OpenSSL: checking the validity of a p12 certificate

1. Checking the expiry date of a certificate in .p12 / .pfx format:

openssl pkcs12 -in testuser1.pfx -nokeys | openssl x509 -noout -enddate

If you want to specify the password on the command line, add -passin pass:"${pass}"

2. Exporting the key and certificate from .p12 / .pfx:

openssl pkcs12 -clcerts -nokeys -in myContainer.p12 -out usercert.pem
openssl pkcs12 -nocerts -in myContainer.p12 -out userkey.pem

3. Connecting to an HTTPS server using a client key:

openssl s_client -connect gmail.com:443 -cert usercert.pem -key userkey.pem
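
An added example (not from the original post) that turns the check in step 1 into a scriptable function: it passes the container password through an environment variable rather than a command-line argument, reports an unreadable container separately from an expiring certificate, and uses `openssl x509 -checkend` for the threshold. The function name `p12_check_expiry`, the variable `P12_PASS` and the 30-day default are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# p12_check_expiry FILE [DAYS]
#   The password is read from the environment variable P12_PASS (a name chosen
#   for this example), which keeps it out of the command-line arguments.
# Return codes: 0 = valid for more than DAYS days
#               1 = expired, or expiring within DAYS days
#               2 = container could not be read (wrong password, not PKCS#12)
p12_check_expiry() {
    local file=$1 days=${2:-30} pem
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Extract only the client certificate; no private key is output.
    # Checking the status here separates "bad container" from "bad certificate",
    # which the one-line pipeline reports as two stacked errors.
    if ! pem=$(openssl pkcs12 -in "$file" -nokeys -clcerts \
                   -passin env:P12_PASS 2>/dev/null); then
        echo "cannot open $file as PKCS#12 (wrong password or not a p12 file)" >&2
        return 2
    fi

    # Print subject and expiry date for the log.
    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate || return 2

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if printf '%s\n' "$pem" |
           openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
        return 0
    fi
    echo "certificate in $file expires within $days days" >&2
    return 1
}

# Run as a script: P12_PASS=... ./check.sh testuser1.pfx 14
if [ "$#" -gt 0 ]; then
    p12_check_expiry "$@"
fi
```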

2 thoughts on “OpenSSL: checking the validity of a p12 certificate”

  1. When I tried with the command:
    openssl pkcs12 -in key.p12 -nokeys | openssl x509 -noout -enddate

    it gives the following error:
    24453:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
    unable to load certificate
    24454:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

    • I don’t think your certificate is correctly formatted. I got similar problems when I saved an x509 certificate with Notepad to disk. Notepad created a BOM character in the beginning of the file and also incorrect line endings.
      This can be verified with vi by opening the x509 cert file with vi -b certfile.cer
      If you see strange xml-like chars in the very beginning of the file, that’s the BOM character and it can be safely deleted.

      If you see every line end with ^M then you have Windows newlines making the file's base64 encoding corrupted. You can substitute them with
      :%s/^M//g
      Please note that you press and hold the CTRL key and then you press V and M in succession; this will produce ^M.

      However, I couldn’t create a p12 bundle with the aforementioned issues with the cer-file. Did you rename your file to p12 or did you bundle it using the openssl cli-tool?

      You can create a p12 from:
      * chain file containing CA root cert + intermediate CA cert(s)
      * private key, starts with ##### BEGIN PRIVATE KEY #####
      * public key, starts with ##### BEGIN CERTIFICATE #####

      openssl pkcs12 -export -out outfile.p12 -inkey keyfile.key -in publicCert.cer -certfile chainCAcerts.crt
      You will be prompted to choose a password for the p12 file, please keep that safe yet retrievable.
