Creating Keys
Create an RSA Key
openssl genrsa -out $name.key 2048
openssl genrsa -des3 -out $name.key 2048
Open a key that was previously created with -des3 (writes a copy without the passphrase), then extract the public key from it
openssl rsa -in $name.key -out $name.key-open
openssl rsa -in $name.key -pubout -out $name.pub
Certificate Requests
Make a key, then make the CSR from it
openssl genrsa -out $name.key 2048
openssl req -new -key $name.key -out $name.csr
Or do it all at once
openssl req -new -out $name.csr \
    -newkey rsa:2048 -nodes -keyout $name.key
View the CSR
openssl req -noout -text -in $name.csr
Create your Own Certificate Authority
Don't use the -nodes option here; it removes the passphrase requirement on the CA key.
openssl req -new -x509 -days 3652 -keyout ca.key -out ca.crt
openssl x509 -in ca.crt -text
Sign the Request
Usually the CSR is sent to a third-party provider for signature, but you can sign it with your own CA if you want. -CAcreateserial creates the CA's serial number file (ca.srl) on the first run.
openssl x509 -req -days 3652 -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -in NEW.csr -out NEW.crt
View the Signed Certificate
openssl x509 -text -in $name.crt
Client Connection Test
openssl s_client -connect $hostname:443
openssl s_client -connect $hostname:465
openssl s_client -connect $hostname:993
openssl s_client -connect $hostname:995
openssl s_client -connect $hostname:6668
Sometimes Apache reports the error "Failed to configure CA certificate chain" when loading its configuration. This is most likely caused by a corrupted .crt, .key or .pem file (or a file with any of the other extensions these formats are stored under).
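The CA flow above run end to end without interactive prompts, followed by the checks worth running before blaming Apache for "Failed to configure CA certificate chain": chain validation, a key-matches-certificate test, and a deliberately corrupted copy that must be rejected. This is an added example, not code from the original page; it assumes openssl is on PATH, and the CN values and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes openssl is on PATH;
# "Demo CA", "demo.example" and the passphrase are constructed placeholders.
set -e

# Succeeds only if the public key in the cert equals the one derived from the
# private key (a swapped or stale file is a common cause of the Apache error).
key_matches_cert() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl rsa -pubout -in "$2" 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ]
}

# Succeeds only if the PEM file still parses as a certificate.
cert_is_well_formed() {
    openssl x509 -noout -in "$1" 2>/dev/null
}

# Builds a CA plus a signed server cert in a fresh directory, prints its path.
run_ca_demo() {
    dir=$(mktemp -d)
    capass='pass:constructed-demo-passphrase'   # placeholder, never reuse

    # 1. CA key (passphrase protected, so no -nodes) and self-signed CA cert
    openssl req -new -x509 -days 3652 -newkey rsa:2048 -subj '/CN=Demo CA' \
        -passout "$capass" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR in one step
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo.example' \
        -keyout "$dir/demo.key" -out "$dir/demo.csr" 2>/dev/null

    # 3. Sign the CSR with the CA (-CAcreateserial makes ca.srl on first use)
    openssl x509 -req -days 3652 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -passin "$capass" \
        -in "$dir/demo.csr" -out "$dir/demo.crt" 2>/dev/null

    # 4. The chain must validate against the CA before Apache ever sees it
    openssl verify -CAfile "$dir/ca.crt" "$dir/demo.crt" >/dev/null

    # 5. A corrupted copy (first base64 line damaged) must be rejected
    sed 's/^MII/XXX/' "$dir/demo.crt" > "$dir/corrupt.crt"
    if cert_is_well_formed "$dir/corrupt.crt"; then return 1; fi

    echo "$dir"
}
```

Run `dir=$(run_ca_demo)` and then `key_matches_cert "$dir/demo.crt" "$dir/demo.key"`; a non-zero exit from any step points at the file to re-check.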
See Also
View a CSR as Text
openssl req -in file.csr -noout -text
Check SSL Connection
~ $ openssl s_client -host ssl.domain.tld -port 443
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=HYrDQe7TIbfZHzfe4rVixzc-WfNWjCq4/C=US/ST=Washington/L=Seattle/O=Edoceo, Inc/OU=Internet Engineering/CN=*.edoceo.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
[ snipped ]
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: BD1BE308F8D34BC79BC047AC9C5570419AB5B104A3E2037E64443BB48DBDE55728B364137012516502B4059A9113240E
    Key-Arg   : None
    Start Time: 1331171036
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
Here we are testing for SSLv2 (the session below shows the server negotiating an SSLv2 session, which a server should no longer accept)
~ $ openssl s_client -host ssl.domain.tld -port 443
[ snipped ]
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 837714D8DD5977D01DB81829CFB93269
    Session-ID-ctx:
    Master-Key: AFD97F3116CB12940B9F66E3234D378C6F1AA2AA029377E5
    Key-Arg   : F6FE6FD14FECD333
    Start Time: 1331171179
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---