OpenSSL CSR Examples: Self Signed Certificate and How to Start Test TLS/SSL Server/Client
How to use openssl with examples to create CSR, self signed TLS/SSL certificate. View certificate detail, start TLS/SSL test server and client.
Create TLS/SSL Certificate
Use openssl req command to create a self signed SSL certificate or Certificate Signing Request (CSR) can be sent to a Certificate Authority (CA) which will then return an signed SSL certificate.
$ openssl req -new -newkey rsa:2048 -keyout privkey.pem -nodes -out pubcert.csr
Generating a RSA private key
...................................................................+++++
........................................................................+++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Orlando
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Foo LLC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:email@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ file privkey.pem pubcert.csr
privkey.pem: ASCII text
pubcert.csr: PEM certificate request
Certificate subject can also passed by -subj parameter:
$ openssl req -new \
-newkey rsa:2048 -nodes -keyout privkey.pem \
-out pubcert.csr \
-subj "/C=US/ST=FL/L=Orlando/O=Foo LLC/OU=IT/CN=www.example.com"
Hint
Use-nodesparameter to NOT to encrypt the private key. This is useful when your web server starts automatically, say at boot time. If your private key is encrypted, you would be required to enter a password everytime your web server restarted. You could also omit this option to create an encrypted key and then later remove the encryption from the key.
Verify CSR
Use openssl req -verify to view CSR, -verify verify signature on CSR is not modified.
openssl req -verify example:
$ openssl req -verify -in pubcert.csr -text -noout
verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com, emailAddress = email@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:96:1b:ec:3b:8c:8d:80:d9:f6:bc:e3:92:82:06:
6c:f6:97:15:56:5f:57:2e:de:7d:9c:7b:dd:a7:a4:
9f:dd:3b:b7:3d:fa:4b:20:5b:91:76:df:5c:d0:31:
fb:7c:47:c2:29:63:7b:f1:b6:92:49:72:ca:e6:4d:
d2:3e:e1:11:57:a6:a4:49:89:22:49:92:b9:76:a3:
17:a8:45:64:e7:1b:a0:f9:a8:0f:69:7e:b6:d3:ee:
42:f8:cd:b6:a2:79:fa:72:c3:5d:62:46:ed:db:29:
df:63:46:a1:c3:3b:17:7d:a7:be:f7:09:cb:6d:e6:
70:06:9f:cd:95:d8:b5:bf:d1:c0:26:88:66:57:af:
84:f2:00:49:89:c8:db:8c:7c:81:3d:0e:2e:f4:77:
d9:1c:9a:e2:78:43:98:4e:fa:b3:bf:2d:f2:2e:97:
11:17:6a:6d:ca:94:8e:2f:54:92:e7:16:25:ce:52:
46:bc:9d:98:89:d4:64:bd:ae:0a:97:72:a0:c5:73:
39:c9:87:d8:f5:97:e4:b8:3e:8d:73:d2:29:b3:4c:
fb:7e:20:5b:45:c6:83:6d:a6:53:1c:6e:5c:4a:ef:
20:08:84:59:09:f4:9c:16:79:37:27:70:b5:c1:21:
5e:5e:94:0e:59:54:ce:4f:3e:5d:34:fc:f0:e0:ce:
b4:a1
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
7f:47:70:5c:1c:72:e4:c5:a4:7b:07:7c:3f:f5:ef:62:a1:c9:
8f:ae:52:35:ee:13:85:f7:ce:06:4a:b8:a1:ee:08:a2:39:f4:
90:6a:c6:4f:04:78:c3:67:22:98:97:b8:9c:c1:e6:c6:af:94:
1a:fd:f0:4c:67:34:3f:8d:05:3a:1a:8f:46:6f:0a:37:45:45:
44:7a:f9:51:1d:28:bf:53:f1:47:2c:01:73:03:42:08:0a:c3:
1f:5d:50:8a:b1:81:db:a0:df:4b:79:a1:86:2d:b1:3d:f7:2a:
4b:e2:ff:bc:0f:fc:cd:08:a7:b8:07:5d:fe:d7:b7:39:6f:7a:
f0:9c:cc:1b:e9:5d:8e:d5:0b:00:9c:81:a6:c3:f2:33:87:52:
3c:b5:4a:14:3b:7d:2a:b8:53:86:da:b0:b3:3d:6a:2d:a7:c3:
fa:1d:5f:fc:ea:37:6f:d2:44:ac:5d:a8:e5:73:43:69:a4:02:
5d:a0:08:dd:0a:59:40:fa:c9:38:00:d9:60:41:40:56:32:c0:
53:0d:97:8e:59:33:44:90:8b:48:a8:8c:c1:12:b2:60:bc:59:
0a:e8:ca:29:87:95:7f:40:fd:86:bd:f8:aa:92:c9:f0:12:cb:
82:cd:d8:5a:af:d2:3e:9a:dc:6b:f2:db:92:2d:a7:fc:6a:98:
a8:04:5e:9e
verfiy OK indicate signature verify and there is no tamper on CSR.
