fullstack

OpenSSL

This is a reference of commands to use to interact with electronic certificates

#Private Key

openssl rsa -check -text -in privateKey.key

openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl sha1
openssl rsa -noout -modulus -in privateKey.key | openssl sha256
openssl rsa -noout -modulus -in privateKey.key | openssl sha512

#Change password

openssl rsa -aes256 -in privateKey.key -out newPrivateKey.key

#List available elliptic curves

openssl ecparam -list_curves

#Create elliptic curve private key with a specific curve

openssl ecparam -name secp521r1 -genkey -noout -out privateKey.key

#Certificate

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl sha1
openssl x509 -noout -modulus -in certificate.crt | openssl sha256
openssl x509 -noout -modulus -in certificate.crt | openssl sha512

Or, alternatively:

openssl x509 -noout -fingerprint -in certificate.crt
openssl x509 -noout -fingerprint -sha256 -in certificate.crt

#Print out the content of the certificates

openssl x509 -in certificate.crt -noout -text|more

openssl x509 -noout -subject certificate.crt
openssl x509 -noout -issuer certificate.crt
openssl x509 -noout -dates certificate.crt

#Inspect server certificates

echo | openssl s_client -servername www.openssl.org -connect \
www.openssl.org:443 2>/dev/null | openssl x509 -noout -text|more
echo | openssl s_client -servername imap.arcor.de -connect \
imap.arcor.de:993 2>/dev/null | openssl x509 -noout -text|more

#Verify certificates

OK

openssl verify -verbose -x509_strict -CAfile \
issuer.crt Test\ Haeschen\ 1.crt

Result:

Test Haeschen 1.crt: OK

Corrupted (for example)

openssl verify -verbose -x509_strict -CAfile \
issuer.crt Test\ Haeschen\ 1_corrupted.crt

Result:

C = DE, ST = Thueringen, L = Rudolstadt, O = Damaschkestr. 11, OU = Arbeitszimmer, CN = Test Haeschen 1
error 7 at 0 depth lookup: certificate signature failure
error Test Haeschen 1_corrupted.crt: verification failed
40270500477F0000:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:75:
40270500477F0000:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:598:
40270500477F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:774:
40270500477F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:217:

#S/Mime

#create signature

openssl smime -sign -in msg.txt -text -out msg.p7s \
-signer certificate.crt -inkey privateKey.key

#Verify signature

openssl smime -verify -in msg.p7s -CAfile chain.pem

#CRL

openssl crl -inform DER -noout -text  -in crl/cacrl.der
openssl crl -inform PEM -noout -text  -in crl/cacrl.pem

#PKCS#12

#Display contents

openssl pkcs12 -info -in  digitalIdentity.p12

#Create from certificate and private key

openssl pkcs12 -export -in certificate.cert \
-inkey privateKey.key -out digitalIdentity.p12

#Extract private key

openssl pkcs12 -in digitalIdentity.p12 -out privateKey.key

#Convert to PEM

openssl pkcs12 -in digitalIdentity.p12 -out digitalIdentity.pem

#TSA

#Display query

openssl ts -query -in query.tsq -text

#Display reply

openssl ts -reply -in reply.tsr -text

#Verify reply

openssl ts -verify -in reply.tsr -data data.dat -CAfile chain.pem

#Extract token from reply

openssl ts -reply -in reply.tsr -token_out -out token.tk

#Extract certificates from token

openssl pkcs7 -inform DER -in token.tk -print_certs -noout -text

#CSR

#Create from existing key

openssl req -new -key privateKey.key -out my.csr

This can of course be a RSA key or one based on an elliptic curve. Available curves can be listed using

openssl ecparam -list_curves

Afterwards you chose one of the curves and create a private key like so:

openssl ecparam -name secp521r1 -genkey -noout \
-out privateKey.key

#Display

openssl req -in my.csr -noout -text

#HTTPS

#Dump Certificates PEM encoded

openssl s_client -showcerts -connect www.example.com:443

#STARTTLS

#Dump Certificates PEM encoded

openssl s_client -showcerts -starttls imap \
-connect mail.domain.com:139

#S/MIME verification

#Possible outcomes

Message was tampered with (return code 4):

Verification failure
140485684135232:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:../crypto/cms/cms_sd.c:847:
140485684135232:error:2E09D06D:CMS routines:CMS_verify:content verify error:../crypto/cms/cms_smime.c:393:

Message signature not trusted (return code 4):

Verification failure
140146111432000:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:252:Verify error:unable to get local issuer certificate

Message not signed (return code 2):

Error reading S/MIME message
140701208487232:error:0D0D40CD:asn1 encoding routines:SMIME_read_ASN1:invalid mime type:../crypto/asn1/asn_mime.c:469:type: multipart/alternative

Validation successful (return code 0):

Verification successful

#Verify the validity of an email message

openssl cms -verify -in some_email_message.eml

#Verify the validity of an email message explicitly specifying trust

openssl cms -verify -in some_email_message \
-CAfile trust_anchor-crt

#Signed and encrypted messages need to be decrypted first:

Note: the P12 file holding the digital identity must be pem-encoded! (see above)

openssl cms -decrypt -out decrypted_email_message \
-inkey p12.pem -in some_encrypted_email_message

#Raw

#See the raw structure of an ASN.1 file (only for DER encoded files)

openssl asn1parse -in mysterious_file.pem

#With a bit more detail

openssl asn1parse -dump -strictpem -in mysterious_file.pem

#Some resources with useful OpenSSL commands