1. How to verify that a private key goes with a certificate?
The private key contains a series of numbers. Two of those numbers form the “public key”; the others are part of your private key. The public key bits are also embedded in the certificate. To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers:
$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key
To avoid comparing the long modulus by eye, you can hash it and compare the two digests instead:
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
As a one-liner:
$ openssl x509 -noout -modulus -in server.crt | openssl md5; openssl rsa -noout -modulus -in server.key | openssl md5
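The same check generalized beyond RSA, as an added example that is not part of the original page: it compares the whole public key (`x509 -pubkey` against `pkey -pubout`) instead of the RSA modulus, so it also covers EC keys, and it reports an unreadable file separately from a mismatch. The function names and the sample files generated in a temporary directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; function names and sample file names are illustrative.

# PEM public key (SubjectPublicKeyInfo) embedded in certificate $1.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from unencrypted private key $1 (RSA, EC, ...).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# key_matches_cert CERT KEY: 0 = match, 1 = mismatch, 2 = a file did not parse.
# Parse failures are reported separately so two empty outputs never "match".
key_matches_cert() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 of the certificate's PEM public key: a short value to log or compare.
cert_pubkey_digest() {
    pub=$(cert_pubkey "$1") || return 2
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the verdict for CERT KEY as a word.
check() {
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in 0) echo match ;; 1) echo MISMATCH ;; *) echo error ;; esac
}

# Generate throwaway keys and self-signed certificates in directory $1
# (constructed sample data, valid for one day).
make_samples() {
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/ec.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/rsa.key" -subj "/CN=rsa.example.test" \
        -days 1 -out "$1/rsa.crt" 2>/dev/null &&
    openssl req -new -x509 -key "$1/ec.key" -subj "/CN=ec.example.test" \
        -days 1 -out "$1/ec.crt" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir" || exit 1
for key in rsa.key other.key ec.key; do
    echo "rsa.crt vs $key: $(check "$demo_dir/rsa.crt" "$demo_dir/$key")"
done
echo "ec.crt vs ec.key: $(check "$demo_dir/ec.crt" "$demo_dir/ec.key")"
rm -rf "$demo_dir"
```

In a deployment script, call `key_matches_cert server.crt server.key` and handle exit status 2 (file could not be parsed) separately from 1 (the key belongs to a different certificate).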
2. How to calculate thumbprint or fingerprint of certificate?
$ openssl x509 -in cert.pem -noout -fingerprint
$ openssl x509 -in cert.pem -noout -sha1 -fingerprint
To convert a certificate from DER to PEM:
$ openssl x509 -in input.crt -inform DER -out output.key -outform PEM
To view details of a PEM certificate:
$ openssl x509 -in mainserver.pem -noout -text
To create a hash:
$ openssl sha1 filename
$ openssl md5 filename
…
To create a CSR:
$ openssl genrsa -out private_key.pem 2048
$ openssl req -new -key private_key.pem -out domainname.csr
To test an SSL connection:
$ openssl s_client -cert usercert.pem -key private.pem -connect www.xxx.xxx:443
To check the server certificate:
$ openssl s_client -showcerts -connect xxx.xxx.xxx:443
$ openssl s_client -connect <serverhost>:<port>
To export the private key from a PKCS#12 file:
$ openssl pkcs12 -in cert.pfx -nocerts -out privateKey.pem
To remove the password from the private key file:
$ openssl rsa -in privateKey.pem -out private.pem
To dump a binary file:
$ openssl asn1parse -inform DER -in testFromSCEPLog.bin > logFromSCEP.bin
To check a pkcs7 file:
$ openssl asn1parse -inform der -in renew.cer
I have a signed letter,
how can I extract the certificate from it?
And on the command line I can use
openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs
but I wonder how to achieve it in a program.
openssl pkcs7 -in pkcsInformation.p7b -print_certs -inform DER
http://qistoph.blogspot.jp/2012/01/manual-verify-pkcs7-signed-data-with.html
Use the verify option to verify certificates.
openssl verify cert.pem