UNIX SSL
View Certificates
If the certificate is PEM encoded use...
openssl x509 -in cert.pem -text -noout
If the certificate is DER encoded use...
openssl x509 -in cert.der -inform der -text -noout
Check Certificate End Date
openssl x509 -enddate -noout -in cert.pem
Version
openssl version
Encoding
Certificates (and keys) can be Binary (DER) or ASCII Base64 (PEM) encoded. Often certificates have a .der or .pem suffix to indicate the encoding type. Other common suffixes (.crt, .cer, .key) may be either type.
You can convert between formats using...
PEM to DER
Certificates...
openssl x509 -in cert.pem -outform der -out cert.der
Keys...
openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key.der -nocrypt
DER to PEM
Certificates...
openssl x509 -in cert.der -inform der -outform pem -out cert.pem
Keys...
openssl pkcs8 -topk8 -inform DER -outform PEM -in key.der -out key.pem -nocrypt
Remove Passphrase
To remove the passphrase from a private key...
openssl rsa -in mykeywithpassphrase.pem -out mykeywithoutpassphrase.pem
Validate SSL Certificate
If your SSL certificate is protecting a publicly accessible website, use:
Check encryption using openssl...
openssl s_client -connect hostname:443 -tls1
openssl s_client -connect hostname:443 -tls1_1
openssl s_client -connect hostname:443 -tls1_2
Check encryption using curl...
curl --tlsv1.0 https://hostname:443/
curl --tlsv1.1 https://hostname:443/
curl --tlsv1.2 https://hostname:443/
sslscan
sslscan myserver
nmap
nmap --script ssl-enum-ciphers -p 443 www.example.com
nmap --script ssl-enum-ciphers -p 993 mail.example.com
Self Signed Certificate
Generate a private key...
You can (optionally) use an existing private key if you have one.
openssl genrsa -des3 -out private.pem 2048
where private.pem is the name of your private key file. Keep a secure record of your passphrase.
To create a self-signed certificate in DER (Binary) format...
openssl req -new -x509 -key private.pem -days 30 -out mycert.der -outform der
You will be prompted for...
Your private key passphrase
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
To convert the private key to DER (Binary) format (if required, e.g. for ORDS)...
openssl pkcs8 -topk8 -inform PEM -outform DER -in private.pem -out private.der -nocrypt
Let's Encrypt Certificate
TODO
Keystores
Heartbleed
A vulnerability has been discovered in OpenSSL that potentially allows an attacker to retrieve private keys from a website, theoretically allowing the attacker to decrypt encrypted data.
The vulnerability is fully documented at: http://heartbleed.com/
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
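As an added example (not part of the original notes), a small Python triage that applies the version table above to the banner printed by openssl version. The banners are constructed samples. Caveat: distributions backport the fix without changing the upstream version string, so a 1.0.1e banner on a patched system is a false positive and the vendor package changelog is authoritative.

```python
import re

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f inclusive.
# 1.0.1g and the 1.0.0 and 0.9.8 branches are not affected (table above).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Return (major, minor, fix, patch_letter) from an `openssl version` banner.

    Handles suffixes such as "1.0.1e-fips" or "1.0.1g 7 Apr 2014" and the
    3.x style "OpenSSL 3.0.2 15 Mar 2022 (Library: ...)".
    Raises ValueError if the banner does not look like OpenSSL output.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_vulnerable_by_version(banner: str) -> bool:
    """True if the reported upstream version lies in 1.0.1 .. 1.0.1f.

    Based on the version string only: vendor backports (e.g. a patched
    1.0.1e package) are reported as vulnerable, so treat True as "needs
    confirmation from the package changelog", not as proof.
    """
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != (1, 0, 1):
        return False  # 0.9.8, 1.0.0, 1.0.2+, 1.1.x, 3.x: outside the range
    # Patch letters are single lowercase letters in release order; "" is the
    # initial 1.0.1 release. Everything up to and including "f" is affected.
    return letter <= "f"


# Constructed sample banners as `openssl version` would print them.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
]


def triage(banners):
    """Map each banner to its version-string verdict."""
    return {b: heartbleed_vulnerable_by_version(b) for b in banners}


if __name__ == "__main__":
    for banner, vulnerable in triage(SAMPLE_BANNERS).items():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '}  {banner}")
```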
Bibliography
https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help/
https://opensource.com/article/21/5/linux-security-tools
https://www.openssl.org/
https://www.openssl.org/docs/
https://heartbleed.com/
https://www.feistyduck.com/books/openssl-cookbook/
https://www.ssllabs.com/
https://www.digicert.com/
https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
https://www.rfc-editor.org/info/rfc5280
http://www.herongyang.com/Cryptography/index.html
https://www.openssl.org/docs/manmaster/man1/openssl.html
https://stackoverflow.com/questions/24772167/convert-pem-private-key-to-key-format
https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
https://www.xolphin.com/support/Certificate_conversions/Convert_pfx_file_to_pem_file
https://www.sslshopper.com/article-most-common-openssl-commands.html
https://help.cloud66.com/maestro/how-to-guides/security/remove-passphrase.html
https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers
http://nmap.org/svn/scripts/ssl-enum-ciphers.nse
http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
How to Check the SSL Version Used in ORDS of DBCS (OCIC) (Doc ID 2566721.1)
Let's Encrypt
https://certbot.eff.org/
https://easyoradba.com/2018/07/09/ssl-certificates-for-oracle-apex-18-1-with-oracle-rest-data-services-ords-18-1-hosted-on-apache-tomcat-9/