OpenSSL notes
From Noah.org
Revision as of 17:46, 9 September 2013 by Root (talk | contribs) (→get certificate details from a remote SSL host)
External OpenSSL Command-line FAQ
This OpenSSL HowTo/FAQ deals with the command-line openssl.
Remove password from OpenVPN key
The user's client.key generated by `openvpn --genkey` is an OpenSSL RSA key, so you can use `openssl` commands on it. The following strips the passphrase (you will be prompted for the current one) and overwrites the existing client.key file in place:
openssl rsa -in client.key -out client.key
Encrypt output of a command to log file
It is trivial to send the output of a command to an encrypted log file. This is useful when running a server in debug mode, where log output may contain sensitive information such as personal data or passwords. `openssl` will prompt for the encryption passphrase:
some_command | openssl bf -e -salt -out log.bf
You can decrypt the log file while the command is still running.
cat log.bf | openssl bf -d -salt
get certificate details from a remote SSL host
This downloads the SSL certificate currently in use on a remote host: openssl runs in client mode to retrieve the certificate from the remote server, and `openssl x509` decodes it.
openssl s_client -connect www.noah.org:443 </dev/null 2>/dev/null | openssl x509 -text -noout
Some of the more interesting fields can be parsed into variables.
NOW=$(date "+%s")
CERT_INFO=$(openssl s_client -connect www.noah.org:443 </dev/null 2>/dev/null | openssl x509 -text -noout)
CERT_EXPIRATION_DATE=$(echo "${CERT_INFO}" | sed -n 's/.*Not After.*: \(.*\)/\1/p')
CERT_EXPIRATION_SECONDS=$(date '+%s' --date "${CERT_EXPIRATION_DATE}")
CERT_EXPIRATION_DAYS=$((($CERT_EXPIRATION_SECONDS - ${NOW}) / 60 / 60 / 24))
CERT_ISSUER=$(echo "${CERT_INFO}" | sed -n 's/.*Issuer.*: \(.*\)/\1/p')
CERT_ISSUER_CN=$(echo "${CERT_INFO}" | sed -n 's/.*Issuer.*:.*CN=\(.*\)/\1/p')
CERT_SUBJECT=$(echo "${CERT_INFO}" | sed -n 's/.*Subject.*: \(.*\)/\1/p')
CERT_SUBJECT_CN=$(echo "${CERT_INFO}" | sed -n 's/.*Subject.*:.*CN=\(.*\)/\1/p')
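The same parsing carried through as a reusable expiry check, added here as an example that is not part of the original page. It assumes GNU date (for --date) and, so that it runs offline, works on a constructed, fictitious certificate dump in SAMPLE_CERT_INFO in place of the live `openssl s_client | openssl x509 -text -noout` output.

```shell
#!/bin/sh
# Added example, not from the original page. Parses "openssl x509 -text -noout"
# output into the fields used above and turns them into an expiry check.
# Assumes GNU date (--date). SAMPLE_CERT_INFO is a constructed, fictitious dump;
# in real use, feed in the output of:
#   openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -text -noout

SAMPLE_CERT_INFO='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Example CA, CN=Example Intermediate CA
        Validity
            Not Before: Sep  9 17:46:00 2013 GMT
            Not After : Sep  9 17:46:00 2014 GMT
        Subject: C=US, O=Example Org, CN=www.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'

# Print the value of one "Label: value" line; $1 = dump, $2 = label (first match only).
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 *: *\(.*\)/\1/p" | head -n 1
}

# Pull the CN out of the Subject or Issuer distinguished name; $2 = Subject or Issuer.
cert_cn() {
    cert_field "$1" "$2" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Whole days until "Not After", measured from epoch seconds $2 (defaults to now).
cert_days_left() {
    expiry=$(cert_field "$1" "Not After")
    now=${2:-$(date '+%s')}
    expiry_secs=$(date --date "$expiry" '+%s')
    echo $(( (expiry_secs - now) / 86400 ))
}

# Return 0 if at least $2 days of validity remain (as of epoch $3), else warn and return 1.
cert_check_expiry() {
    days=$(cert_days_left "$1" "$3")
    subject=$(cert_cn "$1" Subject)
    issuer=$(cert_cn "$1" Issuer)
    if [ "$days" -lt "$2" ]; then
        echo "WARNING: $subject (issuer: $issuer) expires in $days days"
        return 1
    fi
    echo "OK: $subject (issuer: $issuer) valid for $days more days"
}

# Stand-alone run against the sample, which has long since expired, so this warns.
cert_check_expiry "$SAMPLE_CERT_INFO" 14 || true
```

Drop the threshold check into a cron job against your own hosts and alert on a non-zero exit to catch certificates before they lapse.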