OpenSSL notes

External OpenSSL Command-line FAQ

This OpenSSL HowTo/FAQ deals with the command-line openssl.

Remove password from OpenVPN key

The user's client.key generated by `openvpn --genkey` is an OpenSSL RSA key. You can use `openssl` commands on the key. This will overwrite the existing user.key file:

openssl rsa -in client.key -out client.key

Encrypt output of a command to log file

It is pretty trivial to send output from a command to an encrypted log file. This is useful if running a server in debug mode where log output might contain sensitive information such as personal information or passwords.

some_command | openssl bf -e -salt -out log.bf

You can decrypt the log file while the command is still running.

cat log.bf | openssl bf -d -salt

get certificate details from a remote SSL host

This will download the SSL cert currently in use on a remote host. This uses openssl in client mode to retrieve and decode the certificate on the remote server.

openssl s_client -connect www.noah.org:443 </dev/null 2>/dev/null | openssl x509 -text -noout

Some of the more interesting fields can be parsed into variables.

NOW=$(date "+%s")
CERT_INFO=$(openssl s_client -connect www.noah.org:443 </dev/null 2>/dev/null | openssl x509 -text -noout)
CERT_EXPIRATION_DATE=$(echo "${CERT_INFO}" | sed -n 's/.*Not After.*: \(.*\)/\1/p')
CERT_EXPIRATION_SECONDS=$(date '+%s' --date "${CERT_EXPIRATION_DATE}")
CERT_EXPIRATION_DAYS=$((($CERT_EXPIRATION_SECONDS - ${NOW}) / 60 / 60 / 24))
CERT_ISSUER=$(echo "${CERT_INFO}" | sed -n 's/.*Issuer.*: \(.*\)/\1/p')
CERT_ISSUER_CN=$(echo "${CERT_INFO}" | sed -n 's/.*Issuer.*:.*CN=\(.*\)/\1/p')
CERT_SUBJECT=$(echo "${CERT_INFO}" | sed -n 's/.*Subject.*: \(.*\)/\1/p')
CERT_SUBJECT_CN=$(echo "${CERT_INFO}" | sed -n 's/.*Subject.*:.*CN=\(.*\)/\1/p')