Did you just find a thisserver.crt file on your machine and want to check the details of what it’s for? In other words, you have an SSL certificate that you want to decode.
You need to be on Linux and have OpenSSL installed. Then use the x509 module:
openssl x509 -text -in thisserver.crt
Today I learned something new about Firefox 3.6.17. I was migrating an SSL EV certificate from an IIS server onto a Virtual Server that is located on a KEMP LoadMaster. This test server on the LM is running a prototype/test site. Therefore, the domain name doesn’t match the domain name that the SSL cert was created for. This normally will create an SSL name mismatch error in the web browser. This error normally can then be bypassed by the user; this process is called a “Security Exception” in Firefox. I went to add this exception and found that Firefox wouldn’t allow me to add it. What’s interesting is that the exception window tells you that the identification of the certificate is so positive that there is no reason for you to add an exception.
This site provides valid, verified identification. There is no need to add an exception.
I think this is a good thing. It really helps make the EV certificates stronger and adds value to them. I guess I’ll go back to using a self-signed certificate for testing.
Oftentimes I’ll find myself needing to do tasks with SSL certificates using OpenSSL. I always need to look up the commands again and this takes time. I became determined to not allow that to happen again. This time I decided to write this quick cheat sheet of OpenSSL commands that I use often enough. If you see a command here and know of a better way to do it, please post a comment with that information for me.
Generate a private RSA key:
openssl genrsa -out host.key 1024
Generate a CSR (certificate signing request):
openssl req -new -nodes -key host.key -out host.csr
Note: Make sure that the CN (Common Name) is the FQDN of the site that this certificate is for.
Self Signed Certificate:
openssl x509 -req -days 30 -in host.csr -signkey host.key -out host.cert
View the details of a certificate:
openssl x509 -in filename.cert -noout -text
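The cheat-sheet commands chained into one non-interactive run and then checked, as an added example that is not from the original post. The function names and test.example.com are hypothetical, and the key is 2048 bits, an assumption that differs from the 1024 used in the cheat sheet.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed cert, then verify the result.
# Function names and the sample FQDN are hypothetical, not from the post.

# make_test_cert <fqdn> <outdir>: writes host.key, host.csr and host.cert
make_test_cert() {
    fqdn=$1; dir=$2
    # 2048-bit key (assumption; the cheat sheet uses 1024)
    openssl genrsa -out "$dir/host.key" 2048 2>/dev/null &&
    # -subj supplies the CN up front so req does not prompt; CN is the site FQDN
    openssl req -new -key "$dir/host.key" -subj "/CN=$fqdn" \
        -out "$dir/host.csr" &&
    openssl x509 -req -days 30 -in "$dir/host.csr" \
        -signkey "$dir/host.key" -out "$dir/host.cert" 2>/dev/null
}

# cert_cn <cert>: print the subject CN (handles "/CN=x" and "CN = x" output)
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_matches_key <cert> <key>: true when both carry the same RSA modulus
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 2
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# cert_is_self_signed <cert>: true when issuer and subject are identical
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# Demo run in a throwaway directory
work=$(mktemp -d)
make_test_cert test.example.com "$work"
echo "CN: $(cert_cn "$work/host.cert")"
cert_matches_key "$work/host.cert" "$work/host.key" && echo "key matches cert"
cert_is_self_signed "$work/host.cert" && echo "self-signed"
openssl x509 -in "$work/host.cert" -noout -enddate
rm -rf "$work"
```

The modulus comparison is the quick way to confirm which key file belongs to a certificate before moving the pair to another server.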