meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ssl:openssl [2016/04/05 10:02] – linux:openssl renamed to ssl:openssl niziakssl:openssl [2026/04/24 12:28] (current) niziak
Line 1: Line 1:
-== CA Bundle ==+====== OpenSSL ====== 
 + 
 +====== RSA keys ====== 
 +<code bash>openssl genrsa -des3 -out private.pem 2048</code> 
 +<code>openssl rsa -in private.pem -outform PEM -pubout -out public.pem</code> 
 +Export private key (unencrypted!) 
 +<code>openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM</code> 
 +Export pub key in OpenSSH format: 
 +<code>ssh-keygen -y -f private.pem</code> 
 + 
 +==== CA Bundle ==== 
 === Extract CAs form Mozilla === === Extract CAs form Mozilla ===
 Direct download link [[https://curl.haxx.se/ca/cacert.pem|cacert.pem]] \\ Direct download link [[https://curl.haxx.se/ca/cacert.pem|cacert.pem]] \\
Line 29: Line 40:
 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5
 openssl req -noout -modulus -in CSR.csr | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
 +</code>
 +
 +More strict verify:
 +
 +<code bash>
 +c=mysite.crt 
 +k=mysite.key 
 +cmp <(echo Key is valid; openssl x509 -pubkey -in $c -noout) <(openssl pkey --check -pubout -in $k -outform PEM)
 </code> </code>
  
 === Generate key === === Generate key ===
 +
 <code> <code>
 openssl dhparam -dsaparam -out dh2048.pem 2048 openssl dhparam -dsaparam -out dh2048.pem 2048
Line 46: Line 66:
  
 === Server certificate chain === === Server certificate chain ===
 +
 +[[https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2|RFC 4346]]
 +<code>
 +  certificate_list
 +    This is a sequence (chain) of X.509v3 certificates.  The sender's
 +    certificate must come first in the list.  Each following
 +    certificate must directly certify the one preceding it.  Because
 +    certificate validation requires that root keys be distributed
 +    independently, the self-signed certificate that specifies the root
 +    certificate authority may optionally be omitted from the chain,
 +    under the assumption that the remote end must already possess it
 +    in order to validate it in any case.
 +</code>
 +
 +
 It is required to put not only site certificate in your web server configuration, but also provide intermediate certificate chain. It is required to put not only site certificate in your web server configuration, but also provide intermediate certificate chain.
 If your server certificate is in PEM format (text), additional certificates can be simply concatenated. If your server certificate is in PEM format (text), additional certificates can be simply concatenated.