DEV Community

dejanualex

OpenSSL a swiss army knife - part1

If you have ever needed to verify SSL/TLS connections or check certificate information, then openssl is the answer... maybe.

The openssl program provides a rich variety of commands.

First, a small walkthrough of some of the file extensions that we might encounter.

CER (.cer) or CRT (.crt): the certificate can be PEM or DER encoded; contains certificate owner information and public and private keys.
PEM (.pem): Base64 encoded form of a DER certificate. Certificate and private key are stored in different files.
DER (.der): Binary form of a PEM certificate, used on the Java platform. Certificate and private key are stored in different files.
PKCS7 (.p7b): ASCII code. Contains the certificate but not the private key.
PKCS12 (.pfx or .p12): Binary form used on Windows platforms. Contains the certificate(s) and the private and public keys (it is password protected).

Getting to the point: troubleshooting SSL/TLS connections and inspecting certificates:

# debug the SSL/TLS connection (view the handshake process)
openssl s_client -msg -debug -state -connect <host_ip>:<port>

# display the entire certificate chain in PEM format
openssl s_client -connect <host_ip>:<port> -showcerts

# check the TLS version: if the handshake completes and you get the certificate chain, the system supports the TLS version in question
openssl s_client -connect <host_ip>:<port> -tls1
openssl s_client -connect <host_ip>:<port> -tls1_1
openssl s_client -connect <host_ip>:<port> -tls1_2

# check the certificate expiration date
# (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input)
openssl s_client -connect <hostname>:<PORT> -showcerts </dev/null | openssl x509 -noout -dates

# display the content of a PEM certificate (cert.pem or cert.crt)
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.crt -text

⚠️ X.509 is a standard format for public key certificates, digital documents that securely associate cryptographic key pairs with identities such as websites, individuals, or organizations.
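
The expiration check above only reports on the first certificate that `s_client -showcerts` prints, because `openssl x509` parses a single PEM block. As an added example (not part of the original post), the script below splits the chain and flags every certificate that expires within a given window; the function names and the locally generated sample chain are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: expiry report for EVERY certificate in `s_client -showcerts`
# output. The chain is first split into one file per PEM block.

# split_chain DIR: read s_client text on stdin, write DIR/cert-N.pem, print count.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }'
}

# expires_within FILE SECONDS: exit 0 if FILE expires within SECONDS.
# (-checkend itself exits 0 when the certificate will NOT expire in that window.)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# report_chain SECONDS: read s_client output on stdin, print one line per cert.
report_chain() {
    tmp=$(mktemp -d) || return 1
    count=$(split_chain "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        f="$tmp/cert-$i.pem"
        if expires_within "$f" "$1"; then status=EXPIRING; else status=OK; fi
        echo "$status [$i] $(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# make_sample_chain: CONSTRUCTED offline stand-in for s_client output: two throwaway
# self-signed certificates (3-day and 365-day validity) between noise lines.
make_sample_chain() {
    d=$(mktemp -d) || return 1
    echo "CONNECTED(00000003)"
    for spec in constructed-leaf:3 constructed-ca:365; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" -out "$d/c.pem" 2>/dev/null
        echo " s:CN = ${spec%%:*}"
        cat "$d/c.pem"
    done
    rm -rf "$d"
}

# Report anything expiring within 30 days (2592000 seconds).
make_sample_chain | report_chain 2592000
```

Against a live endpoint, pipe `openssl s_client -connect <host_ip>:<port> -showcerts </dev/null` into `report_chain` instead of the constructed sample.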

OpenSSL is capable of doing much more, like generating a .csr or converting from one format to another, e.g. from .crt to .pem, but these subjects will be addressed in part 2.
