Wandering Thoughts archives


Some OpenSSL and SSL certificate basics

I'm writing this down for the traditional reason, that being to try to fix it in my mind for the next time I have to deal with all of this stuff (which will probably be in about a year):

  • a SSL key is basically a blob of data. It has no interesting attributes associated with it, and it is thus reusable if you want to. There are probably OpenSSL commands to dump key information, but I haven't looked.

    SSL keys are generated with openssl genrsa. It asks for no information.

    (I would not reuse the same SSL key on different servers, but if you would otherwise give a website a ten year self-signed certificate, well, you might as well reuse the same key for it for ten years.)

  • a CSR has a Distinguished Name (aka Subject, aka DN), with all of the details of what it is for; however, it does not have any dates. If you're keeping the same key from year to year, you can also keep the CSR and just resubmit it again every year to get a new certificate.

    (Locally we have tended to discard the CSR once the certificate has been issued, and to generate new keys when we get new certificates.)

    CSRs are generated with openssl req, which asks about all of the fields for the DN and can be fed standard input. If you are mass-generating CSRs for some reason, note that the tempting -batch option is basically useless. Rather than silently reading the CSR parameters from stdin, it reads them only from the OpenSSL configuration file.

    If you are going to be generating more than a few CSRs, I would write a script to do it; among other things, it makes sure that you're consistent in your Distinguished Names (which should normally vary only in the hostname). Plus, it makes the whole process a lot less annoying.

    CSRs can be examined with:

    openssl req -text -noout -in WHAT.csr

    I recommend doing this after using any automated script for the first time, just in case of accidents (like, say, using -batch without really understanding what it does).

  • a SSL certificate is the only thing with expiry dates (which are added by the CA), as well as the CA signature. SSL certificates can be examined with:
    openssl x509 -text -noout -in WHAT.crt

    The CA that signed a certificate can be determined with:

    openssl x509 -noout -issuer -issuer_hash -in WHAT.crt

Determining the CA certificate expiry times must be done by getting a copy of the CA root certificate and examining it. If you have a website that's using a certificate from this CA, the easiest way to do this is to go to that website, pull up the security information, view the certificate, and then look at all of the certificates involved in the details view.

sysadmin/OpenSSLBasics written at 20:03:20; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.