Category archive: SSL

Validating OpenSSL certificates / keys

To check whether a key and a certificate belong together, simply compare the contents of the certificate and the key:

openssl x509 -in file.pem -noout -text

openssl rsa -in file.key -noout -text

Both outputs contain a "Modulus" section. If it is identical, the certificate and the key match; otherwise they do not.

Example:

Cert1

openssl genrsa -out test1.key 2048
openssl req -x509 -new -nodes -key test1.key -sha256 -days 365 -out test1.pem

Cert2

openssl genrsa -out test2.key 2048
openssl req -x509 -new -nodes -key test2.key -sha256 -days 365 -out test2.pem

Comparison:

If you now compare the Modulus section of Key1 and Cert1:

openssl x509 -in test1.pem -noout -text
openssl rsa -in test1.key -noout -text

they should match; the same applies to Key2 and Cert2.

Key1 and Cert2, and likewise Key2 and Cert1, should however show different Modulus sections:

openssl x509 -in test1.pem -noout -text
openssl rsa -in test2.key -noout -text
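A scripted version of this check, added here as an example and not part of the original post: instead of eyeballing the Modulus section it compares the SHA-256 fingerprint of the public key derived from the private key with the one embedded in the certificate, which also covers EC keys that have no modulus at all. It assumes `openssl` is on the PATH and that the private key is unencrypted (an encrypted key would prompt for its passphrase).

```sh
#!/bin/sh
# Added example, not from the original post: does a private key belong to a certificate?
# Compare the public key (SubjectPublicKeyInfo) that OpenSSL derives from the private key
# with the one embedded in the certificate. Works for RSA and EC keys. Assumes openssl is installed.

# pubkey_fingerprint FILE
# Prints the SHA-256 of the PEM public key contained in FILE (a certificate or a private key).
# Returns non-zero if FILE is neither, so an unreadable file can never silently "match".
pubkey_fingerprint() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
          || openssl pkey -in "$1" -pubout 2>/dev/null \
          || true)
    [ -n "$pem" ] || return 1
    # "openssl dgst -r" prints "<hex digest> *stdin"; keep only the digest
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_matches_cert KEYFILE CERTFILE
# Exit status 0 if both public keys are identical, 1 if they differ, 2 if a file is unreadable.
key_matches_cert() {
    key_fp=$(pubkey_fingerprint "$1") || { echo "cannot read key or certificate: $1" >&2; return 2; }
    cert_fp=$(pubkey_fingerprint "$2") || { echo "cannot read key or certificate: $2" >&2; return 2; }
    echo "$1: $key_fp"
    echo "$2: $cert_fp"
    if [ "$key_fp" = "$cert_fp" ]; then
        echo "MATCH"
    else
        echo "MISMATCH"
        return 1
    fi
}

# Usage as a script: ./keymatch.sh test1.key test1.pem
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2"
fi
```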

Self Cert Cheatsheet

CA

1. Generate CA Key and Certificate

Generate RSA Key

openssl genrsa -des3 -out myCA.key 4096

Generate CA Certificate

openssl req -x509 -new -nodes -key myCA.key -sha512 -days 3650 -out myCA.pem

2. Generate CSR File for your website

Generate a CSR, here in the example for domain.example.com

Generate RSA Key

openssl genrsa -out domain.example.com.key 4096

Generate CSR

openssl req -new -key domain.example.com.key -out domain.example.com.csr

Answer some Questions

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :DE
State or Province Name (full name) :Saarland
Locality Name (eg, city) :Homburg
Organization Name (eg, company) :Homelab
Organizational Unit Name (eg, section) : Homelab Chris
Common Name (e.g. server FQDN or YOUR name) []:domain.example.com
Email Address :

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :

3. Create SSL Certificate with CSR File and CA File

You will also need a plaintext .ext file for additional information (DNS settings etc.).

Create .ext File

File Named domain.example.com.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = domain.example.com

Create the Certificate

openssl x509 -req -in domain.example.com.csr -CA myCA.pem -CAkey myCA.key \
  -CAcreateserial -out domain.example.com.crt -days 3650 -sha512 -extfile domain.example.com.ext

The two files domain.example.com.crt (certificate) and domain.example.com.key (key) can now be used for SSL/TLS encryption with HTTPS.