Posts tagged openssl

imap via linux shell
posted on 2016-11-09 23:52

Connect to server:

openssl s_client -connect SERVERNAME-OR-IP:993

IMAP commands:

  • enumerate/prefix commands with arbitrary labels or simply a '.'
  • login USERNAME "PASSWORD" # login
  • list "" "*" # show all mailboxes
  • status [mailbox]
  • select "MAILBOX" # switch to mailbox
  • uid search all
  • uid store MAILID +flags (\Deleted) # mark as deleted
  • expunge # actual delete
  • logout # logout
openssl convert .pfx
posted on 2016-11-08 15:21

To extract privatekey, certificate and ca-certificate from a .pfx file, do these:

# extract key
openssl pkcs12 -in FILE.PFX -out FILE.key-nodes

# extract cacert
openssl pkcs12 -in FILE.PFX -out -cacerts

# extract cert
openssl pkcs12 -in FILE.PFX -out FILE.crt -clcerts

To create a .pfx / .p12:

# create .pfx
openssl pkcs12 -export -out FILE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.crt -certfile
openssl: s_client to check certificates
posted on 2016-03-18 13:47:07

In short:

openssl s_client -connect <>:443
openssl: check privkey, cert request, certificate
posted on 2016-02-26 13:50:50

Here is a one-liner that prompts you to enter the filenames of your private key, your certificate's request and your final certificate:

echo; echo $'\e[32;1m'"cd into keyfolder, enter filenames when prompted."$'\e[0m'; ls -lah; echo; read -p "privkey:  " fn; read -p "certreq:  " csr; read -p "certname: " cert; openssl rsa -in $fn -modulus -noout | openssl md5; openssl req -in $csr -modulus -noout | openssl md5; openssl x509 -in  $cert -modulus -noout | openssl md5'

Only if all hash value results are the same, your files will work. If they differ something is broken and you have to have a more in-depth look.

OpenSSL: Create a TLS certificate
posted on 2015-07-18 01:13:32

This posting is solely about handling certificates, no cryptographic background or deeper technical digging.

background and grey theory

Basically creating a certificate can be done via two ways:

  • create a private key and a certificate from it
  • create a private key, a certificate signing-request out of it, and with another certificate-authority private-key and certificate-authority certificate create an own certificate

The first approach is to be done for CA's (certificate authorities), and their (CA) certificates are shipped with the common browsers.

Website (or whatever type of service uses SSL/TLS) let their domain be secured with an own certificate, which the certificate authority created from a certificate signing request the owner sent them using their private key and certificate.

The user using the browser to access the secured domain gets the ca cert and the site owner's cert, and can check if the site owner's cert can be validated against the root CA cert.

So these are the artifacts in play: (CA = certificate authority, SRV = server owner)

  • CA privkey (CA_PK)
  • CA cert (CA_C)
  • SRV privkey (SRV_PK)
  • SRV cert (SRV_C)

installing them server-side

In this order they are created and installed:

         SRV                                         CA
        -----                                       ----
          |                                          |
          |                                     1. create CA_PK
          |                                     2. create CA_C
          |                                          |
    3. create SRV_PK                                 |
    4. create SRV_CSR                                |
          |                                          |
    5.    |--------------- email SRV_CSR ----------->|
          |                                          |
          |                                     6. create SRV_C
          |                                     (from CA_PK,CA_C,SRV_CSR)
          |                                          |
    7.    |<--------------  email SRV_C  ------------|
          |                                          |
    8. configure server (web,ftp,...)                |
       (to provide CA_C,SRV_PK,SRV_C)                |
          |                                          |

This is all which is needed to set TLS encryption up.

Note: CA_C and SRV_C differ in having the CA flag set to TRUE or not. Besides that, they are the same.

using them client-wise

To keep it simple, clients negotiate the connection with the server, and use the th SRV_C of aforementioned artefacts from the server. The CA_C is already part of the web browser.

practice and its complexities

To prevent some misunderstandings, even more basics:

  • CA's are just companies printing money, as these certificates tend to be very expensive but are not saver than ones you create on your own and validate these against a self-created self-signed one (With you being basically your own CA.). The only difference is, the CA's get their certificates shipped with every browser, whereas you do not get that luxury.
  • CA_PK and SRV_PK do not differ in how they were created.
  • self-signed certificate = no higher-level cert is needed for validation (for CA's)
  • messing up which one is which is the third biggest source of problems revolving around certificates
  • the second biggest problem is the unwieldiness of the tools to handle these things
  • the biggest source of FAIL when dealing with certificates is the amount of different ones being in different formats (single file or container 'containing' several 'files') and encodings (ascii/base64 vs. binary) and simple copy-paste errors when creating some of them

This sounds complexer than it really is. Haha, I know.

