Important SSL Commands SysAdmins Should Know

Overview

In this article, I am going to provide some of the most important SSL commands, which will help you when you are working with SSL.

Whenever you have a task to implement an SSL certificate on a website, you should know which commands help you do it.
If you are not familiar with the SSL commands, you will not be able to implement SSL on the site properly.

When I first implemented an SSL certificate on a website, I faced lots of issues on the website because of a lack of knowledge about the SSL commands.
This guide will help you understand each SSL command, so that you can follow the proper procedure when implementing an SSL certificate on any website.

Once you understand how the SSL commands work, you can follow my previous article on SSL certificate implementation.

READ: SSL Configuration on Linux with Nginx

Before starting, make sure you have already installed the OpenSSL package on your system. If not, run the commands below to install OpenSSL.

$ apt-get update
$ apt-get install openssl

Let's start with the important SSL commands:

1. Create SSL Key

The OpenSSL command below creates the SSL key.

$ openssl genrsa -out www.crt.in.key 2048

Generating RSA private key, 2048 bit long modulus
..................................+++
..........................+++
e is 65537 (0x10001)

2. Create SSL CSR

The command below is used to create a Certificate Signing Request (CSR). You use this CSR file when you request a .crt file from a certificate provider. In this file, you need to provide information such as the company, domain name, address and email ID.

$ openssl req -new -key www.crt.in.key -out www.crt.in.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:MAHARASHTRA
Locality Name (eg, city) []:MUM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Techthings
Organizational Unit Name (eg, section) []:TECH
Common Name (e.g. server FQDN or YOUR name) []:techthings.org
Email Address []:sysadmin@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: Enter
An optional company name []: Enter
You have new mail in /var/mail/root

Note: Keep the challenge password empty; otherwise it will be asked for every time you restart the web server.


3. Check SSL Key MD5

With this command you can check the MD5 hash of the SSL key's modulus and compare it with the CSR's. If the MD5 hash does not match the CSR's, then the CSR was not created properly. Create it again and check.

$ openssl rsa -noout -modulus -in www.crt.in.key | openssl md5

(stdin)= 806f035dd9c7dc1771fe804c7d9460fb

4. Check SSL CSR MD5

This command checks the MD5 hash of the CSR, which should match that of the SSL key.

$ openssl req -noout -modulus -in www.crt.in.csr | openssl md5

(stdin)= 806f035dd9c7dc1771fe804c7d9460fb

5. Create SSL CRT file

This is the main file that we use with the Apache or Nginx web server to implement SSL on the website. It is created from the combination of the .key and .csr files.

$ openssl x509 -req -days 365 -in www.crt.in.csr -signkey www.crt.in.key -out www.crt.in.crt

Signature ok
subject=/C=IN/ST=MAHARASHATRA/L=MUM/O=Techthings/OU=TECH/CN=techthings.org/emailAddress=sysadmin@gmail.com
Getting Private key

6. Check SSL CRT MD5

Just as we checked the MD5 hash of the .key and .csr files above, you need to check the MD5 hash of the .crt file as well to make sure it was generated properly.

$ openssl x509 -noout -modulus -in www.crt.in.crt | openssl md5

(stdin)= 806f035dd9c7dc1771fe804c7d9460fb

When you get the same MD5 hash for all of the .key, .csr and .crt files, the certificate was generated properly.
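
The comparison from steps 3, 4 and 6 as one script, added here as an example and not taken from the original article. The file names, the example.test subject and the temporary directory are constructed for the demonstration.

```sh
# Added example, not from the original article.
# Print the MD5 of a file's RSA modulus; $1 is rsa, req or x509.
# Fails when openssl cannot parse the file, so two unreadable inputs can
# never "match" through the MD5 of empty input.
modulus_md5() (
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || exit 1
    [ -n "$mod" ] || exit 1
    printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
)

# Exit 0 only when key, CSR and certificate all parse and share one modulus.
ssl_files_match() (
    k=$(modulus_md5 rsa  "$1") || exit 2
    c=$(modulus_md5 req  "$2") || exit 2
    x=$(modulus_md5 x509 "$3") || exit 2
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
)

# Constructed samples: site.key/.csr/.crt belong together, other.key does not.
make_samples() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null
    openssl req -new -key "$1/site.key" -subj "/CN=example.test" -out "$1/site.csr"
    openssl x509 -req -days 365 -in "$1/site.csr" -signkey "$1/site.key" \
        -out "$1/site.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp"

for key in site.key other.key missing.key; do
    if ssl_files_match "$tmp/$key" "$tmp/site.csr" "$tmp/site.crt"; then
        echo "$key: matches site.csr and site.crt"
    else
        echo "$key: does NOT match (or could not be read)"
    fi
done
```

Running the same check before reloading the web server catches a certificate that was issued for a different key than the one deployed.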

7. Check SSL CRT Expiration Date

You can also check the expiry date of the CRT file with the OpenSSL command below.

$ openssl x509 -noout -in www.crt.in.crt -dates

notBefore=Oct 11 12:27:26 2016 GMT
notAfter=Oct 11 12:27:26 2017 GMT
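
For monitoring, the expiry check can be scripted with the -checkend option of openssl x509 instead of reading the dates by eye. This is an added example, not part of the original article; the 30-day default window, the example.test subject and the throwaway certificates are constructed assumptions.

```sh
# Added example, not from the original article.
# Classify a certificate as ok, expiring, expired or unreadable.
# $1 is the certificate file, $2 the warning window in days (assumed default 30).
cert_status() (
    days=${2:-30}
    # Parse first: -checkend also exits non-zero on a file it cannot read.
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo unreadable; exit 0; }
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null; then
        echo expired
    elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$1" >/dev/null; then
        echo expiring
    else
        echo ok
    fi
)

# Constructed sample: a throwaway self-signed certificate valid for $2 days.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_cert "$work/long" 365
make_cert "$work/short" 5

for f in long short missing; do
    printf '%s: %s\n' "$f.crt" "$(cert_status "$work/$f.crt")"
done
```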

8. Decode CSR Certificate

You can decode the CSR with the command below to check the information inside the .csr file.

$ openssl req -in www.crt.in.csr -noout -text

Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=MAHARASHATRA, L=MUM, O=Techthings, OU=TECH, CN= techthings.org/emailAddress=sysadmin@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)

9. Verify the signature

You can verify the signature on the .csr file using the command below. If the output is "verify OK", the certificate was verified successfully.

$ openssl req -in www.crt.in.csr -noout -verify

verify OK

10. Check Certificate issued

With this command, you can check who is the owner of the certificate.

$ openssl req -in www.crt.in.csr -noout -subject

subject=/C=IN/ST=MAHARASHATRA/L=MUM/O=Techthings/OU=TECH/CN=techthings.org/emailAddress=sysadmin@gmail.com

11. Remove a passphrase key

If you are using a passphrase for the private key and no longer want a passphrase on the key, use the commands below to remove it.

Copy the .key file as a backup.

$ cp www.crt.in.key www.crt.in.key-orig

Then decrypt the key with OpenSSL. You'll need the passphrase in order to remove it.

$ openssl rsa -in www.crt.in.key -out new.www.crt.in.key

We have tried our best to include almost all of the 'Important SSL Commands' with their examples in this article, which are used by SysAdmins while working with OpenSSL. If we have still missed anything, please do let us know via comments, and don't forget to share with your friends.
