How To: Create Self-Signed Certificate – OpenSSL

What is a self-signed SSL certificate? A self-signed certificate is a certificate that is signed with its own private key rather than by a trusted certificate authority (CA).

Nevertheless, a self-signed certificate provides the same level of encryption as a $100500 certificate signed by a trusted authority; what it lacks is a third party vouching for the name in it, so clients will not trust it unless it is explicitly installed on them.

In this article I will show how to create a self-signed certificate that can be used for non-production or internal applications.

OpenSSL: Check If Private Key Matches SSL Certificate & CSR

When you are dealing with lots of different SSL certificates, it is quite easy to forget which certificate goes with which private key.

Or, for example, which CSR was generated from which private key.

From the Linux command line, you can easily check whether an SSL certificate or a CSR matches a private key using the OpenSSL utility.

To make sure that the files belong together, print and compare the modulus of the SSL certificate, the modulus of the private key and the modulus of the CSR: all three are identical when they were produced from the same RSA key pair.
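As an added example (not code from the original posts), the script below creates a self-signed certificate and a CSR from one key plus an unrelated second key, then compares the RSA modulus of each pair. The comparison deliberately refuses to treat two empty results as a match, since a file that could not be read would otherwise "match" anything. File names, the subject and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original posts): create a self-signed certificate
# for internal use, then check which private key belongs to which certificate
# or CSR by comparing the RSA modulus. File names and subjects are constructed
# for this demo.
set -eu

# Print the "Modulus=..." line of a key, certificate or CSR. All three carry
# the same modulus when they were produced from the same RSA key pair.
modulus_of() {  # $1 = key|cert|csr, $2 = file
  case "$1" in
    key)  openssl rsa  -noout -modulus -in "$2" ;;
    cert) openssl x509 -noout -modulus -in "$2" ;;
    csr)  openssl req  -noout -modulus -in "$2" ;;
    *)    echo "modulus_of: unknown object type '$1'" >&2; return 2 ;;
  esac
}

# 0 when both objects share a modulus, 1 when they do not, 2 when one of them
# could not be read (an empty modulus must never count as a match).
same_keypair() {  # $1 $2 = type and file of the first object, $3 $4 = second
  m1=$(modulus_of "$1" "$2") || return 2
  m2=$(modulus_of "$3" "$4") || return 2
  [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

# Key and self-signed certificate in one command (no CA involved). -nodes
# leaves the key unencrypted, which a service that must start unattended
# needs; protect the file with permissions instead.
make_selfsigned() {  # $1 = key out, $2 = cert out, $3 = CN, $4 = days
  openssl req -x509 -nodes -newkey rsa:2048 -days "$4" \
    -keyout "$1" -out "$2" -subj "/C=GB/L=London/O=Example Lab/CN=$3" 2>/dev/null
  chmod 600 "$1"
}

demo() {
  work=$(mktemp -d)
  make_selfsigned "$work/a.key" "$work/a.crt" internal.example.test 365
  openssl req -new -key "$work/a.key" -out "$work/a.csr" -subj "/CN=internal.example.test"
  # A second, unrelated key pair, so the check is also seen to fail.
  openssl genrsa -out "$work/b.key" 2048 2>/dev/null

  for pair in "key a.key cert a.crt" "key a.key csr a.csr" "key b.key cert a.crt"; do
    set -- $pair
    if same_keypair "$1" "$work/$2" "$3" "$work/$4"; then
      echo "$2 and $4: same key pair"
    else
      echo "$2 and $4: DIFFERENT key pair"
    fi
  done
  rm -rf "$work"
}

demo
```

Comparing the raw `Modulus=` lines is enough; piping them through `openssl md5` as many guides do only shortens what you read on screen and adds nothing to the check.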

HowTo: Create CSR using OpenSSL Without Prompt (Non-Interactive)

In this article you’ll find how to generate a CSR (Certificate Signing Request) using OpenSSL from the Linux command line, without being prompted for the values that go into the certificate’s subject field.

Below you’ll find two examples of creating a CSR using OpenSSL.

In the first example, I’ll show how to create both the CSR and a new private key in one command.

In the second example, you’ll find how to generate a CSR from an existing key (if you already have the private key and want to keep it).

Both examples create the CSR non-interactively (without being prompted for the subject), so you can use them in shell scripts.

Create CSR and Key Without Prompt using OpenSSL

Use the following command to create a new 2048-bit private key (example.key) and generate the CSR (example.csr) from it:

$ openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

Option       Description
openssl req  certificate request generating utility
-nodes       if a private key is created it will not be encrypted
-newkey      creates a new certificate request and a new private key
rsa:2048     generates an RSA key 2048 bits in size
-keyout      the filename to write the newly created private key to
-out         specifies the output filename
-subj        sets the certificate subject

Generate CSR From the Existing Key using OpenSSL

Use the following command to generate the CSR example.csr from the existing private key example.key:

$ openssl req -new -key example.key -out example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

Option       Description
openssl req  certificate request generating utility
-new         generates a new certificate request
-key         specifies the file to read the private key from
-out         specifies the output filename
-subj        sets the certificate subject

Automated Non-Interactive CSR Generation

The trick to generating a CSR without being prompted for the values that go into the certificate’s subject field is the -subj option. The OpenSSL manual describes it as follows:

-subj arg
    Replaces the subject field of the input request with the specified data and outputs the modified request. The arg must be formatted as /type0=value0/type1=value1/type2=…; characters may be escaped by \ (backslash), and no spaces are skipped.

The subject fields used in the CSR are listed below:

Field   Meaning              Example
/C=     Country              GB
/ST=    State                London
/L=     Locality             London
/O=     Organization         Global Security
/OU=    Organizational Unit  IT Department
/CN=    Common Name          example.com

You have now created a PEM-encoded file containing the certificate signing request.

Next, decode the CSR to verify that it contains the correct information before sending it to the CA.

OpenSSL: Check SSL Certificate Expiration Date and More

From this article you will learn how to connect to a website over HTTPS and check its SSL certificate expiration date from the Linux command line.

Besides the validity dates, I’ll show how to see who issued an SSL certificate, to whom it was issued, its SHA1 fingerprint and other useful information.

Linux users can check an SSL certificate from the command line with the openssl utility, which can connect to a remote website over HTTPS, decode the SSL certificate it presents and retrieve all the required data.

OpenSSL: Find Out SSL Key Length – Linux Command Line

From the following article you’ll learn how to find out the key length of an SSL certificate from the Linux command line, using the OpenSSL utility.

The key size can be retrieved from several sources.

We can read the key length from the private key file, from the SSL certificate file, or we can determine it directly from the HTTPS website.

Use the following OpenSSL commands from the Linux command line to get the key length:

Determine a Key Size from a Private Key

Linux command that retrieves a key size from a file with the private key (secret.key):

$ openssl rsa -in secret.key -text -noout | grep "Private-Key"
Private-Key: (2048 bit)

Find Out a Key Length from an SSL Certificate

Find out the key size from a certificate file (certificate.crt), using OpenSSL:

$ openssl x509 -in certificate.crt -text -noout | grep "Public-Key"
RSA Public-Key: (2048 bit)

Determine a Key Length from an HTTPS Site

Find out the key size from an HTTPS website, let’s say google.com:

$ echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
Public-Key: (2048 bit)
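The label in front of the size is not stable across OpenSSL releases: old builds print "Private-Key: (2048 bit)" and "Public-Key: (2048 bit)" as shown above, 1.1.x prints "RSA Public-Key: (2048 bit)" and 3.x adds ", 2 primes" after the private key size, so a grep on the label alone breaks sooner or later. The added example below (not code from the original post) matches the parenthesised bit count instead, reads EC keys as well as RSA keys by using openssl pkey, and turns the result into a minimum-size policy check. File names and the host argument are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): read the key length out of a
# private key, a certificate, a CSR, or a live HTTPS endpoint. The label in
# front of the size varies between OpenSSL releases ("Private-Key:",
# "RSA Public-Key:", "Public-Key:", and 3.x appends ", 2 primes"), so the
# functions match the parenthesised "(N bit" part instead of grepping a label.
# File names and the host used are placeholders.
set -eu

# Turn an "openssl ... -text" dump on stdin into just the bit count.
bits_from_text() {
  sed -n 's/.*(\([0-9][0-9]*\) bit[^)]*).*/\1/p' | head -n 1
}

# "openssl pkey" (rather than "openssl rsa") also reads EC and other key types.
key_bits_from_key()  { openssl pkey -in "$1" -text -noout | bits_from_text; }
key_bits_from_cert() { openssl x509 -in "$1" -text -noout | bits_from_text; }
key_bits_from_csr()  { openssl req  -in "$1" -text -noout | bits_from_text; }

# Live site: -servername sends SNI, otherwise a shared-hosting server may
# answer with a default certificate that is not the one you meant to inspect.
key_bits_from_site() {  # $1 = host, $2 = port (default 443)
  echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
    | openssl x509 -text -noout | bits_from_text
}

# Policy check: 0 if the key is at least $2 bits, 1 otherwise (an empty
# result, i.e. an unreadable file, is a failure, not a pass).
key_at_least() {  # $1 = bits found, $2 = minimum
  [ -n "$1" ] && [ "$1" -ge "$2" ]
}

demo() {
  work=$(mktemp -d)
  openssl genrsa -out "$work/rsa.key" 2048 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$work/ec.key"
  openssl req -x509 -new -key "$work/rsa.key" -days 1 -subj "/CN=demo" \
    -out "$work/rsa.crt" 2>/dev/null
  echo "rsa.key: $(key_bits_from_key "$work/rsa.key") bit"
  echo "ec.key:  $(key_bits_from_key "$work/ec.key") bit"
  echo "rsa.crt: $(key_bits_from_cert "$work/rsa.crt") bit"
  if key_at_least "$(key_bits_from_key "$work/rsa.key")" 2048; then
    echo "rsa.key meets the 2048-bit minimum"
  fi
  rm -rf "$work"
}

demo
```

Note that the same minimum does not apply across algorithms: a 256-bit EC key is fine while a 256-bit RSA key is not, so apply key_at_least with a per-algorithm threshold.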

Moving SSL Certificate from IIS to Apache

This procedure will help you move or copy an SSL certificate installed on an IIS server to an Apache server.

Step 1: Export IIS certificate into a .PFX file

  • Run mmc.exe
  • Click the ‘Console’ menu and then click ‘Add/Remove Snap-in’.
  • Click the ‘Add’ button and then choose the ‘certificates’ snap-in and click on ‘Add’.
  • Select ‘Computer Account’ then click ‘Next’.
  • Select ‘Local Computer’ and then click ‘OK’.
  • Click ‘Close’ and then click ‘OK’.
  • Expand the menu for ‘Certificates’ and click on the ‘Personal’ folder.
  • Right-click on the certificate that you want to export and select ‘All tasks’ -> ‘Export’.
  • A wizard will appear. Make sure you check the box to include the private key and continue through the wizard until you have a .PFX file.

Step 2: Extract the private key

Export the private key file from the .PFX file.

$ openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Step 3: Extract the certificate file

Export the certificate file from the .PFX file.

$ openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Step 4: Remove the passphrase

This command removes the passphrase from the private key so Apache won’t prompt you for the passphrase when it starts.

$ openssl rsa -in key.pem -out server.key

Extra Steps

Make sure that the following lines are present in your Apache virtual host configuration file and that they are correct:

SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /path/to/certificate/cert.pem
SSLCertificateKeyFile /path/to/key/server.key

Don’t forget to restart Apache at the end.
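Steps 2 to 4 as a script, added here as an example and not taken from the original post. Since no real IIS export is at hand, the script first builds a stand-in .PFX from a self-signed certificate (that part replaces step 1), then extracts the key and certificate non-interactively and checks that what comes out is what the Apache directives expect: a key that loads without a password and a certificate that belongs to it. Passwords and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the IIS -> Apache steps 2-4,
# run non-interactively. Because no real IIS export is available here, a
# stand-in .PFX is built first from a self-signed certificate; the passwords
# and file names are placeholders.
set -eu

PFX_PASS='export-password'   # the password typed into the IIS export wizard
TMP_PASS='temporary-pass'    # protects key.pem until step 4 strips it

# Stand-in for step 1: a certificate and its private key bundled as PKCS#12.
make_stand_in_pfx() {  # $1 = out.pfx
  d=$(dirname "$1")
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=www.example.test" \
    -keyout "$d/iis.key" -out "$d/iis.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/iis.crt" -inkey "$d/iis.key" \
    -out "$1" -passout "pass:$PFX_PASS"
}

# Steps 2-4: key (still encrypted), certificate, then the passphrase-free key
# Apache can load at boot. -passin/-passout replace the interactive prompts.
extract_for_apache() {  # $1 = in.pfx, $2 = output directory
  openssl pkcs12 -in "$1" -nocerts -out "$2/key.pem" \
    -passin "pass:$PFX_PASS" -passout "pass:$TMP_PASS"
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/cert.pem" -passin "pass:$PFX_PASS"
  openssl rsa -in "$2/key.pem" -passin "pass:$TMP_PASS" -out "$2/server.key" 2>/dev/null
  chmod 600 "$2/key.pem" "$2/server.key"   # an unencrypted key must not be world-readable
}

# What the Apache directives will consume: a key that loads with no password
# (stdin closed, so a prompt cannot be answered) and a certificate whose
# public key belongs to that key.
apache_inputs_ok() {  # $1 = server.key, $2 = cert.pem
  openssl rsa -in "$1" -noout -check </dev/null >/dev/null 2>&1 || return 1
  [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

demo() {
  work=$(mktemp -d)
  make_stand_in_pfx "$work/exported.pfx"
  extract_for_apache "$work/exported.pfx" "$work"
  if apache_inputs_ok "$work/server.key" "$work/cert.pem"; then
    echo "server.key and cert.pem are ready for SSLCertificateKeyFile / SSLCertificateFile"
  fi
  rm -rf "$work"
}

demo
```

Two caveats when running this against a real export: `pass:` puts the password into the process list, so on a shared host prefer `-passin file:/path` or `-passin env:VAR`; and a .PFX produced by an older Windows build may use RC2/3DES encryption that OpenSSL 3.x no longer enables by default, in which case add `-legacy` to the `openssl pkcs12 -in` commands.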

HowTo: Decode CSR

A Certificate Authority will use a CSR to create your SSL certificate.

What is a CSR? A CSR, or ‘Certificate Signing Request’, is a block of base64-encoded text that is generated on the server the certificate will be used on.

It contains information that will be included in your certificate, such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate.

Run these OpenSSL commands to decode your Certificate Signing Request and verify that it contains the correct information.

Extract information from the CSR

$ openssl req -in shellhacks.com.csr -text -noout

Verify the signature

$ openssl req -in shellhacks.com.csr -noout -verify

To whom will the certificate be issued?

$ openssl req -in shellhacks.com.csr -noout -subject

Show the public key

$ openssl req -in shellhacks.com.csr -noout -pubkey
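The following script is an added example (not code from the original posts) that ties the non-interactive CSR generation above to this decode step: both forms of `openssl req` are wrapped as functions, and a pre-flight check confirms that the CSR’s signature verifies and that its Common Name is the one intended before anything is sent to the CA. It also shows what `-verify` does with a CSR that was altered after signing. Subject values are the posts’ sample data; file and function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original posts): the two non-interactive CSR
# commands wrapped as functions, followed by the decode step, so a script can
# assert what it is about to send to the CA. Subject values are the posts'
# sample data; file names are placeholders.
set -eu

# Form 1: new 2048-bit key and CSR in one command (-nodes: key not encrypted).
new_key_and_csr() {  # $1 = key out, $2 = csr out, $3 = subject
  openssl req -nodes -newkey rsa:2048 -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
  chmod 600 "$1"
}

# Form 2: CSR from a key you already have (e.g. a renewal).
csr_from_key() {  # $1 = key, $2 = csr out, $3 = subject
  openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Common Name from the decoded subject. Handles both the "CN = x" spelling
# (OpenSSL 1.1 and later) and the older "/CN=x" form.
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# A CSR is self-signed with the requester's private key; -verify fails if the
# file was altered after signing or the embedded public key does not match.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Pre-flight before submission: signature valid and CN is the one intended.
csr_ready_for() {  # $1 = csr, $2 = expected CN
  csr_signature_ok "$1" && [ "$(csr_cn "$1")" = "$2" ]
}

demo() {
  work=$(mktemp -d)
  subj="/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
  new_key_and_csr "$work/example.key" "$work/example.csr" "$subj"
  csr_from_key "$work/example.key" "$work/renewal.csr" "$subj"
  openssl req -in "$work/example.csr" -noout -subject -pubkey
  csr_ready_for "$work/renewal.csr" example.com && echo "renewal.csr: ready for the CA"
  # A CSR altered in transit: the first character of the base64 body changed.
  sed -e '2s/^Q/R/' -e 't' -e '2s/^./Q/' "$work/example.csr" >"$work/tampered.csr"
  csr_ready_for "$work/tampered.csr" example.com || echo "tampered.csr: rejected"
  rm -rf "$work"
}

demo
```

The CN check matters more than it looks: a CA issues exactly what the subject asks for, and a typo in the `-subj` string in a script produces a perfectly valid certificate for the wrong name.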

HowTo: Decode SSL Certificate

What is an SSL certificate? An SSL certificate secures your website by enabling encrypted communication between the server and the person visiting the website.

It contains information about your organization and the Certificate Authority that issued it. It also contains the public key.

Run these OpenSSL commands to decode your SSL certificate and verify that it contains the correct information.

Extract information from the SSL Certificate

$ openssl x509 -in shellhacks.com.crt -text

Who issued the cert?

$ openssl x509 -in shellhacks.com.crt -noout -issuer

To whom was it issued?

$ openssl x509 -in shellhacks.com.crt -noout -subject

For what dates is it valid?

$ openssl x509 -in shellhacks.com.crt -noout -dates

The above, all at once

$ openssl x509 -in shellhacks.com.crt -issuer -noout -subject -dates

What is its hash value?

$ openssl x509 -in shellhacks.com.crt -noout -hash

What is its MD5 fingerprint? (Without a digest option, -fingerprint prints the SHA1 fingerprint on current OpenSSL builds, so the digest is named explicitly.)

$ openssl x509 -in shellhacks.com.crt -noout -fingerprint -md5
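The decode commands above, and the expiration check from the "Check SSL Certificate Expiration Date" post, as an added example that is not part of the original posts. The functions use `-nameopt RFC2253` so that subject and issuer come out in one stable spelling regardless of OpenSSL version, ask for a SHA-256 fingerprint explicitly, and build an expiry check on `openssl x509 -checkend` that a monitoring job can act on through its exit code. The certificate is self-signed and created inside the script; names and validity period are constructed for the demo, and fetch_site_cert is the only function that needs network access.

```shell
#!/bin/sh
# Added example (not from the original posts): the decode commands as
# functions, plus an expiry check built on "openssl x509 -checkend" that a
# monitoring job can act on. The certificate is self-signed and created here;
# names and the validity period are constructed for the demo.
set -eu

# -nameopt RFC2253 gives one stable "CN=...,O=..." spelling across OpenSSL
# versions, which matters when a script compares the result to an expected value.
cert_issuer()    { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
cert_subject()   { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Ask for SHA-256 explicitly: a bare -fingerprint gives SHA-1 on current
# builds, and an MD5 or SHA-1 fingerprint is not a safe identity check.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# 0 if the certificate is still valid $2 seconds from now, 1 if it will have
# expired by then (the exit code of -checkend), so 'cert_valid_for c 1209600'
# asks "does it survive the next two weeks".
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# A self-signed certificate is one whose issuer is its own subject.
cert_is_self_signed() { [ "$(cert_issuer "$1")" = "$(cert_subject "$1")" ]; }

# Same checks against a live server: fetch the leaf certificate (with SNI).
fetch_site_cert() {  # $1 = host, $2 = out.pem
  echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
    | openssl x509 -out "$2"
}

demo() {
  work=$(mktemp -d)
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -subj "/C=GB/O=Example Lab/CN=monitor.example.test" \
    -keyout "$work/m.key" -out "$work/m.crt" 2>/dev/null
  echo "issuer:    $(cert_issuer "$work/m.crt")"
  echo "subject:   $(cert_subject "$work/m.crt")"
  echo "not after: $(cert_not_after "$work/m.crt")"
  echo "sha256:    $(cert_fingerprint "$work/m.crt")"
  cert_is_self_signed "$work/m.crt" && echo "self-signed: yes"
  cert_valid_for "$work/m.crt" 604800 && echo "valid for at least another week"
  cert_valid_for "$work/m.crt" 5184000 || echo "expires within 60 days: renew"
  rm -rf "$work"
}

demo
```

For a remote host, call fetch_site_cert first and then run the same functions on the saved file; because cert_valid_for reports through its exit code, a cron line such as `cert_valid_for site.pem 1209600 || mail -s "renew site" ops@example.test </dev/null` (placeholder addresses) is all the alerting needs.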

Creating Certificate Signing Request — CSR Generation

A Certificate Authority will use a CSR to create your SSL certificate.

What is a CSR? A CSR, or ‘Certificate Signing Request’, is a block of base64-encoded text that is generated on the server the certificate will be used on.

It contains information that will be included in your certificate, such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate.

Run these OpenSSL commands to generate your Certificate Signing Request.

Step 1: Generate a Private Key

$ openssl genrsa -out shellhacks.com.key 2048

If you just need to renew an existing certificate and already have the private key, you can skip this step and reuse that key instead of generating a new one.

The number 2048 is the size of the key, in bits. Today, 2048 bits or more is recommended for RSA keys, as smaller keys are considered insecure or are expected to become insecure soon.

Step 2: Generate the CSR

$ openssl req -new -key shellhacks.com.key -out shellhacks.com.csr

The fields required in a Certificate Signing Request are listed below with explanations and examples:

Common Name
    The fully qualified domain name (FQDN) for your web server. This must be an exact match. If you intend to secure the URL https://www.shellhacks.com/, then your CSR’s common name must be www.shellhacks.com.
    Example: www.shellhacks.com

Organisation
    The exact legal name of your organisation. Do not abbreviate your organisation name.
    Example: ShellHacks Ltd.

Organisational Unit
    Section of the organisation; can be left empty if this does not apply to your case.
    Example: Development department

City/Locality
    The city where your organisation is legally located.
    Example: Balham

State/County/Region
    The state/county/region where your organisation is legally located. Must not be abbreviated.
    Example: London

Country
    The two-letter ISO abbreviation for your country.
    Example: GB

Email address
    The email address used to contact your organisation.
    Example: info@shellhacks.com