How to read certificate information automatically using OpenSSL

apache-2.4opensslubuntu-14.04

To generate an SSL certificate file for Apache, I am using the below command:

 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.cert

And I manually feed it with these parameters:

Country Name (2 letter code) [AU]:AU
State or Province Name (full name): Myname
[Some-State]:Some-State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet
Organizational Unit Name (eg, section) []:Section
Common Name (e.g. server FQDN or YOUR name) []:yourname
Email Address []:email@gmail.com

Is it possible to enter them from a file or right from an OpenSSL command line using options?

There is no hint from the OpenSSL man pages.

Best Answer

You can create a configuration file and use that in your command. You could for example create a config file named openssl.cnf and use it like this:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.cert -config ./openssl.cnf

In your case you can set the following parameters:

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName          = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name (city, district)
stateOrProvinceName         = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max              = 64

More can be found at http://www.flatmtn.com/article/setting-openssl-create-certificates#SSLCert-4

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

SSL Certificate – How to View Details of a .cer File

OpenSSL will allow you to look at it if it is installed on your system, using the OpenSSL x509 tool.

openssl x509 -in cerfile.cer -noout -text

The format of the .CER file might require that you specify a different encoding format to be explicitly called out.

openssl x509 -inform pem -in cerfile.cer -noout -text

openssl x509 -inform der -in cerfile.cer -noout -text

On Windows systems you can right click the .cer file and select Open. That will then let you view most of the meta data.

On Windows you run Windows certificate manager program using certmgr.msc command in the run window. Then you can import your certificates and view details.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

SSL Certificate – How to View Details of a .cer File

Related Topic