The OpenSSL command-line tools may seem daunting at first, but the toolbox holds many useful commands for viewing and managing X.509 certificates and private keys. This recipe shows how to use a few of them.
Set up the easy-rsa certificate environment using the first recipe from Chapter 2, Client-server IP-only Networks, by sourcing the vars file. This recipe was performed on a computer running Fedora 22 Linux, but it can just as easily be run on Windows or macOS.
For this recipe, we need to perform the following steps:
1. Go to the keys directory and view the subject and expiration date of a certificate:

$ cd /etc/openvpn/cookbook/keys
$ openssl x509 -subject -enddate -noout -in client1.crt
subject= /C=US/O=Cookbook 2.4/CN=client1
notAfter=Oct 13 17:54:30 2018 GMT

2. Convert the client certificate and its private key into a single file in PKCS12 format:

$ openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.p12
Enter Export Password:[Choose a strong password]
Verifying - Enter Export Password:[Type the password again]
$ chmod 600 client1.p12

Note that chmod 600 ensures that the PKCS12 file is readable only by its owner: it contains the private key and needs the same protection as client1.key. If the bundle is meant for OpenVPN's pkcs12 option, add -certfile ca.crt so that the CA certificate is included as well, because OpenVPN expects the CA certificate, the client certificate and the private key in one file. OpenSSL 3.0 and later encrypt PKCS12 files with AES-256-CBC and PBKDF2 by default; if an older client cannot import such a file, re-export it with the -legacy option.

3. Verify that a certificate was signed by the CA and is usable as an SSL/TLS client certificate:

$ openssl verify -purpose sslclient -CAfile ca.crt client1.crt
client1.crt: OK

4. The purpose check also tells client certificates and server certificates apart (sslclient versus sslserver). Verifying the server certificate for the sslclient purpose fails, because easy-rsa issues server certificates with extensions (nsCertType and extendedKeyUsage) that mark them as server-only:

$ openssl verify -purpose sslclient -CAfile ca.crt server.crt
server.crt: C = US, O = Cookbook 2.4, CN = openvpnserver
error 26 at 0 depth lookup:unsupported certificate purpose
OK

The trailing OK is what OpenSSL 1.0.x prints: it reports the purpose error and then carries on. OpenSSL 1.1.0 and later print "verification failed" instead and exit with a non-zero status, so only on those versions can a script rely on the exit status of openssl verify to catch a wrong purpose. Either way, the line reporting error 26 is the one that matters.

5. Change the passphrase that protects a private key. The -aes256 option selects AES-256-CBC as the cipher for the new file; -des3 is still accepted, but 3DES is obsolete and should not be used for new keys:

$ openssl rsa -in client2.key -aes256 -out newclient.key
Enter pass phrase for client2.key:[old password]
writing RSA key
Enter PEM pass phrase:[new password]
Verifying - Enter PEM pass phrase:[new password]
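The five steps above, as a scripted POSIX shell example added here (it is not code from the OpenVPN Cookbook or from easy-rsa). Instead of the cookbook's keys directory it builds a throwaway test PKI in a temporary directory with plain openssl req and x509, so it runs anywhere openssl is installed; every file name, subject name and password in it is constructed for the example. It goes a little beyond the recipe: it includes the CA in the PKCS12 bundle, checks that a private key really belongs to a certificate by comparing public-key hashes, and proves that a re-encrypted key opens only with the new passphrase.

```shell
#!/bin/sh
# Added example (not from the OpenVPN Cookbook): a scripted version of the
# recipe's checks.  It builds a throwaway test PKI with plain openssl
# (hypothetical names, no easy-rsa), so it runs anywhere openssl is installed.
set -eu

WORK=$(mktemp -d)           # constructed scratch PKI, removed on exit
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.crt"

# Issue a leaf certificate from the test CA with the given extendedKeyUsage.
issue_cert() {   # issue_cert <name> <CN> <clientAuth|serverAuth>
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\n' \
        "$3" > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/$1.key" \
        -subj "/C=US/O=Example Lab/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" -CA "$CA" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Self-signed CA plus one client and one server certificate, mirroring what
# easy-rsa produces (server cert restricted to serverAuth, client to clientAuth).
make_test_pki() {
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/ca.key" \
        -subj "/C=US/O=Example Lab/CN=example-ca" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$CA" 2>/dev/null
    issue_cert client1 client1 clientAuth
    issue_cert server openvpnserver serverAuth
}

# Step 1: subject and expiry date of a certificate.
cert_summary() { openssl x509 -subject -enddate -noout -in "$1"; }

# Steps 3 and 4: chain and purpose check.  Exit status 0 only when the
# certificate chains to the test CA and is allowed for $1 (sslclient or
# sslserver).  Needs OpenSSL 1.1.0+, where a purpose error makes verify fail.
verify_purpose() { openssl verify -purpose "$1" -CAfile "$CA" "$2" >/dev/null 2>&1; }

# Extra check: does the private key belong to the certificate?  Compare the
# SHA-256 of the public key each one carries.
key_matches_cert() {   # key_matches_cert <cert> <key>
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 2: PKCS#12 bundle with CA + certificate + key (what OpenVPN's pkcs12
# option expects), readable only by the owner.  Password passed non-interactively.
export_p12() {   # export_p12 <name> <password>
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" -certfile "$CA" \
        -passout "pass:$2" -out "$WORK/$1.p12"
    chmod 600 "$WORK/$1.p12"
}
p12_cert_count() {   # certificates inside the bundle; expect 2 (client + CA)
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}
p12_mode() { ls -l "$WORK/$1.p12" | cut -c1-10; }   # expect -rw-------

# Step 5: protect a private key with a new passphrase (AES-256), then prove
# the result opens with that passphrase and nothing else.
encrypt_key() {   # encrypt_key <in.key> <out.key> <passphrase>
    openssl rsa -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null
    chmod 600 "$2"
}
key_opens_with() {   # key_opens_with <key> <passphrase>
    openssl rsa -in "$1" -passin "pass:$2" -check -noout >/dev/null 2>&1
}

make_test_pki
cert_summary "$WORK/client1.crt"
verify_purpose sslclient "$WORK/client1.crt" && echo "client1.crt: OK as sslclient"
verify_purpose sslclient "$WORK/server.crt" || echo "server.crt: rejected as sslclient (expected)"
export_p12 client1 example-export-pw
encrypt_key "$WORK/client1.key" "$WORK/client1-enc.key" example-key-pw
echo "client1.p12 holds $(p12_cert_count client1 example-export-pw) certificates, mode $(p12_mode client1)"
```

Run it with sh; it needs only openssl, mktemp and the usual coreutils. The passwords are given with -passout/-passin so that the checks can run unattended; in real use, prefer the interactive prompts from the recipe (or a file or environment variable via pass:, file: and env: sources) so that secrets do not end up in shell history or process listings.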
The OpenSSL toolkit consists of a wide range of commands to generate, manipulate, and view X.509 certificates and their corresponding private keys. The commands in this chapter are but a small subset of the available commands. On Linux and UNIX systems, you can use openssl -h and the manual pages for x509, pkcs12, req, verify, and rsa for more details. The manual pages are also available online at http://www.openssl.org/docs/apps/openssl.html. Click on the OpenSSL commands lower down in the list of all commands for direct pointers.