@commenthol
Last active June 18, 2021 06:54
openssl & certificates

A collection of openssl commands around certificates.

Verify certificates

verify single certificate

openssl verify server.crt

verify certificate chain

openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt

verify certificate from webpage

openssl s_client -showcerts -verify 5 -connect aserver.com:443 < /dev/null

show contents of certificate

openssl x509 -text -noout -in any.crt

view contents of a csr

openssl req -noout -text -in server.csr

Create a chained certificate from a server certificate

  1. Get the issuer of the server.crt

    openssl x509 -text -noout -in server.crt | grep Issuer:
    
  2. Find the intermediate certificate which matches Issuer: in Subject:

    openssl x509 -text -noout -in intermediate.crt | grep Subject:
    
  3. Get the issuer of the matching intermediate certificate

    openssl x509 -text -noout -in intermediate.crt | grep Issuer:
    
  4. Find the root certificate which matches Issuer: in Subject:

    openssl x509 -text -noout -in root.crt | grep Subject:
    
  5. Finally concatenate all certificates into a chained cert

    cat server.crt intermediate.crt root.crt > user-chained.crt
    
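As an added example (not part of the gist), the same five steps as a small POSIX sh script: it walks from the server certificate upwards, picking at each step the candidate whose Subject equals the current Issuer, writes the concatenated chain, and then verifies it the way the "verify certificate chain" command above does. It assumes openssl is in PATH and that each candidate file holds exactly one PEM certificate; the names build_chain, verify_chain and the OUT_CRT.root / OUT_CRT.intermediates side files are my own.

```shell
#!/bin/sh
# Added example (not from the gist): automate steps 1-5 above by walking
# Issuer -> Subject matches, then verify the result the way "verify
# certificate chain" does. Assumes openssl is in PATH and that every
# candidate file holds exactly one PEM certificate.
set -u

# Subject / Issuer of a PEM certificate in RFC 2253 form, so that they can be
# compared as plain strings (the "grep Subject:" above is for human eyes).
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'; }

# build_chain SERVER_CRT OUT_CRT CANDIDATE_CRT...
# Writes OUT_CRT (server, intermediates, root, in that order) and keeps the
# root and the intermediates in OUT_CRT.root / OUT_CRT.intermediates for
# verify_chain. A certificate whose Issuer equals its Subject ends the walk.
build_chain() {
  server="$1"; out="$2"; shift 2
  cp "$server" "$out"
  : > "$out.intermediates"; : > "$out.root"
  current="$server"
  while [ "$(cert_subject "$current")" != "$(cert_issuer "$current")" ]; do
    wanted="$(cert_issuer "$current")"; next=""
    for cand in "$@"; do
      [ "$(cert_subject "$cand")" = "$wanted" ] && { next="$cand"; break; }
    done
    if [ -z "$next" ]; then
      echo "build_chain: no candidate with Subject '$wanted'" >&2
      return 1
    fi
    cat "$next" >> "$out"
    if [ "$(cert_subject "$next")" = "$(cert_issuer "$next")" ]; then
      cat "$next" > "$out.root"
    else
      cat "$next" >> "$out.intermediates"
    fi
    current="$next"
  done
}

# verify_chain SERVER_CRT OUT_CRT: trust only the root that build_chain found
# and pass the intermediates as -untrusted (a self-signed leaf fails here).
verify_chain() {
  if [ -s "$2.intermediates" ]; then
    openssl verify -CAfile "$2.root" -untrusted "$2.intermediates" "$1"
  else
    openssl verify -CAfile "$2.root" "$1"
  fi
}
```

Name matching alone does not prove the signature is valid, which is why verify_chain runs after the walk.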

Add root cert to operating system

Linux

  1. Copy to location

    cp /tmp/root.crt /usr/local/share/ca-certificates/root.crt
    chmod 644 /usr/local/share/ca-certificates/root.crt
    
  2. update certs

    update-ca-certificates
    

Add to docker

In the Dockerfile add:

ADD root.crt /usr/local/share/ca-certificates/root.crt
RUN chmod 644 /usr/local/share/ca-certificates/root.crt && update-ca-certificates

Common pitfalls

Chrome reports NET::ERR_CERT_AUTHORITY_INVALID

For self-signed certificates with your own root certificate, make sure to import that root.crt into your browser / operating system.

Settings > Manage Certificates > Authorities > Import

Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID

Most probably the "Subject Alternative Name" extension is missing or does not match the "CN =" of the Subject:

Check also that "TLS Web Server Authentication" is part of the key usage!

Certificate:
    Data:
        ...
        Subject: O = my Server, CN = www.my.server, emailAddress = info@myserver
        ...
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:www.my.server

Use a (chained) certificate with node.js

const fs = require('fs')
const path = require('path')
const https = require('https')

// read a file relative to this script
const read = filename => fs.readFileSync(path.resolve(__dirname, filename))

const options = {
  key: read('./server.key'),
  cert: read('./server-chained.crt'), // server + intermediate + root
}

// alternatively: leaf certificate only, with the rest of the chain passed via `ca`
// (note: in node's tls options `ca` defines the CAs trusted when verifying peers;
// clients only receive what is in `cert`, so send the full chain there)
const optionsWithCa = {
  key: read('./server.key'),
  cert: read('./server.crt'),
  ca: [
    read('./intermediate.crt'),
    read('./root.crt'),
  ]
}

https.createServer(options, (req, res) => {
  res.end()
}).listen(443)