Subject is the most important of CSR.
Create Self Signed Certificate
pubcert.csr can be sent to public CA for signing or you can create self signed certificate.
$ openssl req -x509 -days 365 -in pubcert.csr -key privkey.pem -out pubcert.pem
$ file pubcert.pem
pubcert.pem: PEM certificate
Command line options explained:
- -x509
- output a self-signed certificate rather than a CSR.
- -days 365
- make the self-signed certificate valid for one year.
- -in pubcert.csr
- read in the CSR from the file pubcert.csr.
- -key privkey.pem
- read in the private key from the file privkey.pem.
- -out pubcert.pem
- write out the self-signed certificate to the file pubcert.pem.
You can also generated self signed certificate in a single command:
$ openssl req -x509 \
-days 365 \
-newkey rsa:2048 \
-subj "/C=US/ST=FL/L=Orlando/O=Foo LLC/OU=IT/CN=www.example.com" \
-keyout privkey2.pem \
-nodes \
-out pubcert.pem
Generating a RSA private key
..+++++
.+++++
writing new private key to 'privkey2.pem'
-----
View Certificate
View Certificate Detail
$ openssl x509 -text -noout -in pubcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
53:20:19:3d:0f:f2:3b:b9:b0:9b:17:5e:b6:12:bd:ae:cf:31:e5:c0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com, emailAddress = email@example.com
Validity
Not Before: Feb 25 01:13:20 2022 GMT
Not After : Feb 25 01:13:20 2023 GMT
Subject: C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com, emailAddress = email@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:96:1b:ec:3b:8c:8d:80:d9:f6:bc:e3:92:82:06:
6c:f6:97:15:56:5f:57:2e:de:7d:9c:7b:dd:a7:a4:
9f:dd:3b:b7:3d:fa:4b:20:5b:91:76:df:5c:d0:31:
fb:7c:47:c2:29:63:7b:f1:b6:92:49:72:ca:e6:4d:
d2:3e:e1:11:57:a6:a4:49:89:22:49:92:b9:76:a3:
17:a8:45:64:e7:1b:a0:f9:a8:0f:69:7e:b6:d3:ee:
42:f8:cd:b6:a2:79:fa:72:c3:5d:62:46:ed:db:29:
df:63:46:a1:c3:3b:17:7d:a7:be:f7:09:cb:6d:e6:
70:06:9f:cd:95:d8:b5:bf:d1:c0:26:88:66:57:af:
84:f2:00:49:89:c8:db:8c:7c:81:3d:0e:2e:f4:77:
d9:1c:9a:e2:78:43:98:4e:fa:b3:bf:2d:f2:2e:97:
11:17:6a:6d:ca:94:8e:2f:54:92:e7:16:25:ce:52:
46:bc:9d:98:89:d4:64:bd:ae:0a:97:72:a0:c5:73:
39:c9:87:d8:f5:97:e4:b8:3e:8d:73:d2:29:b3:4c:
fb:7e:20:5b:45:c6:83:6d:a6:53:1c:6e:5c:4a:ef:
20:08:84:59:09:f4:9c:16:79:37:27:70:b5:c1:21:
5e:5e:94:0e:59:54:ce:4f:3e:5d:34:fc:f0:e0:ce:
b4:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FA:AD:07:CD:B2:96:2A:D5:EF:92:EF:95:29:B7:3E:83:F7:CB:BC:AB
X509v3 Authority Key Identifier:
keyid:FA:AD:07:CD:B2:96:2A:D5:EF:92:EF:95:29:B7:3E:83:F7:CB:BC:AB
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
8d:75:b7:a1:fb:e2:76:62:24:82:83:f7:f3:dc:fc:25:de:63:
90:56:38:f3:89:c8:f0:c2:fa:e8:fc:57:7e:61:a3:ca:9e:e5:
7f:9b:f0:a9:82:44:b6:e1:09:7e:f1:b5:48:28:cf:07:fd:18:
