OpenSSL
File format
PEM (Privacy-Enhanced Mail)
Use to store
- X509 certificate (
.crt
.pem
) - Public / private key (
.key
.pem
) - Certificate signing request (
.csr
.pem
)
PKCS #12 (.p12
)
Bundle X509 full chain certificate, private key
Convert .pem
to .p12
openssl pkcs12 -export
-in <cert.{crt|pem}>
[-certfile <ca.crt>]
-inkey <private-key.pem>
-out <file.p12>
[-passout "pass:<password>"]
[-name "<name>"]
Certificate signature
Certificate content
- Owner DN
- Owner public key
- CA DN
- Certificate extensions
- CA signature (Append after signed)
// Pseudo code
// Content exclude signature
CASignature = encrypt(hash(Content), CAPrivateKey)
Verify signature
// Pseudo code
// Content exclude signature
decrypt(CASignature, CAPublicKey) == hash(Content)
Option
Option | Description |
---|---|
-noout | Prevents output encoded data |
-text | Print the data in text form |
-modulus | Print the modulus of public key |
Version
openssl version
Test SSL/TLS connection
Protocol | Port |
---|---|
HTTPS | 443 |
IMAPS | 993 |
IMAP STARTTLS | 143 |
POP3S | 995 |
SMTPS | 465 |
SMTP STARTTLS | 587 |
Option | Description |
---|---|
-showcerts | Show full chain certificate |
openssl s_client [-showcerts] -connect <host>:<port>
Show SSL certificate
openssl s_client -connect <host>:<port> | openssl x509 [-noout] [-text]
Test SMTP / IMAP StartTLS
openssl s_client -starttls { smtp | imap | pop3 } -showcerts -connect <host>:<port> -servername <domain>
Env
OPENSSL_CONF=<openssl.cnf>
Same as
openssl ... -config <openssl.cnf>
Show version
openssl version