OpenSSL commands to check a certificate and display information about it.

 

It can be useful to check a certificate and a key before you deploy them on your server. The following commands help verify the certificate, the key and the CSR (certificate signing request).

One of the most widely used tools is OpenSSL, an open-source implementation of the SSL protocol. OpenSSL is available for almost every platform, such as Windows, Linux and Mac OS X. Among other things, it is used by web servers such as Apache and Nginx.

Check a certificate

Check a certificate and return information about it (signing authority, expiry date, etc.):

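$ openssl x509 -in server.crt -text -noout
$ openssl rsa -in server.key -text -noout

The first command uses x509, the certificate display and signing command. The second uses rsa, which prints the components of the RSA private key in the same way, so it must be given the key file, not the certificate.
-in specifies the file to read.
-text prints the contents in human-readable form to your console; -noout suppresses the encoded version of the certificate or key.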

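To check that the key is valid:

$ openssl rsa -in server.key -check

-check is the parameter that checks the consistency of the RSA private key. Without -noout, the command also writes the private key itself to the console, as the output shows: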

RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

 

Check a CSR

To check a CSR and print the data that was filled in when the CSR was generated:

$ openssl req -text -noout -verify -in server.csr
verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = DK, ST = Denmark, L = copenhagen, O = domain.dk, OU = linux, CN = domain.dk, emailAddress = admin@domain.dk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption

 

Check that the certificate and key match.

These two commands print MD5 checksums of the modulus of the certificate and of the key; compare the checksums to verify that the certificate and key match.

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
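
The same match check as a script, added here as an example (it is not from the original page): it compares a SHA-256 hash of the whole public key instead of an MD5 hash of the RSA modulus, so it also covers the CSR and works for non-RSA keys. The function names pubkey_fp, keys_match and make_samples and the generated sample files are made up for this example; private keys are assumed to be unencrypted.

```shell
# Print the SHA-256 fingerprint of the public key inside a PEM file.
# $1 = cert | key | csr, $2 = path. Private keys are assumed unencrypted.
pubkey_fp() {
    case "$1" in
        cert) pem=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) ;;
        key)  pem=$(openssl pkey -pubout -in "$2" 2>/dev/null) ;;
        csr)  pem=$(openssl req -noout -pubkey -in "$2" 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # An unreadable file must never hash to a "matching" empty value.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if certificate $1, key $2 and optional CSR $3 share one public key,
# 1 on a mismatch, 2 if a file cannot be parsed.
keys_match() {
    cert_fp=$(pubkey_fp cert "$1") || return 2
    key_fp=$(pubkey_fp key "$2") || return 2
    [ "$cert_fp" = "$key_fp" ] || return 1
    if [ -n "${3:-}" ]; then
        csr_fp=$(pubkey_fp csr "$3") || return 2
        [ "$cert_fp" = "$csr_fp" ] || return 1
    fi
    return 0
}

# Create throwaway sample files (constructed for this example) in directory $1.
# other.key is an unrelated EC key, which the modulus comparison cannot handle.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=example.test" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
keys_match "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/server.csr" \
    && echo "server.crt, server.key and server.csr match"
keys_match "$demo_dir/server.crt" "$demo_dir/other.key" \
    || echo "server.crt and other.key do NOT match"
rm -rf "$demo_dir"
```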

More about certificates here: https://www.linuxboxen.dk/?page_id=31835&preview=true

Source: https://www.openssl.org/