Key management:

Generating a private key without encryption:

$ openssl genrsa  -out cle_prv 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
...........................................................................+++
e is 65537 (0x10001)

$ cat cle_prv
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Extra entropy can be mixed into the key generation by adding: -rand fichier1:fichier2:…

Generating a private key with encryption (here with 3DES):

$ openssl genrsa -des3 -out cle_prv 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
......................................+++
e is 65537 (0x10001)
Enter pass phrase for cle_prv:
Verifying - Enter pass phrase for cle_prv:

$ cat cle_prv
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BC3518D11AE78E9D
...
-----END RSA PRIVATE KEY-----

Extracting the public key from the private key:

$ openssl rsa -in cle_prv -pubout -out cle_pub
Enter pass phrase for cle_prv:
writing RSA key

$ cat cle_pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuvap5aUs38ySLsZj0NUM
/yNN3+32aMt5qm3zk4g30EKqhN2xAEY7zYAa0pw7GMnjTBQCrDMBJIBZvNJxM340
phJnjAmEcjGNPIHJET+a3sNlkqcvgv2ypfwPGOP5CjTIe6vHl9qXRVDPqWt3orM4
u2kLsyA6K/ukZVkLv0xOfVtuEqNqkrugBl7lFM4+4XzUldx+cNzfgu0WTMLCHMrd
NPLNkGpd2rtoPy62GJhm2lnGFXvN6G7ip8AYQq8o11/ktona2FDYww92tJvoPhyW
jSBwVwqVttuujUjjyT8tEVXF6I3cz1fmd7PbXrzHA/RfOqg9egfqHbJCm7mBRTsy
fwIDAQAB
-----END PUBLIC KEY-----

The passphrase must be supplied if the private key is encrypted.

Extracting an unencrypted copy of the private key from the encrypted private key:

$ openssl rsa -in cle_prv -out cle_prv_unc
Enter pass phrase for cle_prv:
writing RSA key

$ cat cle_prv_unc
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Encryption:

Encrypt a file with the public key:

$ openssl rsautl -encrypt -pubin -inkey cle_pub -in fic_clair -out fic_chiff

Decrypt the encrypted file with the private key:

$ openssl rsautl -decrypt -inkey cle_prv -in fic_chiff -out fic_clair2
Enter pass phrase for cle_prv:

The passphrase must be supplied if the private key is encrypted.

Caution: depending on the file size, encryption may print the following message: RSA operation error 140735216935760:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151: which means the file to encrypt is too large (even a few tens of kilobytes is already too much).

The way around this is S/MIME.

#1) Generate a key pair (private and public):
$ openssl req -x509 -nodes -days 100000 -newkey rsa:2048  -keyout privatekey.pem  -out publickey.pem  -subj /

#2) Encrypt the large file (the output format is DER, hence -outform DER):
$ openssl smime -encrypt -aes256 -in LargeFile.zip -binary -outform DER -out LargeFile_encrypted.zip publickey.pem

#3) Decrypt it (reading the DER container back with -inform DER):
$ openssl smime -decrypt -in LargeFile_encrypted.zip -binary -inform DER -inkey privatekey.pem -out LargeFile.zip
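The reason rsautl fails is that RSA can only encrypt a message shorter than the modulus (about 245 bytes for a 2048-bit key with PKCS#1 v1.5 padding, 214 with OAEP), which is also why the S/MIME route above encrypts the data with AES and wraps only the AES key with RSA. The script below is an added example, not from the original notes, that performs that hybrid step by hand with pkeyutl and enc; the key sizes, file names and the 1 MiB test file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): hybrid encryption with plain
# openssl commands. RSA can only encrypt a message shorter than the modulus
# minus padding, so the file is encrypted with a random AES-256 key and only
# that key is wrapped with RSA. File names and sizes are constructed for the demo.
set -eu
OAEP="-pkeyopt rsa_padding_mode:oaep"   # stronger padding than the PKCS#1 v1.5 default

# $1 = private key file to create, $2 = matching public key file
hyb_keygen() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Returns 0 when openssl refuses to RSA-encrypt $2 with public key $1
# (this is the "data too large for key size" case from the notes).
rsa_rejects() {
  ! openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" $OAEP >/dev/null 2>&1
}

# $1 = public key, $2 = plaintext, $3 = ciphertext out, $4 = wrapped key out
hyb_encrypt() {
  key=$(openssl rand -hex 32)   # 256-bit AES key
  iv=$(openssl rand -hex 16)    # 128-bit CBC IV
  openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$2" -out "$3"
  # only the 97-byte "key iv" string goes through RSA, well under the limit
  printf '%s %s' "$key" "$iv" |
    openssl pkeyutl -encrypt -pubin -inkey "$1" $OAEP -out "$4"
}

# $1 = private key, $2 = ciphertext, $3 = wrapped key, $4 = plaintext out
hyb_decrypt() {
  kv=$(openssl pkeyutl -decrypt -inkey "$1" -in "$3" $OAEP)
  openssl enc -d -aes-256-cbc -K "${kv% *}" -iv "${kv#* }" -in "$2" -out "$4"
}

# Round-trip a 1 MiB random file; returns 0 only if the decrypted copy matches
# and a direct RSA encryption of the same file is rejected.
hyb_selftest() {
  d=$(mktemp -d); rc=1
  hyb_keygen "$d/prv.pem" "$d/pub.pem"
  head -c 1048576 /dev/urandom >"$d/big.bin"
  hyb_encrypt "$d/pub.pem" "$d/big.bin" "$d/big.enc" "$d/key.enc"
  hyb_decrypt "$d/prv.pem" "$d/big.enc" "$d/key.enc" "$d/big.dec"
  if rsa_rejects "$d/pub.pem" "$d/big.bin" && cmp -s "$d/big.bin" "$d/big.dec"; then rc=0; fi
  rm -rf "$d"; return $rc
}
```

Run hyb_selftest to exercise the whole round trip; the wrapped key file is what you would send alongside the ciphertext, and the AES key never touches disk in clear form.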

Encrypt a file with a symmetric cipher:

$ openssl enc -des3 -in fic_clair -out fichier.chiff
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:

Symmetric decryption of the file:

$ openssl enc -des3 -d -in fichier.chiff -out fichier.claire2
enter des-ede3-cbc decryption password:

Creating a self-signed certificate:

Generating the key pair without a passphrase:

$ openssl genrsa  -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++
.....................................+++
e is 65537 (0x10001)

Configuration file for customising the certificate creation parameters:

# For Debian-like systems
$ vi /etc/ssl/openssl.cnf

# For Red Hat-like systems
$ vi /etc/pki/tls/openssl.cnf

The Common Name must be the server's FQDN.

Creating the self-signed certificate:

# By default you will be prompted for the various fields:
$ openssl req -new -x509 -nodes -sha256 -key server.key -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:Fr
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:
...
...


# Using the custom config file
$ openssl req -new -x509 -nodes -sha256 -key server.key -out server.crt -config /etc/ssl/openssl.cnf

# Override some of the parameters present in the config file
$ openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt -config /etc/ssl/openssl.cnf

By default OpenSSL uses SHA-1; within a few years browsers will no longer accept it as secure, so we force SHA-2 (SHA-256). The -x509 option tells openssl req to generate a self-signed certificate rather than a plain certificate request. For a wildcard certificate, put *.example.com in the CN.
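A non-interactive version of the recipe above, added here as an example that is not part of the original notes: it writes a throwaway config file instead of editing /etc/ssl/openssl.cnf, adds a subjectAltName (browsers match the host name against the SAN, the CN alone is no longer enough) and runs the checks worth doing on the result, including the subject-equals-issuer rule used later in these notes. The host name www.example.com, the subject fields and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): the self-signed recipe above done
# non-interactively with a throwaway config instead of editing openssl.cnf, plus
# the checks worth running on the result. Names and paths are constructed.
set -eu
# $1 = FQDN, $2 = output dir; writes $2/server.key and $2/server.crt.
# subjectAltName is what browsers actually match the host name against.
make_selfsigned() {
  cat >"$2/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_self
[ dn ]
C  = FR
O  = Example
CN = $1
[ v3_self ]
subjectAltName   = DNS:$1
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
  openssl genrsa -out "$2/server.key" 2048 2>/dev/null
  openssl req -new -x509 -nodes -sha256 -days 365 -key "$2/server.key" \
    -out "$2/server.crt" -config "$2/req.cnf"
}
# Prints self-signed when subject and issuer are identical (the rule in the
# notes), otherwise ca-signed. $1 = certificate file
cert_kind() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ] && echo self-signed || echo ca-signed
}
# Returns 0 when private key $1 belongs to certificate $2 (same public key)
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}
# Returns 0 when certificate $1 carries DNS:$2 in its subjectAltName
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
selfsigned_selftest() {
  d=$(mktemp -d); rc=1
  make_selfsigned www.example.com "$d"
  if [ "$(cert_kind "$d/server.crt")" = self-signed ] &&
     key_matches_cert "$d/server.key" "$d/server.crt" &&
     has_san "$d/server.crt" www.example.com; then rc=0; fi
  rm -rf "$d"; return $rc
}
```

key_matches_cert is the check to run before deploying any key/certificate pair to a server: a mismatch is the usual cause of a web server refusing to start after a certificate renewal.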

Certificate information:

Full certificate contents:

$ openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13008563029812239127 (0xb487b3273e3cdb17)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=Fr, ST=France, L=Paris, O=Alasta, OU=IT, CN=www.alasta.com/emailAddress=email@example.com
Validity
Not Before: Nov 11 14:44:22 2014 GMT
Not After : Dec 11 14:44:22 2014 GMT
Subject: C=Fr, ST=France, L=Paris, O=Alasta, OU=IT, CN=www.alasta.com/emailAddress=email@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
53:79:FB:D1:9E:B3:80:A6:32:19:1D:AF:AF:CF:67:14:EF:4A:6F:58
X509v3 Authority Key Identifier:
keyid:53:79:FB:D1:9E:B3:80:A6:32:19:1D:AF:AF:CF:67:14:EF:4A:6F:58

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption

Specific fields:

$ openssl x509 -in server.crt   -issuer -noout -subject
issuer= /C=Fr/ST=France/L=Paris/O=Alasta/OU=IT/CN=www.alasta.com/emailAddress=email@example.com
subject= /C=Fr/ST=France/L=Paris/O=Alasta/OU=IT/CN=www.alasta.com/emailAddress=email@example.com

# with multi-line output (-nameopt multiline)
$ openssl x509 -in server.crt  -subject -issuer -noout -nameopt multiline
subject=
countryName               = Fr
stateOrProvinceName       = France
localityName              = Paris
organizationName          = Alasta
organizationalUnitName    = IT
commonName                = www.alasta.com
emailAddress              = email@example.com
issuer=
countryName               = Fr
stateOrProvinceName       = France
localityName              = Paris
organizationName          = Alasta
organizationalUnitName    = IT
commonName                = www.alasta.com
emailAddress              = email@example.com

When the subject and the issuer are identical, it is a root CA.

What the certificate can be used for:

$ openssl x509 -in server.crt  -purpose -noout
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

Checking the private key:

$ openssl rsa -in server.key -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Add -noout to avoid printing the key.

CA:

Creating a certificate authority:

# Script for Red Hat-like systems
/etc/pki/tls/misc/CA

# Script for Debian-like systems
/usr/lib/ssl/misc/CA.pl

$ cd /etc/pki/tls/misc/
$ ./CA -newca
# Creates the self-signed certificate the CA uses to sign user requests.
# The certificate: /etc/pki/CA/cacert.pem
# The private key: /etc/pki/CA/private/cakey.pem

Certificate request:

$ cd /etc/pki/tls/misc/
$ ./CA -newreq

# Creates the certificate signing request (CSR) to submit to the CA
# the CSR: /etc/pki/tls/misc/newreq.pem
# the private key: /etc/pki/tls/misc/newkey.pem

# or
$ openssl req -new -key newkey.key -out newcsr.csr

Signing the certificate with the CA:

$ cd /etc/pki/tls/misc/
$ ./CA -sign

# (this uses the CA private key cakey.pem created earlier)
# the certificate: newcert.pem => self-signed
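The same CA flow (new CA, request, signing) done with plain openssl commands instead of the CA / CA.pl wrapper script, added as an example that is not part of the original notes; it ends with the openssl verify check that shows newcert.pem chains to the CA certificate rather than standing on its own. The CA name, the host name www.example.com and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): the CA flow above (new CA, CSR,
# signing) with plain openssl commands instead of the CA / CA.pl wrapper, ending
# with the chain check a practitioner runs on the result. Names are constructed.
set -eu
# Creates the CA key and self-signed CA certificate in directory $1
make_ca() {
  openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -sha256 -days 3650 -key "$1/cakey.pem" \
    -subj "/C=FR/O=Demo/CN=Demo Root CA" -out "$1/cacert.pem"
}
# Key + CSR in one command, as in the notes: $1 = dir, $2 = FQDN
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=FR/O=Demo/CN=$2" \
    -keyout "$1/newkey.pem" -out "$1/newreq.pem" 2>/dev/null
}
# Signs $1/newreq.pem with the CA key; newcert.pem is CA-signed, not self-signed.
# -CAcreateserial writes cacert.srl so each issued certificate gets a new serial.
sign_csr() {
  openssl x509 -req -sha256 -days 365 -in "$1/newreq.pem" -CA "$1/cacert.pem" \
    -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/newcert.pem" 2>/dev/null
}
# Returns 0 when certificate $2 chains to the CA certificate $1
verify_chain() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
# Returns 0 when the issued certificate verifies under this CA and, as a
# control, fails when the leaf certificate itself is offered as trust anchor
ca_selftest() {
  d=$(mktemp -d); rc=1
  make_ca "$d"; make_csr "$d" www.example.com; sign_csr "$d"
  if verify_chain "$d/cacert.pem" "$d/newcert.pem" &&
     ! verify_chain "$d/newcert.pem" "$d/newcert.pem"; then rc=0; fi
  rm -rf "$d"; return $rc
}
```

The second verify_chain call is the one that shows newcert.pem is not self-signed: without cacert.pem in the trust store, openssl reports "unable to get local issuer certificate".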

Displaying information:

# Display a certificate:
$ openssl x509 -in newcert.pem -text -noout

# Display a CSR:
$ openssl req   -in newreq.pem -text -noout

# Display a certificate's purposes:
$ openssl x509 -in newcert.pem -purpose -noout

# Other info available: -subject -dates -fingerprint

Converting a PEM to PKCS12:

$ openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out openssl_ca3.p12
# newkey.pem: private key
# newcert.pem: certificate in PEM format

To view a certificate in PKCS12 format:

$ openssl pkcs12 -info -noout -in openssl_ca3.p12

Generating the private key and the CSR in one command:

$ openssl req -new -newkey rsa:2048 -nodes -out ww.bob.com.csr -keyout ww.bob.com.key -subj "/C=US/ST=AA/L=NY/O=BOB/OU=Form/CN=ww.bob.com"

Display a CSR:

$ openssl req -in ww.bob.com.csr -noout -text

Computing the hash of a file:

MD5

$ openssl md5 server.crt
MD5(server.crt)= 219fae7294cb717704d6f3059bf7db86

# or

$ md5 server.crt
MD5 (server.crt) = 219fae7294cb717704d6f3059bf7db86

SHA

$ shasum server.crt
9b8217d6f9d678df10f21ba9796bfa4e1d6d64cf  server.crt

# or
$ openssl sha1 server.crt
SHA1(server.crt)= 9b8217d6f9d678df10f21ba9796bfa4e1d6d64cf

# or

$ openssl sha256 server.crt
SHA256(server.crt)= 9539d784c12ebf98dd0bb958fc90e6bc73fa2a188631c06e40ff0dcadedd1cef

Other:

Display a site's certificate:

$ openssl s_client -connect www.gmail.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEeDCCA2CgAwIBAgIIOH1BiocMbDowDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnR
...
...