This is not really an article but a dump of different tools and commands that are useful when dealing with HTTPS and certificates.
openssl genrsa 2048 > private_key.pem
openssl req -x509 -new -key private_key.pem -out public_cert.pem
openssl pkcs12 -export -in public_cert.pem -inkey private_key.pem -out cert_packaged.pfx
You can use these three commands to generate a completely new self-signed certificate. Or, if you skip steps #1 and #2, you can package an existing certificate and private key that sit in separate files into a .pfx container.
Note: .pem files are the same as .cer files.
openssl pkcs12 -export -in certificate.pem -out certificate.pfx
This assumes that the .pem contains both the public certificate and the private key, that is, cat certificate.pem shows:
-----BEGIN PRIVATE KEY-----
[...base64 private key...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...base64 certificate...]
-----END CERTIFICATE-----
openssl x509 -in public_cert.pem -noout -text
openssl pkcs12 -in certificate.pfx -nodes
You will be prompted for the password. This prints your private key as well as the certificate to the console WITHOUT passphrase protection. Redirect that output to a file and you can use it to run an HTTPS server.
openssl pkcs12 -in certificate.pfx -nodes -passin pass:CERTIFICATE_PASSWORD |openssl x509 -noout -fingerprint
openssl pkcs12 -in certificate.pfx -nocerts -out privateKey.pem -nodes
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
openssl x509 -pubkey -noout -in publicCert.pem
Your certificate may be DER-encoded. It should end with .der, but sometimes .cer is still used. .cer certificates are normally plaintext and contain delimiters such as BEGIN CERTIFICATE. If opening the certificate in a text editor shows binary data, try opening the certificate as DER-encoded.
View:
openssl x509 -in certificate.der -inform der -text -noout
Convert crt to der:
openssl x509 -in cert.crt -outform der -out cert.der
Convert der to pem (the input is the DER file, so tell openssl so with -inform der):
openssl x509 -in cert.der -inform der -outform pem -out cert.pem
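An added example, not from the original notes, that does the DER/PEM handling above in Python with only the standard library: it decides whether a file is DER or PEM from its first bytes (the "binary data in a text editor" test), splits a PEM bundle laid out like the certificate.pem shown earlier into its blocks, and emits each certificate as PEM while leaving the private key out. The key and certificate bytes are constructed placeholders, not real credentials.

```python
import base64
import re
import ssl

# One PEM block: "-----BEGIN <LABEL>-----", base64 lines, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def is_der(data: bytes) -> bool:
    """A DER certificate is raw ASN.1: it starts with a SEQUENCE tag (0x30)
    and has no BEGIN/END delimiters, which is why an editor shows binary."""
    return data[:1] == b"\x30" and b"-----BEGIN" not in data


def split_pem(data: bytes) -> dict:
    """Split a PEM bundle (e.g. PRIVATE KEY followed by CERTIFICATE) into
    {label: [DER bytes, ...]} by base64-decoding each block's body."""
    blocks = {}
    for label, body in PEM_BLOCK.findall(data):
        der = base64.b64decode(b"".join(body.split()))
        blocks.setdefault(label.decode(), []).append(der)
    return blocks


def certificates_as_pem(data: bytes) -> list:
    """Accept a DER file or a PEM bundle and return every certificate in it
    as a PEM string, dropping any private key (like -clcerts -nokeys)."""
    if is_der(data):
        ders = [data]
    else:
        ders = split_pem(data).get("CERTIFICATE", [])
    return [ssl.DER_cert_to_PEM_cert(d) for d in ders]


# Constructed sample input: a DER-looking blob and a key+cert bundle.
# Neither is a real certificate or key; they only exercise the parsing.
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed, not a real certificate"
SAMPLE_BUNDLE = (
    b"-----BEGIN PRIVATE KEY-----\n"
    + base64.encodebytes(b"constructed, not a real key")
    + b"-----END PRIVATE KEY-----\n"
    + ssl.DER_cert_to_PEM_cert(FAKE_DER).encode()
)

if __name__ == "__main__":
    for name, data in (("certificate.pem", SAMPLE_BUNDLE), ("cert.der", FAKE_DER)):
        kind = "DER" if is_der(data) else "PEM"
        for pem in certificates_as_pem(data):
            print(f"{name} ({kind}) contains certificate:\n{pem}")
```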
curl https://www.yahoo.com -v -k --trace-ascii https_trace.txt
Amongst other things, you get certificate info:
<= Recv SSL data, 16 bytes (0x10)
0000: ......A.R...0...
== Info: SSL connection using ECDHE-RSA-AES128-GCM-SHA256
== Info: Server certificate:
== Info: subject: C=US; ST=California; L=Sunnyvale; O=Yahoo Inc.; OU=Information Technology; CN=yahoo.com
== Info: start date: 2015-08-25 00:00:00 GMT
== Info: expire date: 2016-08-24 23:59:59 GMT
== Info: issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 Secure Server CA - G4
== Info: SSL certificate verify ok.
$ openssl s_client -connect yahoo.com:443
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=yahoo.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[...removed...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=yahoo.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 5568 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 2435C556CDF779DF3B927BE46A8607FF20C8CB7F88889F126C85509F1CFE0DFA
Session-ID-ctx:
Master-Key: 7D15FB5F02F5666A87CEEE3FF130E93DFC6140E8E61CF698439FD2A529830A781EA7AB2E87BACBBBF55876D0AD3AB261
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
[...removed...]
Start Time: 1442166537
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
$ openssl s_client -connect yahoo.com:443 | openssl x509 -noout -fingerprint
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
SHA1 Fingerprint=16:6D:BC:76:12:ED:72:A7:B6:67:87:10:39:E4:4C:1B:76:6A:4E:F6
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

class Certs
{
    // Called by the framework for every TLS handshake. It prints the
    // certificate's SHA-1 thumbprint and then accepts the certificate
    // unconditionally, so it is only useful for inspecting a server's
    // certificate, not as a real validation callback.
    private static bool ValidateServerCertificate(
        object sender,
        X509Certificate cert,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        System.Console.WriteLine(cert.GetCertHashString());
        return true;
    }

    static void Main(string[] args)
    {
        HttpClient httpClient = new HttpClient();
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
        HttpRequestMessage http = new HttpRequestMessage(HttpMethod.Get, "https://www.yahoo.com");
        httpClient.SendAsync(http).Wait();
    }
}
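The C# callback above accepts every certificate just to print its hash. As an added example that is not part of the original notes, the Python below keeps the standard chain and hostname verification switched on and additionally compares the leaf certificate's fingerprint with a known value (pinning), which is what the printed hash is actually good for. The fingerprint format is the colon-separated form that openssl x509 -fingerprint prints; the host and expected value are supplied on the command line, and only the network function needs a live server.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER certificate, the same form
    that 'openssl x509 -noout -fingerprint -sha256' prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """True if the presented certificate has the expected fingerprint.
    Colons and case are ignored so a value copied from openssl output
    works as-is; hmac.compare_digest avoids a timing side channel."""
    normalise = lambda s: s.replace(":", "").upper()
    return hmac.compare_digest(normalise(fingerprint(der, algo)),
                               normalise(expected))


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Handshake with the normal trust-store and hostname checks enabled
    (a callback that always returns true switches these off) and return
    the server's leaf certificate in DER form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_pinned(host: str, expected_fp: str, port: int = 443) -> bool:
    """Standard verification plus the pin check; False means the server
    presented a valid certificate that is not the one expected."""
    return pin_matches(fetch_leaf_der(host, port), expected_fp)


if __name__ == "__main__":
    import sys  # usage: script.py HOST [EXPECTED_SHA256_FINGERPRINT]
    leaf = fetch_leaf_der(sys.argv[1])
    print("SHA256 Fingerprint=" + fingerprint(leaf))
    if len(sys.argv) > 2:
        print("pin matches" if pin_matches(leaf, sys.argv[2]) else "PIN MISMATCH")
```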
Basic POST:
curl -X POST -d '{}' https://localhost:8080/sub/abc
Verbose (-v) and ignore certificate errors (-k):
curl -k -v -X POST -d '{}' https://localhost:8080/sub/abc
openssl s_client -showcerts -connect bing.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > bing.pem
If you need a .pfx of that (public -- no private key inside) certificate:
openssl pkcs12 -export -nokeys -in bing.pem -out bing.pfx