Questions tagged [openssl]

OpenSSL: The Open Source Toolkit for SSL and TLS

OpenSSL is an open source project which develops software for Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1), as well as being a full-strength general purpose cryptography library.

OpenSSL provides both a library (for use within your own program), and a series of command line tools for common tasks.

1601 questions
22 votes, 4 answers

How do I import an RSA SSH key into GPG as the _primary_ private key?

I currently have a SSH key that I've used for a while and I'd like to start using GnuPG with a new keyring. However, given that I've used my key for ages, I would like to still use that key in GPG as the main/primary key. I've tried importing the…
SineSwiper
22 votes, 4 answers

How to create an SSL certificate for more than one subdomain?

I'm running a server "myserver.net", which has the subdomains "a.myserver.net" and "b.myserver.net". When creating (self-signed) SSL certificates, I have to create one for every subdomain, containing the FQDN, even though those subdomains are just…
polemon
20 votes, 1 answer

What does verify return:1 mean in the openssl output

I don't understand the openssl output. Running openssl as follows: #openssl s_client -connect google.com:443 -CAfile cacert.pem < /dev/null Ultimately all is well in that the end entity's cert was verified OK: Verify return code: 0 (ok) but what…
jouell
20 votes, 6 answers

How to view certificate chain using openssl

I use a mixture of Windows, Linux, and Macs and have noticed big differences in how each OS shows certificate details using the default tools available in each. The way Windows displays certificate details is very succinct. Specifically, the…
KFM
19 votes, 1 answer

Does Heartbleed affect AWS Elastic Load Balancer?

The Heartbleed OpenSSL vulnerability (http://heartbleed.com/) affects OpenSSL 1.0.1 through 1.0.1f (inclusive). I use Amazon Elastic Load Balancer to terminate my SSL connections. Is ELB vulnerable?
secretmike
19 votes, 2 answers

Does it matter where the CSR and key files for SSL certification are generated?

I have to create a CSR for a wildcard SSL certificate. Some FAQs from SSL providers say that I should generate the CSR file on the machine where I want to install the certificate? My understanding is that it should not matter where I generate the…
Jan Deinhard
17 votes, 1 answer

Why is my SSL certificate untrusted on Android?

The SSL certificate is trusted on most Desktop computers, but only some Android devices. However, even on Android devices where the certificate is untrusted, the root certificate is installed. I must have tried a hundred ways of resolving this…
magnus
17 votes, 1 answer

OpenSSL: genrsa vs genpkey?

Why does OpenSSL provide two utilities with so much overlap genpkey: OpenSSL> genpkey - Usage: genpkey [options] where options may be -out file output file -outform X output format (DER or PEM) -pass arg output file pass…
Evan Carroll
16 votes, 3 answers

Why is Internet Explorer 11 unable to connect to HTTPS sites when TLS 1.2 is enabled?

Normally I don't use Internet Explorer at all. I use it only in design time for interface tests (development machine and with unencrypted http). Every week I run the SSL Labs server test which says IE11 is able to access my sites. Today I discovered…
burnersk
16 votes, 1 answer

PEM File "CERTIFICATE" vs "PUBLIC KEY"

I have a PEM file that looks like: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- which I can convert to another PEM file using: openssl x509 -in key.crt -pubkey -noout. The new PEM file now looks like: -----BEGIN PUBLIC…
Alex Rothberg
16 votes, 4 answers

How do I specify subjectAltName in the openssl cli?

I'm generating a self-signed SSL cert: $ openssl req -x509 -newkey rsa:2048 -subj 'CN=example.com' I'd like to specify a subjectAltName also at creation time, but I cannot find info in the openssl manpage on how to do this.
Travis J Webb
16 votes, 3 answers

Understanding the output of openssl s_client

Ever since our email provider changed their SSL certificate, a POP3 client based on mono refuses to connect to their secure POP server to download emails. Other clients do not have an issue; e.g. Thunderbird and Outlook; neither does most SSL…
jobu1324
16 votes, 2 answers

How to add extended key usage string when generating a self-signed certificate using openssl

I'm using openssl on Mac OS X 10.9 to generate a self-signed certificate for Windows Server Remote Desktop Services. Using the command below I can generate the certificate, openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout…
joshu
16 votes, 5 answers

Can I use the same wildcard certification for *.domain.com and domain.com

You can make an SSL certificate by using *.domain.com as the name. But unfortunately, this doesn't cover https://domain.com. Is there any fix for this?
Unknown
16 votes, 2 answers

Can MS Certificate Services be a Subordinate to CA created with OpenSSL

I want to set up an enterprise certification authority for my domain. So I can issue certificates for various purposes. I would like to follow the best practice of having an offline CA as the root, and set up my enterprise CA as a subordinate. But…
Zoredache