You can import the self-created self-signed CA cert into your browser by hand, so you don't get the warning about visiting unsecure sites anymore, but the rest of the world will still get the error. Plus your google ranking for your website should be lower, as far as I can remember.

a script for automating things

When having to have to create certificates from time to time, this may come handy:

openssl genrsa 2048 > ca-key.pem && \
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem && \
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem && \
openssl rsa -in server-key.pem -out server-key.pem && \
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

For automated generation, the openssl tool is way more nicer than certtool from GnuTLS. For checking contents or creating a .p12 / pkcs #12 container, the latter is better:

# check contents
certtool --certificate-info --infile C.pem

# create .p12
certtool --to-p12 --load-ca-certificate CA_C.pem --load-privkey PK.key --load-certificate C.pem --outfile CONTAINER.p12 --outder

show certificate information

certtool --certificate-info --infile C.pem
Certificates, OpenSSL in depth and GnuTLS
posted on 2014-07-10 14:37:52

This post should give an overview on the most used OpenSSL commands, and how SSL/TLS/X.509 in general works.

Since this post was written a long time ago, it might get revisited in the future. But this will be a major overhaul, so this will not happen in the near future either.

But there will come some ascii art on a schematic PKI in general, the section about the filenames will get cleaned up as well as the openssl section.

post vocabulary and some notes

The most used terms are abbreviated in the following.

PK = Private Key
C = Certificate
CSR = Certificate Signing Request
CA = Certificate Authority

Usually this seems way harder than it is in reality, once you get the hang of it. Hardest part is to understand which file belonging to which server is needed for the current step.


Some more abbreviations first:

SSL : Secure Sockets Layer
TLS : Transport Layer Security
X.509 : Public Key Infrastructure (PKI) and Priviledge Management Infrastructure (PMI) standard by the "International Telecommunication Union Telecommunication Standardization Sector" (ITU-T).

SSL and its successor TLS, which includes SSL, are protocols for encrypting internet communication. The C infrastructure setup is defined in the X.509 standard. That is why these acronyms are popping up in any discussion about this topic.

On a sidenote, a more general equation:


Since this post is focused on usability, the techniques in question that are used in a PKI or PMI are of no concern here.

The C chain looks usually like this: (intermeadiates can, but need not exist)

  1. Root C
  2. Intermediate C
  3. C

The last C is the one issued by the CA where you subitted your CSR to.

Only if all C's are present and used correctly, SSL checking tools (See here or here.) will tell you your C's are set up accordingly.

File types

There exist a bunch of file types, you have to be able to differentiate.

file types

.key : private key file (PK), but that's just a convention
.csr : certificate signing request (CSR)
.crt : certificate (C)
.cer : certificate (C), Microsoft used this naming scheme earlier

For .pem and .der files, see next section.

PK.key, CSR.csr, C.crt are kind of placeholders for your actual filenames in the following sections. A good naming scheme would be subdomain_domain_tld-year, without dots. Dots happen to either not work or cause other problems. Appending the year your C was issued helps with distinguishing in case you renew a certain certificate.

containers and encodings

Containers are used for grouping together C's (and) into a single file.

.pem: ascii / base64 encoded container
.der: container in binary format

The extension hints at the encoding being used, for the container. A container usually consists of the set of all C's (the entire trust chain), and can optionally also contain the PK.

All the files from the section before can be in PEM or DER format, IIRC!

For more information on the Distinguished Encoding Rules (DER) or the Privacy-enhanced Electronic Mail (PEM), just click these links.


PK / CSR generation

For usage with Certificate Authorities (CA's)

Generate a PK and a CSR:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout PK.key

If you already have an existing PK and just need a CSR:

openssl req -out CSR.csr -key PK.key -new

Create a new CSR for an existing C:

openssl x509 -x509toreq -in C.crt -out CSR.csr -signkey PK.key

Complete self-signed certificate

Generation of a self-signed (ss) C, based on a newly generated PK with a term of validity of one year (365 days):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout PK.key -out C.crt

ss-C's for https are still better than traffic over plain http, but for private websites for example, StartSSL Certificates provide C's for free. Free as in 'no money needed'.

convert PEM to DER

openssl x509 -in C.crt -outform der -out C.der

convert DER to PEM

openssl x509 -in C.crt -inform der -outform pem -out C.pem

viewing PEM encoded files containing a C

For debugging reasons, this might actually be the most used command.

openssl x509 -in C.pem -text -noout
openssl x509 -in C.crt -text -noout
openssl x509 -in C.cer -text -noout

This will not work on a single PK file.