d1:a2:b3:ad:96:2b:ac:f1:89:c2:20:ee:b6:16:54:1f:6e:32:
ca:07:9c:3b:21:01:61:48:dc:13:03:fd:d4:68:d2:da:1f:92:
d9:6d:f5:ae:08:ff:94:24:ba:e1:20:8d:fe:21:70:bd:f5:f8:
06:5a:08:69:5f:14:71:8a:84:38:e3:09:80:ec:dc:fe:78:56:
bd:e6:d3:00:7c:88:14:eb:2b:49:ae:ea:42:c5:61:4d:19:2f:
65:37:c6:33:c1:c5:0e:90:eb:43:cf:16:97:58:a7:d1:1e:37:
cb:6d:3a:34:4a:2f:93:a9:2f:fe:c2:11:d1:41:f4:d4:f8:e6:
b8:c7:bd:4f:c3:8d:fb:3d:df:5e:4c:c8:d3:69:e0:b5:71:ca:
2c:23:d3:b4:79:c7:28:8b:9e:d9:76:4c:ac:db:6d:87:02:bf:
16:a0:35:7c:74:f3:b3:ca:0a:cf:5b:cf:5c:c2:f3:1c:77:84:
a9:8f:dd:3c:76:83:6a:79:15:a4:66:9b:7f:bd:2e:94:68:96:
3c:ad:23:f0
Verify A Certificate Matches A Private Key
To verify a certificate match a private key, you can compare the modulus of the certificate with the modulus of the key.
Hint
- certificate is an X.509 PEM formatted file
- the private key is an RSA PEM formatted file,
$ openssl x509 -in pubcert2.pem -noout -modulus
Modulus=C4A33C0DD76C10B2B49DFD48727D6B55B1FB4730CD9398D2ED9BA54209403AF61815119A08EB60CD134B43487F5D3E994DBB0E47688113893F2D892EEB27F23E3A9B45F206466FC47CCC753D30A35546E372D297FB947C99C67C315CF7E89F818900FA1F4532747DA7B2FE01FE59E13BC07FF0A0E6A9C7B132271F52FDE0E11C41AB7B9E07E92CBA2A8962AC0A4CCF1D0A58091FA819311752A5281A514F7AD0BD47F4710B712193311AC3A94839A3B917E71A633D26B1870C1D7EA74220AD33E2876D7B6394961B00CB307CB2C37416DC9E017C28BBAF8D9B795C47565FC2FFD8E9C2FC9B377C67F5BB8660E833E5148DE5D0E5EBF131D1CC56CBD32BC9EFE7
$ openssl rsa -in privkey2.pem -noout -modulus
Modulus=C4A33C0DD76C10B2B49DFD48727D6B55B1FB4730CD9398D2ED9BA54209403AF61815119A08EB60CD134B43487F5D3E994DBB0E47688113893F2D892EEB27F23E3A9B45F206466FC47CCC753D30A35546E372D297FB947C99C67C315CF7E89F818900FA1F4532747DA7B2FE01FE59E13BC07FF0A0E6A9C7B132271F52FDE0E11C41AB7B9E07E92CBA2A8962AC0A4CCF1D0A58091FA819311752A5281A514F7AD0BD47F4710B712193311AC3A94839A3B917E71A633D26B1870C1D7EA74220AD33E2876D7B6394961B00CB307CB2C37416DC9E017C28BBAF8D9B795C47565FC2FFD8E9C2FC9B377C67F5BB8660E833E5148DE5D0E5EBF131D1CC56CBD32BC9EFE7
View The Signer/Issuer of a Certificate
$ openssl x509 -in pubcert.pem -noout -issuer -issuer_hash
issuer=C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
a20a408a
Hint
Note that this command only gives you the entity that signed this certificate. It does NOT give you the root CA, since a certificate chain can contain many entities. To get to the root CA, you have to keep running this command on the “issuer” until you find a self-signed certificate (i.e. the “issuer” equals the “subject”).Find The Hash Value Of A Certificate
$ openssl x509 -hash -in pubcert.pem -noout
a20a408a
Run TLS/SSL Server / Client with OpenSSL
First use openssl s_server to start a TLS/SSL test server on port 8443:
