Imagine that you need to send a message to someone. However, you do not know where he is or what his contact detail is. You just know another man who has his contacts that can send your message to him.
Internet was designed in a way like the one describe above. The data passes through multiple nodes in the network to reach its destination. By the default, data will be a text plain and insecure. Any nodes, which you pass the message to get package to, can read these messages.
SSL and TLS are the protocols to reduce this risk. So only message owner can read message and make sure that message sender is the true person that should be. SSL and TLS are standard security protocols for establishing an encrypted communication between a server and a client.
I added a simple flow how SSL and TLS connection establish between client and server. At this flow, the key point is symmetric key exchange step.
- Client and Server agree on a common ciphers which both side are supported.
- Client uses server’s public key to create encrypted symmetric key with supported ciphers and parameters.
- Server uses its private key to decrypt the symmetric key and it uses to protect session.
An SSL Certificate (.cer, .crt) is a digital file that has two-specific purpose.
- Authentication and Verification: The SSL Certificate has information that identify of host or site. When you check certificate chain, you should probably get who issued certificate and where it can be used.
- Data Encryption: The SSL Certificate main purpose is data encryption, which means that all sensitive information will be encrypted between server and client.
OpenSSL is a powerful toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Also it’s a free software that implements SSL and TLS protocols and enables server to send data across the internet with encrypted mode.
The OpenSSL contains tools essential for the following tasks:
- Generating private keys (RSA)
- Generating Certificate Signing Request (CSRs)
- Performing encryption/decryption
- Manage and control encrypted file
General OpenSSL commands
- Generating RSA , CSRs, CRT
Create a new private key and Certificate Signing Request (CSRs)
#openssl req -out Casesup.csr -new -newkey rsa:2048 -nodes -keyout Casesup.key
Generate a self-signed certificate (CRT)
#openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout Casesup.key -out Casesup.crt
Create a Certificate Signing Request with existing PEM file
#openssl req -out casesup.csr -key casesup.key -new
Generate a Certificate Signing Request with an existing Certificate (CSRs)
#openssl x509 -x509toreq -in casesup.crt -out casesup.csr -signkey casesup.key
- Check RSA , CSRs, CRT
Check an existing CSR file
#openssl req -text -noout -verify -in casesup.csr
Check Private key
#openssl rsa -in casesup.key -check
Check Signed Certificate
#openssl x509 -in casesup.crt -text -noout
Check PKCS#12 file (.pfx and .p12)
#openssl pkcs12 -info -in casesup.p12
- OpenSSL Debugging Commands
Use MD5 to check if certificate, private key and certificate request are matched
#openssl x509 -noout -modulus -in casesup.crt| openssl md5
#openssl rsa -noout -modulus -in casesup.key | openssl md5
#openssl req -noout -modulus -in casesup.csr | openssl md5
Check SSL connection certificate information
#openssl s_client -connect casesup.com:443
- Converting File Format
Convert DER format (.cer .crt .der) to PEM
#openssl x509 -inform der -in casesup.cer -out casesup.pem
Convert PEM to DER
#openssl x509 -outform der -in casesup.pem -out casesup.der
Convert PKCS#12(.pfx or .p12) to PEM
#openssl pkcs12 -in casesup.pfx -out casesup.pem -nodes
Convert PKCS#12(.pfx or .p12) to PEM (only export PEM)
#openssl pkcs12 -in casesup.pfx -out casesup.pem -nodes -nocerts
Convert PKCS#12(.pfx or .p12) to CRT (only export Certificate)
#openssl pkcs12 -in casesup.pfx -out casesup.crt -nodes -nokeys
Convert PEM and CRT to PKCS#12(.pfx, .p12)
#openssl pkcs12 -export -out casesup.pfx -inkey casesup.key -in casesup.crt -certfile CAcasesup.crt
Check this link for more!