuer.crt Test\ Haeschen\ 1.crt
```

Result:

```text
Test Haeschen 1.crt: OK
```

Corrupted (for example):

```bash
openssl verify -verbose -x509_strict -CAfile \
  issuer.crt Test\ Haeschen\ 1_corrupted.crt
```

Result:

```text
C = DE, ST = Thueringen, L = Rudolstadt, O = Damaschkestr. 11, OU = Arbeitszimmer, CN = Test Haeschen 1
error 7 at 0 depth lookup: certificate signature failure
error Test Haeschen 1_corrupted.crt: verification failed
40270500477F0000:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:75:
40270500477F0000:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:598:
40270500477F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:774:
40270500477F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:217:
```
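To reproduce both outcomes above without a real CA, here is an added example (not from the cheat sheet): it creates a throwaway CA and a leaf certificate in a temp directory, verifies the leaf, then flips the last byte of the leaf's signature and verifies again, which yields the same "certificate signature failure" (error 7) seen on the page. It assumes `openssl` and a POSIX shell, uses plain `openssl verify` without `-x509_strict`, and every file name, subject name and function name (`issue_leaf`, `corrupt_signature`, `verify_outcome`) is my own construction.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): build a throwaway CA and leaf certificate,
# verify the leaf, then corrupt its signature and verify again to reproduce the
# "certificate signature failure" result. All files and names are constructed.
set -eu

# Issue a leaf certificate named $2 in directory $1, signed by CA key $3 / CA cert $4.
issue_leaf() {
  dir=$1; name=$2; cakey=$3; cacert=$4
  openssl req -new -newkey rsa:2048 -nodes -batch -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  # End-entity extensions; the key identifiers let the issuer be matched by key, not only by name.
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
    -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Write a copy of certificate $1 to $2 with the last byte of its signature flipped.
# The signature BIT STRING is the final element of the DER, so the structure stays
# parseable but the signature no longer verifies.
corrupt_signature() {
  der="$2.der"
  openssl x509 -in "$1" -outform DER -out "$der"
  size=$(wc -c < "$der")
  last=$(tail -c 1 "$der" | od -An -tu1 | tr -d ' \n')
  head -c "$((size - 1))" "$der" > "$der.bad"
  printf "\\$(printf '%03o' "$((last ^ 255))")" >> "$der.bad"
  openssl x509 -inform DER -in "$der.bad" -out "$2"
}

# Verify certificate $2 against trust anchor $1; print a short outcome instead of failing.
verify_outcome() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *": OK")               echo "OK" ;;
    *"signature failure"*) echo "signature failure" ;;
    *)                     echo "other error" ;;
  esac
}

demo_verify() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -batch -days 1 -subj "/CN=Added Example CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  issue_leaf "$d" leaf "$d/ca.key" "$d/ca.crt"
  corrupt_signature "$d/leaf.crt" "$d/leaf_corrupted.crt"
  good=$(verify_outcome "$d/ca.crt" "$d/leaf.crt")
  bad=$(verify_outcome "$d/ca.crt" "$d/leaf_corrupted.crt")
  rm -rf "$d"
  echo "$good / $bad"   # expected: "OK / signature failure"
}

if command -v openssl >/dev/null 2>&1; then demo_verify; fi
```

The point of corrupting only the signature bytes is that the issuer lookup still succeeds (same subject and key identifier), so the failure is attributed to the signature itself, exactly as in the page's output; a leaf signed by an unrelated CA would instead fail earlier with "unable to get local issuer certificate".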

## S/Mime {.cols-2}

### Create signature

```bash
openssl smime -sign -in msg.txt -text -out msg.p7s \
  -signer certificate.crt -inkey privateKey.key
```

### Verify signature

```bash
openssl smime -verify -in msg.p7s -CAfile chain.pem
```

## CRL {.cols-2}

### Print out the contents of the CRL

```bash
openssl crl -inform DER -noout -text -in crl/cacrl.der
openssl crl -inform PEM -noout -text -in crl/cacrl.pem
```

## PKCS#12 {.cols-2}

### Display contents

```bash
openssl pkcs12 -info -in digitalIdentity.p12
```

### Create from certificate and private key

```bash
openssl pkcs12 -export -in certificate.crt \
  -inkey privateKey.key -out digitalIdentity.p12
```

### Extract private key

`-nocerts` leaves the certificates out, so the output file holds the key only.

```bash
openssl pkcs12 -in digitalIdentity.p12 -nocerts -out privateKey.key
```

### Convert to PEM

Writes the certificates and the private key into one PEM file.

```bash
openssl pkcs12 -in digitalIdentity.p12 -out digitalIdentity.pem
```

## TSA {.cols-2}

### Display query

```bash
openssl ts -query -in query.tsq -text
```

### Display reply

```bash
openssl ts -reply -in reply.tsr -text
```

### Verify reply

```bash
openssl ts -verify -in reply.tsr -data data.dat -CAfile chain.pem
```

### Extract token from reply

```bash
openssl ts -reply -in reply.tsr -token_out -out token.tk
```

### Extract certificates from token

```bash
openssl pkcs7 -inform DER -in token.tk -print_certs -noout -text
```

## CSR {.cols-2}

### Create from existing key

```bash
openssl req -new -key privateKey.key -out my.csr
```

This can of course be an RSA key or one based on an elliptic curve. Available curves can be listed using

```bash
openssl ecparam -list_curves
```

Afterwards you choose one of the curves and create a private key like so:

```bash
openssl ecparam -name secp521r1 -genkey -noout \
  -out privateKey.key
```

### Display

```bash
openssl req -in my.csr -noout -text
```

## HTTPS {.cols-2}

### Dump certificates PEM encoded

```bash
openssl s_client -showcerts -connect www.example.com:443
```

## STARTTLS {.cols-2}

### Dump certificates PEM encoded

Connect to the plain-text port (143 for IMAP) and upgrade with STARTTLS:

```bash
openssl s_client -showcerts -starttls imap \
  -connect mail.domain.com:143
```

## S/MIME verification {.cols-2}

### Possible outcomes

Message was tampered with (return code 4):

```text
Verification failure
140485684135232:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:../crypto/cms/cms_sd.c:847:
140485684135232:error:2E09D06D:CMS routines:CMS_verify:content verify error:../crypto/cms/cms_smime.c:393:
```

Message signature not trusted (return code 4):

```text
Verification failure
140146111432000:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:252:Verify error:unable to get local issuer certificate
```

Message not signed (return code 2):

```text
Error reading S/MIME message
140701208487232:error:0D0D40CD:asn1 encoding routines:SMIME_read_ASN1:invalid mime type:../crypto/asn1/asn_mime.c:469:type: multipart/alternative
```

Validation successful (return code 0):

```text
Verification successful
```

### Verify the validity of an email message

```bash
openssl cms -verify -in some_email_message.eml
```

### Verify the validity of an email message explicitly specifying trust

```bash
openssl cms -verify -in some_email_message.eml \
  -CAfile trust_anchor.crt
```

### Signed and encrypted messages need to be decrypted first

Note: the PKCS#12 file holding the digital identity must be PEM encoded (see "Convert to PEM" above).

```bash
openssl cms -decrypt -out decrypted_email_message \
  -inkey digitalIdentity.pem -in some_encrypted_email_message
```
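The following script is an added example, not part of the cheat sheet, covering both the S/Mime sign and verify commands and the list of verification outcomes above: it signs a constructed message with `openssl cms`, then runs the verifications that produce return code 0 (intact), 4 (tampered body, and separately an untrusted signer) and 2 (a file that is not an S/MIME message at all). It assumes `openssl` and a POSIX shell; the identities, the message text and the function names (`sign_message`, `verify_status`, `tamper`, `demo_smime`) are my own constructions.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): sign a message with `openssl cms` and
# exercise the verification outcomes: 0 intact, 4 tampered or untrusted, 2 not S/MIME.
# All keys, certificates and the message are constructed in a temp directory.
set -eu

# Sign message $1 with private key $2 and certificate $3 into clear-signed S/MIME file $4.
sign_message() {
  openssl cms -sign -in "$1" -text -signer "$3" -inkey "$2" -out "$4"
}

# Verify S/MIME file $1 with trust anchor $2; print the openssl exit status instead of failing.
verify_status() {
  rc=0
  openssl cms -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

# Alter the clear-text body of signed file $1, writing $2. The detached signature still
# covers the original text, so verification of the copy must fail.
tamper() {
  sed 's/EUR 100/EUR 900/' "$1" > "$2"
}

demo_smime() {
  d=$(mktemp -d)
  # Constructed identities: the signer and an unrelated self-signed certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -batch -days 1 -subj "/CN=Added Example Signer" \
    -keyout "$d/id.key" -out "$d/id.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -batch -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
  # Constructed message body.
  printf 'Please transfer EUR 100 to the usual account.\n' > "$d/msg.txt"
  sign_message "$d/msg.txt" "$d/id.key" "$d/id.crt" "$d/msg.p7s"
  tamper "$d/msg.p7s" "$d/msg_tampered.p7s"
  intact=$(verify_status "$d/msg.p7s" "$d/id.crt")
  tampered=$(verify_status "$d/msg_tampered.p7s" "$d/id.crt")
  untrusted=$(verify_status "$d/msg.p7s" "$d/other.crt")
  unsigned=$(verify_status "$d/msg.txt" "$d/id.crt")
  rm -rf "$d"
  echo "$intact $tampered $untrusted $unsigned"   # expected: "0 4 4 2"
}

if command -v openssl >/dev/null 2>&1; then demo_smime; fi
```

Because `openssl cms -verify` returns 4 for both a tampered body and an untrusted signer, a script that only checks the exit status cannot tell the two apart; keep the stderr text (or use `-verify_retcode`) when the distinction matters for triage.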

## Raw {.cols-2}

### See the raw structure of an ASN.1 file

The content has to be DER encoded: PEM input is base64-decoded first (the default `-inform PEM`), raw DER files need `-inform DER`.

```bash
openssl asn1parse -in mysterious_file.pem
```

### With a bit more detail

```bash
openssl asn1parse -dump -strictpem -in mysterious_file.pem
```

## Some resources with useful OpenSSL commands