$ openssl s_server -accept 8443 -cert pubcert.pem -key privkey.pem
Using default temp DH parameters
ACCEPT
Note
Non-root user should use port higher than 1024, otherwise will get following error:
140588109870400:error:0200600D:system library:bind:Permission denied:../crypto/bio/b_sock2.c:161:
140588109870400:error:20093075:BIO routines:BIO_bind:unable to bind socket:../crypto/bio/b_sock2.c:162:
If pubcert.pem and privkey.pem not match, you will get following error:
error setting private key
139659904341312:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x509/x509_cmp.c:299:
Then use openssl s_client to connect to test server on port 8443:
$ openssl s_client -connect localhost:8443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
verify return:1
---
Certificate chain
0 s:C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
i:C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDqzCCApOgAwIBAgIURWVosx4N45OHsogu3XH+XzIW7WowDQYJKoZIhvcNAQEL
BQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkZMMRAwDgYDVQQHDAdPcmxhbmRv
MRAwDgYDVQQKDAdGb28gTExDMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPd3d3LmV4
YW1wbGUuY29tMB4XDTIyMDIyNTAxMjI1OFoXDTIzMDIyNTAxMjI1OFowZTELMAkG
A1UEBhMCVVMxCzAJBgNVBAgMAkZMMRAwDgYDVQQHDAdPcmxhbmRvMRAwDgYDVQQK
DAdGb28gTExDMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxKM8DddsELK0nf1Icn1r
VbH7RzDNk5jS7ZulQglAOvYYFRGaCOtgzRNLQ0h/XT6ZTbsOR2iBE4k/LYku6yfy
PjqbRfIGRm/EfMx1PTCjVUbjctKX+5R8mcZ8MVz36J+BiQD6H0UydH2nsv4B/lnh
O8B/8KDmqcexMicfUv3g4RxBq3ueB+ksuiqJYqwKTM8dClgJH6gZMRdSpSgaUU96
0L1H9HELcSGTMRrDqUg5o7kX5xpjPSaxhwwdfqdCIK0z4odte2OUlhsAyzB8ssN0
FtyeAXwou6+Nm3lcR1Zfwv/Y6cL8mzd8Z/W7hmDoM+UUjeXQ5evxMdHMVsvTK8nv
5wIDAQABo1MwUTAdBgNVHQ4EFgQUd6ojiNbdBFbkXAgwNiHuSck7XEgwHwYDVR0j
BBgwFoAUd6ojiNbdBFbkXAgwNiHuSck7XEgwDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAZNvoERnZkIOPe7AUM27KrUnRXiv0Prr3/SGHI3dMkuqV
oGf5sZji+wkXlN+rWkP76+bwxjhv3jA569DdFdgysbQlmhDSXR8JuLY+J6nDTWfr
F22uzSyrnLX3OXOC97Wzgqm3mw6ANF4Ae2EQnSF7NveKPSU6HY7g+qUxypRbdM4Y
aUzttmn7SyYeOz3Oa018zjl8LrEjBTi4C426dTBAbGBpc9eFOHN4cadxrNxTRIIz
PqJEBKXGmjgvmtYxpK4sn1M9zuXJATIZWJMSDA1Vqkrs+QLsj/AO4efvmg/XzaaM
kNpbmiKHwWSDuljjMoCmb64iyeZhuhw2sqUjP08u0A==
-----END CERTIFICATE-----
subject=C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
issuer=C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1499 bytes and written 363 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 00B02A982394BB49CBB59489D250360FEB4CB7698FA063E79FFFE2D149E71B86
Session-ID-ctx:
Resumption PSK: 729D19E3DFA1C40143098ABE55DB1FEB2DA023C4344385D0871D5A52F61AD960A9DB482D5DCA1248B4607C81EF4E5415
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - f5 fe f2 bf 29 29 3b ec-1b c3 7b 2c f5 33 85 ee ....));...{,.3..
