If you have ever needed to verify SSL/TLS connections or check certificate information, then openssl is the answer... maybe.
The openssl program provides a rich variety of commands.
First, a small walkthrough of some of the file extensions that we might encounter.
- CER (.cer) or CRT (.crt): certificate could be PEM or DER encoded, contains certificate owner information and public and private keys.
- PEM (.pem): Base64 encoded form of DER certificate. Certificate and private key are stored in different files.
- DER (.der): Binary form of PEM certificate used on Java platform. Certificate and private key are stored in different files.
- PKCS7 (.p7b): ASCII code. Contains the certificate but not the private key.
- PKCS12 (.pfx or .p12): Binary form used on Windows platforms. Contains certificate(s) private and public key. (it's password protected)
Getting to the point: troubleshooting SSL/TLS connections and inspecting certificates.
```bash
# debug the SSL/TLS connection (view the handshake process)
openssl s_client -msg -debug -state -connect <host_ip>:<port>

# display the entire certificate chain in PEM format
openssl s_client -connect <host_ip>:<port> -showcerts

# check the TLS version: if you get the certificate chain and the handshake,
# you know the system supports the TLS version in question
openssl s_client -connect <host_ip>:<port> -tls1
openssl s_client -connect <host_ip>:<port> -tls1_2
openssl s_client -connect <host_ip>:<port> -tls1_1

# check certificate expiration date
# (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input)
openssl s_client -connect <hostname>:<PORT> -showcerts </dev/null | openssl x509 -noout -dates

# display PEM certificate (cert.crt) content
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.crt -text
```
⚠️ The x509 utility handles X.509, a standard format for public key certificates: digital documents that securely associate cryptographic key pairs with identities such as websites, individuals, or organizations.
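An offline version of the expiration check, as an added example that is not part of the original post: it creates a throwaway self-signed certificate, decides from the file content (not the extension) whether it is PEM or DER, and uses `openssl x509 -checkend` to test whether it expires within a given number of days. The function names, file names and the `example.test` subject are assumptions made for the example.

```bash
# Added example: file names, function names and the example.test subject are constructed.

# Print PEM or DER for a certificate file, judged by content rather than extension.
cert_format() {
  local f="$1" fmt=DER
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" && fmt=PEM
  # Confirm that openssl can actually parse the file in that encoding.
  openssl x509 -in "$f" -inform "$fmt" -noout 2>/dev/null || return 1
  echo "$fmt"
}

# Return 0 if the certificate is still valid <days> days from now, 1 if it
# expires sooner, 2 if the file is not a parseable certificate.
cert_valid_for() {
  local f="$1" days="$2" fmt
  fmt=$(cert_format "$f") || return 2
  openssl x509 -in "$f" -inform "$fmt" -noout -checkend $((days * 86400)) >/dev/null
}

# Create a throwaway self-signed certificate valid for 30 days, plus a DER copy.
make_sample_certs() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
    -keyout "$dir/sample.key" -out "$dir/sample.crt" 2>/dev/null || return 1
  openssl x509 -in "$dir/sample.crt" -outform DER -out "$dir/sample.cer"
}

# Demo: the same certificate in both encodings, checked against two windows.
tmp=$(mktemp -d)
if make_sample_certs "$tmp"; then
  for f in "$tmp/sample.crt" "$tmp/sample.cer"; do
    echo "$f is $(cert_format "$f") encoded"
    openssl x509 -in "$f" -inform "$(cert_format "$f")" -noout -dates
    for days in 7 60; do
      if cert_valid_for "$f" "$days"; then
        echo "  still valid in $days days"
      else
        echo "  expires within $days days"
      fi
    done
  done
fi
rm -rf "$tmp"
```

The exit status of `cert_valid_for` makes it usable directly in a cron job or monitoring check against certificate files on disk.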
OpenSSL is capable of doing much more, like generating .csr or converting from one format to another, e.g. from .crt to .pem, but these subjects will be addressed in part 2.