OpenSSL
November 25, 2016 — 21:26

Author: silver  Category: encryption linux

List processes still holding the deleted (old) libssl open after an update:

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq

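Generate CSR, self-signed cert:

# Root CA key: unencrypted, or passphrase-protected with -des3 (use one)
openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
# Server key and CSR, then sign the CSR with the root CA
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256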

View CSR

openssl req -in file.csr -noout -text

View cert fingerprint

openssl x509 -fingerprint -noout -in file.crt -sha256
openssl x509 -fingerprint -noout -in file.crt -sha1
openssl x509 -fingerprint -noout -in file.crt -md5

View ciphers:

openssl ciphers -v 'TLSv1' | sort

Test ciphers:

openssl s_client -connect google.com:443 -cipher "EDH"
openssl s_client -connect google.com:443 -cipher "RC4"
openssl s_client -connect google.com:443 -tls1
openssl s_client -connect google.com:443 -tls1_1
openssl s_client -connect google.com:443 -tls1_2
echo -n | openssl s_client -connect google.com:443
nmap --script ssl-enum-ciphers -p 443 google.com

Get fingerprint from live SSL cert (IRC):

echo | openssl s_client -connect efnet.port80.se:6697 |& openssl x509 -fingerprint -noout -sha256
echo | gnutls-cli -p 6697 irc.underworld.no --print-cert | sed -n '/-----BEGIN CERT/,/-----END CERT/p' |& openssl x509 -fingerprint -noout -sha256

Show fingerprint:

openssl x509 -in cert.pem -fingerprint -noout

To change the password of your private key:

openssl rsa -des3 -in ca.key -out ca_new.key
mv ca_new.key ca.key

Verifying that a Private Key Matches a Certificate

openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5
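
The modulus comparison above only applies to RSA keys. As an added example (not part of the original post), this script compares SHA-256 digests of the public key instead, which also covers EC keys; the function names and the sample file names are assumptions made for illustration.

```bash
# Added example: match a private key to a certificate by comparing SHA-256
# digests of their public keys. Works for RSA and EC, unlike -modulus.

# Digest of the public key derived from a PEM private key (unencrypted here).
key_pubkey_digest() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Digest of the public key embedded in a PEM certificate.
cert_pubkey_digest() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status: 0 = match, 1 = mismatch, 2 = key or certificate unreadable.
key_matches_cert() {
    local k c
    k=$(key_pubkey_digest "$1") || return 2
    c=$(cert_pubkey_digest "$2") || return 2
    [ "$k" = "$c" ]
}

# Constructed sample material: one RSA and one EC key, each with a throwaway
# self-signed certificate, written into the directory given as $1.
make_sample_material() {
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" &&
    openssl req -x509 -new -key "$1/rsa.key" -subj "/CN=rsa.example.test" \
        -days 1 -sha256 -out "$1/rsa.crt" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ec.key" -subj "/CN=ec.example.test" \
        -days 1 -sha256 -out "$1/ec.crt" 2>/dev/null
}

# Usage when run directly: script.sh server.key server.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then echo "match"; else echo "MISMATCH or unreadable"; fi
fi
```

For a passphrase-protected key, openssl pkey asks for the passphrase before the comparison runs.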

Get the MD5 fingerprint of a certificate using OpenSSL

openssl dgst -md5 certificate.der

Get the MD5 fingerprint of a CSR using OpenSSL

openssl dgst -md5 csr.der

Debug SMTP/STARTTLS:

openssl s_client -debug -starttls smtp -crlf -connect localhost:25