OpenSSL tricks - x509, pkcs12, verify output

The OpenSSL commands may seem daunting at first, but there are a lot of useful commands in the OpenSSL toolbox for viewing and managing X.509 certificates and private keys. This recipe will show how to use a few of those commands.

Getting ready

Set up the easy-rsa certificate environment using the first recipe from Chapter 2, Client-server IP-only Networks, by sourcing the vars file. This recipe was performed on a computer running Fedora 22 Linux, but it can easily be run on Windows or macOS.

How to do it...

For this recipe, we need to perform the following steps:

  1. To view the subject and expiry date of a given certificate, type:
    $ cd /etc/openvpn/cookbook/keys
    $ openssl x509 -subject -enddate -noout -in client1.crt
    subject= /C=US/O=Cookbook 2.4/CN=client1
    notAfter=Oct 13 17:54:30 2018 GMT

  2. To export a certificate and private key in PKCS12 format:
    $ openssl pkcs12 -export -in client1.crt \
      -inkey client1.key -out client1.p12
    Enter Export Password:[Choose a strong password]
    Verifying - Enter Export Password:[Type the password again]
    $ chmod 600 client1.p12


    Note that the chmod 600 ensures that the PKCS12 file is readable only by the user.

  3. Verify the purpose of a given certificate:
    $ openssl verify -purpose sslclient -CAfile ca.crt client1.crt
    client1.crt: OK

  4. Notice the error if we select the wrong purpose (sslclient versus sslserver):
    $ openssl verify -purpose sslclient -CAfile ca.crt server.crt
    server.crt: C = US, O = Cookbook 2.4, CN = openvpnserver
    error 26 at 0 depth lookup:unsupported certificate purpose
    OK

  5. Change the password (passphrase) of a private key:
    $ openssl rsa -in client2.key -aes256 -out newclient.key
    Enter pass phrase for client2.key:[old password]
    writing RSA key
    Enter PEM pass phrase:[new password]
    Verifying - Enter PEM pass phrase:[new password]


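As an added example (not part of the cookbook), the following POSIX shell function combines the checks from steps 1, 3 and 4 into a single expiry-and-purpose audit, using the built-in x509 -checkend option for the expiry window. It works on throwaway self-signed certificates generated inline (constructed test material, not the easy-rsa keys); the function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the cookbook: audit a certificate's expiry window
# and intended purpose with the same openssl subcommands as the recipe.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed cert with no extendedKeyUsage
# (acceptable for any TLS purpose) and one restricted to serverAuth,
# mirroring client1.crt and server.crt from the recipe.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=client1" \
  -keyout "$WORK/client1.key" -out "$WORK/client1.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=openvpnserver" \
  -addext "extendedKeyUsage=serverAuth" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null

# audit_cert CERT CAFILE PURPOSE WARN_DAYS
# Prints subject and expiry as in step 1, then returns 1 if the certificate
# expires within WARN_DAYS and 2 if it does not verify for PURPOSE (step 3/4).
audit_cert() {
  cert=$1; cafile=$2; purpose=$3; warn_days=$4
  openssl x509 -subject -enddate -noout -in "$cert"
  # -checkend takes seconds; a non-zero exit means expiry inside the window
  if ! openssl x509 -checkend $((warn_days * 86400)) -noout -in "$cert" >/dev/null; then
    echo "$cert: expires within $warn_days days" >&2
    return 1
  fi
  if ! openssl verify -purpose "$purpose" -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo "$cert: not valid for purpose $purpose" >&2
    return 2
  fi
  return 0
}

# Returns 0 when the outcomes match the recipe: the client cert passes as an
# SSL client, the serverAuth-only cert is rejected for that purpose, and a
# 30-day certificate trips a 60-day warning window.
demo() {
  audit_cert "$WORK/client1.crt" "$WORK/client1.crt" sslclient 7 || return 1
  audit_cert "$WORK/server.crt" "$WORK/server.crt" sslclient 7 && return 1
  audit_cert "$WORK/client1.crt" "$WORK/client1.crt" sslclient 60 && return 1
  return 0
}

demo && echo "audit results match the recipe"
```

Unlike the older OpenSSL used in the recipe's step 4 output, current versions exit non-zero on "unsupported certificate purpose" instead of printing OK, which is what makes the verify result usable as a script check.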
How it works...

The OpenSSL toolkit consists of a wide range of commands to generate, manipulate, and view X.509 certificates and their corresponding private keys. The commands in this chapter are but a small subset of the available commands. On Linux and UNIX systems, you can use openssl -h and the manual pages for x509, pkcs12, and req for more details. The manual pages are also available online at http://www.openssl.org/docs/apps/openssl.html.

Click on the OpenSSL commands lower down in the list of all commands for direct pointers.
