Scripts und so
The box of SSL tricks
Validating keys, certs, and requests
First up, the one I use most.
When I deal with manually issued certificates (as opposed to LE (LetsEncrypt)),
I like to have a directory named after the domain, with the files inside following the same naming scheme.
So for theod.gay, the directory tree would look like:
theod.gay
|- theod.gay.crt
|- theod.gay.key
|- theod.gay.csr
(Remember that committing plaintext private keys to your git repo or IaC is bad.)
Now, to sanity-check that the key I generated, the request (csr) I generated,
and the certificate I got back actually all belong together, I use the following
(run from inside the domain directory, so that the directory name gives the file prefix):
DOM=${PWD##*/}
echo -n "key: "; openssl rsa  -noout -modulus -in "$DOM.key" | openssl md5
echo -n "req: "; openssl req  -noout -modulus -in "$DOM.csr" | openssl md5
echo -n "crt: "; openssl x509 -noout -modulus -in "$DOM.crt" | openssl md5
The modulus is the main part of an RSA public key (the other part being the public exponent),
and that public key is embedded in every file derived from the private key: the key file itself,
the CSR, and the certificate issued from it. If the three moduli are identical, the three files belong together.
Since a modulus is quite long (512 hex characters for a 2048-bit key), I pipe it through md5 to get a
short string I can compare by eye; any hash works here, since it is only used for comparison, not for security.
Note that -modulus only exists for RSA. For EC keys, compare the public keys instead
(openssl pkey -pubout for the key, openssl req -pubkey and openssl x509 -pubkey for the csr and crt).
You can of course also modify this to use globs to find the files in the current working directory.
However, this has caused me great pain in the past, because I sometimes end up with a $DOM-ca.crt
that also matches the glob, which makes the script confused and sad.
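The same check as a reusable shell function, added here as an example and not the script from this page. Instead of the RSA modulus it compares a SHA-256 fingerprint of the public key extracted from each file, so it works for EC and Ed25519 keys as well as RSA, and it uses explicit file names rather than a glob, so a stray <domain>-ca.crt is never mistaken for the leaf certificate (if one is present, it is used to verify the chain instead). The file layout <dir>/<domain>.key, .csr, .crt and optional <domain>-ca.crt is assumed to follow the tree above.

```sh
#!/bin/sh
# Added example (not the blog's own script): check that <dom>.key, <dom>.csr
# and <dom>.crt in a directory all carry the same public key.
# Assumed layout: <dir>/<dom>.key, <dir>/<dom>.csr, <dir>/<dom>.crt,
# and optionally <dir>/<dom>-ca.crt, where <dom> is the directory's basename.

# pubkey_fp FILE TYPE: print a SHA-256 fingerprint of the PEM public key held
# in FILE. TYPE is key, csr or crt. Returns non-zero if FILE cannot be parsed.
# Comparing the public key (not the RSA modulus) also covers EC/Ed25519 keys.
pubkey_fp() {
    case "$2" in
        key) pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    # `openssl dgst` prints "SHA256(stdin)= <hex>"; keep only the hex part.
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_cert_set [DIR]: DIR defaults to the current directory; the domain name
# is DIR's basename, the same trick as ${PWD##*/} in the one-liner above.
# Prints one fingerprint per file and returns 0 only if all three match
# (and, when <dom>-ca.crt exists, the certificate also verifies against it).
check_cert_set() {
    dir=${1:-.}
    dom=$(cd "$dir" && printf '%s\n' "${PWD##*/}")
    # Explicit names, no globbing: a <dom>-ca.crt next to the files can never
    # be picked up as the leaf certificate.
    k=$(pubkey_fp "$dir/$dom.key" key) || { echo "key: cannot read $dom.key"; return 1; }
    r=$(pubkey_fp "$dir/$dom.csr" csr) || { echo "csr: cannot read $dom.csr"; return 1; }
    c=$(pubkey_fp "$dir/$dom.crt" crt) || { echo "crt: cannot read $dom.crt"; return 1; }
    printf 'key: %s\ncsr: %s\ncrt: %s\n' "$k" "$r" "$c"
    if [ "$k" != "$r" ] || [ "$k" != "$c" ]; then
        echo "MISMATCH: $dom.key, $dom.csr and $dom.crt do not share a public key"
        return 1
    fi
    # Optional: a CA bundle beside the files is used for a chain check,
    # which is what that file is for, rather than being confused with the leaf.
    if [ -f "$dir/$dom-ca.crt" ]; then
        openssl verify -CAfile "$dir/$dom-ca.crt" "$dir/$dom.crt" || return 1
    fi
    echo "OK: $dom.key, $dom.csr and $dom.crt belong together"
}

# Usage: check_cert_set [DIR]; with no argument, run it from inside the
# domain directory just like the one-liner. Run as a script with a path:
if [ "$#" -gt 0 ]; then
    check_cert_set "$1"
fi
```

The function exits non-zero on a mismatch, so it can be dropped into a deploy script or a pre-commit hook and fail the run before a mismatched certificate is ever installed.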