This post covers the various tasks involved in handling SSL certificates. For the moment, it only deals with tasks related to already existing certificates.
Viewing SSL certificates
Viewing the contents of an SSL (X.509) certificate in human-readable form can be achieved by issuing the following command:
openssl x509 -text -noout -in cert.pem
Verifying SSL certificates using CA certificates
Using the openssl verify command, the chain of trust can be verified:
openssl verify -verbose -CAfile <(cat ca.pem ca-intermediate.pem) cert.pem
Please note which certificate goes where: the certificate to be checked is the positional parameter, while every certificate passed via -CAfile is treated as trusted. The order inside that file does not matter, since OpenSSL looks issuers up by subject name, but treating an intermediate as a trust anchor is sloppy; the cleaner form keeps only the root in -CAfile and passes the intermediate(s) with the -untrusted option. The <( ... ) process substitution is a bash feature; in a POSIX shell, concatenate the files into a bundle first. Also note that openssl verify checks signatures, validity periods and CA constraints only; add -verify_hostname to also check that the certificate is valid for a given host name.
Determining whether an SSL certificate and a key match
This can be achieved by comparing the modulus of the key with the modulus of the certificate. This only works for RSA keys; for other key types (EC, Ed25519) compare the public keys instead, i.e. the output of openssl pkey -pubout for the key and of openssl x509 -pubkey -noout for the certificate.
openssl rsa -noout -modulus -in key.pem | openssl md5
openssl x509 -noout -modulus -in cert.pem | openssl md5
The output of both commands must match. Calculating the MD5 sum of the modulus merely reduces the amount of data that has to be compared by eye; MD5 is fine for that purpose because nothing here relies on its collision resistance.
Another approach is to check whether a message encrypted with the public key of the certificate can be decrypted with the private key, as shown in the encryption sections below.
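The following script is an added example and not part of the original post. It covers both the chain verification and the key/certificate matching described above: it builds a throw-away root, intermediate and leaf with OpenSSL (the directory, the names "Example root/int/leaf" and the host name www.example.test are made up), verifies the leaf with the root as the only trust anchor and the intermediate passed as untrusted chain material, and checks which private key belongs to the leaf certificate by comparing public keys rather than RSA moduli.

```shell
#!/bin/sh
# Added example, not from the original post: build a throw-away root -> intermediate
# -> leaf PKI with OpenSSL, then (a) verify the leaf with the root as the only trust
# anchor and the intermediate as untrusted chain material, and (b) check whether a
# private key belongs to a certificate. Directory, names and host name are made up.
set -e

# Create root, intermediate and leaf (EC P-256 keys, valid one day) in directory $1.
make_pki() {
  dir=$1
  # openssl x509 -req adds no extensions unless told to; CA certs need CA:TRUE.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
  for name in root int leaf; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/$name.key" 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=Example $name" -out "$dir/$name.csr" 2>/dev/null
  done
  # Self-signed root.
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # Intermediate signed by the root, leaf signed by the intermediate.
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_chain ROOT INTERMEDIATE LEAF [HOST]: only ROOT is a trust anchor (-CAfile);
# INTERMEDIATE is just chain material (-untrusted). With HOST, the SAN must match too.
verify_chain() {
  if [ -n "$4" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  fi
}

# key_matches_cert KEY CERT: compare the public key derived from the private key with
# the one in the certificate. Works for RSA, EC and Ed25519 keys alike, whereas
# openssl rsa -modulus only handles RSA. Returns 2 if either file cannot be parsed.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$key_pub" = "$cert_pub" ]
}

PKI_DIR=$(mktemp -d)
make_pki "$PKI_DIR"

if verify_chain "$PKI_DIR/root.pem" "$PKI_DIR/int.pem" "$PKI_DIR/leaf.pem"; then
  echo "leaf verifies: root trusted, intermediate supplied as untrusted"
fi
if ! openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/leaf.pem" >/dev/null 2>&1; then
  echo "leaf alone does not verify: the intermediate is missing (expected)"
fi
if ! verify_chain "$PKI_DIR/root.pem" "$PKI_DIR/int.pem" "$PKI_DIR/leaf.pem" evil.example.test; then
  echo "leaf is not valid for evil.example.test (expected)"
fi
if key_matches_cert "$PKI_DIR/leaf.key" "$PKI_DIR/leaf.pem"; then
  echo "leaf.key belongs to leaf.pem"
fi
if ! key_matches_cert "$PKI_DIR/int.key" "$PKI_DIR/leaf.pem"; then
  echo "int.key does not belong to leaf.pem (expected)"
fi
```

The second check shows why the intermediate has to be supplied at all: with only the root in -CAfile, OpenSSL cannot build a path from the leaf to a trust anchor and reports "unable to get local issuer certificate". key_matches_cert compares the SubjectPublicKeyInfo in PEM form, which is the general form of the modulus comparison above and also the reason it works for the EC keys used here.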
Encrypting and Decrypting binary files
Encrypting a binary file (using the public key of the certificate):
openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER cert.pem
Decrypting a binary file (using the private key):
openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey key.pem -passin pass:your_password
If the passphrase of your private key is empty, the -passin pass:your_password parameter can be omitted. Note that pass: makes the passphrase visible to every user on the machine via the process list; prefer -passin env:VARIABLE or -passin file:path for anything but throwaway keys.
Encrypting and Decrypting text files
Encrypting a text file (using the public key of the certificate):
openssl smime -encrypt -aes-256-cbc -in message.txt -out secret.txt -outform DER cert.pem
Decrypting a text file (using the private key):
openssl smime -decrypt -in secret.txt -inform DER -out message.txt -inkey key.pem -passin pass:your_password
The -passin pass:your_password parameter can be omitted if the private key is not secured by a password. Without -binary, openssl smime converts the input to canonical S/MIME form before encrypting, so the decrypted message.txt may come back with CRLF line endings; use -binary if the file must survive byte for byte.
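The following script is an added example and not part of the original post. It runs the encrypt/decrypt commands from the two sections above end to end on a binary file and then shows two cases in which the round trip must fail: decrypting with a key that does not belong to the recipient certificate, and a ciphertext that was modified in transit. The names Alice and Mallory, the passphrase, the working directory and the payload are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: round-trip a binary file through
# openssl smime -encrypt / -decrypt, then show two cases in which the round trip
# must fail: decrypting with a key that does not belong to the recipient
# certificate, and a ciphertext that was modified in transit. The names, the
# passphrase and the payload are made up.
set -e

WORK=$(mktemp -d)
ALICE_PASS='correct horse battery staple'   # constructed passphrase
export ALICE_PASS

# Recipient key pair; the key is protected with a passphrase taken from the
# environment (env: keeps it out of the process list, unlike pass:).
openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=Alice' -passout env:ALICE_PASS \
  -keyout "$WORK/alice.key" -out "$WORK/alice.pem" 2>/dev/null
# Someone else's key pair, to show that only the matching private key works.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Mallory' \
  -keyout "$WORK/mallory.key" -out "$WORK/mallory.pem" 2>/dev/null

# Constructed binary payload: NUL and high bytes, so -binary matters.
printf 'PK\003\004\000\001\002\377 binary payload\n' > "$WORK/plain.bin"

# smime_encrypt PLAIN CERT OUT: encrypt PLAIN for the holder of CERT, DER output.
smime_encrypt() {
  openssl smime -encrypt -binary -aes-256-cbc -in "$1" -outform DER -out "$3" "$2"
}

# smime_decrypt CIPHER KEY PASSIN OUT: PASSIN is a -passin source such as
# env:ALICE_PASS, or empty for an unencrypted key.
smime_decrypt() {
  if [ -n "$3" ]; then
    openssl smime -decrypt -binary -inform DER -in "$1" -inkey "$2" -passin "$3" -out "$4" 2>/dev/null
  else
    openssl smime -decrypt -binary -inform DER -in "$1" -inkey "$2" -out "$4" 2>/dev/null
  fi
}

# decrypts_to_original CIPHER KEY PASSIN: true only if decryption succeeds and
# yields exactly the original payload.
decrypts_to_original() {
  smime_decrypt "$1" "$2" "$3" "$WORK/out.bin" && cmp -s "$WORK/plain.bin" "$WORK/out.bin"
}

# flip_byte FILE OFFSET: XOR the lowest bit of one byte (simulated corruption).
flip_byte() {
  b=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
  printf "\\$(printf '%03o' $((b ^ 1)))" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

smime_encrypt "$WORK/plain.bin" "$WORK/alice.pem" "$WORK/plain.enc"

# Tampered copy: the encrypted content is the last element of the DER structure,
# so a byte 32 bytes before the end lies inside the AES ciphertext, not in a header.
cp "$WORK/plain.enc" "$WORK/tampered.enc"
flip_byte "$WORK/tampered.enc" $(( $(wc -c < "$WORK/plain.enc") - 32 ))

if decrypts_to_original "$WORK/plain.enc" "$WORK/alice.key" env:ALICE_PASS; then
  echo "round trip OK with Alice's key"
fi
if ! decrypts_to_original "$WORK/plain.enc" "$WORK/mallory.key" ""; then
  echo "Mallory's key does not recover the payload (expected)"
fi
if smime_decrypt "$WORK/tampered.enc" "$WORK/alice.key" env:ALICE_PASS "$WORK/tampered.bin"; then
  echo "tampered ciphertext decrypted WITHOUT an error; only a comparison shows the damage"
else
  echo "tampered ciphertext rejected"
fi
```

The third case is the security point of the example: EnvelopedData with AES-CBC provides confidentiality only. A flipped byte inside the ciphertext body garbles one block and one byte of the next, and since nothing authenticates the content, decryption usually completes without any error and hands back altered data. Likewise, anyone holding cert.pem can produce a ciphertext that decrypts cleanly. When origin or integrity matter, sign the message as well (openssl smime -sign) or use openssl cms, the newer command with the same options.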