OpenSSL: Difference between revisions

 
(One intermediate revision by the same user not shown)
Line 51: Line 51:
=Beautify chain certificate=
=Beautify chain certificate=
<SyntaxHighlight lang=bash>
<SyntaxHighlight lang=bash>
awk '
$ awk '
BEGIN{
BEGIN{
   count=0;
   openssl="openssl x509 -subject -issuer";
}
}
{
/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
  if      ($0 == "-----BEGIN CERTIFICATE-----") { pem[count]=$0"\n"; cert[count]=""; }
   print $0 | openssl;
  else if ($0 == "-----END CERTIFICATE-----")  { pem[count++]=pem[count]$0; }
   if(/-----END CERTIFICATE-----/) {
   else                                          { pem[count]=pem[count]$0"\n"; cert[count]=cert[count]$0;}
     close(openssl); # end pipe to send this part to openssl command
}
END{
   for(i=0;i<count;i++){
    command=sprintf("openssl x509 -noout -inform PEM -subject -issuer <<EOF\n%s\nEOF\n",pem[i]);
    while( command | getline subject) { print subject; }
     close(command);
    print pem[i];
   }
   }
}' < cert.pem
}' cert.pem
</SyntaxHighlight>
</SyntaxHighlight>
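Review bot: The exit status of each per-certificate openssl run is discarded in the new version: `close(openssl)` is called only to flush the pipe, so a malformed block in the chain file produces no diagnostic and the chain simply looks shorter than it is. In gawk `close()` on an output pipe returns the command's exit status, so the check can live right there: `if (close(openssl) != 0) print "openssl failed on certificate ending at line " NR > "/dev/stderr"`. The old heredoc/sprintf approach is gone, which is an improvement in itself since certificate text no longer passes through a shell command string.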

Latest revision as of 09:07, 27 June 2024

Verify

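# openssl verify -CAfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem   # prints "<file>: OK" only if the chain ends at a CA contained in -CAfile; intermediates missing from that bundle must be supplied with -untrusted
# openssl crl2pkcs7 -nocrl -certfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT | openssl pkcs7 -print_certs -noout   # list subject/issuer of every certificate in the CA bundle (the second -print_certs was redundant)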


CSR

Create key and CSR

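# hosts[0] becomes the CN and the key/CSR file prefix; every entry (including hosts[0]) is added as a DNS SAN.
$ subject_without_cn='/C=DE/ST=Hamburg/L=Hamburg/O=Organisation/OU=Team'
$ emailAddress='webadmin@server.de'
$ declare -a hosts=( "name1.server.de" "name2.server.de" )
# Build "DNS:a,DNS:b,..." for any number of hosts (the old form silently dropped everything past hosts[4]);
# the names are passed as printf arguments, not as part of the format string, so a stray '%' or '\' cannot alter it.
$ san=$(printf ',DNS:%s' "${hosts[@]}"); san=${san#,}
# The private key is written to <host>-key.pem in the current directory; check its permissions afterwards (they follow the umask).
$ openssl req -newkey rsa:4096 -sha256 -keyout "${hosts[0]}-key.pem" -out "${hosts[0]}-csr.pem" -batch -subj "${subject_without_cn}/CN=${hosts[0]}/emailAddress=${emailAddress}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=%s\n' "${san}"))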

Verify your CSR

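$ openssl req -text -noout -verify -in "${hosts[0]}-csr.pem"   # -verify checks the CSR's self-signature; confirm the DNS names appear in the Requested Extensions section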

Print remaining validity of certificate files

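#!/bin/bash
# For every certificate file given on the command line, print its notAfter date and the
# time left until then, e.g.
#   server.pem: Tue Jun 25 10:00:00 UTC 2024 (12 days 3 hours 4 minutes 5 seconds left)
# Uses GNU date (--date); BSD/macOS date would need -j -f instead.
set -euo pipefail

#######################################
# Split a duration into days/hours/minutes/seconds.
# Arguments: $1 - duration in seconds (negative once the certificate has expired;
#                 the components then come out negative as well)
# Outputs:   "<d> days <h> hours <m> minutes <s> seconds left" on stdout
#######################################
format_remaining() {
  local -i total=$1
  local -i days hours minutes seconds
  days=$(( total / 86400 ));  total=$(( total % 86400 ))
  hours=$(( total / 3600 ));  total=$(( total % 3600 ))
  minutes=$(( total / 60 ));  seconds=$(( total % 60 ))
  # The original message dropped the minutes it had already computed; print all four parts.
  printf '%d days %d hours %d minutes %d seconds left' "$days" "$hours" "$minutes" "$seconds"
}

#######################################
# Arguments: $@ - PEM certificate files
# Outputs:   one line per file on stdout; unreadable files are reported on stderr and skipped
#######################################
main() {
  local certfile enddate
  local -i end_epoch now_epoch
  for certfile in "$@"; do
    # openssl prints "notAfter=<date>"; a failure here (missing or non-PEM file) used to
    # fall through to date(1) with an empty string and yield a bogus "0 days left".
    if ! enddate=$(openssl x509 -enddate -noout -in "${certfile}"); then
      printf '%s: not a readable certificate, skipped\n' "${certfile}" >&2
      continue
    fi
    enddate=${enddate##*=}
    end_epoch=$(date --date="${enddate}" '+%s')
    now_epoch=$(date '+%s')
    printf '%s: %s (%s)\n' "${certfile}" "$(date --date "${enddate}")" \
      "$(format_remaining $(( end_epoch - now_epoch )))"
  done
}

main "$@"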

Beautify chain certificate

$ awk '
# Send each BEGIN..END CERTIFICATE block of the chain file through its own openssl run, so the
# output shows "subject=" / "issuer=" followed by the certificate itself, one block after another.
BEGIN { openssl = "openssl x509 -subject -issuer" }
/-----BEGIN CERTIFICATE-----/ { inblock = 1 }
inblock { print | openssl }
/-----END CERTIFICATE-----/ && inblock {
  inblock = 0
  close(openssl)   # closing the pipe makes openssl process this certificate before the next block starts (in gawk the return value is its exit status)
}' cert.pem