Skip to content

tls

TLS is Transport Layer Security. It used to be called SSL: the Secure Sockets Layer. It has to do with encrypted IP traffic.

Apache SSL steps

  1. Generate a host key: openssl genrsa -out foo.com.key 2048
  2. Generate a CSR from that key: openssl req -new -key foo.com.key -out foo.com.csr

To set up VirtualHosts, follow this template: https://cwiki.apache.org/confluence/display/HTTPD/NameBasedSSLVHosts

Examples

Download a certificate from an https server

get_certificate_from_server() {
  hostname="$1"
  port="${2:-443}"
  ip_address="$(dig +short "$hostname")"
  echo |
    openssl s_client -servername "$hostname" -connect "${ip_address}:${port}" 2>/dev/null |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

get_certificate_from_server github.com

Show info about a certificate file

openssl x509 -noout -text -in foo.pem

Derive the public key from the certificate

openssl x509 -in certificate.crt -pubkey -noout -out publickey.pem

Validate a keys / cert pair

To validate that a particular key was used to generate a certificate, useful for testing https key/crt files, do the following and make sure the modulus sections match:

openssl rsa  -noout -modulus -in server.key
openssl x509 -noout -modulus -in server.crt # or server.pem

Or as a function:

function crt-key-compare {
  if [ ! -f "$1" ] || [ ! -f "$2" ] ; then
    echo "ERROR: check that both files exist."
    return 1
  fi

  if [[ "$1" != *crt* ]] || [[ "$2" != *key* ]] ; then
    echo "usage: crt-key-compare <server.crt> <server.key>" ;
  else
    crt_modulus=$(openssl x509 -in "$1" -modulus | grep Modulus) || return 1
    key_modulus=$(openssl rsa  -in "$2" -modulus | grep Modulus) || return 1

    if diff <(echo "$crt_modulus") <(echo "$key_modulus") ; then
      echo "key and crt match."
    else
      echo "key and crt do not match"
    fi
  fi
}

See some information about a server's certificate

SERVER_NAME=linuxforums.org
SERVER_PORT=443
openssl s_client -connect "${SERVER_NAME}:${SERVER_PORT:-443}" -servername "${SERVER_NAME}

See just the dates of a webserver's SSL certificate

check-server-cert-dates() {
    test -z "$1" && { echo "Usage: check-server-cert-dates <servername> [port]" ; return 1 ; }
    openssl s_client -connect "${1}:${2:-443}" -servername "$1" 2>/dev/null </dev/null |
    openssl x509 -noout -dates
}

Show the issuer and dates of a certificate

This is useful when you're moving certs between issuers, for instance if you moved from letsencrypt to something else, then later get an expiration notice from letsencrypt, and want to verify that you're not using that certificate anymore:

openssl s_client -connect "${REMOTE_HOST}:443" -servername "$REMOTE_HOST" 2>/dev/null </dev/null |
openssl x509 -noout -issuer -dates

The output will be something like:

issuer= /C=US/O=DigiCert Inc/CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
notBefore=Feb 18 00:00:00 2022 GMT
notAfter=Oct  5 23:59:59 2022 GMT

Encrypt a file

openssl enc -aes-256-cbc -salt -in yourfile -out yourfile.enc

Decrypt a file

openssl enc -aes-256-cbc -d -in encryptedfile.enc -out decryptedfile

Encrypt / Decrypt bash functions

function encrypt_file() { openssl enc -aes-256-cbc -salt -in "$1" -out "$1.enc" ; }
function decrypt_file() { openssl enc -aes-256-cbc -d -in "$1" -out "$1.dec" ; }

Perform a benchmark

You can run benchmarks on one or more ciphers or digests using openssl speed.

openssl speed -seconds 5 -evp sha256 sha512

Generate random data

openssl can generate pseudo random data faster than /dev/urandom. This generates a 1 megabyte random data file at over 3x the speed of using /dev/urandom.

openssl enc -aes-256-ctr -pbkdf2 -pass pass:"foo" < /dev/zero | dd bs=1024 count=1024 of=1_megabyte_random.dat

See Also