dejanualex

OpenSSL a swiss army knife - part1

If you ever need to verify an SSL/TLS connection or inspect a certificate, openssl is the answer... maybe.

The openssl program provides a rich variety of commands.

First, a short walkthrough of some of the file extensions you might encounter.

CER (.cer) or CRT (.crt): a certificate, either PEM or DER encoded. It contains the owner's identity and public key (never the private key; the extension says nothing about the encoding, so check the file).
PEM (.pem): Base64 encoding of the DER bytes, wrapped in -----BEGIN ...----- / -----END ...----- lines. A PEM file can hold several objects; certificate and private key are usually kept in separate files.
DER (.der): the raw binary ASN.1 encoding of the certificate (PEM is just Base64 of this); commonly used on the Java platform. Contains the certificate only, not the private key.
PKCS7 (.p7b): a bundle of one or more certificates (typically Base64/PEM, but can also be DER). Contains certificates but never a private key.
PKCS12 (.pfx or .p12): binary container used on Windows platforms. Holds the certificate(s) together with the private key, protected by a password.

Getting to the point: troubleshooting SSL/TLS connections and inspecting certificates.

# debug the SSL/TLS connection (prints the handshake messages and state transitions)
openssl s_client -msg -debug -state -connect <host>:<port>

# display the entire certificate chain sent by the server, in PEM format
openssl s_client -connect <host>:<port> -showcerts

# check TLS version support: if the handshake completes and you get the certificate chain,
# the server supports that protocol version; a handshake failure means it does not
# (or that your own OpenSSL build/security level has that version disabled, common for 1.0/1.1)
openssl s_client -connect <host>:<port> -tls1      # TLS 1.0
openssl s_client -connect <host>:<port> -tls1_1    # TLS 1.1
openssl s_client -connect <host>:<port> -tls1_2    # TLS 1.2 (OpenSSL 1.1.1+ also accepts -tls1_3)

# check certificate expiration dates: </dev/null closes s_client's stdin so it exits after the
# handshake, -servername sets SNI so you get the right certificate for a shared host, and note
# that openssl x509 only reads the FIRST certificate of the chain (the leaf), not the issuers
openssl s_client -connect <host>:<port> -servername <host> -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates

# display the content of a PEM certificate (the same command works for a .pem or a .crt file;
# for a DER-encoded file add -inform DER)
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.crt -text   # without -noout the PEM block is printed after the text
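The expiration check above only reports on the first certificate in the `-showcerts` output, and the extension list states that PEM is Base64-encoded DER. The following is an added example (not code from the original post) that shows both with nothing but Python's standard library: it splits a PEM bundle into DER blobs, walks the DER structure to read each certificate's validity window, and reports every certificate in the chain rather than just the leaf. The sample chain is constructed inline and is not a real signed certificate; only the version, serial number and validity fields are populated, the rest are empty placeholders.

```python
"""Stdlib-only reader for the PEM chain that `openssl s_client -showcerts` prints.
Added example, not from the original post; the sample chain below is constructed
and unsigned (only the fields this code reads are meaningful)."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_chain(text):
    """PEM is Base64 of DER between armour lines; return every DER blob in the bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def der_to_pem(der):
    """Inverse: Base64 the DER bytes, wrap at 64 columns, add the armour lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _tlv(buf, pos):
    """Decode one DER tag-length-value header -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Iterate the elements inside a constructed node (SEQUENCE, [0], ...)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = "%04d%s" % (yy + (1900 if yy >= 50 else 2000), s[2:])
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(der):
    """Return (notBefore, notAfter) from Certificate.tbsCertificate.validity."""
    _, cs, ce = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, ts, te = next(_children(der, cs, ce))          # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    _, vs, ve = fields[3]  # serialNumber, signature, issuer, validity, subject, spki, ...
    return tuple(_parse_time(t, der[a:b]) for t, a, b in _children(der, vs, ve))


def chain_report(pem_bundle, now):
    """One (index, notBefore, notAfter, status) row per certificate, not just the first."""
    rows = []
    for i, der in enumerate(pem_to_der_chain(pem_bundle)):
        nb, na = validity(der)
        status = "valid" if nb <= now <= na else ("not yet valid" if now < nb else "EXPIRED")
        rows.append((i, nb, na, status))
    return rows


# --- constructed sample data: a DER skeleton, NOT a real or signed certificate ---
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_sample_cert(not_before, not_after):
    """Real version/serial/validity fields, empty placeholders for everything else."""
    utc = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _enc(0x30, b"".join([
        _enc(0xA0, _enc(0x02, b"\x02")),               # [0] version v3
        _enc(0x02, b"\x01"),                           # serialNumber
        _enc(0x30, b""),                               # signature AlgorithmIdentifier
        _enc(0x30, b""),                               # issuer Name
        _enc(0x30, utc(not_before) + utc(not_after)),  # validity
        _enc(0x30, b""),                               # subject Name
        _enc(0x30, b""),                               # subjectPublicKeyInfo
    ]))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))  # + sigAlg, signature


DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the demo


def sample_bundle():
    """Leaf still valid, issuer already expired: the case a leaf-only check misses."""
    leaf = make_sample_cert(datetime(2024, 1, 1), datetime(2025, 1, 1))
    issuer = make_sample_cert(datetime(2022, 1, 1), datetime(2023, 1, 1))
    return der_to_pem(leaf) + der_to_pem(issuer)


if __name__ == "__main__":
    for i, nb, na, status in chain_report(sample_bundle(), DEMO_NOW):
        print(f"cert {i}: notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} {status}")
```

Feed it the output of `openssl s_client -connect <host>:<port> -showcerts </dev/null` (or any PEM bundle) instead of `sample_bundle()` and it reports the leaf and every intermediate, which is what the single `openssl x509 -dates` pipe cannot do.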

⚠️ X.509 is the standard format for public key certificates: digital documents, signed by a certification authority, that bind a public key to an identity such as a website, an individual, or an organization. The openssl x509 subcommand is the utility for displaying and manipulating such certificates.

OpenSSL is capable of doing much more, like generating a CSR or converting a certificate from one encoding to another (e.g. DER to PEM), but these subjects will be addressed in part 2.
