openssl_command_line_troubleshooting
openssl_command_line_troubleshooting [2025/10/09 16:02] – created sgriggs | openssl_command_line_troubleshooting [2025/10/09 16:06] (current) – sgriggs | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | = OpenSSL Command-Line Cheat Sheet | + | ====== OpenSSL Command-Line Cheat Sheet ====== |
- | :author: Swift Griggs | + | |
- | :date: October 9, 2025 | + | |
- | :icons: font | + | |
- | :toc: left | + | |
- | :toclevels: 3 | + | |
- | : | + | |
- | : | + | |
- | This cheat sheet provides OpenSSL commands for inspecting, verifying, and managing SSL/TLS certificates and CA stores, with a focus on troubleshooting certificate verification issues (e.g., `unable to get local issuer certificate`) and configuring custom CA certificates on Oracle Linux systems. | + | **Author**: Swift Griggs |
+ | **Date**: October 9, 2025 | ||
- | == 1. Inspecting Certificates | + | This cheat sheet provides OpenSSL commands for inspecting, verifying, and managing SSL/TLS certificates and CA stores, with a focus on troubleshooting certificate verification issues (e.g., `unable to get local issuer certificate`) and configuring custom CA certificates on Oracle Linux (OEL) systems. |
+ | |||
+ | ===== 1. Inspecting Certificates | ||
Commands to view certificate details, useful for checking subjects, issuers, validity, and extensions. | Commands to view certificate details, useful for checking subjects, issuers, validity, and extensions. | ||
- | === 1.1 View Subject and Issuer | + | ==== 1.1 View Subject and Issuer |
Display the subject and issuer of a certificate file. | Display the subject and issuer of a certificate file. | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl x509 -in cert.pem -noout -subject -issuer | openssl x509 -in cert.pem -noout -subject -issuer | ||
- | ---- | + | </ |
- | * Example output: `subject=C=US, | + | |
+ | * **Example output**: `subject=C=US, | ||
+ | |||
+ | ==== 1.2 View Full Certificate Details ==== | ||
- | === 1.2 View Full Certificate Details | ||
Show all certificate details, including extensions (e.g., Basic Constraints, | Show all certificate details, including extensions (e.g., Basic Constraints, | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl x509 -in cert.pem -noout -text | openssl x509 -in cert.pem -noout -text | ||
- | ---- | + | </ |
- | * Use to check if a certificate is a CA (`CA:TRUE`) or self-signed (`subject = issuer`). | + | |
+ | | ||
+ | |||
+ | ==== 1.3 Check Certificate Validity Dates ==== | ||
- | === 1.3 Check Certificate Validity Dates | ||
Display the certificate' | Display the certificate' | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl x509 -in cert.pem -noout -dates | openssl x509 -in cert.pem -noout -dates | ||
- | ---- | + | </ |
- | * Example output: `notBefore=Jun 5 19:02:35 2018 GMT` | + | |
+ | * **Example output**: `notBefore=Jun 5 19:02:35 2018 GMT` | ||
+ | |||
+ | ==== 1.4 Get Certificate Fingerprint ==== | ||
- | === 1.4 Get Certificate Fingerprint | ||
Show the certificate' | Show the certificate' | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl x509 -in cert.pem -noout -fingerprint | openssl x509 -in cert.pem -noout -fingerprint | ||
- | ---- | + | </ |
- | * Useful for verifying if two certificates are identical. | + | |
+ | | ||
+ | |||
+ | ==== 1.5 Convert Certificate Format (DER to PEM) ==== | ||
- | === 1.5 Convert Certificate Format (DER to PEM) | ||
Convert a DER certificate to PEM format. | Convert a DER certificate to PEM format. | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl x509 -inform der -in cert.der -out cert.pem | openssl x509 -inform der -in cert.der -out cert.pem | ||
- | ---- | + | </ |
- | == 2. Verifying Certificates | + | ===== 2. Verifying Certificates |
Commands to verify certificates against a CA store or specific CA file, including chain validation. | Commands to verify certificates against a CA store or specific CA file, including chain validation. | ||
- | === 2.1 Verify Certificate Against System CA Store | + | ==== 2.1 Verify Certificate Against System CA Store ==== |
- | Verify a certificate using the system\u2019s CA store directory. | + | |
- | [source, | + | Verify a certificate using the system’s CA store directory. |
- | ---- | + | |
+ | <code bash> | ||
openssl verify -CApath / | openssl verify -CApath / | ||
- | ---- | + | </ |
- | * `-CApath`: Directory with hashed CA certificates. | + | |
- | * `-show_chain`: | + | * `-CApath`: Directory with hashed CA certificates. |
- | * Success: `cert.pem: OK` | + | * `-show_chain`: |
- | * Failure: `error 20 at 0 depth lookup: unable to get local issuer certificate` | + | * **Success**: `cert.pem: OK` |
+ | * **Failure**: `error 20 at 0 depth lookup: unable to get local issuer certificate` | ||
+ | |||
+ | ==== 2.2 Verify Certificate with Specific CA File ==== | ||
- | === 2.2 Verify Certificate with Specific CA File | ||
Verify a certificate using a specific CA bundle file. | Verify a certificate using a specific CA bundle file. | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl verify -CAfile / | openssl verify -CAfile / | ||
- | ---- | + | </ |
- | * Use when the CA store is a single file. | + | |
+ | | ||
+ | |||
+ | ==== 2.3 Verify with Intermediate CA ==== | ||
- | === 2.3 Verify with Intermediate CA | ||
Verify a certificate with an untrusted intermediate CA. | Verify a certificate with an untrusted intermediate CA. | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl verify -CApath / | openssl verify -CApath / | ||
- | ---- | + | </ |
- | * `-untrusted`: | + | |
+ | * `-untrusted`: | ||
+ | |||
+ | ==== 2.4 Verify with CRL Checking ==== | ||
- | === 2.4 Verify with CRL Checking | ||
Verify a certificate with Certificate Revocation List (CRL) checking. | Verify a certificate with Certificate Revocation List (CRL) checking. | ||
- | [source,bash] | + | < |
- | ---- | + | |
openssl verify -CApath / | openssl verify -CApath / | ||
- | ---- | + | </code> |
- | * Download CRL: `curl -o crl.pem | + | |
- | == 3. Managing CA Stores | + | * Download CRL: `curl -o crl.pem < |
- | Commands to locate and manage the system\u2019s CA trust store, especially for adding custom CAs. | + | ===== 3. Managing CA Stores ===== |
- | === 3.1 Find OpenSSL Configuration and CA Store | + | Commands to locate |
- | Show OpenSSL\u2019s configuration directory | + | |
- | [source, | + | ==== 3.1 Find OpenSSL Configuration and CA Store ==== |
- | ---- | + | |
+ | Show OpenSSL’s configuration directory and CA store location. | ||
+ | |||
+ | <code bash> | ||
openssl version -a | openssl version -a | ||
- | ---- | + | </ |
- | * Look for `OPENSSLDIR` (e.g., `/ | + | |
+ | * Look for `OPENSSLDIR` (e.g., `/ | ||
+ | |||
+ | ==== 3.2 List CA Store Contents ==== | ||
- | === 3.2 List CA Store Contents | ||
List certificates in the CA store directory. | List certificates in the CA store directory. | ||
- | [source,bash] | + | < |
- | ---- | + | ls -l / |
- | ls -l / | + | ls -l / |
- | ls -l / | + | </code> |
- | ---- | + | |
- | * Example: `ls -l / | + | |
- | === 3.3 Search for CA Certificate Files | + | * **Example**: |
- | Find certificate files containing a specific string (e.g., \u201cTestCo\u201d). | + | |
- | [source,bash] | + | ==== 3.3 Search for CA Certificate Files ==== |
- | ---- | + | |
+ | Find certificate files containing a specific string (e.g., “TestCo”). | ||
+ | |||
+ | <code bash> | ||
sudo find /etc -type f -name " | sudo find /etc -type f -name " | ||
sudo find /etc -type f -name " | sudo find /etc -type f -name " | ||
- | ---- | + | </ |
+ | |||
+ | ==== 3.4 Check CA Bundle Contents ==== | ||
- | === 3.4 Check CA Bundle Contents | ||
Inspect a CA bundle file for a specific CA. | Inspect a CA bundle file for a specific CA. | ||
- | [source,bash] | + | < |
- | ---- | + | openssl crl2pkcs7 -nocrl -certfile / |
- | openssl crl2pkcs7 -nocrl -certfile / | + | </code> |
- | ---- | + | |
- | * Example: `grep -i testco` | + | * **Example**: `grep -i testco` |
+ | |||
+ | ==== 3.5 Add Custom CA to Trust Store ==== | ||
- | === 3.5 Add Custom CA to Trust Store | + | Add a custom CA certificate to the system’s trust store (OEL10). |
- | Add a custom CA certificate to the system\u2019s | + | |
- | [source,bash] | + | < |
- | ---- | + | |
sudo cp custom_ca.crt / | sudo cp custom_ca.crt / | ||
sudo update-ca-trust | sudo update-ca-trust | ||
- | ---- | + | </ |
- | * Ensure `ca-certificates` package is installed: `sudo dnf install ca-certificates` | + | |
+ | * Ensure `ca-certificates` package is installed: `sudo dnf install ca-certificates` | ||
+ | |||
+ | ==== 3.6 Manually Hash CA Store ==== | ||
- | === 3.6 Manually Hash CA Store | ||
Hash certificates in the CA store directory for OpenSSL. | Hash certificates in the CA store directory for OpenSSL. | ||
- | [source,bash] | + | < |
- | ---- | + | |
sudo cp custom_ca.crt / | sudo cp custom_ca.crt / | ||
sudo c_rehash / | sudo c_rehash / | ||
- | ---- | + | </ |
- | * Creates hashed symlinks (e.g., `6ed01128.0`). | + | |
- | == 4. Troubleshooting Verification Issues | + | * Creates hashed symlinks (e.g., `6ed01128.0`). |
+ | |||
+ | ===== 4. Troubleshooting Verification Issues | ||
Commands to diagnose why certificate verification fails (e.g., `SSLCertVerificationError`). | Commands to diagnose why certificate verification fails (e.g., `SSLCertVerificationError`). | ||
- | === 4.1 Trace OpenSSL File Access | + | ==== 4.1 Trace OpenSSL File Access |
Identify which CA files OpenSSL reads during verification. | Identify which CA files OpenSSL reads during verification. | ||
- | [source,bash] | + | < |
- | ---- | + | |
strace -e open,openat openssl verify -CApath / | strace -e open,openat openssl verify -CApath / | ||
- | ---- | + | </ |
- | * Look for `openat` calls to files like `/ | + | |
+ | * Look for `openat` calls to files like `/ | ||
+ | |||
+ | ==== 4.2 Check Environment Variables ==== | ||
- | === 4.2 Check Environment Variables | ||
Verify if custom CA paths are set. | Verify if custom CA paths are set. | ||
- | [source,bash] | + | < |
- | ---- | + | |
echo $SSL_CERT_FILE | echo $SSL_CERT_FILE | ||
echo $SSL_CERT_DIR | echo $SSL_CERT_DIR | ||
- | ---- | + | </ |
- | * If set, these override the default CA store. | + | |
- | === 4.3 Test Server Certificate Chain | + | * If set, these override the default CA store. |
- | Extract and inspect a server\u2019s certificate chain (e.g., for proxy issues). | + | |
- | [source,bash] | + | ==== 4.3 Test Server Certificate Chain ==== |
- | ---- | + | |
+ | Extract and inspect a server’s certificate chain (e.g., for proxy issues). | ||
+ | |||
+ | <code bash> | ||
openssl s_client -connect < | openssl s_client -connect < | ||
- | openssl x509 -in server_certs.pem -noout -text | grep -i <name> | + | openssl x509 -in server_certs.pem -noout -text | grep -i testco |
- | ---- | + | </code> |
- | * Example: `openssl s_client -connect pki.testco.com: | + | |
+ | * **Example**: `openssl s_client -connect pki.testco.com: | ||
+ | |||
+ | ==== 4.4 Check OpenSSL Configuration ==== | ||
- | === 4.4 Check OpenSSL Configuration | ||
View the OpenSSL configuration file. | View the OpenSSL configuration file. | ||
- | [source,bash] | + | < |
- | ---- | + | |
sudo cat / | sudo cat / | ||
- | ---- | + | </code> |
- | * Check for CA paths (e.g., `dir = /etc/ | + | |
- | === 4.5 Check Crypto Policies | + | * Check for CA paths (e.g., `dir = /etc/pki/CA`). |
- | Verify FIPS or crypto policy settings | + | |
- | [source, | + | ==== 4.5 Check Crypto Policies ==== |
- | ---- | + | |
+ | Verify FIPS or crypto policy settings (OEL10). | ||
+ | |||
+ | <code bash> | ||
cat / | cat / | ||
- | ---- | + | </ |
- | * Adjust policy if needed: `sudo update-crypto-policies --set DEFAULT` | + | |
- | == 5. Application-Specific Fixes | + | * Adjust policy if needed: `sudo update-crypto-policies --set DEFAULT` |
+ | |||
+ | ===== 5. Application-Specific Fixes ===== | ||
Commands to address application issues (e.g., `pip` SSL errors). | Commands to address application issues (e.g., `pip` SSL errors). | ||
- | === 5.1 Fix `pip` SSL Verification | + | ==== 5.1 Fix `pip` SSL Verification |
Use a custom CA file or proxy for `pip`. | Use a custom CA file or proxy for `pip`. | ||
- | [source,bash] | + | < |
- | ---- | + | |
pip install --cert / | pip install --cert / | ||
export HTTPS_PROXY=" | export HTTPS_PROXY=" | ||
pip install --proxy http:// | pip install --proxy http:// | ||
- | ---- | + | </ |
+ | |||
+ | ==== 5.2 Temporary Trust for Testing ==== | ||
- | === 5.2 Temporary Trust for Testing | ||
Temporarily trust a CA file without modifying the system. | Temporarily trust a CA file without modifying the system. | ||
- | [source,bash] | + | < |
- | ---- | + | |
export SSL_CERT_FILE=custom_ca.crt | export SSL_CERT_FILE=custom_ca.crt | ||
openssl verify -CAfile custom_ca.crt cert.pem | openssl verify -CAfile custom_ca.crt cert.pem | ||
- | ---- | + | </ |
- | == Notes | + | ===== Notes ===== |
- | * **10 Specifics**: | + | |
- | * **FIPS Mode**: Ensure certificates use FIPS-compliant algorithms (e.g., SHA-256, RSA \u2265 2048 bits). | + | |
- | * **CRL Checking**: If CRLs are required, download from URLs in certificate extensions (e.g., `http:// | + | |
- | * **Permissions**: | + | |
+ | * **OEL10 Specifics**: | ||
+ | * **FIPS Mode**: Ensure certificates use FIPS-compliant algorithms (e.g., SHA-256, RSA ≥ 2048 bits). | ||
+ | * **CRL Checking**: If CRLs are required, download from URLs in certificate extensions (e.g., `http:// | ||
+ | * **Permissions**: |
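Review bot: in section 4.3 the new version replaces the `<name>` placeholder with a literal site value (`openssl x509 -in server_certs.pem -noout -text | grep -i testco`), which hard-codes one environment into the generic command block while the **Example** bullet directly beneath it already carries the concrete `pki.testco.com` case; keep `grep -i <name>` in the block and leave the concrete value in the example so the cheat sheet stays reusable. Minor: in 5.2, `export SSL_CERT_FILE=custom_ca.crt` uses a relative path, so any OpenSSL-backed process started from a different working directory will not find the file; an absolute path is safer for an environment variable that other processes inherit.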
openssl_command_line_troubleshooting.txt · Last modified: 2025/10/09 16:06 by sgriggs