Certificate Fingerprint
from http://www.bo.infn.it/alice/introgrd/certmgr/node15.html
A fast certificate check is to compare the fingerprint of a trusted certificate with the fingerprint of the certificate you have imported. The trusted certificate's fingerprint is published on the web; for the INFN CA, the CA certificate fingerprint is printed on the download page. For the imported certificate, the fingerprint is produced by the following OpenSSL command (output shown below the command):
openssl x509 -noout -fingerprint -in public-cert.pem
MD5 Fingerprint=43:FF:27:D0:68:81:AF:E1:7D:2A:D7:D7:E4:FE:CF:6C
How do I verify that a private key matches its Certificate?
from http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
A private key contains a series of numbers. Two of these numbers form the "public key", the others are part of the "private key". The "public key" bits are included when you generate a CSR, and subsequently form part of the associated Certificate.
To check that the public key in your Certificate matches the public portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:
openssl x509 -noout -text -in server.crt
openssl rsa -noout -text -in server.key
The "modulus" and the "public exponent" portions in the key and the Certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
This leaves you with two rather shorter numbers to compare. It is, in theory, possible that these numbers may be the same, without the modulus numbers being the same, but the chances of this are overwhelmingly remote.
Should you wish to check to which key or certificate a particular CSR belongs you can perform the same calculation on the CSR as follows:
openssl req -noout -modulus -in server.csr | openssl md5
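The same modulus comparison, scripted so the shell does the comparing instead of your eyes. This is an added example, not part of the Apache FAQ or the original page; it assumes an openssl binary on PATH, uses SHA-256 in place of MD5 for the digest, and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): compare the RSA modulus of a
# private key, a CSR and a certificate, as the FAQ above describes.
# Assumes `openssl` is on PATH; file names are placeholders.

# Print a digest of the RSA modulus found in a key, CSR or certificate.
# $1 = file, $2 = type (key|csr|crt). Fails if the file has no RSA modulus
# (for example an EC key), rather than digesting an empty string.
modulus_digest() {
    case "$2" in
        key) cmd="rsa" ;;
        csr) cmd="req" ;;
        crt) cmd="x509" ;;
        *)   echo "unknown type: $2" >&2; return 2 ;;
    esac
    mod="$(openssl "$cmd" -noout -modulus -in "$1" 2>/dev/null)" || return 2
    case "$mod" in
        Modulus=*) ;;
        *) echo "no RSA modulus found in $1" >&2; return 2 ;;
    esac
    # openssl prints "SHA2-256(stdin)= <hex>" or similar; keep only the hex.
    printf '%s\n' "$mod" | openssl sha256 | sed 's/^.*= *//'
}

# Exit 0 if every file given as type:path carries the same modulus,
# 1 on a mismatch, 2 if a file could not be read or has no RSA modulus.
# Usage: modulus_match key:server.key csr:server.csr crt:server.crt
modulus_match() {
    first=""
    for spec in "$@"; do
        type="${spec%%:*}"
        file="${spec#*:}"
        d="$(modulus_digest "$file" "$type")" || return 2
        [ -n "$d" ] || return 2
        if [ -z "$first" ]; then
            first="$d"
        elif [ "$d" != "$first" ]; then
            echo "mismatch: $file ($type) carries a different modulus" >&2
            return 1
        fi
    done
    echo "all moduli match (sha256 $first)"
}
```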
Self Signed Certificate
- Generate a Private Key
openssl genrsa -out server.key 2048
- Generate a CSR
openssl req -new -key server.key -out server.csr
- Generate a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Or, in one line
openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 365 -nodes
Create a single .pem file containing both the key and the certificate with
openssl req -x509 -newkey rsa:2048 -keyout server.pem -out server.pem -days 365 -nodes
Create PKCS12 File for IIS
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
Unpack a PKCS7 File
openssl pkcs7 -in server.pk7 -print_certs
View SSL Certificate on Web Server
echo | openssl s_client -connect hostname:443 2>/dev/null |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text
View SSL Certificate on FTPS Server
echo | openssl s_client -starttls ftp -connect hostname:21 2>/dev/null |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text
Convert a Binary (DER) Certificate to PEM
openssl x509 -in example.com.cer -out example.com.pem -outform PEM -inform DER
Create a new Java Keystore from PKCS12 File
This can only be done with the enhanced keytool found in Java 6 (and, presumably, later versions):
keytool -importkeystore -srckeystore server.pfx -destkeystore server.jks -srcstoretype pkcs12