Key management:

Generating a private key without encryption:

    $ openssl genrsa -out cle_prv 2048
    Generating RSA private key, 2048 bit long modulus
    ..........................................................+++
    ...........................................................................+++
    e is 65537 (0x10001)

    $ cat cle_prv
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Extra randomness can be mixed into the key generation by adding: -rand fichier1:fichier2:…

Generating a private key with encryption (here 3DES):

    $ openssl genrsa -des3 -out cle_prv 2048
    Generating RSA private key, 2048 bit long modulus
    ...........................+++
    ......................................+++
    e is 65537 (0x10001)
    Enter pass phrase for cle_prv:
    Verifying - Enter pass phrase for cle_prv:

    $ cat cle_prv
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,BC3518D11AE78E9D

    ...
    -----END RSA PRIVATE KEY-----

Extracting the public key from the private key:

    $ openssl rsa -in cle_prv -pubout -out cle_pub
    Enter pass phrase for cle_prv:
    writing RSA key

    $ cat cle_pub
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuvap5aUs38ySLsZj0NUM
    /yNN3+32aMt5qm3zk4g30EKqhN2xAEY7zYAa0pw7GMnjTBQCrDMBJIBZvNJxM340
    phJnjAmEcjGNPIHJET+a3sNlkqcvgv2ypfwPGOP5CjTIe6vHl9qXRVDPqWt3orM4
    u2kLsyA6K/ukZVkLv0xOfVtuEqNqkrugBl7lFM4+4XzUldx+cNzfgu0WTMLCHMrd
    NPLNkGpd2rtoPy62GJhm2lnGFXvN6G7ip8AYQq8o11/ktona2FDYww92tJvoPhyW
    jSBwVwqVttuujUjjyT8tEVXF6I3cz1fmd7PbXrzHA/RfOqg9egfqHbJCm7mBRTsy
    fwIDAQAB
    -----END PUBLIC KEY-----

The passphrase must be supplied if the private key is encrypted.

Extracting the unencrypted private key from the encrypted private key:

    $ openssl rsa -in cle_prv -out cle_prv_unc
    Enter pass phrase for cle_prv:
    writing RSA key

    $ cat cle_prv_unc
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
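The key workflow above, scripted end to end as an added example (not code from the original page): the passphrase is passed with -passout/-passin instead of the prompts, and the directory, file names and passphrase are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page: the key workflow above as a script.
# -passout/-passin replace the interactive prompts; directory, file names and
# the passphrase are constructed for the demo.
set -e

# Tells the PEM flavours apart by their headers: a legacy encrypted key carries
# "Proc-Type: 4,ENCRYPTED" and a DEK-Info line, a PKCS#8 one starts with
# "BEGIN ENCRYPTED PRIVATE KEY"; a plain key has neither.
pem_key_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# Prints "same plain encrypted": the public key derived from the plain key and
# from its passphrase-protected copy is identical, so adding or stripping the
# passphrase never changes the key pair, only how the file is stored.
key_management_demo() {
    dir=$(mktemp -d)
    pass='demo-passphrase'    # constructed for the demo only

    # 1) unencrypted private key, as in the page's first command
    openssl genrsa -out "$dir/cle_prv" 2048 2>/dev/null
    # 2) passphrase-protected copy (AES-256 in place of the page's 3DES)
    openssl rsa -in "$dir/cle_prv" -aes256 -passout "pass:$pass" \
        -out "$dir/cle_prv_enc" 2>/dev/null
    # 3) public key from each file; only the copy needs the passphrase
    openssl rsa -in "$dir/cle_prv" -pubout -out "$dir/pub_a" 2>/dev/null
    openssl rsa -in "$dir/cle_prv_enc" -passin "pass:$pass" -pubout \
        -out "$dir/pub_b" 2>/dev/null
    # 4) internal consistency of the key material ("openssl rsa -check")
    openssl rsa -in "$dir/cle_prv" -check -noout >/dev/null 2>&1

    if cmp -s "$dir/pub_a" "$dir/pub_b"; then r=same; else r=different; fi
    echo "$r $(pem_key_state "$dir/cle_prv") $(pem_key_state "$dir/cle_prv_enc")"
    rm -rf "$dir"
}
```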

Encryption:

Encrypting a file with the public key:

    $ openssl rsautl -encrypt -pubin -inkey cle_pub -in fic_clair -out fic_chiff

Decrypting the encrypted file with the private key:

    $ openssl rsautl -decrypt -inkey cle_prv -in fic_chiff -out fic_clair2
    Enter pass phrase for cle_prv:

The passphrase must be supplied if the private key is encrypted.

Warning: depending on the file size, encryption may print the following message: RSA operation error 140735216935760:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151: which means the file to encrypt is too large (even a few tens of kilobytes…).

The way around this is S/MIME.

    # 1) Generate a key pair (private key and certificate; smime -encrypt
    #    expects a certificate, so publickey.pem is a self-signed one):
    $ openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj /

    # 2) Encrypt the large file:
    $ openssl smime -encrypt -aes256 -in LargeFile.zip -binary -outform DER -out LargeFile_encrypted.zip publickey.pem

    # 3) Decrypt it:
    $ openssl smime -decrypt -in LargeFile_encrypted.zip -binary -inform DER -inkey privatekey.pem -out LargeFile.zip
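Added example, not from the page: it reproduces the size limit behind the error above (k - 11 bytes of plaintext for PKCS#1 v1.5 padding, so 245 bytes with a 2048-bit key) and runs the S/MIME round trip on a 200 KiB file. pkeyutl stands in for the deprecated rsautl; file names and contents are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. pkeyutl is the current equivalent
# of rsautl; all files are created under a temporary directory.
set -e

# Prints "245:ok 246:fail" for a fresh 2048-bit key: PKCS#1 v1.5 type 2 padding
# is 00 02 <at least 8 random non-zero bytes> 00 <message>, so the message may
# be at most k - 11 bytes, with k = 256 the modulus size in bytes.
rsa_direct_limit() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/key" 2048 2>/dev/null
    openssl rsa -in "$dir/key" -pubout -out "$dir/pub" 2>/dev/null
    out=""
    for n in 245 246; do
        head -c "$n" /dev/zero | tr '\0' 'A' > "$dir/msg$n"   # constructed input
        if openssl pkeyutl -encrypt -pubin -inkey "$dir/pub" \
              -in "$dir/msg$n" -out "$dir/enc$n" 2>/dev/null; then
            out="$out$n:ok "
        else
            out="$out$n:fail "      # "data too large for key size"
        fi
    done
    rm -rf "$dir"
    echo "${out% }"
}

# Prints "match" when a 200 KiB file survives the S/MIME round trip: the data
# is encrypted with AES-256 and RSA only wraps the per-message AES key.
smime_roundtrip() {
    dir=$(mktemp -d)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj /CN=demo \
        -keyout "$dir/privatekey.pem" -out "$dir/publickey.pem" 2>/dev/null
    head -c 204800 /dev/urandom > "$dir/large.bin"              # constructed input
    openssl smime -encrypt -aes256 -binary -outform DER \
        -in "$dir/large.bin" -out "$dir/large.enc" "$dir/publickey.pem"
    openssl smime -decrypt -binary -inform DER -inkey "$dir/privatekey.pem" \
        -in "$dir/large.enc" -out "$dir/large.dec"
    if cmp -s "$dir/large.bin" "$dir/large.dec"; then echo match; else echo differ; fi
    rm -rf "$dir"
}
```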

Encrypting a file with a symmetric cipher:

    $ openssl enc -des3 -in fic_clair -out fichier.chiff
    enter des-ede3-cbc encryption password:
    Verifying - enter des-ede3-cbc encryption password:

Symmetric decryption of the file:

    $ openssl enc -des3 -d -in fichier.chiff -out fichier.claire2
    enter des-ede3-cbc decryption password:

Creating a self-signed certificate:

Generating the key pair without a passphrase:

    $ openssl genrsa -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............+++
    .....................................+++
    e is 65537 (0x10001)

Configuration file for customising the certificate creation parameters:

    # On Debian-like systems
    $ vi /etc/ssl/openssl.cnf

    # On Red Hat-like systems
    $ vi /etc/pki/tls/openssl.cnf

The Common Name must be the server's FQDN.

Creating the self-signed certificate:

    # By default the various questions are asked interactively:
    $ openssl req -new -x509 -nodes -sha256 -key server.key -out server.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:Fr
    State or Province Name (full name) [Some-State]:France
    Locality Name (eg, city) []:
    ...
    ...

    # With the customised file
    $ openssl req -new -x509 -nodes -sha256 -key server.key -out server.crt -config /etc/ssl/openssl.cnf

    # Overriding some of the parameters present in the customised file
    $ openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt -config /etc/ssl/openssl.cnf

By default OpenSSL uses SHA-1; within a few years browsers will no longer treat it as secure, so we force SHA-2 (256). The -x509 parameter means a self-signed certificate is generated rather than a plain request. For a wildcard certificate, put *.example.com in the CN.

Certificate information:

Full certificate details:

    $ openssl x509 -in server.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 13008563029812239127 (0xb487b3273e3cdb17)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=Fr, ST=France, L=Paris, O=Alasta, OU=IT, CN=www.alasta.com/emailAddress=email@example.com
            Validity
                Not Before: Nov 11 14:44:22 2014 GMT
                Not After : Dec 11 14:44:22 2014 GMT
            Subject: C=Fr, ST=France, L=Paris, O=Alasta, OU=IT, CN=www.alasta.com/emailAddress=email@example.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    53:79:FB:D1:9E:B3:80:A6:32:19:1D:AF:AF:CF:67:14:EF:4A:6F:58
                X509v3 Authority Key Identifier:
                    keyid:53:79:FB:D1:9E:B3:80:A6:32:19:1D:AF:AF:CF:67:14:EF:4A:6F:58

                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             ...

Specific fields:

    $ openssl x509 -in server.crt -issuer -noout -subject
    issuer= /C=Fr/ST=France/L=Paris/O=Alasta/OU=IT/CN=www.alasta.com/emailAddress=email@example.com
    subject= /C=Fr/ST=France/L=Paris/O=Alasta/OU=IT/CN=www.alasta.com/emailAddress=email@example.com

    # with the multi-line option (-nameopt multiline)
    $ openssl x509 -in server.crt -subject -issuer -noout -nameopt multiline
    subject=
    countryName               = Fr
    stateOrProvinceName       = France
    localityName              = Paris
    organizationName          = Alasta
    organizationalUnitName    = IT
    commonName                = www.alasta.com
    emailAddress              = email@example.com
    issuer=
    countryName               = Fr
    stateOrProvinceName       = France
    localityName              = Paris
    organizationName          = Alasta
    organizationalUnitName    = IT
    commonName                = www.alasta.com
    emailAddress              = email@example.com

When the subject and the issuer are identical, it is a root CA.

Certificate purposes:

    $ openssl x509 -in server.crt -purpose -noout
    Certificate purposes:
    SSL client : Yes
    SSL client CA : Yes
    SSL server : Yes
    SSL server CA : Yes
    Netscape SSL server : Yes
    Netscape SSL server CA : Yes
    S/MIME signing : Yes
    S/MIME signing CA : Yes
    S/MIME encryption : Yes
    S/MIME encryption CA : Yes
    CRL signing : Yes
    CRL signing CA : Yes
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : Yes
    Time Stamp signing : No
    Time Stamp signing CA : Yes

Checking the private key:

    $ openssl rsa -in server.key -check
    RSA key ok
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Add -noout to avoid printing the key.
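Added example, not part of the original page, covering the checks above (does the key belong to the certificate, is it self-signed, is it still valid) on a certificate built with -subj instead of the interactive questions; the keys, certificate and validity periods are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: scripted checks on a self-signed
# certificate built as above. Files, names and validity periods are constructed.
set -e

# "yes" when the private key belongs to the certificate (identical RSA modulus).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ] && echo yes || echo no
}

# "yes" when subject and issuer are identical, i.e. a self-signed (root) cert.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}

# "valid" when the certificate is still valid $2 seconds from now;
# -checkend exits non-zero if it will have expired by then.
valid_in() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
        echo valid
    else
        echo expired
    fi
}

# Creates server.key, an unrelated other.key and a 30-day SHA-256 self-signed
# cert, then prints: right key, wrong key, self-signed, valid now, valid in 60 days.
cert_check_demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl req -new -x509 -nodes -sha256 -days 30 -key "$dir/server.key" \
        -subj '/C=FR/ST=France/L=Paris/O=Demo/CN=www.example.com' \
        -out "$dir/server.crt" 2>/dev/null
    echo "$(key_matches_cert "$dir/server.key" "$dir/server.crt")" \
         "$(key_matches_cert "$dir/other.key" "$dir/server.crt")" \
         "$(is_self_signed "$dir/server.crt")" \
         "$(valid_in "$dir/server.crt" 0)" \
         "$(valid_in "$dir/server.crt" $((60 * 86400)))"
    rm -rf "$dir"
}
```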

CA:

Creating a certificate authority:

    # Script on Red Hat-like systems
    /etc/pki/tls/misc/CA

    # Script on Debian-like systems
    /usr/lib/ssl/misc/CA.pl

    $ cd /etc/pki/tls/misc/
    $ ./CA -newca
    # Creates the self-signed certificate the CA uses to sign user requests.
    # The certificate: /etc/pki/CA/cacert.pem
    # The private key: /etc/pki/CA/private/cakey.pem

Certificate request:

    $ cd /etc/pki/tls/misc/
    $ ./CA -newreq

    # Creates the certificate request to submit to the CA (CSR)
    # the CSR: /etc/pki/tls/misc/newreq.pem
    # the private key: /etc/pki/tls/misc/newkey.pem

    # or
    $ openssl req -new -key newkey.key -out newcsr.csr

Signing the certificate with the CA:

    $ cd /etc/pki/tls/misc/
    $ ./CA -sign

    # (this uses the CA private key cakey.pem created earlier)
    # the certificate: newcert.pem => signed by the CA
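Added example, not from the page or from the CA/CA.pl script: the three CA steps written as plain openssl commands with a minimal config file in place of the system openssl.cnf, followed by the chain verification a relying party performs; the names, config and paths are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: what ./CA -newca, -newreq and
# -sign do, as explicit openssl commands. Names, config and paths are constructed.
set -e

# Prints "issuer-ok chain-ok hostname-ok untrusted-fail": the signed cert's
# issuer equals the CA subject, "openssl verify -CAfile cacert.pem" succeeds,
# the SAN matches the host name, and verification without the CA cert fails
# (the s_client "unable to get local issuer certificate" situation).
mini_ca_demo() {
    dir=$(mktemp -d)
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.com
EOF
    # 1) CA key + self-signed CA certificate (./CA -newca)
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -config "$dir/ca.cnf" \
        -subj '/CN=Demo Root CA' -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2) user key + certificate request (./CA -newreq)
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" \
        -subj '/CN=www.example.com' -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # 3) the CA signs the request with its own key (./CA -sign)
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 90 -sha256 -extfile "$dir/ca.cnf" -extensions v3_leaf \
        -out "$dir/newcert.pem" 2>/dev/null
    # 4) checks a relying party performs
    ca_subj=$(openssl x509 -in "$dir/cacert.pem" -noout -subject)
    issuer=$(openssl x509 -in "$dir/newcert.pem" -noout -issuer)
    [ "${ca_subj#subject=}" = "${issuer#issuer=}" ] && r="issuer-ok" || r="issuer-bad"
    if openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null 2>&1; then
        r="$r chain-ok"; else r="$r chain-bad"; fi
    if openssl verify -CAfile "$dir/cacert.pem" -verify_hostname www.example.com \
          "$dir/newcert.pem" >/dev/null 2>&1; then r="$r hostname-ok"; else r="$r hostname-bad"; fi
    if openssl verify -no-CAfile -no-CApath "$dir/newcert.pem" >/dev/null 2>&1; then
        r="$r untrusted-ok"; else r="$r untrusted-fail"; fi
    rm -rf "$dir"
    echo "$r"
}
```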

Displaying information:

    # Display a certificate:
    $ openssl x509 -in newcert.pem -text -noout

    # Display a CSR:
    $ openssl req -in newreq.pem -text -noout

    # Display the purposes of a certificate:
    $ openssl x509 -in newcert.pem -purpose -noout

    # Other info available: -subject -dates -fingerprint

Converting a PEM to PKCS#12:

    $ openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out openssl_ca3.p12
    # newkey.pem : private key
    # newcert.pem : certificate in PEM format

Viewing a certificate in PKCS#12 format:

    $ openssl pkcs12 -info -noout -in openssl_ca3.p12

Generating the private key and the CSR in one command:

    $ openssl req -new -newkey rsa:2048 -nodes -out ww.bob.com.csr -keyout ww.bob.com.key -subj "/C=US/ST=AA/L=NY/O=BOB/OU=Form/CN=ww.bob.com"

Displaying a CSR:

    $ openssl req -in ww.bob.com.csr -noout -text

Computing the hash of a file:

MD5

    $ openssl md5 server.crt
    MD5(server.crt)= 219fae7294cb717704d6f3059bf7db86

    # or
    $ md5 server.crt
    MD5 (server.crt) = 219fae7294cb717704d6f3059bf7db86

SHA

    $ shasum server.crt
    9b8217d6f9d678df10f21ba9796bfa4e1d6d64cf  server.crt

    # or
    $ openssl sha1 server.crt
    SHA1(server.crt)= 9b8217d6f9d678df10f21ba9796bfa4e1d6d64cf

    # or
    $ openssl sha256 server.crt
    SHA256(server.crt)= 9539d784c12ebf98dd0bb958fc90e6bc73fa2a188631c06e40ff0dcadedd1cef
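Added example, not from the page: the hashes above are over the server.crt file, whereas a certificate fingerprint is the hash of the DER encoding; this script shows on a constructed certificate that the fingerprint matches the DER hash and not the hash of the PEM file.

```sh
#!/bin/sh
# Added example, not from the original page. The certificate is constructed;
# hexdigest strips the "NAME(stdin)= " prefix that openssl dgst prints.
set -e

hexdigest() { openssl sha256 | sed 's/^.*= //'; }

# Prints "fingerprint=der pem=different".
fingerprint_demo() {
    dir=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj /CN=demo \
        -keyout "$dir/k" -out "$dir/server.crt" 2>/dev/null
    # 1) the fingerprint as openssl reports it, lower-cased, colons removed
    fp=$(openssl x509 -in "$dir/server.crt" -noout -fingerprint -sha256 \
         | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f')
    # 2) SHA-256 over the DER encoding: this is what a fingerprint is
    der=$(openssl x509 -in "$dir/server.crt" -outform DER | hexdigest)
    # 3) SHA-256 over the PEM text, i.e. the page's "openssl sha256 server.crt"
    pem=$(hexdigest < "$dir/server.crt")
    rm -rf "$dir"
    [ "$fp" = "$der" ] && a=der || a=other
    [ "$fp" = "$pem" ] && b=same || b=different
    echo "fingerprint=$a pem=$b"
}
```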

Other:

Displaying a website's certificate:

    $ openssl s_client -connect www.gmail.com:443
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEeDCCA2CgAwIBAgIIOH1BiocMbDowDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnR
    ...
    ...