Certificate Generation & Checking with OpenSSL
Lecture, Dr. Lawlor
OpenSSL is a neat little
command line tool for generating and verifying certificates.
Verify a Certificate
Hit the lock icon in your browser, get info, and save the https
certificate to a Base64 .pem file. You can dump this to the
openssl x509 -in somewhere.pem -noout -text
You can verify the certificate against your system's disturbingly
long trusted certificate lists (/usr/share/ca-certificates/mozilla/
or /etc/ssl/certs/ on my machine) using:
openssl verify googleIA.pem
Generate Server Certificate
OpenSSL's "req" command can generate "self-signed"
certificates. These provide no protection against
man-in-the-middle attacks (anybody could just sign their own
certificate to impersonate the server), but are secure against
eavesdroppers who don't modify your traffic.
openssl req \
You can dump the info to the screen as before:
-x509 -nodes -days 9999 \
-subj '/C=US/ST=Alaska/L=Fairbanks/O=University of Alaska Fairbanks/OU=Really Dr. Lawlor/CN=netrun.cs.uaf.edu' \
-newkey rsa:2048 -keyout mycert.key -out mycert.crt
openssl x509 -in mycert.crt -noout -text
You can even start a simple demo HTTPS server using that
openssl s_server -cert mycert.crt -key mycert.key -www
Now you can visit https://localhost:4433
and talk to the server. You'll get a warning about the
self-signed certificate. It doesn't have any content, just
info about the ciphers used, but it is HTTPS!
The same certificate could be used with a real web server, like Apache,
using mod_ssl. The config lines are:
I really aught to do this for NetRun!