Generate a CSR with OpenSSL

See: https://www.tbs-certificats.com/FAQ/fr/192.html

Generate the RSA key

openssl genrsa 2048 > acme.fr.key
chmod 400 acme.fr.key

Or, to generate an Elliptic Curve key instead:

openssl ecparam -name prime256v1 -genkey -noout -out acme.fr.key

Create the certificate signing request (CSR)

openssl req -new -key acme.fr.key > acme.fr.csr

san.cnf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
 
[ req_distinguished_name ]
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
 
[ req_ext ]
subjectAltName = @alt_names
 
[alt_names]
DNS.1   = acme.fr
DNS.2   = www.acme.fr

openssl req -new -sha256 -nodes -out acme.fr.csr -newkey rsa:2048 -keyout acme.fr.key -config san.cnf

Show the CSR details

openssl req -in acme.fr.csr -noout -text

https://raw.githubusercontent.com/openssl/openssl/master/apps/openssl.cnf

2025/03/24 15:06
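The recipe above, as an added example that is not part of the original post: the same `openssl req` command, but driven by a config written with `prompt = no` so it never asks questions, followed by the two checks a practitioner wants before sending a CSR to a CA (which SANs it carries, and whether its self-signature verifies). It assumes OpenSSL 1.1.1 or later on PATH; the file names follow the post, the organisation and country values are placeholders.

```shell
#!/bin/sh
# Added example, not from the page: a non-interactive version of the CSR recipe.
# Assumes OpenSSL >= 1.1.1 on PATH; file names follow the page, O/C are placeholders.
set -eu

# Write a request config like the page's san.cnf, but with "prompt = no": the
# [req_distinguished_name] entries are then values instead of prompt labels.
# $1 = output path, $2 = common name, remaining args = SAN host names
write_san_cnf() {
    out=$1; cn=$2; shift 2
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n\n'
        printf '[ req_distinguished_name ]\nC = FR\nO = ACME\nCN = %s\n\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
    } > "$out"
}

# Key + CSR in one step (the page's command plus -batch, so it can never prompt).
# $1 = config, $2 = key output, $3 = CSR output
make_csr() {
    openssl req -new -sha256 -nodes -newkey rsa:2048 -batch \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
    chmod 400 "$2"
}

# DNS SANs carried by a CSR, one per line (parsed from the page's -text output).
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# 0 if the CSR's self-signature verifies (what a CA checks before issuing).
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: sh csr.sh run  (works in a temporary directory)
if [ "${1:-}" = run ]; then
    d=$(mktemp -d)
    write_san_cnf "$d/san.cnf" acme.fr acme.fr www.acme.fr
    make_csr "$d/san.cnf" "$d/acme.fr.key" "$d/acme.fr.csr"
    echo "SANs:"; csr_sans "$d/acme.fr.csr"
    csr_verify "$d/acme.fr.csr" && echo "CSR signature OK"
fi
```

Note that with `prompt = no` the DN section must hold real values (`C = FR`, `CN = acme.fr`); the prompt-label form from the post only works in interactive mode.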

OpenSSL - Create a self-signed SSL certificate

make-ssl-cert generate-default-snakeoil --force-overwrite

The generated certificate and key are here:

  • /etc/ssl/certs/ssl-cert-snakeoil.pem
  • /etc/ssl/private/ssl-cert-snakeoil.key

Or

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

or

FQDN="plop.local"
PORT=9443
 
# create private key for TLS
openssl genrsa -out $FQDN.key 2048
 
# create public certificate for TLS
# openssl req -new -key $FQDN.key -x509 -subj '/CN=localhost' -out $FQDN.cert
openssl req -new -key $FQDN.key -x509 -days 3653 -out $FQDN.crt -subj "/C=FR/ST=FR/L=PLOP/O=myorg/CN=$FQDN"
 
# create pem format key+cert
cat $FQDN.key $FQDN.crt >$FQDN.pem

Source: https://fabianlee.org/2022/10/26/linux-socat-used-as-secure-https-web-server/

2025/03/24 15:06

openssl - check that a certificate's KEY, CSR and CRT match

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

Source: https://www.sslshopper.com/certificate-key-matcher.html

2025/03/24 15:06
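The three hash commands above, wrapped into one check as an added example (not the post's or sslshopper's code): it takes any number of `type:file` pairs and reports which file carries a different public key, and it fails loudly when OpenSSL cannot read a file instead of silently hashing empty output. It assumes `openssl` and `sha256sum` on PATH.

```shell
#!/bin/sh
# Added example, not from the page or sslshopper: the three hash commands
# wrapped into one check for any number of key/CSR/cert files.
# Assumes openssl and sha256sum on PATH.
set -eu

# PEM public key extracted from a private key, a CSR or a certificate.
# $1 = type (key|csr|crt), $2 = file
pubkey_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform pem ;;
        csr) openssl req  -in "$2" -pubkey -noout ;;
        crt) openssl x509 -in "$2" -pubkey -noout ;;
        *)   echo "unknown type: $1 (use key, csr or crt)" >&2; return 2 ;;
    esac
}

# SHA-256 of that public key; returns 2 (instead of hashing nothing) when
# openssl could not read the file, which the page's bare pipeline would hide.
pubkey_hash() {
    pem=$(pubkey_pem "$1" "$2") || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# 0 if all files carry the same public key, 1 on a mismatch, 2 on a read error.
# Arguments are type:file pairs, e.g. key:acme.fr.key csr:acme.fr.csr crt:acme.fr.crt
same_key() {
    ref=""
    for spec in "$@"; do
        t=${spec%%:*}; f=${spec#*:}
        h=$(pubkey_hash "$t" "$f") || return 2
        if [ -z "$ref" ]; then
            ref=$h
        elif [ "$h" != "$ref" ]; then
            echo "MISMATCH: $f ($t) carries public key $h, expected $ref" >&2
            return 1
        fi
    done
    echo "OK: $# file(s) share public key sha256 $ref"
}

# Usage: sh keymatch.sh key:acme.fr.key csr:acme.fr.csr crt:acme.fr.crt
if [ $# -gt 0 ]; then same_key "$@"; fi
```

Comparing the public key is the right invariant: a renewed certificate issued from the same CSR (same key) still passes, while a certificate re-issued with a freshly generated key fails, which is exactly the case that produces a key/cert mismatch error in the web server.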

OpenSSL - What are the SANs (Subject Alternative Names) of my SSL/TLS certificate?

From a certificate file

openssl x509 -text -noout -fingerprint -sha256 -in plop.cer | grep DNS

From a live server

openssl s_client -connect plop.acme.org:443 -servername plop.acme.org </dev/null | openssl x509 -text -noout -in - | grep DNS | sed -e 's/ DNS:/\n&/g'

Test

$ curl -v https://test.acme.fr 2>&1 |grep subject
*  subject: C=FR; O=ACME FRANCE; OU=Private Group PKI; CN=www.test.acme.fr
*  subjectAltName does not match test.acme.fr
* SSL: no alternative certificate subject name matches target host name 'test.acme.fr'
curl: (51) SSL: no alternative certificate subject name matches target host name 'test.acme.fr'

Or, better still:

$  echo | openssl s_client -connect redhat.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName
X509v3 Subject Alternative Name:
    DNS:*.redhat.com, DNS:redhat.com

2025/03/24 15:06
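The curl failure in the test above happens because the host name is matched against the DNS SANs only, not against the CN. The following added example (not code from the post) builds a self-signed test certificate that does carry SANs (extending the self-signed recipe from the earlier post with `-addext`), lists them with the `-ext subjectAltName` command from this post, and checks a host name against them with the same rules a TLS client applies, so the `(51)` error can be predicted offline. It assumes OpenSSL 1.1.1 or later; the host names are made up.

```shell
#!/bin/sh
# Added example, not from the page: list a certificate's DNS SANs and check a
# host name against them the way curl does before failing with error (51).
# Also extends the self-signed recipe above with the subjectAltName clients need.
# Assumes OpenSSL >= 1.1.1 (-addext, -ext); host names are made up.
set -eu

# Self-signed test certificate carrying SANs.
# $1 = key output, $2 = cert output, $3 = comma-separated DNS names (first = CN)
make_san_cert() {
    cn=${3%%,*}
    sans="DNS:$(printf '%s' "$3" | sed 's/,/,DNS:/g')"
    openssl req -x509 -new -nodes -sha256 -days 3653 -newkey rsa:2048 \
        -keyout "$1" -out "$2" -subj "/C=FR/O=myorg/CN=$cn" \
        -addext "subjectAltName=$sans" 2>/dev/null
}

# DNS SANs of a certificate file, one per line (the page's -ext command, parsed).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Same for the certificate a server presents (network; not exercised offline).
# $1 = host, $2 = port
server_dns_sans() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Match one host name against one SAN entry as a TLS client does (RFC 6125):
# case-insensitive exact match, or a leftmost "*" standing for exactly one label.
# $1 = host name, $2 = SAN entry
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$host" = "$pat" ]; then return 0; fi
    case "$pat" in
        '*.'*)
            suffix=${pat#\*.}
            # host must be exactly <one label>.<suffix>: "*.acme.fr" covers
            # www.acme.fr but neither acme.fr nor a.b.acme.fr
            if [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]; then return 0; fi ;;
    esac
    return 1
}

# 0 if some DNS SAN of the file covers the host name, 1 otherwise.
# $1 = certificate file, $2 = host name
cert_covers_host() {
    cert_dns_sans "$1" | (
        while read -r san; do
            if name_matches "$2" "$san"; then exit 0; fi
        done
        echo "no alternative certificate subject name matches target host name '$2'" >&2
        exit 1
    )
}

# Usage: sh sans.sh <cert.pem> <hostname>
if [ $# -eq 2 ]; then cert_dns_sans "$1"; cert_covers_host "$1" "$2" && echo "$2 is covered"; fi
```

In the post's test, the certificate's CN is `www.test.acme.fr` but the request went to `test.acme.fr`; unless `test.acme.fr` appears as a DNS SAN, `cert_covers_host` returns 1 with the same message curl prints.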

OpenSSL - Is the right SSL/TLS certificate installed on the web server?

openssl x509 -text -noout -fingerprint -sha256 -in plop.cer | grep Fingerprint
 
openssl s_client -connect plop.acme.org:443 -servername plop.acme.org </dev/null | openssl x509 -text -noout -fingerprint -sha256 -in - | grep Fingerprint

2025/03/24 15:06
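The two commands above compared by eye, turned into a scriptable check as an added example (not the post's code): the `Fingerprint=AB:CD:...` line is normalised to plain lowercase hex so the local file and the server's leaf certificate can be compared with a string test, and a cross-check shows that this fingerprint is nothing more than `sha256sum` of the certificate's DER bytes (so it can be compared with what a browser or another tool displays). It assumes `openssl` and `sha256sum` on PATH.

```shell
#!/bin/sh
# Added example, not from the page: normalise "Fingerprint=AB:CD:..." so a local
# file and the server's leaf certificate can be compared in a script, and show
# that the fingerprint is the SHA-256 of the certificate's DER encoding.
# Assumes openssl and sha256sum on PATH.
set -eu

# Lowercase, colon-free SHA-256 fingerprint of a PEM certificate read from stdin.
# (OpenSSL 1.1.1 prints "SHA256 Fingerprint=", 3.x prints "sha256 Fingerprint=".)
fp_of_pem() {
    openssl x509 -noout -fingerprint -sha256 \
        | sed -n 's/^.*Fingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# $1 = certificate file
cert_fp() { fp_of_pem < "$1"; }

# Fingerprint of the leaf certificate a server presents for a SNI name
# (network; not exercised offline). $1 = host, $2 = port
server_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | fp_of_pem
}

# 0 if the fingerprint equals sha256sum of the DER encoding, i.e. the value
# another tool would show for the same certificate. $1 = certificate file
fp_matches_der() {
    der=$(openssl x509 -in "$1" -outform DER | sha256sum | cut -d' ' -f1)
    [ "$(cert_fp "$1")" = "$der" ]
}

# 0 when the server presents exactly the certificate in the local file.
# $1 = certificate file, $2 = host, $3 = port
server_has_cert() {
    local_fp=$(cert_fp "$1")
    remote_fp=$(server_fp "$2" "$3")
    if [ -n "$remote_fp" ] && [ "$local_fp" = "$remote_fp" ]; then
        echo "OK: $2:$3 presents $1 (sha256 $local_fp)"
    else
        echo "MISMATCH: local $local_fp, server '${remote_fp:-none}'" >&2
        return 1
    fi
}

# Usage: sh certcheck.sh plop.cer plop.acme.org 443
if [ $# -eq 3 ]; then server_has_cert "$1" "$2" "$3"; fi
```

Keep `-servername` in the live check: without SNI a virtual-hosting server may hand back its default certificate, and the comparison would report a mismatch for a site that is actually configured correctly.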