Working with SSL certificates


This post is about the various tasks involved in handling SSL/TLS certificates with the openssl command-line tool. For the moment, it only covers tasks related to already existing certificates and keys, not issuing new ones.

Viewing SSL certificates

The contents of an SSL certificate can be viewed in human-readable form with the following command (-text prints the parsed fields, -noout suppresses the PEM block itself):

openssl x509 -text -noout -in cert.pem

Verifying SSL certificates using CA certificates

Using the openssl verify command, the chain of trust from a certificate up to a trusted root CA can be verified:

openssl verify -verbose -CAfile <(cat ca.pem ca-intermediate.pem) cert.pem

Please note that -CAfile expects a single file, which is why the root and intermediate certificates are concatenated here with a bash process substitution (on other shells, concatenate them into a bundle file first). Every certificate in that file is treated as a trust anchor, so the order inside it does not matter; the certificate to be checked is passed as the last positional parameter. If the intermediate should not be trusted unconditionally but must itself chain to the root, pass only the root via -CAfile and the intermediate(s) via -untrusted instead.
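The difference between the two ways of supplying the CA certificates is easiest to see on a throwaway hierarchy. The following script is an added example, not part of the original post: it builds a root, an intermediate and a leaf certificate with openssl in a temporary directory and then verifies the leaf both strictly (root via -CAfile, intermediate via -untrusted) and the way shown above (both in one -CAfile bundle). The subject names, file names and one-day validity are arbitrary choices for the demonstration; it assumes a POSIX shell with openssl on the PATH.

```sh
#!/bin/sh
# Added example: build a throwaway three-tier PKI (root -> intermediate -> leaf)
# in a temporary directory and verify the leaf certificate against it.
# All names (Test Root, example.test, ...) are made up for the demonstration.
set -eu

# make_test_pki DIR: writes root.pem, inter.pem and leaf.pem (plus keys) into DIR.
make_test_pki() {
    pki=$1
    # Extensions for the intermediate: without basicConstraints CA:true,
    # openssl verify refuses to accept it as an issuer ("invalid CA certificate").
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$pki/ca.ext"

    # 1. self-signed root (openssl req -x509 marks it CA:true by default)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root' \
        -keyout "$pki/root.key" -out "$pki/root.pem" 2>/dev/null

    # 2. intermediate, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$pki/inter.key" -out "$pki/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$pki/inter.csr" -CA "$pki/root.pem" \
        -CAkey "$pki/root.key" -CAcreateserial -extfile "$pki/ca.ext" \
        -out "$pki/inter.pem" 2>/dev/null

    # 3. leaf, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.test' \
        -keyout "$pki/leaf.key" -out "$pki/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$pki/leaf.csr" -CA "$pki/inter.pem" \
        -CAkey "$pki/inter.key" -CAcreateserial -out "$pki/leaf.pem" 2>/dev/null
}

# verify_strict ROOT INTER LEAF: only ROOT is a trust anchor; INTER merely helps
# to build the chain and must itself be signed by ROOT.
verify_strict() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# verify_bundle ROOT INTER LEAF: the post's approach, root and intermediate
# concatenated into one -CAfile (both become trust anchors; order is irrelevant).
verify_bundle() {
    bundle=$(mktemp)
    cat "$2" "$1" > "$bundle"          # deliberately intermediate first
    if openssl verify -CAfile "$bundle" "$3" >/dev/null 2>&1; then
        rm -f "$bundle"; return 0
    fi
    rm -f "$bundle"; return 1
}

demo() {
    pki=$(mktemp -d)
    make_test_pki "$pki"
    verify_strict "$pki/root.pem" "$pki/inter.pem" "$pki/leaf.pem" && echo "strict: leaf chains to root"
    verify_bundle "$pki/root.pem" "$pki/inter.pem" "$pki/leaf.pem" && echo "bundle: leaf chains to root"
    # An unrelated root must not validate the leaf, whichever way it is supplied.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Other Root' \
        -keyout "$pki/other.key" -out "$pki/other.pem" 2>/dev/null
    verify_strict "$pki/other.pem" "$pki/inter.pem" "$pki/leaf.pem" || echo "strict: unrelated root rejected"
    verify_bundle "$pki/other.pem" "$pki/inter.pem" "$pki/leaf.pem" || echo "bundle: unrelated root rejected"
    rm -rf "$pki"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Both variants accept the genuine chain and reject the unrelated root; the strict form is preferable in scripts because an intermediate placed in -CAfile would be trusted even if its own signature by the root were bad.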

Determining whether an SSL certificate and a key match

For RSA keys, this can be achieved by comparing the modulus of the private key with the modulus of the public key embedded in the certificate:

openssl rsa -noout -modulus -in key.pem | openssl md5
openssl x509 -noout -modulus -in cert.pem | openssl md5

The output of both commands must match. Hashing the modulus with MD5 only shortens the output that has to be compared by eye; it plays no security role here, so any digest would do. Note that openssl rsa and -modulus only work for RSA keys; for EC (or other) keys, compare the public key that openssl pkey -pubout derives from the private key with the one that openssl x509 -pubkey -noout extracts from the certificate.

Reference: How to check if the certificate matches a Private Key?

Another approach is to check whether a message encrypted with the certificate's public key can be decrypted with the private key, which is exactly what the following sections do.
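The modulus comparison above is RSA-only. As an added example that is not part of the original post, the following script generalises the check to any key type by comparing the DER encoding of the two public keys byte for byte, and additionally prints a SHA-256 fingerprint of the public key for comparing by eye. It assumes a POSIX shell with openssl on the PATH; the KEY_PASSIN variable is a convention of this example (set it to file:path or similar for passphrase-protected keys), and the RSA and EC test pairs in demo() are constructed on the fly.

```sh
#!/bin/sh
# Added example: decide whether a private key and a certificate belong together by
# comparing the DER encoding of their public keys. Works for RSA and EC keys alike,
# whereas the modulus trick from the post is RSA-only.
set -eu

# pubkey_der FILE OUT: write FILE's public key in DER form to OUT. FILE may be a
# PEM private key or a PEM certificate. Returns non-zero if neither parses.
# KEY_PASSIN (hypothetical convention of this example) selects the passphrase
# source for encrypted keys, e.g. KEY_PASSIN=file:/path/to/pass.
pubkey_der() {
    if openssl pkey -in "$1" -passin "${KEY_PASSIN:-pass:}" -pubout -outform DER \
        -out "$2" 2>/dev/null; then
        return 0
    fi
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER -out "$2" 2>/dev/null
}

# key_matches_cert KEY CERT: exit 0 if the public keys are identical, 1 if they
# differ, 2 if either file cannot be parsed (never silently "matches" on errors).
key_matches_cert() {
    tmp=$(mktemp -d)
    if ! pubkey_der "$1" "$tmp/key.der" || ! pubkey_der "$2" "$tmp/cert.der"; then
        rm -rf "$tmp"; return 2
    fi
    if cmp -s "$tmp/key.der" "$tmp/cert.der"; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# pubkey_fingerprint FILE: SHA-256 of the DER public key, for eyeballing or logging.
pubkey_fingerprint() {
    tmp=$(mktemp)
    pubkey_der "$1" "$tmp" || { rm -f "$tmp"; return 2; }
    openssl dgst -sha256 -r "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
}

demo() {
    d=$(mktemp -d)
    # constructed test material: one RSA and one EC key pair, each with a
    # self-signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=rsa-test' \
        -keyout "$d/rsa.key" -out "$d/rsa.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ec.key" -days 1 -subj '/CN=ec-test' \
        -out "$d/ec.pem" 2>/dev/null
    for pair in "rsa.key rsa.pem" "ec.key ec.pem" "rsa.key ec.pem"; do
        set -- $pair
        if key_matches_cert "$d/$1" "$d/$2"; then
            echo "$1 / $2: match"
        else
            echo "$1 / $2: MISMATCH"
        fi
    done
    echo "public key fingerprint of ec.pem: $(pubkey_fingerprint "$d/ec.pem")"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

The parse failure is reported separately (exit status 2) on purpose: a naive pipeline that hashes whatever openssl prints would hash two empty outputs to the same digest when both files are unreadable and report a bogus match.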

Encrypting and Decrypting binary files

Encrypting a binary file (using the public key of the certificate; input.bin and encrypted.der are placeholders for the input file and the resulting DER-encoded PKCS#7 envelope):

openssl smime -encrypt -binary -aes-256-cbc -in input.bin -out encrypted.der -outform DER cert.pem

Decrypting a binary file (using the private key; decrypted.bin is a placeholder for the output file):

openssl smime -decrypt -binary -inform DER -in encrypted.der -out decrypted.bin -inkey key.pem -passin pass:your_password

If the private key has no passphrase, the -passin pass:your_password parameter can be omitted. Note that a passphrase given as pass:... is visible in the process list and ends up in the shell history; outside of quick tests, read it from a file (-passin file:path) or from standard input (-passin stdin) instead.

Encrypting and Decrypting text files

Encrypting a text file (using the public key of the certificate). Without -binary, openssl first converts the input to canonical S/MIME form with CRLF line endings, which is fine for text but would corrupt binary data, hence the -binary flag in the previous section:

openssl smime -encrypt -aes-256-cbc -in message.txt -out secret.txt -outform DER cert.pem

Decrypting a text file (using the private key):

openssl smime -decrypt -in secret.txt -inform DER -out message.txt -inkey key.pem -passin pass:your_password

Again, the -passin pass:your_password parameter can be omitted if the private key is not protected by a passphrase, and the same caveat about passing a passphrase on the command line applies.
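To put the two sections together, here is an added example (not part of the original post) that round-trips a file through the same DER-encoded S/MIME envelope: it encrypts to a certificate, decrypts with the matching private key while reading the key's passphrase from a file instead of the command line, and checks that the decrypted bytes are identical. It also shows that an unrelated key cannot open the envelope. The certificate, key, passphrase and input bytes are all constructed inside the script; it assumes a POSIX shell with openssl and cmp on the PATH.

```sh
#!/bin/sh
# Added example: round-trip a file through the S/MIME (PKCS#7) envelope format used
# in the post, with the private key protected by a passphrase that is read from a
# file (-passin file:) rather than put on the command line. All names are placeholders.
set -eu

# encrypt_to_cert CERT IN OUT: encrypt IN for the holder of CERT, content cipher
# AES-256-CBC, output a DER-encoded PKCS#7 envelope (no MIME headers).
encrypt_to_cert() {
    openssl smime -encrypt -binary -aes-256-cbc -in "$2" -out "$3" -outform DER "$1"
}

# decrypt_with_key KEY PASSFILE IN OUT: open the envelope IN with KEY, whose
# passphrase is the first line of PASSFILE.
decrypt_with_key() {
    openssl smime -decrypt -binary -inform DER -in "$3" -out "$4" \
        -inkey "$1" -passin "file:$2"
}

# roundtrip_ok CERT KEY PASSFILE IN: encrypt IN, decrypt it again and compare with
# the original; exit 0 only if the decrypted bytes are identical. Comparing the
# bytes (rather than trusting the decrypt exit status) also catches the rare case
# where a wrong key yields garbage with valid padding.
roundtrip_ok() {
    w=$(mktemp -d)
    if encrypt_to_cert "$1" "$4" "$w/env.der" 2>/dev/null \
        && decrypt_with_key "$2" "$3" "$w/env.der" "$w/plain" 2>/dev/null \
        && cmp -s "$4" "$w/plain"; then
        rm -rf "$w"; return 0
    fi
    rm -rf "$w"; return 1
}

# make_test_identity DIR PASSPHRASE: self-signed cert.pem plus a passphrase-protected
# key.pem and the passphrase file pass.txt (constructed test material).
make_test_identity() {
    (umask 077; printf '%s\n' "$2" > "$1/pass.txt")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=smime-test' \
        -keyout "$1/plain.key" -out "$1/cert.pem" 2>/dev/null
    # re-wrap the key with a passphrase; the plaintext copy is removed afterwards
    openssl pkey -in "$1/plain.key" -aes-256-cbc -passout "file:$1/pass.txt" \
        -out "$1/key.pem" 2>/dev/null
    rm -f "$1/plain.key"
}

demo() {
    d=$(mktemp -d)
    make_test_identity "$d" 'correct horse battery staple'
    # constructed binary input: NUL and CR/LF bytes that would be mangled without -binary
    printf 'hello\000world\r\n\001\002\003' > "$d/input.bin"
    roundtrip_ok "$d/cert.pem" "$d/key.pem" "$d/pass.txt" "$d/input.bin" \
        && echo "round trip with the matching key: OK"
    # an unrelated key must not be able to open the envelope
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    printf 'unused\n' > "$d/unused.txt"
    roundtrip_ok "$d/cert.pem" "$d/other.key" "$d/unused.txt" "$d/input.bin" \
        || echo "unrelated key rejected: OK"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

The passphrase file is created with umask 077 so that it is readable only by its owner; with -passin file: the passphrase never appears in ps output or the shell history, unlike the pass:your_password form.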