0010 - 4b 10 30 ae c3 2f df a1-79 d0 55 32 95 fc cb 1d K.0../..y.U2....
0020 - d6 5d 89 74 c8 9b 59 dc-95 5c e8 3e cf 04 7d b4 .].t..Y..\.>..}.
0030 - 39 63 be 3c 15 67 81 a9-b8 77 6a dd 1c 35 13 6d 9c.<.g...wj..5.m
0040 - b7 d6 36 e3 d6 c6 2b 47-e5 3e 8b 22 10 06 49 f0 ..6...+G.>."..I.
0050 - b8 f3 2f b1 60 25 e5 31-94 f1 bf dd ed 67 85 ce ../.`%.1.....g..
0060 - d9 34 6e 7c d9 6a 40 a1-67 b7 d6 73 f6 cf a3 2d .4n|.j@.g..s...-
0070 - 3e 86 9b d6 a4 ff 5d 6a-a1 f9 3d 1b 74 97 14 b5 >.....]j..=.t...
0080 - c4 82 fe 75 0f 29 28 7d-d1 23 72 90 3b 87 2e 97 ...u.)(}.#r.;...
0090 - cb 97 bf 79 99 20 fc d9-e4 7f 2e 82 0a d6 34 b3 ...y. ........4.
00a0 - 4e 81 92 9d 72 be 20 87-d2 dd 98 25 f2 6e fb b7 N...r. ....%.n..
00b0 - 7f 37 fd 8b e1 5a e1 f6-d1 62 39 70 70 ed ba 79 .7...Z...b9pp..y
Start Time: 1645755764
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: DAB883D6FFE06E83CCB3730949EFEC34EF2F30B84168FA7233B7B9B002DE6BDD
Session-ID-ctx:
Resumption PSK: A73F9311186AB1C0EA89C810775ACCD18B46B9CA3E93B3D3C4C077A646B5C95CE703ED39E4CC40725C0A8BEB1973BC86
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - f5 fe f2 bf 29 29 3b ec-1b c3 7b 2c f5 33 85 ee ....));...{,.3..
0010 - e8 18 b7 f7 b5 65 05 d4-05 9c 88 99 97 75 23 91 .....e.......u#.
0020 - 38 3e 83 65 0d 86 43 08-3d 8f fb b4 69 0f a4 e4 8>.e..C.=...i...
0030 - d8 0d 56 70 c4 ed 71 3b-25 0e 71 f7 db bd f3 14 ..Vp..q;%.q.....
0040 - 7b 26 07 c5 9e ef be 76-2c 40 2a a4 d5 19 a6 a7 {&.....v,@*.....
0050 - 23 bf 3f 88 d2 41 4d 70-c6 7a c8 ad 28 7c 4b 55 #.?..AMp.z..(|KU
0060 - 74 a9 30 f8 9e b1 a4 36-38 a1 69 a8 11 44 ce a8 t.0....68.i..D..
