Ping a Specific Port

Question

David Mackintosh

Asked: 2009-06-24 16:36:51 +0800 CST2009-06-24 16:36:51 +0800 CST 2009-06-24 16:36:51 +0800 CST

Get contents from old .CSR

772

At one of my new customer sites, I have a SSL certificate which is about to expire. I've been notified by my provider of expiry. The previous admin was pretty detailed and I've located the .CSR which was used to request the about-to-expire certificate.

However, this host is a debian host, and I've confirmed that the .CSR was generated when Debian was suffering from the OpenSSL random number generation issue.

So. Now that I've updated OpenSSL on my debian host, I presume I have to regenerate the .CSR for the renewal. Is there a way to find out what values were used in the .CSR I have, to ensure that the new .CSR is consistant?

7 Answers

Voted

Mark · Answer 1 · 2009-06-24T17:00:10+08:00

Best Answer

Mark

2009-06-24T17:00:10+08:002009-06-24T17:00:10+08:00

Try this:

openssl req -in file.csr -noout -text

6

Dan Carley · Answer 2 · 2009-06-24T22:56:58+08:00

Dan Carley

2009-06-24T22:56:58+08:002009-06-24T22:56:58+08:00

For future reference, you don't even need the original CSR.

You can create a new request from the existing x509 certificate.

openssl x509 -x509toreq -in file.crt -signkey file.key -out file.csr

As a general rule nearly all of the OpenSSL commands support the flags correctly answered by others.

-noout -text

Which simply prevent PEM output and display human readable content instead.

3

David Pashley · Answer 3 · 2009-06-24T23:02:45+08:00

David Pashley

2009-06-24T23:02:45+08:002009-06-24T23:02:45+08:00

If the key was generated on a Debian or Ubuntu server while openssl had a broken random number generator, you must regenerate the key. Do not just generate a new CSR from the old key. You are still vunerable. Once you have a new key, you can create a new CSR with the right values.

3

MikeyB · Answer 4 · 2009-06-24T17:03:34+08:00

MikeyB

2009-06-24T17:03:34+08:002009-06-24T17:03:34+08:00

openssl req -text -noout -in FILENAME.csr

should do the trick.

1

cstamas · Answer 5 · 2009-06-25T01:49:08+08:00

cstamas

2009-06-25T01:49:08+08:002009-06-25T01:49:08+08:00

I completely agree with David Pashley (but i have something to add...).

The keys itself are vulnerable not the csr! There is no point in regenerating the csr you have to regenerate you keys!

Most CA will not even accept signing requests associated with these "compromised" keys.

And here are some useful links:

replacing your keys: Debian key rollover
There was a very good Debconf7 presentation on this topic (site seems down atm.)

1

KPWINC · Answer 6 · 2009-06-24T20:07:16+08:00

KPWINC

2009-06-24T20:07:16+08:002009-06-24T20:07:16+08:00

Depending on EXACTLY what you're trying to do here but if we're talking a regular SSL certificate used with web servers sometimes the simple solution is to just pull up the site (https://www.mywebsite.com) and look at the properties of the certificate there.

Right click the "lock" in the browser while its in HTTPS/SSL mode and you should be able to see pretty much all the values entered.

Hope this helps.

0

Jason Tan · Answer 7 · 2009-06-25T07:20:41+08:00

Jason Tan

2009-06-25T07:20:41+08:002009-06-25T07:20:41+08:00

You can also probably work out what info was put into the original CSR by examining the current cert:

openssl x509 -in <certfile> -text -noout

0

Get contents from old .CSR

Ping a Specific Port

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What's the command-line utility in Windows to do a reverse DNS look-up?

How to check if a port is blocked on a Windows machine?

What port should I open to allow remote desktop?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?