OpenSSL notes

Get certificates of some server

openssl s_client -showcerts -servername jmm.io -connect jmm.io:443 </dev/null | openssl x509 -text

Pinned pubkey hashes

See my curl notes for how to get the hash of the pubkey of a certificate. I’ve reproduced that command here:

openssl s_client -connect jmm.io:443 -showcerts </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl asn1parse -inform PEM -noout -out - | openssl dgst -sha256 -binary | basenc --base64 | (read -r input; echo "sha256//$input")

This outputs “sha256//oeSYWhLYsGSE4dRlJtO7Mgytfe/6v7ssr9tBFHFEKAc=”.
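The pin is a hash of the certificate's SubjectPublicKeyInfo, so it changes only when the key changes, not when the certificate is reissued. The script below is an added example, not part of the original notes, and shows this offline with throwaway certificates. The file names, the pin-demo.localhost subject and the helper functions are made up for illustration, and it converts the key to DER with openssl pkey rather than asn1parse.

```sh
#!/bin/sh
# Added example (not from the original notes). Constructed scenario: a throwaway
# P-256 key gets two certificates (issue, then renewal), then the key is rotated.
set -eu
umask 0077

# Print the pin of the public key in PEM certificate $1 as sha256//<base64>.
spki_pin() {
  # Stop here if the certificate cannot be read, instead of hashing empty input.
  pub=$(openssl x509 -in "$1" -pubkey -noout) || return 1
  printf 'sha256//%s\n' "$(printf '%s\n' "$pub" |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64 -A)"
}

# Write a new P-256 private key to $1.
new_key() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1"
}

# Write a 1-day self-signed certificate for key $1 with subject CN $2 to $3.
make_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" > "$3.cnf"
  openssl req -new -x509 -key "$1" -days 1 -config "$3.cnf" -out "$3"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

new_key "$workdir/first.key"
new_key "$workdir/second.key"
make_cert "$workdir/first.key"  pin-demo.localhost "$workdir/issued.crt"
make_cert "$workdir/first.key"  pin-demo.localhost "$workdir/renewed.crt"  # same key
make_cert "$workdir/second.key" pin-demo.localhost "$workdir/rotated.crt"  # new key

pin_issued=$(spki_pin "$workdir/issued.crt")
pin_renewed=$(spki_pin "$workdir/renewed.crt")
pin_rotated=$(spki_pin "$workdir/rotated.crt")

echo "issued:  $pin_issued"
echo "renewed: $pin_renewed   (different certificate, same key)"
echo "rotated: $pin_rotated   (new key: update pinning clients before deploying)"
```

The same spki_pin function works on any PEM certificate saved from the s_client command above.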

Viewing a pubkey

Here’s how you’d view the information of an elliptic curve (EC) pubkey:

openssl s_client -connect jmm.io:443 -showcerts </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl ec -pubin -text -noout - 2>/dev/null
Public-Key: (256 bit)
pub:
    04:c3:16:bb:a2:9f:db:18:07:0d:50:40:02:9e:88:
    bb:95:8b:e7:b8:9d:b1:bc:11:fb:82:da:d0:19:ba:
    ea:9f:20:7f:25:fc:2e:60:b7:6f:b0:be:6e:14:93:
    a2:9f:b9:dc:54:dd:49:7c:2a:44:bc:f1:af:1f:fe:
    17:a6:55:23:35
ASN1 OID: prime256v1
NIST CURVE: P-256

Making a local certificate authority

Here’s how you’d make a local certificate authority (CA) for testing purposes.

##########
# Making a local certificate authority

umask 0077
mkdir -p ~/local-ca/{certs,private,newcerts}
cd ~/local-ca
echo 1000 > serial
touch index.txt

# Generate CA private key (with a passphrase)
openssl genrsa -aes256 -out private/ca.key 4096

# Create a certificate for the CA
openssl req -new -x509 -key private/ca.key -out certs/ca.crt -days 3650 -config <(
cat <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C=US
ST=Local
L=Local
O=JMM Local CA
CN=JMM Local Certificate Authority
EOF
)


# Make a config for signing
cat > signing.conf <<EOF
[ca]
default_ca = CA_default

[CA_default]
dir = $(pwd)
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/ca.key
certificate = \$dir/certs/ca.crt
default_days = 365
default_md = sha256
policy = policy_anything
copy_extensions = copy

[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

Creating a locally-signed certificate

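This could be for local TLS testing purposes. The extensions are set in the certificate request: signing.conf has copy_extensions = copy, so openssl ca copies whatever extensions the request asks for into the signed certificate. Only sign requests whose extensions you have checked.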

# Making an elliptic curve P-256 key.
openssl ecparam -genkey -name prime256v1 -out whatever.key

# Create a certificate request
openssl req -new -key whatever.key -out whatever.csr \
  -subj "/CN=whatever.localhost/O=Example Org/C=US" \
  -extensions v3_req -config <(
cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF
)

# Create certificate by signing the request
openssl ca -in whatever.csr -out whatever.crt -config ~/local-ca/signing.conf

GnuTLS pays particular attention to incorrect keyUsages. I had an issue where I couldn’t check IMAP in Emacs because I incorrectly specified keyUsages to include data encipherment.