Some OpenSSL and SSL certificate basics
December 27, 2009
I'm writing this down for the traditional reason, that being to try to
fix it in my mind for the next time I have to deal with all of this
stuff (which will probably be in about a year):
- an SSL key is basically a blob of data. It has no interesting attributes
associated with it, and it is thus reusable if you want to. There are
probably OpenSSL commands to dump key information, but I haven't looked.
SSL keys are generated with openssl genrsa. It asks for no
information.
(I would not reuse the same SSL key on different servers, but if you
would otherwise give a website a ten year self-signed certificate, well,
you might as well reuse the same key for it for ten years.)
- a CSR has a Distinguished Name (aka Subject, aka DN), with all of the
details of what it is for; however, it does not have any dates.
If you're keeping the same key from year to year, you can also
keep the CSR and just resubmit it again every year to get a new
certificate.
(Locally we have tended to discard the CSR once the certificate has
been issued, and to generate new keys when we get new certificates.)
CSRs are generated with openssl req, which asks about all of
the fields for the DN and can be fed standard input. If you are
mass-generating CSRs for some reason, note
that the tempting -batch option is basically useless. Rather than
silently reading the CSR parameters from stdin, it reads them only
from the OpenSSL configuration file.
If you are going to be generating more than a few CSRs, I would write
a script to do it; among other things, it makes sure that you're
consistent in your Distinguished Names (which should normally vary
only in the hostname). Plus, it makes the whole process a lot less
annoying.
CSRs can be examined with:
openssl req -text -noout -in WHAT.csr
I recommend doing this after using any automated script for the
first time, just in case of accidents (like, say, using -batch
without really understanding what it does).
- an SSL certificate is the only thing with expiry dates (which are
added by the CA), as well as the CA signature. SSL certificates
can be examined with:
openssl x509 -text -noout -in WHAT.crt
The CA that signed a certificate can be determined with:
openssl x509 -noout -issuer -issuer_hash -in WHAT.crt
Determining the CA certificate expiry times must be done by getting a
copy of the CA root certificate and examining it. If you have a website
that's using a certificate from this CA, the easiest way to do this
is to go to that website, pull up the security information, view the
certificate, and then look at all of the certificates involved in the
details view.
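As an added example (my own script, not code from the original entry), here is the kind of small shell script the entry suggests writing: it generates a key with openssl genrsa, builds a CSR whose Distinguished Name varies only in the hostname, self-signs it, and then runs the inspection commands above. It passes the DN with -subj so openssl req never prompts at all, which sidesteps the -batch trap. The DN components, the hostname, and the function names are assumptions invented for the example; the only real requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes 'openssl' is on PATH.
# The DN values and hostname below are made-up sample values.
set -eu

# Fixed DN prefix; only the CN (hostname) changes from CSR to CSR.
DN_PREFIX="/C=CA/ST=Ontario/L=Toronto/O=Example University/OU=Example Dept"

# make_key_and_csr DIR HOST: writes DIR/HOST.key and DIR/HOST.csr.
# -subj supplies the whole DN on the command line, so 'openssl req' asks
# no questions (unlike -batch, which only takes values from openssl.cnf).
make_key_and_csr() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "$DN_PREFIX/CN=$host" \
        -out "$dir/$host.csr"
}

# csr_cn FILE: print the CN from a CSR's subject. The sed pattern copes with
# both subject formats OpenSSL prints ("/CN=host" and "CN = host").
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# self_sign DIR HOST DAYS: sign the CSR with its own key, giving a
# self-signed certificate valid for DAYS days (the post's "ten year" case).
self_sign() {
    dir=$1; host=$2; days=$3
    openssl x509 -req -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -days "$days" -out "$dir/$host.crt" 2>/dev/null
}

# cert_is_self_signed FILE: the issuer hash equals the subject hash only
# when the certificate was signed by its own subject.
cert_is_self_signed() {
    [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
      "$(openssl x509 -noout -subject_hash -in "$1")" ]
}

# cert_valid_for_days FILE DAYS: succeed if the cert is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Demo run: build everything in a scratch directory and show what the
# inspection commands from the entry report about each artifact.
demo() {
    dir=$(mktemp -d)
    host=www.example.org
    make_key_and_csr "$dir" "$host"
    # Check the DN before submitting anything to a CA.
    openssl req -text -noout -in "$dir/$host.csr" | head -n 8
    self_sign "$dir" "$host" 3650
    # Subject, issuer and the dates only the certificate carries.
    openssl x509 -noout -subject -issuer -dates -in "$dir/$host.crt"
    openssl x509 -noout -issuer -issuer_hash -in "$dir/$host.crt"
    rm -rf "$dir"
}

demo
```

Running the script prints the CSR's DN, then the certificate's subject, issuer, notBefore/notAfter and issuer hash; for a self-signed certificate the issuer line repeats the subject. For a CA-issued certificate the same -issuer_hash value is what you would match against the CA root certificate's subject hash.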