Get it:

apt-get install gnutls-bin -y



Instead of the openssl tool suite, this is actually self-explanatory.


In the following, keyfiles are called .key extension-wise, but that is just a name differentiation. They are in reality just .pem files, too, but with this practice files are easier to differentiate.

generate PK's (private keys)

certtool --generate-privkey --outfile PK.key --rsa

Use --dsa or --ecc flags if you want to change the used cryptosystem.

generate CSR's (certificate signing requests)

certtool --generate-request --load-privkey PK.key --outfile CSR.pem

generate C (certificate) from CSR (certificate signing request)

Usually this is a CA_C.pem, a CA certificate.

certtool --generate-certificate --load-ca-privkey CA_PK.key --load-ca-certificate CA_C.pem --load-request CSR.pem --outfile C.pem

generate C (certificate) from PK (private key), lacking a CSR

certtool --generate-certificate --load-ca-privkey CA_PK.key --load-ca-certificate CA_C.pem --load-privkey PK.key --outfile C.pem

generate a self-signed C (certificate), the fast way

certtool --generate-privkey --outfile CA_PK.key --rsa
certtool --generate-self-signed --load-privkey CA_PK.key --outfile CA_C.pem

Here's a one-liner to copy-paste:

certtool --generate-privkey --outfile CA_PK.key --rsa && certtool --generate-self-signed --load-privkey CA_PK.key --outfile CA_C.pem

create a .p12 / pkcs #12 container file

A .p12 file includes all three part usually needed on the server side:

  • CA certificate

  • server PK

  • server C

    certtool --to-p12 --load-ca-certificate CA_C.pem --load-privkey PK.key --load-certificate C.pem --outfile CONTAINER.p12 --outder

show certificate information

certtool --certificate-info --infile C.pem
Certificate content viewed with OpenSSL
posted on 2014-07-07 11:27:04

To show the contents of a ssl/tls certificate with openssl, do:

openssl x509 -in C.crt -text -noout

where C.crt is the name of your actual certificate. Should work for .pem, .cer and .key files as well.

