90
votes
How to extract the Root CA and Subordinate CA from a certificate chain in Linux?
tl;dr - one liner bash magic to dump all certs in the chain
openssl s_client -showcerts -verify 5 -connect wikipedia.org:443 < /dev/null |
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN ...
89
votes
Accepted
How to export CA certificate chain from PFX in PEM format without bag attributes
The solution I finally came to was to pipe it through sed.
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>
...
88
votes
Accepted
Using `openssl` to display all certificates of a PEM file
The openssl command (specifically, its openssl x509 subcommand, among others) is polite with its data stream: once it reads data, it doesn't read more than it needs.
This allows chaining multiple ...
31
votes
Accepted
How to grep for unicode � in a bash script
grep is the wrong tool for the job.
You see the � U+FFFD REPLACEMENT CHARACTER not because it’s literally in the file content, but because you looked at a binary file with a tool that is supposed to ...
30
votes
Accepted
OpenSSL 1.1.1b warning: Using -iter or -pbkdf2 would be better while decrypting a file encrypted using OpenSSL 1.1.0g
Comparing the Synopsis of the two main and recent versions of OpenSSL, let me quote the man pages.
OpenSSL 1.1.0
openssl enc -ciphername [-help] [-ciphers] [-in filename] [-out filename] [-pass arg] [...
28
votes
Accepted
How to extract serial from SSL certificate
Try:
openssl x509 -noout -serial -in cert.pem | cut -d'=' -f2 | sed 's/../&:/g;s/:$//'
openssl x509 -noout -serial -in cert.pem will output the serial number of the certificate, but in the format ...
27
votes
How to export CA certificate chain from PFX in PEM format without bag attributes
Another solution without sed:
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | openssl pkcs8 -nocrypt -out <clientcert.key>
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | ...
24
votes
Using `openssl` to display all certificates of a PEM file
Seems like PEM format is not handled very well with more than one certificate. Based on this answer:
openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -text -noout
it first ...
21
votes
Why am I getting 400 Bad Request?
Make sure you do not have illegal characters in your virtual hosts' ServerName.
I ran into this issue while migrating "sub_domain.test.com" from Apache 2.2 to 2.4.
The underscore in "sub_domain" ...
21
votes
Accepted
Why is the output of "openssl passwd" different each time?
> openssl passwd -1 "a"
$1$OKgLCmVl$d02jECa4DXn/oXX0R.MoQ/
This is the extended Unix-style crypt(3) password hash syntax, specifically the MD5 version of it.
The first $1$ identifies the hash type,...
16
votes
Generating duplicate certificates with OpenSSL CA
In the same folder as your database (the index.txt file) create a file index.txt.attr and add the following:
unique_subject = no
If you're unsure where your database file is located, check the ...
12
votes
openssl generating SHA-256
-hmac takes the key as an argument (see manual), so your command asks for an HMAC using the key -hex. hexkey:... is taken as a filename, since it doesn't start with a dash, and openssl doesn't take ...
12
votes
Accepted
CA certificates location in Ubuntu 18.04
Should be /etc/ssl/certs/ or /etc/ssl/certs/ca-certificates.crt.
http://manpages.ubuntu.com/manpages/bionic/man8/update-ca-certificates.8.html
Note this store is not necessarily used consistently by ...
12
votes
OpenSSL 1.1.1b warning: Using -iter or -pbkdf2 would be better while decrypting a file encrypted using OpenSSL 1.1.0g
Recently I have installed the latest version of cygwin.
"openssl" started to give a warning:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
So now I use the ...
12
votes
Accepted
grep -q with openssl not working
grep is accepting the pipe input, there is no option to reject it.
What happens here is that grep -q will close the input pipe as soon as it finds the pattern. The messages are from openssl because it ...
12
votes
Accepted
Probably a nit: "openssl x509" displays the serial number sometimes as octet string, sometimes as integer
It's just a stylistic choice in how openssl x509 -text prints serial numbers. The logic in the source code is:
If the serial number is small, then print it as a number in decimal and hexadecimal, ...
11
votes
how to make Gnu/Linux trust a certificate that's trusted by Windows out-of-the-box?
The real fix for this is to ensure that your server presents all certificates in the chain and not just the end-entity (server) certificate.
Point your server administrator to RFC 5246 Section 7.4.2 ...
11
votes
Accepted
Where are the intermediate CA certificates?
You misunderstand how certificates are used.
The ones you see are the trust-anchors. These are the root CAs which you (or your OS, or your OS's developers) trust.
When you connect to a remote ...
10
votes
How can I verify SSL certificates on the command line?
I recently used this tool https://github.com/drwetter/testssl.sh and it provides a comprehensive report related to SSL.
Example output:
Testing protocols via sockets except NPN+ALPN
SSLv2 not ...
10
votes
Debian 9 / old version of openssl
As others have mentioned, if you can use OpenSSL 1.1 instead, that would be best.
However, if you really do need OpenSSL 1.0, the answer depends on your exact requirement. If you only need the ...
9
votes
Converting SSH2 RSA Private Key to .pem using openssl
ssh-keygen -p can convert between SSH2 and PEM formats:
-m key_format
Specify a key format for key generation, the -i (import),
-e (export) conversion options, and the -p change
...
9
votes
script to check if SSL certificate is valid
If you need to check expiry date, thanks to this blog post, found a way to find this information with other relevant information with a single call:
echo | openssl s_client -servername unix....
9
votes
Accepted
OpenSSL, basic configuration, new_certs_dir, certs
As shown in the documentation
https://www.openssl.org/docs/man1.1.0/apps/ca.html
new_certs_dir is used by the CA to output newly generated certs.
certs is not used here. However, it's referenced in ...
9
votes
bad magic number on decrypt
If you encrypted with OpenSSL <=1.0.2 and you are decrypting with OpenSSL 1.1.0 then it is probably this:
https://www.openssl.org/docs/faq.html#USER3
The default hash used to generate the key ...
9
votes
Accepted
openssl 'genpkey -algorithm RSA' vs. 'genrsa'
The genpkey command can create other types of private keys - DSA, DH, EC and maybe GOST - whereas genrsa, as its name implies, only generates RSA keys. There are equivalent gendh and gendsa ...
9
votes
Accepted
OpenSSL fetches different SSL certificate than the one obtained via a browser
Why is OpenSSL fetching a different certificate?
s_client by default does not send SNI (Server Name Indication) data but a browser does. The server may choose to respond with a different certificate ...
9
votes
Accepted
Extract ssh key algorithm
You can use the following command to get the type of the key (RSA, DSA, etc.):
# ssh-keygen -l -f .ssh/id_rsa
2048 SHA256:4+Na0ttfBkspSFSYnRjwbwja8/b708lRxzqjPBzLJMw ........ (RSA)
# ssh-keygen -l -f .ssh/...
8
votes
How to encrypt a file with private key
You can encrypt with a private key and decrypt with its public key:
To encrypt
$ TEXT="proof that private key can encrypt and public key can decrypt"
$ echo "$TEXT" | openssl ...
8
votes
Apache SSL: server cert does not include ID which matches server name
In my case I resolved this by replacing, in my Apache SSL config file for each concerned domain:
ServerName mydomain.com
ServerAlias www.mydomain.com
by:
ServerName www.mydomain.com
ServerAlias ...