How to remove Private Key Password from pkcs12 container? 
Sunday, 14 April 2024, 12:25 - OpenSSL
Posted by Administrator
- Export to temporary pem file
openssl pkcs12 -in protected.p12 -nodes -out temp.pem
# -> Enter the password of protected.p12; -nodes writes the private key to temp.pem unencrypted


- Convert pem back to p12
openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password


- Remove the temporary PEM file (it contains the unencrypted private key)
rm temp.pem


How do I verify that a private key matches a certificate? 
Friday, 11 February 2022, 12:47 - Technology, OpenSSL
Posted by Administrator
To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key.

To verify the consistency of the RSA private key:
openssl rsa -check -noout -in myserver.key
RSA key ok

If it doesn't say 'RSA key ok', it isn't OK!

To view the MD5 digest of its modulus (the digest only serves as a short value that is easy to compare):
openssl rsa -modulus -noout -in myserver.key | openssl md5

To view the same digest for the modulus of the RSA public key in a certificate:
openssl x509 -modulus -noout -in myserver.crt | openssl md5

If the first command shows any errors, or if the modulus of the public key in the certificate and the modulus of the private key do not match exactly, then you're not using the correct private key.
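
The two checks above combined into one script, as an added example that is not part of the original post. The function name rsa_key_matches_cert and the script name are hypothetical; it assumes an unencrypted RSA key and a PEM certificate, and it compares the full moduli rather than their MD5 digests.

```sh
#!/bin/sh
# Added example, not from the original post; rsa_key_matches_cert is a
# hypothetical name. Assumes an unencrypted RSA key and a PEM certificate.
rsa_key_matches_cert() {
    key=$1
    crt=$2

    # Step i): trust the "RSA key ok" text rather than the exit status,
    # as the post advises ("If it doesn't say 'RSA key ok', it isn't OK").
    check_out=$(openssl rsa -check -noout -in "$key" 2>/dev/null) || true
    case $check_out in
        *"RSA key ok"*) ;;
        *) echo "FAIL: $key is not a consistent RSA private key" >&2
           return 2 ;;
    esac

    # Step ii): both commands print a single line "Modulus=<hex>".
    key_mod=$(openssl rsa -modulus -noout -in "$key" 2>/dev/null) || true
    crt_mod=$(openssl x509 -modulus -noout -in "$crt" 2>/dev/null) || true

    # A missing file or a non-RSA certificate yields no hex modulus;
    # that must be reported as an error, never as a match.
    case ${crt_mod#Modulus=} in
        ''|*[!0-9A-Fa-f]*)
            echo "FAIL: no RSA modulus readable from $crt" >&2
            return 2 ;;
    esac

    # Compare the full moduli instead of their MD5 digests.
    if [ "$key_mod" = "$crt_mod" ]; then
        echo "OK: $key matches $crt"
        return 0
    fi
    echo "MISMATCH: $key is not the private key for $crt" >&2
    return 1
}

# Usage: sh check_keypair.sh myserver.key myserver.crt
if [ "$#" -eq 2 ]; then
    rsa_key_matches_cert "$1" "$2"
fi
```

The function returns 0 on a match, 1 on a mismatch and 2 when the key or certificate cannot be checked, so it can gate a deployment step.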

Check CRL for revoked certificates and validity of CRL itself
Saturday, 15 January 2022, 14:23 - OpenSSL
Posted by Administrator
To find out whether a client certificate has been revoked, or whether the Certificate Revocation List itself is still valid (not past the "Next Update" attribute it defines):
openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you're unsure whether it is DER or PEM, open it with a text editor. If you see -----BEGIN X509 CRL----- then it's PEM, and if you see strange binary-looking garbage characters it's DER.
Turning SSLv3 off on Apache Server to mitigate "POODLE" attack (CVE-2014-3566) 
Thursday, 16 October 2014, 10:22 - Apache Stuff, OpenSSL
Posted by Administrator
Add the following to your SSL configuration section:

# Disable SSLv2 & SSLv3 against POODLE issue (CVE-2014-3566)
SSLProtocol All -SSLv2 -SSLv3

Make sure to add this to every VirtualHost section where SSL is enabled!

Check your config:
apachectl configtest

Then restart apache server:
sudo service apache2 restart

To check if SSLv3 is turned off:
openssl s_client -connect server.domain.tld:443 -ssl3

Then you should see a message like this:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40

To disable SSLv3 within other services:
see this post
Check certificate on a server 
Wednesday, 4 June 2014, 18:26 - Knowledge, OpenSSL
Posted by Administrator
Issue the following command:
openssl s_client -CApath /etc/ssl/certs/ -connect <host.domain.tld>:993

To test a mail server that offers both unencrypted and encrypted (TLS) connections via the STARTTLS method:
openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect <host.domain.tld>:25


Near the end of the command output you should see:
    Verify return code: 0 (ok)

before any greeting message from the server.

A bit further up, you can check that the certificate chain is complete:
Certificate chain
0 s:/description=3UwjnK9kRZ2wUo8e/C=CH/CN=domain1.ownspace.ch/emailAddress=hostmaster@ownspace.ch
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

The last i(ssuer) is the root cert that most clients will trust.