0070 - 06 7f ad 06 e6 32 1b 1e-d5 a8 8a f4 9a b2 be 3d .....2.........=
0080 - 06 71 56 c6 fa 31 cd c6-9e 74 a4 de 74 ae 02 c6 .qV..1...t..t...
0090 - 9e b8 c6 85 80 7c ae 28-ad d0 26 22 95 92 61 79 .....|.(..&"..ay
00a0 - 96 e4 e7 e7 39 4e 55 3b-31 f9 cd 36 ac ed 5c 8a ....9NU;1..6..\.
00b0 - c0 b6 2c 7b 0d 67 0d ba-01 2c a4 50 a0 62 84 f5 ..,{.g...,.P.b..
00c0 - 27 a6 73 74 e1 5b 31 02-f9 81 d9 cf 04 09 de e4 '.st.[1.........
Start Time: 1645755764
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Hello
After TLS/SSL connection established, send Hello to server.
In server side, it also output TLS/SSL handshake process, and then see Hello from client.
$ openssl s_server -accept 8443 -cert pubcert.pem -key privkey.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MH4CAQECAgMEBAITAgQgRNcxBBZoIQo4mQbsQRv7DwAadeE3rHqXOftKcd2u8mME
MKc/kxEYarHA6onIEHdazNGLRrnKPpOz08TAd6ZGtclc5wPtOeTMQHJcCovrGXO8
hqEGAgRiGD10ogQCAhwgpAYEBAEAAACuBwIFANB6X1w=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
Hello
openssl req help
$ openssl req -help
Usage: req [options]
Valid options are:
-help Display this summary
-inform PEM|DER Input format - DER or PEM
-outform PEM|DER Output format - DER or PEM
-in infile Input file
-out outfile Output file
-key val Private key to use
-keyform format Key file format
-pubkey Output public key
-new New request
-config infile Request template file
-keyout outfile File to send the key to
-passin val Private key password source
-passout val Output file pass phrase source
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-newkey val Specify as type:bits
-pkeyopt val Public key options as opt:value
-sigopt val Signature parameter in n:v form
-batch Do not ask anything during request generation
-newhdr Output "NEW" in the header lines
-modulus RSA modulus
-verify Verify signature on REQ
-nodes Don't encrypt the output key
-noout Do not output REQ
-verbose Verbose output
-utf8 Input characters are UTF8 (default ASCII)
-nameopt val Various certificate name options
-reqopt val Various request text options
-text Text form of request
-x509 Output a x509 structure instead of a cert request
(Required by some CA's)
-subj val Set or modify request subject
-subject Output the request's subject
-multivalue-rdn Enable support for multivalued RDNs
-days +int Number of days cert is valid for
-set_serial val Serial number to use
-addext val Additional cert extension key=value pair (may be given more than once)
-extensions val Cert extension section (override value in config file)
-reqexts val Request extension section (override value in config file)
-precert Add a poison extension (implies -new)
-* Any supported digest
-engine val Use engine, possibly a hardware device
-keygen_engine val Specify engine to be used for key generation operations
Related pages:
- Jailbreak iPhone 8 iOS 16.2 with palera1n and use frida dump to decrypt ipa
- Use frida and objection to penetration test iOS app security
- testssl.sh examples command line tool check server TLS/SSL (weak) ciphers and detect TLS/SSL vulnerabilities
- ECDSA signature verify in kotlin and Golang
- Test TLS Connection Ciphers TLS Version and Certificate with OpenSSL Command Line
- Running a DoH Client to encrypt all home DNS traffic
- Secure Squid Proxy Server
References
- openssl-req - PKCS#10 certificate request and certificate generating command
- openssl-x509 - Certificate display and signing command
- openssl-s_server - SSL/TLS server program
- openssl-s_client - SSL/TLS client program
OmniLock - Block / Hide App on iOS
Block distractive apps from appearing on the Home Screen and App Library, enhance your focus and reduce screen time.
DNS Firewall for iOS and Mac OS
Encrypted your DNS to protect your privacy and firewall to block phishing, malicious domains, block ads in all browsers and apps
Ad