This blog covers .csv, .htaccess, .pfx, .vmx, /etc/crypttab, /etc/network/interfaces, /etc/sudoers, /proc, 10.04, 14.04, AS, ASA, ControlPanel, DS1054Z, GPT, HWR, Hyper-V, IPSEC, KVM, LSI, LVM, LXC, MBR, MTU, MegaCli, PHP, PKI, R, RAID, S.M.A.R.T., SNMP, SSD, SSL, TLS, TRIM, VEEAM, VMware, VServer, VirtualBox, Virtuozzo, XenServer, acpi, adaptec, algorithm, ansible, apache, apachebench, apple, arcconf, arch, architecture, areca, arping, asa, asdm, awk, backup, bandit, bar, bash, benchmarking, binding, bitrate, blackarmor, blowfish, bochs, bond, bonding, booknotes, bootable, bsd, btrfs, buffer, c-states, cache, caching, ccl, centos, certificate, certtool, cgdisk, cheatsheet, chrome, chroot, cisco, clamav, cli, clp, clush, cluster, coleslaw, colorscheme, common lisp, console, container, containers, controller, cron, cryptsetup, csync2, cu, cups, cygwin, d-states, database, date, db2, dcfldd, dcim, dd, debian, debug, debugger, debugging, decimal, desktop, df, dhclient, dhcp, diff, dig, display manager, dm-crypt, dmesg, dmidecode, dns, docker, dos, drivers, dtrace, dtrace4linux, du, dynamictracing, e2fsck, eBPF, ebook, efi, egrep, emacs, encoding, env, error, ess, esx, esxcli, esxi, ethtool, evil, expect, exportfs, factory reset, factory_reset, factoryreset, fail2ban, fbsd, fedora, file, filesystem, find, fio, firewall, firmware, fish, flashrom, forensics, free, freebsd, freedos, fritzbox, fsck, fstrim, ftp, ftps, g-states, gentoo, ghostscript, git, git-filter-branch, github, gitolite, gnutls, gradle, grep, grml, grub, grub2, guacamole, hardware, haskell, hdd, hdparm, hellowor, hex, hexdump, history, howto, htop, htpasswd, http, httpd, https, i3, icmp, ifenslave, iftop, iis, imagemagick, imap, imaps, init, innoDB, inodes, intel, ioncube, ios, iostat, ip, iperf, iphone, ipmi, ipmitool, iproute2, ipsec, iptables, ipv6, irc, irssi, iw, iwconfig, iwlist, iwlwifi, jailbreak, jails, java, javascript, javaws, js, juniper, junit, kali, kde, kemp, kernel, keyremap, kill, kpartx, krypton, lacp, lamp, languages, ldap, ldapsearch, less, leviathan, liero, lightning, links, linux, linuxin3months, lisp, list, livedisk, lmctfy, loadbalancing, locale, log, logrotate, looback, loopback, losetup, lsblk, lsi, lsof, lsusb, lsyncd, luks, lvextend, lvm, lvm2, lvreduce, lxc, lxde, macbook, macro, magento, mailclient, mailing, mailq, manpages, markdown, mbr, mdadm, megacli, micro sd, microsoft, minicom, mkfs, mktemp, mod_pagespeed, mod_proxy, modbus, modprobe, mount, mouse, movement, mpstat, multitasking, myISAM, mysql, mysql 5.7, mysql workbench, mysqlcheck, mysqldump, nagios, nas, nat, nc, netfilter, networking, nfs, nginx, nmap, nocaps, nodejs, numberingsystem, numbers, od, onyx, opcode-cache, openVZ, openlierox, openssl, openvpn, openvswitch, openwrt, oracle linux, org-mode, os, oscilloscope, overview, parallel, parameter expansion, parted, partitioning, passwd, patch, pdf, performance, pfsense, php, php7, phpmyadmin, pi, pidgin, pidstat, pins, pkill, plesk, plugin, posix, postfix, postfixadmin, postgres, postgresql, poudriere, powershell, preview, profiling, prompt, proxmox, ps, puppet, pv, pvecm, pvresize, python, qemu, qemu-img, qm, qmrestore, quicklisp, r, racktables, raid, raspberry pi, raspberrypi, raspbian, rbpi, rdp, redhat, redirect, registry, requirements, resize2fs, rewrite, rewrites, rhel, rigol, roccat, routing, rs0485, rs232, rsync, s-states, s_client, samba, sar, sata, sbcl, scite, scp, screen, scripting, seafile, seagate, security, sed, serial, serial port, setup, sftp, sg300, shell, shopware, shortcuts, showmount, signals, slattach, slip, slow-query-log, smbclient, snmpget, snmpwalk, software RAID, software raid, softwareraid, sophos, spacemacs, spam, specification, speedport, spi, sqlite, squid, ssd, ssh, ssh-add, sshd, ssl, stats, storage, strace, stronswan, su, submodules, subzone, sudo, sudoers, sup, swaks, swap, switch, switching, synaptics, synergy, sysfs, systemd, systemtap, tar, tcpdump, tcsh, tee, telnet, terminal, terminator, testdisk, testing, throughput, tmux, todo, tomcat, top, tput, trafficshaping, ttl, tuning, tunnel, tunneling, typo3, uboot, ubuntu, ubuntu 16.04, udev, uefi, ulimit, uname, unetbootin, unit testing, upstart, uptime, usb, usbstick, utf8, utm, utm 220, ux305, vcs, vgchange, vim, vimdiff, virtualbox, virtualization, visual studio code, vlan, vmstat, vmware, vnc, vncviewer, voltage, vpn, vsphere, vzdump, w, w701, wakeonlan, wargames, web, webdav, weechat, wget, whois, wicd, wifi, windowmanager, windows, wine, wireshark, wpa, wpa_passphrase, wpa_supplicant, x2x, xfce, xfreerdp, xmodem, xterm, xxd, yum, zones, zsh

View posts from 2017-02, 2017-01, 2016-12, 2016-11, 2016-10, 2016-09, 2016-08, 2016-07, 2016-06, 2016-05, 2016-04, 2016-03, 2016-02, 2016-01, 2015-12, 2015-11, 2015-10, 2015-09, 2015-08, 2015-07, 2015-06, 2015-05, 2015-04, 2015-03, 2015-02, 2015-01, 2014-12, 2014-11, 2014-10, 2014-09, 2014-08, 2014-07, 2014-06, 2014-05, 2014-04, 2014-03, 2014-01, 2013-12, 2013-11, 2013-10

Unless otherwise credited all material Creative Commons License by sjas