Pascal Maugeri

OpenSSL cookbook - certificates manipulations

Blog Post created by Pascal Maugeri Employee on Jul 23, 2015

This post describes several HOWTOs I find useful for working efficiently with OpenSSL when assessing certificates, CSRs or associated CAs.

 

How to output readable data from a CRT .pem file?

$ openssl x509 -in [file.pem] -text -noout


How to output readable data from a CSR .pem file?

$ openssl req -in [file.pem] -text -noout

How to convert a binary (DER) certificate to .pem format?

$ openssl x509 -inform DER -in sd.crt -out sd.pem


How to get the chain of certificates?

$ echo | openssl s_client -showcerts -connect "<hostname>":"443" 2>/dev/null


How to get the SHA1 fingerprint of a certificate?

$ echo | openssl s_client -connect <hostname>:443 2>/dev/null | openssl x509 -noout -fingerprint | sed 's/://g' | awk '{print tolower($0)}'





How to get the SHA1 fingerprint from a pem file?

$ openssl x509 -in ca.pem -noout -fingerprint | sed 's/://g'


How to get the CA of a given certificate out of a .pem file?

1/ Show the certificate in readable format:


$ openssl x509 -in cert.pem -text -noout


2/ Locate the “CA Issuers” URI:


[...]
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            Authority Information Access:
                OCSP - URI:http://sd.symcd.com
                CA Issuers - URI:http://sd.symcb.com/sd.crt

    Signature Algorithm: sha1WithRSAEncryption
        1a:7e:2d:6d:9f:89:16:bb:aa:cc:e9:e3:7f:48:39:91:a9:6d:
        7a:91:d2:da:66:aa:87:d7:c3:32:92:d0:ba:2b:fa:f7:19:c4:
        ec:e3:18:26:1d:d4:b1:08:19:8b:f2:58:09:da:46:38:4e:01:
        3b:19:49:f3:5c:db:bf:27:d6:71:8a:d4:ba:d3:ed:c6:c6:ab:
        38:ac:93:3d:86:f9:40:b4:ba:11:5d:d3:ef:43:21:e2:66:ce:
        ed:90:ab:2e:d6:52:df:ce:ed:71:51:e2:8f:ea:cf:81:ce:a6:
        f1:01:ea:a4:92:0e:59:3c:0e:f [...]


3/ Get the CA certificate:

$ curl -s -S http://sd.symcb.com/sd.crt -o sd.crt

4/ Convert it to .pem format:

$ openssl x509 -inform DER -in sd.crt -out sd.pem

5/ Show the CA certificate:

$ openssl x509 -in sd.pem -text -noout
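
Steps 1/ to 5/ as one script, added here as an example (it is not part of the original post). The function names `ca_issuers_uri` and `fetch_issuer` are made up for this sketch. Because the CA Issuers download is plain HTTP, it also checks with `openssl verify -partial_chain` that the fetched certificate really signed the certificate you started from.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Steps 1-2: read `openssl x509 -text` output on stdin and print the first
# "CA Issuers" URI of the Authority Information Access extension.
ca_issuers_uri() {
    sed -n 's/^[[:space:]]*CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# Steps 3-5 plus a signature check.
# Usage: fetch_issuer cert.pem issuer.pem
fetch_issuer() {
    cert=$1
    out=$2
    uri=$(openssl x509 -in "$cert" -noout -text | ca_issuers_uri)
    [ -n "$uri" ] || { echo "no CA Issuers URI in $cert" >&2; return 1; }

    tmp=$(mktemp) || return 1
    # -f makes curl fail on HTTP errors instead of saving an error page
    curl -s -S -f "$uri" -o "$tmp" || { rm -f "$tmp"; return 1; }

    # The URI usually serves DER; fall back to PEM if DER parsing fails
    openssl x509 -inform DER -in "$tmp" -out "$out" 2>/dev/null ||
        openssl x509 -inform PEM -in "$tmp" -out "$out" ||
        { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # The file came over unauthenticated HTTP: accept it only if its key
    # actually signed $cert. -partial_chain lets an intermediate CA act as
    # the anchor for this one check; it does not make that CA trusted.
    openssl verify -partial_chain -CAfile "$out" "$cert" || return 1
    openssl x509 -in "$out" -noout -subject -issuer
}

# Sample input for ca_issuers_uri, copied from the output excerpt in step 2/
SAMPLE='            Authority Information Access:
                OCSP - URI:http://sd.symcd.com
                CA Issuers - URI:http://sd.symcb.com/sd.crt'
```

Calling `fetch_issuer` again on the file it produced walks one step further up the chain; a root certificate normally has no CA Issuers URI, so the function stops there with an error.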


