OpenSSL

How do you inspect (and verify) the certificate a given mail server presents?

Check the IMAPS service (port 993). -servername sends SNI so a host serving several names returns the right certificate; the sed range keeps only the PEM block (-n is the portable spelling of GNU's --quiet); add -showcerts to s_client if you want the intermediates as well, not just the leaf:

echo | openssl s_client -connect mail.example.com:imaps -servername mail.example.com 2>&1 | \
sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -noout -text

Check SMTP with STARTTLS (port 25; use :submission for 587). Here the TLS handshake only happens after the SMTP greeting, so s_client has to be told which protocol to upgrade with -starttls:

echo | openssl s_client -connect mail.example.com:smtp -starttls smtp 2>&1 | \
sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -noout -text

The Validity section of the output shows when the cert was issued (Not Before) and when it expires (Not After). That is quite useful if you just replaced your cert and want to confirm the new one is actually being served. Note that this only displays the certificate; whether it chains to a trusted root is reported in the s_client output itself, on the "Verify return code" line (0 (ok) is what you want). If the server's CA is not in the system store, point s_client at it with -CAfile, and if the server omits its intermediate you will see a "unable to get local issuer certificate" error, which is exactly what the bundling section below fixes.



Create a new private key. -aes128 encrypts the key file with a passphrase you are prompted for; leave it out for keys a daemon must load unattended, otherwise the service blocks on the passphrase prompt at startup:

openssl genrsa -aes128 -out www.example.com.key 2048

Create a CSR signed with SHA-2 (SHA-256); without -sha256 older OpenSSL builds default to SHA-1, which CAs no longer accept. You will be prompted for the subject fields, or pass them with -subj "/CN=www.example.com":

openssl req -new -sha256 -key www.example.com.key -out www.example.com.csr

View a CSR:

openssl req -in www.example.com.csr -text -verify -noout

Show Cert:

openssl x509 -text -in www.example.com.crt -noout

Show Fingerprint. SHA-1 is what older browsers displayed; prefer -sha256 today, as SHA-1 collisions are practical and a SHA-1 fingerprint is no longer a safe way to pin or compare certificates:

openssl x509 -noout -in www.example.com.crt -fingerprint -sha256

Bundle Intermediate with Cert
Some services, e.g. Postfix, expect the server certificate file to contain the whole chain so that clients which do not know the intermediate can still build a trust path. That's easy to accomplish: just cat (i.e. combine) the certs, your own cert at the top, then the intermediate(s), with the issuer of each cert directly below it. Appending the root at the bottom is harmless but not needed, since a client that does not already trust the root gains nothing from receiving it.

Here is an example with StartSSL's Class 1 Certs (which were free at the time of writing; StartSSL has since been distrusted by the major browsers and shut down, so substitute the intermediate your own CA supplies):

# your cert:
cp example.com.crt example.com-bundle.pem
 
# intermediate class 1, sha256
wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
 
# root ca, sha256
wget https://www.startssl.com/certs/ca-sha2.pem
 
# concatenate (chain) the certs:
cat sub.class1.server.sha2.ca.pem >> example.com-bundle.pem
cat ca-sha2.pem >> example.com-bundle.pem
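The following script is an added example and is not part of the original page. It carries the key/CSR/cert steps above and the bundling step through end to end on a throwaway chain, so you can see the bundle verify without touching a real CA: it generates its own root, intermediate and leaf (all names such as "Example Test Root" and www.example.com are made up, everything lives in a temp dir), builds the bundle leaf-first as described, and then goes one step beyond the page by checking the chain with openssl verify and the expiry with x509 -checkend. It assumes only the openssl command-line tool and a POSIX sh.

```shell
#!/bin/sh
# Added example: build a root -> intermediate -> leaf chain locally, bundle
# leaf + intermediate as the page describes, and verify the result.
# All material is generated in a temp directory; no real CA is involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root. Keys are unencrypted here (no -aes128) so the script
# runs non-interactively; extensions come from a small extfile so the
# result is a proper CA cert on every OpenSSL version.
gen_root() {
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/root.key" \
        -subj "/CN=Example Test Root" -out "$WORK/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
    openssl x509 -req -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 365 -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# Intermediate: CSR signed by the root, CA:TRUE with pathlen 0.
gen_intermediate() {
    openssl genrsa -out "$WORK/sub.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/sub.key" \
        -subj "/CN=Example Test Intermediate" -out "$WORK/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
    openssl x509 -req -sha256 -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
}

# Leaf for the (made-up) host www.example.com, valid 90 days, signed by the intermediate.
gen_leaf() {
    openssl genrsa -out "$WORK/www.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/www.key" \
        -subj "/CN=www.example.com" -out "$WORK/www.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$WORK/www.ext"
    openssl x509 -req -sha256 -in "$WORK/www.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 90 -extfile "$WORK/www.ext" -out "$WORK/www.pem" 2>/dev/null
}

# Bundle: leaf first, then its issuer. The root is deliberately left out;
# a client has to trust it already, so shipping it adds nothing.
make_bundle() {
    cat "$WORK/www.pem" "$WORK/sub.pem" > "$WORK/www-bundle.pem"
}

# Number of PEM certificates in the bundle (expected: 2).
bundle_cert_count() {
    grep -c -- '-BEGIN CERTIFICATE-' "$WORK/www-bundle.pem"
}

# Chain check: trust only the root, take intermediates from the bundle.
# Exit status 0 means the chain builds and every signature checks out.
verify_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/www-bundle.pem" "$WORK/www.pem" >/dev/null 2>&1
}

# Negative check: with the intermediate missing, verification must fail
# ("unable to get local issuer certificate"), which is what a client sees
# when a server ships only its leaf.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/www.pem" >/dev/null 2>&1
}

# Expiry check: -checkend N exits 0 if the cert is still valid N seconds
# from now. Returns 0 (true) if the leaf expires within the given days.
expires_within_days() {
    if openssl x509 -in "$WORK/www.pem" -noout -checkend $(($1 * 86400)) >/dev/null; then
        return 1
    else
        return 0
    fi
}

# SHA-256 fingerprint of the leaf, colon-separated hex only.
leaf_fingerprint() {
    openssl x509 -in "$WORK/www.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

gen_root; gen_intermediate; gen_leaf; make_bundle
```

To check a production bundle the same way, replace the temp-dir paths with your real files: openssl verify -CAfile <root> -untrusted <bundle> <leaf>. If that fails but works once you add the intermediate with -untrusted, the bundle is missing a link, exactly the failure the Postfix section is about.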
networking/openssl.txt · Last modified: 2015-12 by tb