openssl – Generate a CSR

This command generates a private key and a CSR (certificate signing request). You submit the CSR to a CA to get back the leaf certificate; the private key stays with you and is never sent anywhere.

openssl req -newkey rsa:2048 -nodes \
  -out myhostname.csr -config myopenssl.cnf

For this, a config file is needed (myopenssl.cnf above). The key is written to the file named by default_keyfile, myhostname.pem here, unless -keyout is given; -nodes leaves it unencrypted, which a server that must start unattended needs, so restrict the file's permissions. Every name the server will answer for, including the CN, has to appear under subjectAltName, because TLS clients match SANs only and ignore the CN. Fill the file with details like this:

######################################################################################
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = myhostname.pem
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
C=IN
ST=Karnataka
L=Bangalore
O=None
OU=None
CN=arunsr.in
[ v3_req ]
subjectAltName = @alternate_names
keyUsage = digitalSignature, keyEncipherment
[ alternate_names ]
DNS.1 = www.arunsr.in
DNS.2 = blog.arunsr.in
DNS.3 = arunsr.in # the CN as well: clients match SANs only and ignore CN
#######################################################################################
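The CSR step end to end, as an added shell example that is not part of the original page: it writes the config above to a scratch directory (with the CN also listed as a SAN), generates the key and CSR, then runs the checks worth doing before the CSR goes to the CA: the self-signature verifies, the requested SANs are the intended ones, and the public key inside the CSR belongs to the private key just written. The $WORK directory and the key/CSR file names are this example's assumptions.

```bash
#!/bin/sh
# Added example, not from the original page: generate the key and CSR from the
# config above, then inspect the CSR before handing it to the CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; file names below are this example's

# The page's request config, written inline. The CN is repeated as a SAN
# because TLS clients match SANs only.
write_config() {
  cat > "$WORK/myopenssl.cnf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ req_distinguished_name ]
C = IN
ST = Karnataka
L = Bangalore
O = None
OU = None
CN = arunsr.in
[ v3_req ]
subjectAltName = @alternate_names
keyUsage = digitalSignature, keyEncipherment
[ alternate_names ]
DNS.1 = www.arunsr.in
DNS.2 = blog.arunsr.in
DNS.3 = arunsr.in
EOF
}

# Unencrypted 2048-bit RSA key plus CSR in one step. -keyout replaces the
# default_keyfile setting so the output location is explicit.
make_csr() {
  write_config
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/myopenssl.cnf" \
    -keyout "$WORK/myhostname.key" -out "$WORK/myhostname.csr" >/dev/null 2>&1
}

# The CSR is self-signed with the new key; a corrupted or tampered file fails
# here. Prints ok or fail.
csr_signature_ok() {
  if openssl req -in "$WORK/myhostname.csr" -noout -verify >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# DNS names actually requested in the SAN extension, one per line.
csr_dns_sans() {
  openssl req -in "$WORK/myhostname.csr" -noout -text \
    | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# The public key inside the CSR must be the one derived from the private key
# just written; a mismatch means the CA would issue a cert you cannot use.
key_matches_csr() {
  k=$(openssl pkey -in "$WORK/myhostname.key" -pubout 2>/dev/null | openssl md5)
  c=$(openssl req -in "$WORK/myhostname.csr" -noout -pubkey 2>/dev/null | openssl md5)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

make_csr
csr_signature_ok    # ok
csr_dns_sans        # www.arunsr.in / blog.arunsr.in / arunsr.in
key_matches_csr     # match
```

The three checks are the ones a CA's validation will effectively perform anyway; running them locally catches a wrong SAN list or a key mix-up before a certificate is issued against the wrong request.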

openssl – cipher string check

If you're building a cipher string to enable or block certain ciphers (it is a colon-separated list of OpenSSL keywords with !, - and + modifiers, not a regular expression), here's a quick way to see what it expands to, in the order the server would offer the suites:

$ openssl ciphers 'RC4-SHA:HIGH:!ADH'
RC4-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5

$ openssl ciphers 'ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:RC4+RSA:+HIGH'
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5

Add -v to get one suite per line with its protocol, key exchange, authentication, encryption and MAC. In the second string RC4-SHA is gone because RC4 is a MEDIUM cipher and ! deletes permanently: the later RC4+RSA cannot bring it back, whereas a - deletion can be undone by a later rule. Both outputs are from an old OpenSSL build; since 1.1.0 RC4 is left out of the default build and 3DES is rated MEDIUM rather than HIGH, so run the check against the exact version your server links.
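Turning that check into something scriptable, as an added example that is not part of the original page: the functions below expand a cipher string, flag any suite that a current hardening baseline would reject, detect a string that selects nothing (a typo), and show the difference between ! and - removal using DES-CBC3-SHA, which is still compiled into current OpenSSL builds. The weak-name pattern and the hardened string are this example's choices, not the page's.

```bash
#!/bin/sh
# Added example, not from the original page: expand a cipher string the way
# the library will and flag anything a current baseline would reject.
set -eu

# One suite name per line, in the order the server would offer them. Since
# OpenSSL 1.1.1 the TLS 1.3 suites (TLS_AES_..., controlled separately by
# -ciphersuites) are printed first regardless of the string.
expand_ciphers() {
  openssl ciphers "$1" | tr ':' '\n'
}

# Does the string select at least one TLS 1.2-or-lower suite? A typo that
# matches nothing makes openssl exit non-zero with "Error in cipher list".
cipher_string_valid() {
  if openssl ciphers "$1" >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# Fragments that should not survive in a server's string: export grades,
# NULL encryption or anonymous key exchange, RC4, single/triple DES, MD5.
WEAK_PATTERN='EXP|NULL|ADH|AECDH|RC4|DES|MD5'

# Print the offending suites; prints nothing when the string is clean.
weak_ciphers_in() {
  expand_ciphers "$1" | grep -E "$WEAK_PATTERN" || true
}

# Does suite NAME come back after being removed with OP and then named again?
# '!' deletes permanently; '-' only drops it until a later rule re-adds it.
survives_readd() {   # survives_readd OP NAME
  if expand_ciphers "ALL:${1}${2}:${2}" | grep -qx "$2"; then echo yes; else echo no; fi
}

echo "== weak suites in the page's first string"
weak_ciphers_in 'RC4-SHA:HIGH:!ADH'
echo "== weak suites in a hardened string (expect none)"
weak_ciphers_in 'HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5'
echo "== syntax: $(cipher_string_valid 'HIGH:!aNULL:!eNULL') / $(cipher_string_valid 'NOSUCHCIPHER')"
echo "== DES-CBC3-SHA after !-removal then re-add: $(survives_readd '!' DES-CBC3-SHA)"
echo "== DES-CBC3-SHA after --removal then re-add: $(survives_readd '-' DES-CBC3-SHA)"
```

Run it on the machine that serves TLS, not your laptop: the expansion depends on the OpenSSL version and build options the server actually links, and a string that looks clean on one build can still admit 3DES on another.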

openssl – Connect and verify

To connect to a remote host and verify its certificate chain against your own CA bundle, run this command:

openssl s_client -verify 5 -verify_return_error -showcerts \
-connect remote-hostname.com:443 -servername remote-hostname.com -msg \
-CAfile allca.cer -cert myhostname.cer -key myhostname.key

-verify takes a maximum chain depth, so it must be followed by a number. Without -verify_return_error, s_client completes the handshake and exits 0 even when verification fails and only reports it in the "Verify return code" line of its output; with it, a failed verification aborts the connection. -servername sends the hostname as SNI, which a host that serves several certificates on one address needs in order to return the right one. The example above is for a mutual TLS connection where the client offers its own certificate and key too; drop -cert and -key for a plain server-authenticated check.

To view the parsed leaf certificate of a remote host, do this:

echo | \
openssl s_client -connect remote-hostname.com:443 -servername remote-hostname.com 2>/dev/null | \
openssl x509 -noout -text

The echo closes s_client's stdin so it exits after the handshake instead of waiting for input; -noout stops x509 from printing the PEM block again after the decoded text. x509 parses only the first certificate it reads, so add -showcerts to s_client and split the output if you want to inspect the intermediates as well.
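A fully local stand-in for the connect-and-verify step, added here and not part of the original page: it builds a throwaway CA, issues a leaf for the page's placeholder name remote-hostname.com, and scripts the same chain, hostname and expiry checks that s_client summarises in its "Verify return code" line, so the outcome is a pass/fail rather than output read by eye. The CA name, file names, extensions and validity periods are this example's assumptions; nothing here touches the network.

```bash
#!/bin/sh
# Added example, not from the original page: build a throwaway CA, issue a
# leaf for the page's placeholder host, and script the checks that s_client's
# "Verify return code" performs, so the result is a pass/fail you can test.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST=remote-hostname.com   # the page's placeholder name; any name works here

# One small request config shared by the CA and the leaf CSR. The [ dn ] CN is
# overridden by -subj; [ v3_ca ] is only consulted when -x509 is given.
write_cnf() {
  cat > "$WORK/mini.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Self-signed CA, valid 30 days.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj '/CN=Example Test CA' -config "$WORK/mini.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Leaf: CSR for HOST, then signed by the CA with server-certificate extensions.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -config "$WORK/mini.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
    "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Chain + hostname check against an explicit CA bundle, as s_client does with
# -CAfile and -verify_hostname. Prints ok or fail; the ': OK' grep guards
# against older builds whose exit status was not reliable.
verify_leaf() {   # verify_leaf CAFILE HOSTNAME CERT
  out=$(openssl verify -CAfile "$1" -verify_hostname "$2" "$3" 2>&1) \
    && printf '%s\n' "$out" | grep -q ': OK$' && echo ok || echo fail
}

# Same cert with no CA bundle: the system store does not know our test CA,
# which is the "unable to get local issuer certificate" case.
verify_leaf_no_ca() {   # verify_leaf_no_ca CERT
  out=$(openssl verify "$1" 2>&1) \
    && printf '%s\n' "$out" | grep -q ': OK$' && echo ok || echo fail
}

# Does CERT expire within SECONDS? Prints yes or no (openssl x509 -checkend).
expires_within() {   # expires_within CERT SECONDS
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1 && echo no || echo yes
}

write_cnf; make_ca; make_leaf
verify_leaf "$WORK/ca.pem" "$HOST" "$WORK/leaf.pem"            # ok
verify_leaf "$WORK/ca.pem" wrong.example.net "$WORK/leaf.pem"  # fail (hostname mismatch)
verify_leaf_no_ca "$WORK/leaf.pem"                             # fail (no issuer)
expires_within "$WORK/leaf.pem" 86400                          # no
expires_within "$WORK/leaf.pem" $((60 * 86400))                # yes
```

Against a real host, feed the chain saved from s_client -showcerts into the same verify_leaf call with your CA bundle; the expiry check is the one most worth putting in a cron job, since an expired leaf is the commonest cause of a non-zero verify code.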