{"id":5587,"date":"2016-02-04T10:04:18","date_gmt":"2016-02-04T02:04:18","guid":{"rendered":"http:\/\/rmohan.com\/?p=5587"},"modified":"2016-02-04T10:04:18","modified_gmt":"2016-02-04T02:04:18","slug":"openssl-commands-2","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5587","title":{"rendered":"OpenSSL Commands"},"content":{"rendered":"<h1 class=\"title\">OpenSSL Commands<\/h1>\n<div class=\"tabs\"><\/div>\n<div class=\"region region-content\">\n<div class=\"block-wrapper odd block_1\">\n<div id=\"block-system-main\" class=\"block block-system \">\n<div class=\"content\">\n<div id=\"node-98\" class=\"node node-page odd   full-node node-type-page clearfix\">\n<div class=\"content\">\n<div class=\"field field-name-body field-type-text-with-summary field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\">\n<p>After you have applied for a personal or a host certificate, you may need to export the bundle from your browser and convert it into a different format before you can use it with tools such as GSI-SSH to authenticate yourself to the grid, or install a host certificate on the host you will be administering.<\/p>\n<p>The bundle a browser exports is a PKCS#12 (&#8220;.p12&#8221; or &#8220;.pfx&#8221;) file; the openssl commands below convert it into other formats such as &#8220;.pem&#8221; files and cover the checks you will want to make on the result.<\/p>\n<p>Here are some useful openssl commands for managing certificates using the <a href=\"http:\/\/www.openssl.org\/\">OpenSSL toolkit<\/a>, which is available on most platforms. A <a href=\"http:\/\/www.openssl.org\/related\/binaries.html\">Windows version of OpenSSL<\/a> is also available.<\/p>\n<h2><strong>Converting a p12 \/ pfx bundle to a <em>user<\/em> certificate and private key file, e.g. 
after exporting from a browser or the CertWizard<\/strong><\/h2>\n<p>Both commands prompt for the import password that was set when the bundle was exported. The first writes only the end-entity (&#8220;client&#8221;) certificate and leaves out any CA certificates carried in the bundle; the second writes the private key, encrypted under a new passphrase that it asks you for:<\/p>\n<pre>$&gt; openssl pkcs12 -clcerts -nokeys -out usercert.pem -in cert.p12<\/pre>\n<pre>$&gt; openssl pkcs12 -nocerts -out userkey.pem -in cert.p12<\/pre>\n<p>After doing this, protect the files by running <strong>chmod 644 usercert.pem<\/strong> and <strong>chmod 400 userkey.pem<\/strong>; GSI tools such as grid-proxy-init will not load a private key that other users can read.<\/p>\n<h2>Converting a p12 \/ pfx bundle to a <em>server\/service<\/em> certificate and private key file, e.g. after exporting from a browser<\/h2>\n<p>The only difference from the user case is <strong>-nodes<\/strong>, which writes the key without a passphrase so that the service can load it at start-up without prompting:<\/p>\n<pre>$&gt; openssl pkcs12 -clcerts -nokeys -out hostcert.pem -in cert.p12<\/pre>\n<pre>$&gt; openssl pkcs12 -nocerts -nodes -out hostkey.pem -in cert.p12<\/pre>\n<p>After doing this, protect the files by running <strong>chmod 644 hostcert.pem<\/strong> and <strong>chmod 400 hostkey.pem<\/strong>; an unencrypted host key is only as safe as the permissions on it.<\/p>\n<h2>Convert a certificate and private key file into a p12 bundle, e.g. for importing into a browser<\/h2>\n<p>This prompts for the key&#8217;s passphrase and then for an export password that protects the new bundle; the <strong>-name<\/strong> value is the friendly name the browser will display:<\/p>\n<pre>$&gt; openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 -name \"name for certificate\"<\/pre>\n<h2>Passphrase management<\/h2>\n<p>To remove the passphrase of a server\/service private key in PEM format (note that this should only be done on server\/service keys &#8211; user keys must always be protected by a passphrase). Write to a new file and rename it rather than overwriting the original in place, so that a failed run cannot leave you with an empty key:<\/p>\n<pre>$&gt; openssl rsa -in hostkey.pem -out hostkey.pem.new\r\nEnter pass phrase for hostkey.pem: ****************\r\nwriting RSA key\r\n$&gt; mv hostkey.pem.new hostkey.pem\r\n<\/pre>\n<p><strong>openssl rsa<\/strong> only handles RSA keys; for any other key type (for example EC) use <strong>openssl pkey<\/strong> with the same <strong>-in<\/strong> and <strong>-out<\/strong> options.<\/p>\n<h2>Checking whether a certificate is valid<\/h2>\n<p>If you have the certificate loaded into a browser, you can go to the CA Portal&#8217;s <a href=\"https:\/\/portal.ca.grid-support.ac.uk\/caportal\/cert_owner\">Login page<\/a> and it will show the status of your certificate (if valid).<\/p>\n<p>Alternatively, if you are on a system with an up-to-date installation of the CA information in (typically) \/etc\/grid-security\/certificates (a directory of CA certificates named by subject hash, as produced by c_rehash), you can test your certificate like 
this:<\/p>\n<pre>$&gt; openssl verify -CApath \/etc\/grid-security\/certificates usercert.pem\r\n<\/pre>\n<p>The output ends in <strong>usercert.pem: OK<\/strong> when a chain to an installed CA builds and the certificate is within its validity period; otherwise an error line names the failing check. Revocation is not checked unless you add <strong>-crl_check<\/strong> and the CRLs are installed in the same directory.<\/p>\n<h2>Extracting information from a certificate<\/h2>\n<p>Display the Distinguished Name (DN) from a certificate in PEM format. The <strong>sed<\/strong> strips the <strong>subject= <\/strong> prefix that older OpenSSL releases print; newer releases print <strong>subject=<\/strong> without the space and put spaces around each <strong>=<\/strong>, so if you need a stable form add <strong>-nameopt RFC2253<\/strong>.<\/p>\n<pre>$&gt; openssl x509 -in usercert.pem -noout -subject | sed 's\/subject= \/\/'<\/pre>\n<p>Display the contents of a private key in PEM format (this prints the modulus, private exponent and primes, so never paste the output anywhere):<\/p>\n<pre>$&gt; openssl rsa -in userkey.pem -noout -text<\/pre>\n<p>Display the Distinguished Name (DN) of a p12 file (you will be asked for the bundle&#8217;s import password):<\/p>\n<pre>$&gt; openssl pkcs12 -in cert.p12 -nokeys -clcerts | openssl x509 -noout -subject | sed 's\/subject= \/\/'<\/pre>\n<h2>Extracting information from other objects<\/h2>\n<p>Display the contents of a Certificate Revocation List (CRL) in DER format<\/p>\n<pre>$&gt; openssl crl -inform der -noout -text &lt; importCRL<\/pre>\n<h2>Remove a passphrase from a host private key<\/h2>\n<p>To remove a passphrase from the private key of a host certificate (the command prompts for the current passphrase; as in Passphrase management above, writing to a new file and renaming is safer than overwriting in place):<\/p>\n<pre>$&gt; openssl rsa -in hostkey.pem -out hostkey.pem<\/pre>\n<h2>Add a passphrase to a host private key<\/h2>\n<p>To add a passphrase to the private key of a host certificate. <strong>-des3<\/strong> selects triple DES; any current OpenSSL also accepts <strong>-aes256<\/strong>, which is the better choice for a key that will be kept for years:<\/p>\n<pre>$&gt; openssl rsa -in hostkey.pem -out hostkey.pem -des3<\/pre>\n<h2>Check whether a certificate and a private key match<\/h2>\n<p>Perhaps surprisingly, the private key file contains the public key, and so does the certificate, so the two can be extracted and compared. This example shows a host certificate but of course it works for all certificates:<\/p>\n<pre>$&gt; openssl rsa -in hostkey.pem -pubout\r\n<\/pre>\n<pre>$&gt; openssl x509 -in hostcert.pem -pubkey -noout\r\n<\/pre>\n<p>Now compare the public key blocks printed &#8211; do they look the same? 
In shells with process substitution, such as bash and zsh, you can do the comparison in one line:<\/p>\n<pre>$&gt; diff -qs &lt;(openssl rsa -in hostkey.pem -pubout) &lt;(openssl x509 -in hostcert.pem -pubkey -noout)<\/pre>\n<p><strong>diff -qs<\/strong> reports either that the two are identical or that they differ. For a key that is not RSA, replace <strong>openssl rsa<\/strong> with <strong>openssl pkey<\/strong>, which accepts every key type.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSL Commands <\/p>\n<p>After you applied for a personal or a host certificate, you may need to export the bundle from your browser and convert them into a different format to be able to use them in tools like GSI-SSH in order to authenticate yourself to the grid, and also to be able to install your [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5587"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5587"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5587\/revisions"}],"predecessor-version":[{"id":5588,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5587\/revisions\/5588"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5587"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
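The p12 conversions, passphrase handling, DN extraction, -CApath verification and key/certificate matching described on the page, run end-to-end as one added example (this is not code from the original page or its author). It generates a throwaway CA and host certificate locally and packs them into a cert.p12 so that nothing depends on a real CA, browser export or grid host; the CA name, host name, passwords, file names and the temporary directory are all constructed for the demo. It is written for POSIX sh, so the page's bash process-substitution one-liner is replaced by a plain string comparison, and every command takes its password through -passin/-passout instead of prompting.

```shell
#!/bin/sh
# Added example, not from the original page: generate a throwaway CA, a host
# certificate it signs and a cert.p12 bundle, then run the page's pkcs12 /
# rsa / x509 commands over them and check each result. The CA name, host
# name, passwords and file names are all constructed for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl is required' >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PASS='export-pass'   # import password set when the .p12 was exported (constructed)
KEYPASS='key-pass'      # passphrase we put on the PEM key later (constructed)
umask 077               # every file we write starts out private

# Throwaway CA and host certificate, packed into cert.p12 the way a browser
# export or the CertWizard would (with the CA certificate included).
make_test_pki() {
    cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj '/O=Example/CN=host.example.test' \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$WORK/host.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/host.crt" -inkey "$WORK/host.key" \
        -certfile "$WORK/ca.pem" -name 'host.example.test' \
        -passout "pass:$P12PASS" -out "$WORK/cert.p12"
}

# The page's extraction commands, made non-interactive with -passin.
# -clcerts keeps the CA out of hostcert.pem; -cacerts pulls it out separately.
# (A bundle written by an old browser may also need -legacy on OpenSSL 3.)
unpack_p12() {
    openssl pkcs12 -in "$WORK/cert.p12" -clcerts -nokeys \
        -passin "pass:$P12PASS" -out "$WORK/hostcert.pem"
    openssl pkcs12 -in "$WORK/cert.p12" -nocerts -nodes \
        -passin "pass:$P12PASS" -out "$WORK/hostkey.pem"
    openssl pkcs12 -in "$WORK/cert.p12" -cacerts -nokeys \
        -passin "pass:$P12PASS" -out "$WORK/cacert.pem"
    chmod 644 "$WORK/hostcert.pem"
    chmod 400 "$WORK/hostkey.pem"
}

# Key and certificate both carry the public key; identical SPKI blocks mean
# they belong together. openssl pkey, unlike openssl rsa, accepts any key type.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Subject DN in RFC 2253 form. The "subject=" prefix varies between OpenSSL
# releases ("subject= /C=.." vs "subject=C = .."), so strip it generically.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12PASS" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Put a passphrase on a key (AES-256 rather than the page's 3DES) or take it
# off. Both write to a new file: a failed in-place rewrite leaves an empty key.
add_passphrase() { openssl rsa -in "$1" -aes256 -passout "pass:$KEYPASS" -out "$2" 2>/dev/null; }
strip_passphrase() { openssl rsa -in "$1" -passin "pass:$KEYPASS" -out "$2" 2>/dev/null; }
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# openssl verify -CApath expects <subject-hash>.N entries, which is what
# c_rehash / "openssl rehash" build in /etc/grid-security/certificates.
verify_against_ca() {   # verify_against_ca <cert.pem> <ca.pem>
    mkdir -p "$WORK/capath"
    cp "$2" "$WORK/capath/ca.pem"
    ln -sf ca.pem "$WORK/capath/$(openssl x509 -hash -noout -in "$2").0"
    openssl verify -CApath "$WORK/capath" "$1" >/dev/null 2>&1
}

main() {
    make_test_pki
    unpack_p12
    key_matches_cert "$WORK/hostkey.pem" "$WORK/hostcert.pem" || { echo 'key does not match cert' >&2; exit 1; }
    add_passphrase "$WORK/hostkey.pem" "$WORK/hostkey.enc.pem"
    strip_passphrase "$WORK/hostkey.enc.pem" "$WORK/hostkey.pem.new"
    echo "subject: $(cert_subject "$WORK/hostcert.pem")"
    verify_against_ca "$WORK/hostcert.pem" "$WORK/cacert.pem" && echo 'hostcert.pem: OK'
}
main
```

Run it as `sh openssl-roundtrip.sh`; it prints the host certificate's subject and `hostcert.pem: OK` and exits non-zero at the first step that fails. The same functions work on a real bundle if you point `WORK` at a directory holding your own `cert.p12` and skip `make_test_pki`; the -CApath handling then mirrors what `openssl verify -CApath /etc/grid-security/certificates` does on a grid host.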