OpenSSL: Difference between revisions
m (Text replacement - "<source" to "<syntaxhighlight") |
m (Text replacement - "</source" to "</syntaxhighlight") |
||
Line 3: | Line 3: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
# openssl verify -CAfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem | # openssl verify -CAfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem | ||
</ | </syntaxhighlight> | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
# openssl crl2pkcs7 -nocrl -certfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT | openssl pkcs7 -print_certs -noout -print_certs | # openssl crl2pkcs7 -nocrl -certfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT | openssl pkcs7 -print_certs -noout -print_certs | ||
</ | </syntaxhighlight> | ||
Line 17: | Line 17: | ||
$ declare -a hosts=( "name1.server.de" "name2.server.de" ) | $ declare -a hosts=( "name1.server.de" "name2.server.de" ) | ||
$ openssl req -newkey rsa:4096 -sha256 -keyout ${hosts[0]}-key.pem -out ${hosts[0]}-csr.pem -batch -subj "${subject_without_cn}/CN=${hosts[0]}/emailAddress=${emailAddress}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${hosts[0]}${hosts[1]:+,DNS:${hosts[1]}}${hosts[2]:+,DNS:${hosts[2]}}${hosts[3]:+,DNS:${hosts[3]}}${hosts[4]:+,DNS:${hosts[4]}}")) | $ openssl req -newkey rsa:4096 -sha256 -keyout ${hosts[0]}-key.pem -out ${hosts[0]}-csr.pem -batch -subj "${subject_without_cn}/CN=${hosts[0]}/emailAddress=${emailAddress}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${hosts[0]}${hosts[1]:+,DNS:${hosts[1]}}${hosts[2]:+,DNS:${hosts[2]}}${hosts[3]:+,DNS:${hosts[3]}}${hosts[4]:+,DNS:${hosts[4]}}")) | ||
</ | </syntaxhighlight> | ||
== Verify your CSR== | == Verify your CSR== | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
$ openssl req -text -noout -verify -in ${hosts[0]}-csr.pem | $ openssl req -text -noout -verify -in ${hosts[0]}-csr.pem | ||
</ | </syntaxhighlight> |
Revision as of 17:02, 25 November 2021
Verify
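## Checks that the first certificate in server.pem chains to a CA in the given bundle (signatures and validity dates).
## It does not check revocation or host name matching; openssl verify has -crl_check (with -CRLfile) and -verify_hostname for those.
# openssl verify -CAfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
## Lists subject and issuer of every certificate in the CA bundle, so you can see which CAs are actually trusted.
# openssl crl2pkcs7 -nocrl -certfile /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT | openssl pkcs7 -print_certs -noout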
CSR
Create key and CSR
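## Subject fields shared by every request; the CN is appended from hosts[0] below.
$ subject_without_cn='/C=DE/ST=Hamburg/L=Hamburg/O=Organisation/OU=Team'
$ emailAddress='webadmin@server.de'
## The first entry becomes the CN and the file name prefix; every entry is listed as a subjectAltName.
$ declare -a hosts=( "name1.server.de" "name2.server.de" )
## Build "DNS:a,DNS:b,..." from the whole array, so a sixth or later name is not silently left out of the request.
$ san=$(printf 'DNS:%s,' "${hosts[@]}"); san=${san%,}
## openssl req asks for a passphrase to encrypt the new key unless -nodes (or encrypt_key = no in the config) is used.
## Keep the resulting -key.pem readable by its owner only; only the -csr.pem goes to the CA.
## Host names are passed to printf as arguments, not as part of the format string; the leading \n keeps [SAN] on its own line.
$ openssl req -newkey rsa:4096 -sha256 -keyout "${hosts[0]}-key.pem" -out "${hosts[0]}-csr.pem" -batch -subj "${subject_without_cn}/CN=${hosts[0]}/emailAddress=${emailAddress}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '\n[SAN]\nsubjectAltName=%s\n' "${san}"))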
Verify your CSR
## -verify checks the request's self-signature; -text prints the request without the PEM block (-noout).
## Confirm the subject and every expected subjectAltName in the dump before sending the CSR to the CA.
$ openssl req -in ${hosts[0]}-csr.pem -verify -noout -text