OpenSSL/OpenVPN

Check certificate

$ openssl x509 -in /etc/openssl/mycertificate.crt -noout -text

Check the chain

$ openssl verify -verbose -CAfile /etc/openssl/ca.crt /etc/openssl/mycertificate.crt

Get the fingerprint

SHA1

$ openssl x509 -in /path/to/ca.crt -fingerprint -noout

SHA256

$ openssl x509 -in /path/to/ca.crt -fingerprint -noout -sha256

Check pair public/private keys

To check that a private key and a certificate belong to the same key pair, compare their moduli (this applies to RSA keys). The two values must be identical:

# openssl rsa -noout -modulus -in /path/to/private-key.pem
Modulus=AE98BE3952449FA2CCF4E72F802B459C21158B63DC6DC6B1FFEF119BADDE2116313436AA9226E811A005EF5E6C7338B3DC57C84AEF3D4858D02ABF9EE62779118309C2E0FF04A33331692E31BE3D25A9D2BA24699A66C8686CF03A5A8D7A1D69EC4716AA30AC4B60B70E8D31A037E06B9C30A3A396F90E56B79F5400C2EE16AD940D5060CD160F3F0B0CCD5EE55EED4DE329E39699066EED257D47826015C5997E46C7685FDD226CABCF7E6A42114C0CFFC8901BD0CC93AE8030116BC7003C84D079AACC40EFC67A7838B36ACE94568BDCAD62FD09B58F6CAF0285D61DFB9B1C3C93DB1FB5F412B11DCF7AB4B0051835D477B9B07FD2096571422DBC5F050947
# openssl x509 -noout -modulus -in /path/to/public-key.pem
Modulus=AE98BE3952449FA2CCF4E72F802B459C21158B63DC6DC6B1FFEF119BADDE2116313436AA9226E811A005EF5E6C7338B3DC57C84AEF3D4858D02ABF9EE62779118309C2E0FF04A33331692E31BE3D25A9D2BA24699A66C8686CF03A5A8D7A1D69EC4716AA30AC4B60B70E8D31A037E06B9C30A3A396F90E56B79F5400C2EE16AD940D5060CD160F3F0B0CCD5EE55EED4DE329E39699066EED257D47826015C5997E46C7685FDD226CABCF7E6A42114C0CFFC8901BD0CC93AE8030116BC7003C84D079AACC40EFC67A7838B36ACE94568BDCAD62FD09B58F6CAF0285D61DFB9B1C3C93DB1FB5F412B11DCF7AB4B0051835D477B9B07FD2096571422DBC5F050947
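The modulus comparison above only works for RSA keys. As an added example (not part of the original page), the script below goes beyond it by comparing a SHA-256 digest of the public key extracted from each file, which also covers EC keys. The function names are hypothetical and the throwaway keys and certificates it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample keys are constructed.

# SHA-256 of the public key (SPKI, PEM form) derived from a private key file.
key_spki_digest() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same digest for the public key embedded in a certificate.
cert_spki_digest() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
          openssl pkey -pubin -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    k=$(key_spki_digest "$1") || { echo "cannot read key: $1" >&2; return 2; }
    c=$(cert_spki_digest "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    [ "$k" = "$c" ]
}

# Write constructed throwaway RSA and EC key/certificate pairs into directory $1.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-rsa" \
        -keyout "$1/rsa.key" -out "$1/rsa.crt" 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/ec.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ec.key" -days 1 -subj "/CN=constructed-ec" \
        -out "$1/ec.crt" 2>/dev/null
}

report() {
    if key_matches_cert "$1" "$2"; then echo "match:    $1 $2"
    else echo "MISMATCH: $1 $2"; fi
}

demo() {
    d=$(mktemp -d) || return 1
    if make_samples "$d"; then
        report "$d/rsa.key" "$d/rsa.crt"
        report "$d/ec.key" "$d/ec.crt"
        report "$d/rsa.key" "$d/ec.crt"   # deliberately mismatched pair
    fi
    rm -rf "$d"
}
demo
```

Comparing digests also keeps the full modulus out of terminal scrollback and logs. A passphrase-protected key makes openssl prompt for the passphrase.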

OpenVPN

Generate new client certificate

Generate a new private key and certificate request (easyrsa prompts for a passphrase to protect the key):

$ cd /etc/openvpn/easy-rsa
$ ./easyrsa gen-req client1

You will have two files:

/etc/openvpn/easy-rsa/pki/private/client1.key
/etc/openvpn/easy-rsa/pki/reqs/client1.req

Now, we can generate the certificate signed by our CA:

$ ./easyrsa sign-req client client1

The signed certificate (CRT file) is written to: /etc/openvpn/easy-rsa/pki/issued/

You can check the certificate:

$ openssl verify -verbose -CAfile /etc/openvpn/ca.crt /etc/openvpn/easy-rsa/pki/issued/client1.crt