openssl

1
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/NfinityParad0x on 2023-07-27 15:04:16+00:00.


Ok, not going to lie, this might be a bit of a dumb question.

I'm using OpenSSL version 3.0.8 on a CentOS 7 VMWare VM.

I know that I can use it through a proxy like so:

openssl s_client -proxy myproxyinfo:1234 -connect website/on-otherside-of/proxy:443

What I'm trying to figure out is whether there is a way to have openssl use either the HTTPS_PROXY environment variable or modify the openssl.cnf to use the specific proxy for EVERY connection attempt?

I'm not sure if this can be done, I've tried looking online and haven't turned anything other than the '-proxy' flag up.

Any thoughts would be greatly appreciated!

2
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/Awkward_Tomatillo845 on 2023-07-25 06:43:09+00:00.


Hi, I spent quite a lot of hours trying to figure this out but unfortunately to no avail and I hope to get some guidance here. I am using R to curl a website with a certificate attached and unfortunately I keep getting the error as per the title. I have tried to downgrade OpenSSL to 1.1.1s and Curl to what my Git uses which is 7.86.0. The website supports TLS 1.2 that I checked on the openssl analysis website: https://www.ssllabs.com/ssltest/ - Signature algorithm SHA256withRSA

I have also tried to disable the firewall and it does not work.

Any ideas what else I can try to make it work? Thanks.

3
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/kevkevverson on 2023-07-18 15:58:28+00:00.


My program is spending most of its CPU time in openssl functions (servicing curl https requests) and it looks like it is not using any hardware acceleration. Do I have to explicitly enable this somehow? I have a standard Ubuntu 22 installation with curl/openssl installed via apt.

$ uname -a
Linux 5.19.0-35-generic #36~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 17 15:17:25 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

It seems like the machine can do it:

$ grep aes /proc/cpuinfo | wc -l
28

But the metrics are the same with and without -evp:

$ openssl speed -elapsed aes-128-cbc 
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 263113079 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 79169247 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 20252411 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 5108777 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 631382 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 321626 aes-128-cbc's in 3.00s
version: 3.0.2
built on: Wed May 24 17:12:55 2023 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-Z1YLmC/openssl-3.0.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_ia32cap=0x7ffef3bfffebffff:0x800d39ef7eb
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc    1403269.75k  1688943.94k  1728205.74k  1743795.88k  1724093.78k  1756506.79k

$ openssl speed -elapsed -evp aes-128-cbc 
You have chosen to measure elapsed time instead of user CPU time.
Doing AES-128-CBC for 3s on 16 size blocks: 214679139 AES-128-CBC's in 3.00s
Doing AES-128-CBC for 3s on 64 size blocks: 78848087 AES-128-CBC's in 3.00s
Doing AES-128-CBC for 3s on 256 size blocks: 20372792 AES-128-CBC's in 3.00s
Doing AES-128-CBC for 3s on 1024 size blocks: 4986893 AES-128-CBC's in 3.00s
Doing AES-128-CBC for 3s on 8192 size blocks: 618327 AES-128-CBC's in 3.00s
Doing AES-128-CBC for 3s on 16384 size blocks: 316746 AES-128-CBC's in 3.00s
version: 3.0.2
built on: Wed May 24 17:12:55 2023 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-Z1YLmC/openssl-3.0.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_ia32cap=0x7ffef3bfffebffff:0x800d39ef7eb
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC    1144955.41k  1682092.52k  1738478.25k  1702192.81k  1688444.93k  1729855.49k

What have I missed? Thanks in advance

4
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/spekt909 on 2023-07-12 19:00:57+00:00.


I am not sure it is possible?

openssl ecparam -out test.key -name prime256v1 -genkey

openssl req -new -sha256 -key test.key -nodes -out request.csr -subj '/O=Test/C=US'

5
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/BarberImmediate5554 on 2023-07-06 06:52:10+00:00.


This is the first time I am publishing data over MQTT with SSL/TLS and I am stuck at this error when I enable SSL/TLS, please help. (Using ESP32)

#include <SPI.h>
#include <WiFi.h>
#include <SSLClient.h>
#include "certificates.h"
#include <PubSubClient.h>

const char* ssid = "blah blah";
const char* password = "blah blah";
const char* mqttBroker = "blah blah";
const char* mqttUsername = "blah blah";
const char* mqttPassword = "";
int rand_pin = 5;  // analog pin SSLClient samples for entropy

// Client certificate and key for mutual TLS (contents redacted by the poster)
const char my_cert[] =
"-----BEGIN CERTIFICATE-----\n"
"blah blah"
"-----END CERTIFICATE-----";
const char my_key[] =
"-----BEGIN CERTIFICATE-----\n"
"blah blah"
"-----END CERTIFICATE-----";

WiFiClient wifiClient;
// TAs and TAs_NUM (the trust anchors) come from certificates.h
SSLClient wifiClientSSL(wifiClient, TAs, (size_t)TAs_NUM, rand_pin);
PubSubClient client(wifiClientSSL);

// Print every message received on a subscribed topic
void callback(char* topic, byte* payload, unsigned int length) {
  Serial.print("Message arrived [");
  Serial.print(topic);
  Serial.print("] ");
  for (unsigned int i = 0; i < length; i++) {
    Serial.print((char)payload[i]);
  }
  Serial.println();
}

// Retry the MQTT connection every 5 seconds until it succeeds
void reconnect() {
  while (!client.connected()) {
    Serial.println("Connecting to MQTT server...");
    if (client.connect("ESP32Client", mqttUsername, mqttPassword)) {
      Serial.println("Connected to MQTT server");
    } else {
      Serial.print("Failed to connect to MQTT server, rc=");
      Serial.print(client.state());
      Serial.println(" Retrying in 5 seconds...");
      delay(5000);
    }
  }
}

void setup() {
  Serial.begin(19200);
  delay(4000);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(1000);
    Serial.println("Connecting to WiFi..");
  }
  Serial.println("Connected to the WiFi network");

  bool EnableSSL = true;

  if (EnableSSL) {
    callMQTTS();
  } else {
    callMQTT();
  }
}

// MQTT over TLS on port 8883, presenting the client certificate
void callMQTTS() {
  SSLClientParameters mTLS = SSLClientParameters::fromPEM(my_cert, sizeof my_cert, my_key, sizeof my_key);
  wifiClientSSL.setMutualAuthParams(mTLS);
  client.setServer(mqttBroker, 8883);
  client.setCallback(callback);
}

// Plain MQTT on port 1883
void callMQTT() {
  client.setServer(mqttBroker, 1883);
  client.setCallback(callback);
}

void publishToServer(const char* variable, float value) {
  char payload[50];
  // snprintf keeps a long variable name from overrunning the buffer
  snprintf(payload, sizeof payload, "{\"%s\": %.2f}", variable, value);
  client.publish("blah blah", payload);
}

void loop() {
  if (!client.connected()) {
    reconnect();
  }
  client.loop();

  float MQTTtest_var = 99999;

  publishToServer("mqttsTest_var", MQTTtest_var);
  Serial.print("Published data: mqttsTest_var = ");
  Serial.println(MQTTtest_var);
  delay(10000);
}

certificates.h:-

#ifndef CERTIFICATES_H
#define CERTIFICATES_H

#ifdef __cplusplus
extern "C" {
#endif

#define TAs_NUM 1

static const unsigned char TA_DN0[] = {
  // blah blah
};

static const unsigned char TA_RSA_N0[] = {
  // blah blah
};

static const unsigned char TA_RSA_E0[] = {
  // blah blah
};

static const br_x509_trust_anchor TAs[] = {
  {
    { (unsigned char *)TA_DN0, sizeof TA_DN0 },
    BR_X509_TA_CA,
    {
      BR_KEYTYPE_RSA,
      { .rsa = {
        (unsigned char *)TA_RSA_N0, sizeof TA_RSA_N0,
        (unsigned char *)TA_RSA_E0, sizeof TA_RSA_E0,
      } }
    }
  },
};

#ifdef __cplusplus
}
#endif

#endif

Serial Monitor:-

Connecting to WiFi..
Connected to the WiFi network
Connecting to MQTT server...
(SSLClient)(SSL_WARN)(m_run_until): Terminating because the ssl engine closed
(SSLClient)(SSL_ERROR)(m_start_ssl): Failed to initlalize the SSL layer
(SSLClient)(SSL_ERROR)(m_print_br_error): Chain could not be linked to a trust anchor. See https://github.com/OPEnSLab-OSU/SSLClient/blob/master/TrustAnchors.md
Failed to connect to MQTT server, rc=-2 Retrying in 5 seconds...

6
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/xaetlas on 2023-07-04 09:09:25+00:00.


I was wondering, if I want to implement triple DES EDE with the openssl library in C, what would I have to do to decrypt a file? I found the method "EVP_des_ede_cfb()"; would I have to use this 3 times to implement 3DES or is once enough?

7
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/BeepityBoopityBot on 2023-07-04 08:18:19+00:00.


I have a PHP application (running on Amazon Linux via Bref on Lambda) which has been signing Apple passbooks no problem. I've been trying to do various upgrades which includes moving to AWS Linux 2023 which uses OpenSSL 3.

Since then I've been getting these errors when I try to sign passbooks. It seems I get the first one first, then I refresh a few times and it becomes the second error.

error:0308010C:digital envelope routines::unsupported
error:0480006C:PEM routines::no start line

There is an "Apple Worldwide Developer Relations Certificate" which is a .pem file, and I've confirmed the start line with "BEGIN CERTIFICATE" is there. The signature algorithm of the certificate I'm using to sign is SHA-256 with RSA Encryption (1.2.840.113549.1.1.11).

I'm using this package to create the passbooks and this is the line which is failing.

I've tried updating the OpenSSL config in various ways (e.g. extending and including the original .cnf, copying the entire content into a new one) and adding the following lines. This hasn't made any difference.

[ provider_sect ]
default = default_sect
legacy = legacy_sect

[ default_sect ]
activate = 1

[legacy_sect]
activate = 1

Do I maybe need to add/change more of the config to support these? Could the algorithms maybe not be installed?

I've been struggling with this for days, so any help would be very much appreciated!

8
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/FixYourOwnStates on 2023-06-02 16:57:20+00:00.


I am using openssl with des-ede3-cbc and a given password to decrypt some files. The command used is:

openssl.exe enc -d -des-ede3-cbc -pass pass:<password> -salt -in infile -out outfile -P

Using openssl-1.1.1t it generates one Key/IV pair, and using openssl-1.0.2u it generates totally different Key/IV pair even though I am using the exact same command. The decryption only works with 1.0.2u and fails with the newer version.

What is the reason behind this?
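
An added example, not part of the original post: OpenSSL 1.1.0 changed the default digest that `enc` uses to derive the key and IV from the password from MD5 to SHA-256, so the same password and salt print a different Key/IV pair under `-P`; passing `-md md5` to the newer version selects the old derivation. The sketch below reimplements that derivation (EVP_BytesToKey with one iteration) for des-ede3-cbc; the password and the file bytes are constructed sample values.

```python
import hashlib

MAGIC = b"Salted__"  # header `openssl enc -salt` writes before the 8-byte salt

# Constructed sample: header + salt + 16 dummy ciphertext bytes (not a real file).
SAMPLE_FILE = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 16
SAMPLE_PASSWORD = b"secret"  # constructed


def read_salt(blob: bytes) -> bytes:
    """Return the salt stored in the first 16 bytes of a salted `enc` file."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted `openssl enc` file")
    return blob[8:16]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int, digest: str):
    """EVP_BytesToKey with an iteration count of 1, as `enc` uses without -pbkdf2."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # Each round hashes the previous block followed by password and salt.
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def key_iv_report(password: bytes, blob: bytes) -> dict:
    """Key/IV for des-ede3-cbc (24-byte key, 8-byte IV) under both default digests."""
    salt = read_salt(blob)
    report = {}
    for label, digest in (("1.0.2 default (-md md5)", "md5"),
                          ("1.1.x default (-md sha256)", "sha256")):
        key, iv = evp_bytes_to_key(password, salt, 24, 8, digest)
        report[label] = {"salt": salt.hex().upper(),
                         "key": key.hex().upper(),
                         "iv": iv.hex().upper()}
    return report


if __name__ == "__main__":
    for label, values in key_iv_report(SAMPLE_PASSWORD, SAMPLE_FILE).items():
        print(label)
        for name, value in values.items():
            print(f"  {name}={value}")
```
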

9
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/Troubleshooter5000 on 2023-06-01 18:29:36+00:00.


My org has been using certreq with an inf file to generate CSRs. I want to make this process work with OpenSSL instead. I thought I remember seeing something about using a CFG file or CONF file or something. How can I make this inf file work with OpenSSL?

Edit for posterity:

I was able to resolve my issue without having to translate this INF file into an OpenSSL format. But as u/NL_Gray-Fox said, it probably wouldn't take much time. See my post here for my solution.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "C=US, ST=XX, L=My City, OU=My OU, O=My Org, CN=EXAMPLE-CERT.replace.myorg.com"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
HashAlgorithm = SHA256

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=myservername1.myorg.com&dns=myservername2.myorg.com"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate= WebServer
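
An added example, not part of the original post: one way to translate the request-related fields of a certreq INF like the one above into an `openssl req` configuration. The function name and section names (`dn`, `v3_req`) are choices made here; Windows key-storage settings (Exportable, MachineKeySet, ProviderName and so on) and the Microsoft-specific CertificateTemplate attribute have no counterpart in the generated file and are ignored.

```python
import configparser

# certreq KeyUsage bits (CERT_*_KEY_USAGE in wincrypt.h) -> OpenSSL keyUsage names
KEY_USAGE_BITS = [(0x80, "digitalSignature"), (0x40, "nonRepudiation"),
                  (0x20, "keyEncipherment"), (0x10, "dataEncipherment"),
                  (0x08, "keyAgreement"), (0x04, "keyCertSign"), (0x02, "cRLSign")]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}
SAN_TYPES = {"dns": "DNS", "ipaddress": "IP"}  # other SAN kinds raise KeyError
SAN_OID, EKU_OID = "2.5.29.17", "2.5.29.37"

# Request-related lines of the INF from the post (key-storage settings left out).
SAMPLE_INF = '''
[NewRequest]
Subject = "C=US, ST=XX, L=My City, OU=My OU, O=My Org, CN=EXAMPLE-CERT.replace.myorg.com"
KeyLength = 2048
KeyUsage = 0xA0
RequestType = CMC
RequestType = PKCS10
HashAlgorithm = SHA256

; comment lines are skipped by the parser
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=myservername1.myorg.com&dns=myservername2.myorg.com"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate= WebServer
'''


def inf_to_openssl_cnf(inf_text: str) -> str:
    # strict=False tolerates the duplicated RequestType key; no %-interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case so %name% tokens match [Strings]
    cp.read_string(inf_text)
    strings = dict(cp["Strings"]) if cp.has_section("Strings") else {}

    def expand(text: str) -> str:
        """Substitute %name% tokens from [Strings] and drop surrounding quotes."""
        for name, value in strings.items():
            text = text.replace(f"%{name}%", value.strip().strip('"'))
        return text.strip().strip('"')

    req = cp["NewRequest"]
    # Naive split: RDN values containing commas are not handled.
    dn = [tuple(p.strip() for p in part.split("=", 1))
          for part in expand(req["Subject"]).split(",")]
    usage_bits = int(req.get("KeyUsage", "0"), 16)
    usages = [name for bit, name in KEY_USAGE_BITS if usage_bits & bit]

    san, eku = [], []
    if cp.has_section("Extensions"):
        for key, raw in cp["Extensions"].items():
            oid, value = expand(key), expand(raw)
            if value.startswith("{text}"):
                value = value[len("{text}"):]
            if oid == SAN_OID:
                for item in filter(None, value.split("&")):
                    kind, _, name = item.partition("=")
                    san.append(f"{SAN_TYPES[kind.lower()]}:{name}")
            elif oid == EKU_OID:
                eku = [EKU_NAMES.get(o.strip(), o.strip()) for o in value.split(",")]

    lines = ["[ req ]",
             f"default_bits = {req.get('KeyLength', '2048')}",
             f"default_md = {req.get('HashAlgorithm', 'SHA256').lower()}",
             "prompt = no", "distinguished_name = dn", "req_extensions = v3_req",
             "", "[ dn ]"]
    lines += [f"{k} = {v}" for k, v in dn]
    lines += ["", "[ v3_req ]"]
    if usages:
        lines.append("keyUsage = " + ", ".join(usages))
    if eku:
        lines.append("extendedKeyUsage = " + ", ".join(eku))
    if san:
        lines.append("subjectAltName = " + ", ".join(san))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(inf_to_openssl_cnf(SAMPLE_INF))
```

The output can be saved as, for example, request.cnf and used with `openssl req -new -config request.cnf -keyout server.key -out request.csr`.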

10
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/Inevitable_Ad8679 on 2023-05-29 21:28:35+00:00.


Hi everyone! I am currently trying to modify some settings within OpenSSL. My goal is to change the default algorithms that OpenSSL uses for generating certificates and signatures, as well as the key exchange method. Specifically, I want OpenSSL to default to the ones provided by OQS (https://openquantumsafe.org/), Dilithium and Kyber.

I have already added the OQS version of OpenSSL to my computer and respective Docker containers. I have also confirmed that I can establish test connections between a client and server using Post-Quantum Cryptography (PQC) algorithms.

Here's what I used:

openssl s_server -key key.pem -cert cert.pem -tls1_3 -accept 443 (certificates are made with dilithium)

openssl s_client -groups kyber512 -connect 127.0.0.1:443 -tls1_3

However, if I do not explicitly mention '-groups kyber512', OQS defaults to using elliptic curves for the key exchange, which is not what I want because it is not quantum safe.

Ultimately, I plan to use this customized list (featuring Dilithium and Kyber) to establish a connection between a web server (equipped with OQS OpenSSL) and my computer (also with OQS OpenSSL), and hopefully to use Dilithium and Kyber as the default preferred options. Does anyone have any suggestions on how to accomplish this?

For context, to avoid breaking anything, both the web server and "my computer" are implemented in Docker containers, where I replace the default OpenSSL library.

As a result, if I inspect the communications with Wireshark, I expect to see that the algorithms I selected (Dilithium and Kyber) are indeed used for both signatures and key exchange.

Unfortunately, I haven't had any luck so far. Does anyone have any experience with this or any ideas on how to proceed?

Thank you in advance!

11
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/ligonsker on 2023-05-26 08:07:08+00:00.


Hello

When using the openssl 1.1.1 that comes with Git or XAMPP, then it opens a terminal when I type "openssl":

https://imgur.com/a/jQatlN5

But when I installed openssl 3.1.0 from source, it just shows a list of commands:

https://imgur.com/a/khWZF1o

What is this terminal used for? And is the fact that I don't have it when I built it from source related to the version difference (1.1.1 vs 3.1.0), or is it because of the way I installed openssl?

Thanks

12
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/ligonsker on 2023-05-25 07:57:53+00:00.


Hello,

So far I've been using OpenSSL on Windows via the OpenSSL that comes bundled with XAMPP.

But what if I want to install OpenSSL myself on Windows? I could not find a way to do it directly from the official OpenSSL source.

That's because I want the newest OpenSSL version 3 instead of 1.1.1 that comes with XAMPP

How can I do it?

Thanks

13
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/thekobaz on 2023-05-18 15:54:09+00:00.


Having an issue...

Server is reporting:

SSL_ERROR_SSL (Handshake): Level: 0 err: <337092801> <SSL routines-tls_post_process_client_hello-no shared cipher>

Flow:

Client (voip phone) successfully makes the TCP connection and starts with a TLS Client Hello. Certificates are not exchanged at this point

https://dpaste.com/FS4YHL9TQ

Server Responds with

TLS Handshake Failure

Here is a session going the other way: Server sending a Client Hello

https://dpaste.com/CQAPFU5MP

You can see there are plenty of overlaps with ciphers and signature algorithms.

Here's the Server Certificate:

https://dpaste.com/4EMXFYC3M

I'm baffled why the Server rejects the Client Hello due to 'no shared cipher'

14
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/vasthavk on 2023-05-14 10:14:50+00:00.


I'm working on OPENSSL Client Server application using the utilities provided by OpenSSL.

Open SSL Server utility current implementation handles each SSL handshake one after the other. So I've modified this by creating a new thread for each and every newly received TCP connection. Main thread listens for new connections and newly created thread does ssl handshake(SSL_accept).

The s_server just accepts the connection and closes it.

When creating multiple connections using the s_time application, one SSL connection is tearing down successfully but the next connection is not going through.

On server side in gdb mode I'm receiving SIGPIPE when server is trying to write some data. Any idea how to fix this?

15
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/Raregolddragon on 2023-05-08 15:01:32+00:00.


I feel like I am driving myself crazy, but there is no 3.1.1 out yet, correct? We have 3rd party security scans and they go the extra mile of telling us what to try to resolve the issue. The alert keeps saying to upgrade from 3.1.0 to 3.1.1, but as far as I can find and tell it has not been released on the GitHub or any other source I can find.

16
round 2
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/DarkSchneider7 on 2023-05-02 00:28:00+00:00.


So I finally found out why I couldn't find any info on the .3ssl extension: apparently it was only used from 2010-2011. So now I am at this point trying to locate my encrypted file, and I forgot what it was named and the extension given. I went full retard being smart and not giving it a proper identifier. From searching online I was told maybe f-secure file scanner can detect file signatures encrypted in openssl.

Long story short, I was in Iraq in 2010, encrypted files in openssl and placed them in some random unknown directory. I don't know why I did this; maybe I left this note to look here if something happened to me... yeah, that info is pretty much lost. So I am off on this hunt to find this elusive encrypted file. Yeah, I got the keys, that's crossed off, and the password is so generic for me, so the pw won't be an issue.

In 2010 I was bored af and found out about btc - https://www.youtube.com/watch?v=YmPg4V-YE0k&t=3s I was there .."a little humor i put dont my home address for the btc address" so the guy called me and spent over 5 hours with me on Skype trying to teach me about encrypting files. He refused to give the data upfront with no wallet btc address. Since my connection speed via internet was slow, being on satellite, I think we waited over 3 hrs and we went off doing a paper wallet format, and that's what I got encrypted.

17
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/bradscript on 2023-04-10 13:47:47+00:00.


I have checked the docs and there are no mentions of what algorithm it uses. I am trying to generate a CryptoKey in javascript to decrypt the RSA key but I have no idea how to generate the secret key from the passphrase without knowing what algorithm and parameter it uses.

18
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/DarkSchneider7 on 2023-04-08 18:22:21+00:00.


I have this time capsule MacBook from 2010. I found pub keys and private keys, both have the extension .3ssl. Being on Mac I know some stuff is done differently; 2010 was the last time I owned a MacBook so I lost whatever I knew back then. I went off having a conversation with chat ai trying to figure out what the .3ssl extension is and it gave me a lecture on it not being a known extension. Then I found some manpages with manuals using .3ssl and it said 3 stands for version 3? But when I look up what the release date of openssl version 3 was, it said 2018. Can any og provide any info on files using .3ssl or using openssl on Mac? My wife refuses to help me since, from her own words, >lvl 1 noob beggar< be nice to keep ingame trolling in games.

19
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/mfaridi1978 on 2023-04-04 13:34:00+00:00.


I run this command on Fedora server

sudo openssl req -out tls.crt -new -keyout tls.key -newkey rsa:4096 -nodes -sha256 -x509 -subj "/O=HashiCorp/CN=Vault" -addext "subjectAltName =IP:127.0.0.1,IP:192.168.56.70,DNS:core" -days 3650

and this command generates tls.key and tls.crt for me

but when I run this command on Oracle Linux

sudo openssl req -out tls.crt -new -keyout tls.key -newkey rsa:4096 -nodes -sha256 -x509 -subj "/O=HashiCorp/CN=Vault" -addext "subjectAltName =IP:127.0.0.1,IP:192.168.56.70,DNS:uid_core" -days 3650

I see this error

unknown option -addext
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus

and can not make key

20
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/__pk on 2023-04-02 20:04:23+00:00.


I am trying to setup a mutual TLS authentication scheme between two VMs with self-signed certificates. SANs & CNs point to IPs (the VMs are not exposed to browsers and they do not have domain names).

I have failed to establish a connection between a gRPC Python server and a gRPC Tonic Rust client. I am trying to understand if there is a language or a protocol-dependent error.

I used the commands listed in the .sh file here: https://github.com/rustls/rustls/tree/main/test-ca

to generate keys/certs for a server and a client (with IP.1 records for SANs). I have added the local root CA to the trust store of each VM.

Error in Rust client: presented server name type wasn't supported'

Error in Python server: SSLV3_ALERT_BAD_CERTIFICATE

What CN/SAN/domain would you choose for this case? Is this scenario possible or am I missing something?

21
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/eyal_cohen_m on 2023-04-01 22:53:35+00:00.


Hello, I'm trying to send email using openssl through Gmail with port 587.

When using the -starttls smtp flag, the connection simply halts after the TCP handshake. The openssl client doesn't try to upgrade the connection.

What can be the reason?

I've tried this not only with openssl but also with Python, which basically wraps openssl.

Thanks!

22
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/config_wizard on 2023-03-29 13:30:45+00:00.


I am learning about mutual TLS for GRPC connections. I know that the objective is to create a self-signed certificate authority, then create server cert/key and client cert/key and sign each of these with the certificate authority.

I have got _close_ in that I managed to generate the certs but they didn't work in all scenarios (different languages accepted the keys while others didn't - multiple reasons why that might be, but I'm trying to learn the mtls mechanism not debug language specific issues).

So I found some certs online in an example, and tested them - and they seem to work across the board. Using openssl x509 -in XXXXXXX -text -noout I can look at the certs. So I am hoping you might be able to help me generate the three sets of keys/certs that match this structure using openssl so that I can generate my own. These are 256 bit - I was hoping for something more like 4096 bit if I can.

For brevity I have removed the fingerprints from the output

server.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:a0:b4:6a:38:92:77:c8:62:f2:33:57:a8:15:1a:22:f1:48:a8:82
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=RootCA
        Validity
            Not Before: Dec 23 09:00:00 2019 GMT
            Not After : Nov 29 09:00:00 2119 GMT
        Subject: CN=server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DB:C6:0C:40:C9:60:E7:5D:29:D4:6A:C8:FD:2A:7A:7B:CF:68:F1:92
            X509v3 Authority Key Identifier:
                keyid:D4:39:2D:E2:14:32:00:E6:85:AE:A6:1E:55:B9:62:D7:B6:B6:B9:F2
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256

client.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:48:5a:17:4a:24:3d:c1:09:68:a6:0a:25:1c:93:1d:4f:9a:40:cc
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=RootCA
        Validity
            Not Before: Dec 23 08:59:00 2019 GMT
            Not After : Nov 29 08:59:00 2119 GMT
        Subject: CN=client
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                AD:13:49:56:68:A3:DF:1C:22:43:23:5F:CC:AB:A1:70:22:A7:02:D0
            X509v3 Authority Key Identifier:
                keyid:D4:39:2D:E2:14:32:00:E6:85:AE:A6:1E:55:B9:62:D7:B6:B6:B9:F2
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256

ca.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4065117815530809070 (0x386a331d84d366ee)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=RootCA
        Validity
            Not Before: Dec 23 08:56:37 2019 GMT
            Not After : Nov 29 09:01:37 2119 GMT
        Subject: CN=RootCA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                D4:39:2D:E2:14:32:00:E6:85:AE:A6:1E:55:B9:62:D7:B6:B6:B9:F2
    Signature Algorithm: ecdsa-with-SHA256

If anyone can help me with the openssl commands to generate these so that they will be valid for mutual TLS that would be amazing. The main things I'm interested in are increasing the size of the keys, and changing the server DNS/IP off of localhost.

Thank you.

P.S. I am on OSX, where openssl is LibreSSL 2.8.3, or I have a Linux machine where openssl is OpenSSL 1.1.1

Thanks again

23
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/maggiminutes on 2023-03-27 16:38:06+00:00.

24
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/unixbhaskar on 2023-03-24 21:07:16+00:00.

25
 
 
This is an automated archive.

The original was posted on /r/openssl by /u/maxcoder88 on 2023-03-21 14:15:03+00:00.


Hi,

I have a certificate that is exported with DER encoding. I want to get CRT, KEY, PEM files from the CER file.

Could not read key from certificate.pem

I will convert from CER to PEM via below command.

openssl x509 -inform der -in certificate.cer -out certificate.pem

openssl pkey -in certificate.pem -out certificate.key

openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -out certificate.crt

openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt -certfile CACert.crt

Or, I will convert key files from the PFX file?

openssl x509 -inform der -in certificate.cer -out certificate.pem
openssl pkcs12 -in certificate.pfx -nocerts -out certificate.key
openssl rsa -in certificate.key -out certificate_private.key
openssl rsa -in certificate.key -pubout -out  certificate_public.key
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

Thanks,
