WebSphere Issues

07/04/2015

Common OpenSSL commands

Filed under: Security — Ishtiaque @ 12:21 pm

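1. Create a new RSA private key and a self-signed certificate (which carries the public key):

  • openssl req -x509 -nodes -days 1825 -newkey rsa:1024 -keyout /tmp/mycert.key -out /tmp/mycert.pem -subj "/C=US/O=IBM/CN=mycert" (rsa:1024 is below the 2048-bit minimum that public CAs accept; step 7 uses rsa:2048)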

2. Generate a self-signed certificate, or extract the public key, from an existing private key:

  • openssl req -x509 -new -nodes -days 1825 -key /tmp/mycert.key -out /tmp/mycert2.pem -subj "/C=IN/O=IBM/CN=mycert2"
  • openssl rsa -in myprivate.key -pubout > mypubkey.pub

3. Display the contents of a certificate (PEM, DER, or inside a PKCS#12 file):

  • openssl x509 -in /tmp/mycert2.pem -text -noout
  • openssl x509 -inform der -in /tmp/mycert.cer -text
  • openssl pkcs12 -in /tmp/mycert.p12 -password pass:passw0rd -nokeys

4. Check private key:

  • openssl rsa -in /tmp/mycert.key -check

5. Convert pem to p12:

  • openssl pkcs12 -export -out /tmp/mycert.p12 -inkey /tmp/mycert.key -in /tmp/mycert.pem -password pass:passw0rd
  • openssl pkcs12 -info -in /tmp/mycert.p12 -password pass:passw0rd -nokeys

6. Verify server certificate:

  • curl -k -v --cert /tmp/mycert.pem --key /tmp/mycert.key https://myhost (Presents the client certificate; -k skips validation of the server certificate)
  • openssl s_client -connect localhost:443 (Shows the certificate chain the server presents and the client certificate CA names it accepts)
  • echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates (Verify certificate expiry date)

7. Generate a CSR:

  • openssl req -new -newkey rsa:2048 -nodes -out www_mydomain_com.csr -keyout www_mydomain_com.key -subj "/C=OM/ST=Muscat/L=Muscat/O=MyOrg/OU=IT/CN=www.mydomain.com"

8. Verify a CSR:

  • openssl req -noout -text -in www_mydomain_com.csr

9. Verify that the CSR, private key and certificate belong together. If the following commands all print the same md5 hash, the three files share the same RSA modulus and are compatible:

  • openssl x509 -noout -modulus -in certificate.crt | openssl md5
  • openssl rsa -noout -modulus -in privateKey.key | openssl md5
  • openssl req -noout -modulus -in CSR.csr | openssl md5
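
The comparison in step 9 as a script, added here as an example that is not part of the original post. It goes beyond the MD5-of-modulus check by comparing a SHA-256 digest of the whole public key, so it also works for non-RSA keys. The function names, file names and generated test material are constructed for illustration, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes unencrypted PEM files.

# Print the SHA-256 digest of the public key held in a cert, key or CSR.
pub_fp() {  # usage: pub_fp cert|key|csr FILE
    case "$1" in
        cert) pub=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) ;;
        key)  pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) ;;
        csr)  pub=$(openssl req -noout -pubkey -in "$2" 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # An unreadable file must fail here, not hash to the digest of empty input.
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only when certificate, private key and CSR share one public key.
files_match() {  # usage: files_match CERT KEY CSR
    c=$(pub_fp cert "$1") || return 2
    k=$(pub_fp key  "$2") || return 2
    r=$(pub_fp csr  "$3") || return 2
    [ "$c" = "$k" ] && [ "$k" = "$r" ]
}

# Constructed test material: key + CSR + self-signed cert, plus an unrelated EC key.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/a.key" \
        -out "$d/a.csr" -subj "/CN=example.test" 2>/dev/null &&
    openssl x509 -req -in "$d/a.csr" -signkey "$d/a.key" -days 1 \
        -out "$d/a.crt" 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/b.key" 2>/dev/null || { rm -rf "$d"; return 2; }
    if files_match "$d/a.crt" "$d/a.key" "$d/a.csr"; then same=match; else same=mismatch; fi
    if files_match "$d/a.crt" "$d/b.key" "$d/a.csr"; then other=match; else other=mismatch; fi
    rm -rf "$d"
    echo "$same $other"
}

demo   # prints: match mismatch
```

Against real files, call `files_match certificate.crt privateKey.key CSR.csr` and check the exit status: 0 means all three match, 1 means a mismatch, 2 means a file could not be parsed.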
