
EXTRACT CLIENT CERTIFICATE



The following extracts only the client certificate from the PKCS#12 bundle and omits the private key (-nokeys); the key stays on the node and is never handed to client users. Note that the PEM written this way carries "Bag Attributes" header lines in front of the certificate block; OpenSSL ignores them when reading, but they are stripped later when the chain file is built.


Syntax:


openssl pkcs12 -in myCertificates.pfx -out myClientCert.crt -clcerts -nokeys


Example:

$ openssl pkcs12 -in lxnode15.vlabs.net.pfx -out lxnode15_client.crt -clcerts -nokeys

Enter Import Password:

MAC verified OK

$



READING THE CERTIFICATE

The goal is to determine which hosts publish the signing authority's certificates and grab the root certificate and the intermediate certificate.


Syntax:


openssl x509 -in myClientCert.crt -text -noout


NOTE: The above command will fail if the cert file is in DER format (binary). The PEM reader reports "unable to load certificate" with "PEM routines:PEM_read_bio:no start line ... Expecting: TRUSTED CERTIFICATE", which only means it found no '-----BEGIN CERTIFICATE-----' header, not that the file is corrupt.

TO READ CERTIFICATES IN DER FORMAT:

openssl x509 -in myClientCert.crt -inform DER -text -noout



CHECK IF THE CLIENT CERT BELONGS TO THE CORRECT HOST

Proceed to read the certificate and look at the Subject CN and the X509v3 Subject Alternative Name entries; they must match the hostnames this client cert is supposed to be installed on. Browsers and most modern TLS clients match the hostname against the Subject Alternative Name list only and ignore the CN when a SAN extension is present, so a name that appears only in the CN will not pass hostname verification.


CHECK CLIENT CERT EXPIRATION

Read the certificate and look for the Validity section, whose 'Not Before' and 'Not After' lines bound the period during which the certificate is valid.


$ openssl x509 -in lxnode15_client.crt -text -noout | grep -i not

Not Before: Nov 16 22:32:13 2018 GMT

Not After : Nov 15 22:32:13 2020 GMT

$
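The checks from the three sections above (read the cert whatever its encoding, confirm the hostnames in the SAN, check expiry) collected as one small shell library. This is an added example, not code from the original post; the file name certcheck.sh, the function names and the example hostnames are assumptions. It detects PEM versus DER instead of guessing -inform, pulls the SAN list out of the -text output, and uses -checkend so a script can test "will this still be valid in N seconds" without parsing dates.

```shell
#!/bin/sh
# Added example (not from the original post): format-aware certificate
# inspection, a SAN-based hostname check and a scriptable expiry check,
# all built on the `openssl x509` options the post uses by hand.
set -eu

# Print PEM or DER depending on how the file decodes; exit 1 if it is neither
# (for instance a private key file or an HTML error page saved as .crt).
cert_format() {
    if grep -q -- '-----BEGIN ' "$1"; then
        if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
            echo PEM; return 0
        fi
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo DER; return 0
    fi
    echo "$1: not a recognisable X.509 certificate" >&2
    return 1
}

# Full text dump regardless of encoding: what the post runs after guessing -inform.
cert_text() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -text -noout
}

# The four fields the post greps for, without the grep.
cert_summary() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout \
        -subject -issuer -startdate -enddate
}

# The Subject Alternative Name list, e.g. "DNS:a.example, DNS:b.example".
cert_names() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# True if HOST appears verbatim as a DNS SAN. Wildcard SANs are not expanded.
cert_matches_host() {  # usage: cert_matches_host FILE HOST
    cert_names "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# True if the certificate is still valid SECONDS from now; -checkend does
# the date arithmetic, so nothing has to parse the "Not After" line.
cert_valid_for() {  # usage: cert_valid_for FILE SECONDS
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -checkend "$2" >/dev/null
}

# Direct use: ./certcheck.sh summary FILE | text FILE | names FILE |
#             host FILE HOST | valid-for FILE SECONDS. Sourcing only defines the functions.
case "${1:-}" in
    '')        ;;
    summary)   cert_summary "$2" ;;
    text)      cert_text "$2" ;;
    names)     cert_names "$2" ;;
    host)      cert_matches_host "$2" "$3" && echo "$3: present in SAN" ;;
    valid-for) cert_valid_for "$2" "$3" && echo "still valid in $3 s" ;;
    *)         echo "usage: $0 summary|text|names|host|valid-for ..." >&2; exit 2 ;;
esac
```

Typical use against the post's files would be `./certcheck.sh summary lxnode15_client.crt`, `./certcheck.sh host lxnode15_client.crt lxnode15.vlabs.net` and, from cron, `./certcheck.sh valid-for lxnode15_client.crt 2592000 || mail-someone`, which fails 30 days before expiry. The format probe is content based (a PEM block is present or not) rather than trusting the .crt extension, which is exactly the trap the post runs into with the downloaded root.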


GET THE CA ISSUERS

From the client certificate, we'll grab all issuer certificates (intermediate and root).

First, we need to get the certificate that signed the client cert (which is either an intermediate cert or the root cert itself).


Syntax:

openssl x509 -in myClientCert.crt -text -noout | grep -i 'issuer'


Example:

$ openssl x509 -in lxnode15_client.crt -text -noout | grep -i 'issuer'

Issuer: C=US, O=Chads Technoworks, CN=Chads Technoworks IC

CA Issuers - URI:http://cert1.vlabs.net/pki/Chads%20Technoworks%20IC.crt

CA Issuers - URI:http://cert2.vlabs.net/pki/Chads%20Technoworks%20IC.crt

$


The 'CA Issuers' lines above come from the Authority Information Access (AIA) extension and give the URIs of the signing certificate, here hosted on two servers. Any one of them will do.

Proceed to download this cert. Plain http is acceptable because the downloaded certificate is authenticated by the signature chain you verify afterwards, not by the transport; do check, though, that what you saved is really a certificate, since a web server's error page will also happily land in a file named .crt.


curl -O http://{cadomain.com}/{pkipath}/{name.cert}


or you may rename the download file with something meaningful:


curl -o {caSigningCert.crt} http://{cadomain.com}/{pkipath}/{name.cert}


sample:

$ curl -o caSigningCert.crt http://cert1.vlabs.net/pki/Chads%20Technoworks%20IC.crt

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

101 2128 101 2128 0 0 35135 0 --:--:-- --:--:-- --:--:-- 76000

$


Now that we have the signing cert, let's examine whether it is the root by comparing its Issuer with its Subject. Compare the whole distinguished name, not only the CN.

If the names differ, this is an intermediate certificate, and you proceed to grab the signing cert of this intermediate in the same way, which most likely is the root. If they match, the cert is self-issued; before treating it as the trust anchor, confirm it is genuinely self-signed (verify it against itself with openssl verify, or compare its Authority Key Identifier with its Subject Key Identifier).


example:

$ openssl x509 -in caSigningCert.crt -text -noout | grep -i CN=

Issuer: CN=Chads Technoworks Root

Subject: C=US, O=Chads Technoworks, CN=Chads Technoworks IC

$


Note that the Issuer and Subject above do not match, therefore this is an intermediate cert. Let's go ahead and grab the signing certificate of this one, which most likely is the root cert.


$ openssl x509 -in caSigningCert.crt -text -noout | grep -i issuer

Issuer: CN=Chads Technoworks Root

CA Issuers - URI:http://cert1.vlabs.net/pki/Chads%20Technoworks%20Root.crt

CA Issuers - URI:http://cert2.vlabs.net/pki/Chads%20Technoworks%20Root.crt

$


$ curl -o caRoot.crt http://cert1.vlabs.net/pki/Chads%20Technoworks%20Root.crt

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

101 1317 101 1317 0 0 19549 0 --:--:-- --:--:-- --:--:-- 42483

$


Let's read the cert to verify if this is the root cert:


$ openssl x509 -in caRoot.crt -text -noout | grep -i CN=

unable to load certificate

140639392556872:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

$


The error means the PEM reader found no '-----BEGIN' line. Usually, as here, that is because the file is DER encoded, so let's read it with -inform DER. If that fails as well, the download is not a certificate at all (for example the web server's HTML error page); check it with file(1) or openssl asn1parse before going further.


$ openssl x509 -in caRoot.crt -inform DER -text -noout | grep -i CN=

Issuer: CN=Chads Technoworks Root

Subject: CN=Chads Technoworks Root

$


The Issuer and Subject above are identical, so this certificate is self-issued, which is what a root looks like. A matching name alone does not prove it is the genuine root: anyone can mint a self-signed cert with that CN, so a root you intend to install as a trust anchor should be confirmed against a source you already trust (the CA's published fingerprint, or the copy in your OS or vendor bundle), and the assembled chain should be checked with openssl verify rather than by eye.


You may optionally convert the root cert into PEM format which can be helpful in building the chain cert.



Example:

openssl x509 -inform DER -in caRoot.crt -outform PEM -out caRoot.pem



CREATE A FULL CHAIN CERTIFICATE

A full chain certificate is a single file holding the node certificate followed by every certificate of its lineage up to the root, so that whoever receives the node cert can follow the signatures back to an issuer it already trusts. The root is optional in a chain served to TLS clients, since they must hold it in their own trust store anyway, but including it does no harm and some tools expect it.

Now that we have completed the extraction of the client cert (node cert), the intermediate cert and the root cert, we can proceed to build the chain certificate with the following content sequence:


NODE CERT -> INTERMEDIATE CERT -> ROOT CERT


You may use a text editor to append these certificates in sequence to a file, or simply concatenate them (the root must be the PEM copy converted above, not the DER file as downloaded):


cat lxnode15_client.crt caSigningCert.crt caRoot.pem > chainCert.pem


Note that you need to examine the chain file and remove the unnecessary "Bag Attributes" lines the pkcs12 export added, ensuring that only blocks starting with '-----BEGIN CERTIFICATE-----' and ending with '-----END CERTIFICATE-----' remain, in the order above.


Also remove any ^M characters if you find any.



sed -e 's/^M//' file.txt > newFile.txt

Use [ctrl]+[v] followed by [ctrl]+[m] (or Enter) to type the literal ^M (carriage return) character into the sed expression; the two printable characters ^ and M will not match.
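The issuer walk and the chain build from the sections above, as an added shell example that is not the post's own code. So that it runs offline it first mints a throwaway root / intermediate / leaf PKI with made-up names (Example Root, Example IC, node15.example.test, and AIA URIs under pki.example.test that point nowhere), then applies the checks the post does by hand: whole-DN self-issued test plus self-signature check for the root, 'CA Issuers' URI extraction, normalisation of Bag Attributes, ^M line endings and DER input into clean PEM, chain concatenation, and an openssl verify of the result.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway
# root -> intermediate -> leaf PKI, then run the post's manual checks as
# functions. Every name, hostname and URI here is made up.
set -eu

# Create root.pem, inter.pem (signed by root) and leaf.pem (signed by inter)
# in directory $1. The constructed AIA "CA Issuers" URIs point nowhere; they
# exist only so cert_issuer_uris has something to find.
make_test_pki() {
    d=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"   # no system openssl.cnf needed
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nauthorityInfoAccess=caIssuers;URI:http://pki.example.test/Example%%20Root.crt\n' > "$d/inter.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:node15.example.test\nauthorityInfoAccess=caIssuers;URI:http://pki.example.test/Example%%20IC.crt\n' > "$d/leaf.ext"
    for n in root inter leaf; do
        case $n in
            root)  subj="/C=US/O=Example PKI/CN=Example Root" ;;
            inter) subj="/C=US/O=Example PKI/CN=Example IC" ;;
            leaf)  subj="/C=US/O=Example PKI/CN=node15.example.test" ;;
        esac
        openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
            -keyout "$d/$n.key" -out "$d/$n.csr" -subj "$subj" 2>/dev/null
    done
    openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -days 20 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/inter.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -days 10 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# A root is self-issued (Subject DN == Issuer DN) *and* verifies under its
# own key. Comparing the whole DN is safer than eyeballing the CN alone.
cert_is_root() {  # expects PEM; run cert_to_clean_pem first on downloads
    s=$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)
    i=$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)
    [ "$s" = "$i" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print each "CA Issuers" URI from the Authority Information Access
# extension, one per line: this is where the issuing certificate is published.
cert_issuer_uris() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# Re-encode a certificate as one clean PEM block: DER input is converted,
# PEM input loses "Bag Attributes" headers and CR (^M) line endings.
cert_to_clean_pem() {  # usage: cert_to_clean_pem IN OUT
    if grep -q -- '-----BEGIN ' "$1"; then
        tr -d '\r' < "$1" | openssl x509 -inform PEM -outform PEM -out "$2"
    else
        openssl x509 -in "$1" -inform DER -outform PEM -out "$2"
    fi
}

# Concatenate certificates in the order given (leaf, intermediate(s), root),
# cleaning each one on the way.
build_chain() {  # usage: build_chain OUT LEAF INTER... [ROOT]
    out=$1; shift
    : > "$out"
    for c in "$@"; do
        cert_to_clean_pem "$c" "$out.tmp"
        cat "$out.tmp" >> "$out"
    done
    rm -f "$out.tmp"
}

# Prove the lineage end to end: the leaf must chain through the untrusted
# intermediate to the trusted root. Exit status 0 means the chain is good.
verify_chain() {  # usage: verify_chain LEAF INTER ROOT
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Direct use: ./chaintool.sh is-root FILE | issuers FILE | clean IN OUT |
#             chain OUT LEAF INTER... ROOT | verify LEAF INTER ROOT | demo
case "${1:-}" in
    '')      ;;
    is-root) cert_is_root "$2" && echo "$2: self-signed root" ;;
    issuers) cert_issuer_uris "$2" ;;
    clean)   cert_to_clean_pem "$2" "$3" ;;
    chain)   shift; build_chain "$@" ;;
    verify)  verify_chain "$2" "$3" "$4" && echo "chain OK" ;;
    demo)    d=$(mktemp -d); make_test_pki "$d"
             build_chain "$d/chain.pem" "$d/leaf.pem" "$d/inter.pem" "$d/root.pem"
             verify_chain "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" && echo "demo chain OK"
             rm -rf "$d" ;;
    *)       echo "usage: $0 is-root|issuers|clean|chain|verify|demo ..." >&2; exit 2 ;;
esac
```

Against the post's files the sequence would be `./chaintool.sh issuers lxnode15_client.crt` to find the download URI, `./chaintool.sh clean caRoot.crt caRoot.pem` (which handles the DER root without guessing -inform), `./chaintool.sh is-root caRoot.pem`, and finally `./chaintool.sh verify lxnode15_client.crt caSigningCert.crt caRoot.pem` before the chain is deployed. The verify step is the one the post leaves out: matching names say the pieces look related, the signature check says they are.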
