Some frequently used SSL commands

Some frequently used SSL commands

Generate a new private key and matching Certificate Signing Request (eg to send to a commercial CA)

openssl req -out MYCSR.csr -pubkey -new -keyout MYKEY.key

Generate a certificate siging request for an existing private key

openssl req -out MYCSR.csr -key MYKEY.key -new

Generate a certificate signing request based on an existing x509 certificate

openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key

Create self-signed certificate (can be used to sign other certificates)

openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365

Sign a Certificate Signing Request

openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365

Oneliner selfsign for apache

openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -subj \'/C=US/ST=NC/L=Asheville/O=PEAKOX/CN=zenteric.com\' -keyout /etc/httpd/pki/tls/private/zenteric.key -out /etc/httpd/pki/tls/certs/zenteric.crt

Convert DER (.crt .cer .der) to PEM

openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

Convert PEM to DER

openssl x509 -outform der -in MYCERT.pem -out MYCERT.der

Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes

Add -nocerts for private key only; add -nokeys for certificates only
Aonvert (add) a seperate key and certificate to a new keystore of type PKCS#12

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat"

Convert (add) a seperate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain

Check a private key

openssl rsa -in MYKEY.key -check

Add -noout to not disclose the key
check a Certificate Signing Request

openssl req -text -noout -verify -in MYCSR.csr

Check a certificate

openssl x509 -in MYCERT.crt -text -noout

Check a PKCS#12 keystore

openssl pkcs12 -info -in KEYSTORE.p12

Check a trust chain of a certificate

openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt

Trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
to check for server usage: -purpose sslserver
to check for client usage: -purpose sslient
Check if public key matches the private key

openssl rsa -in MYKEY.key -modulus -noout | openssl md5; / 
openssl x509 -in MYCERT.crt -modulus -noout | openssl md5

This should return the same two md5-hashes

Zenteric

Do not SSH and drive

[Lvl 42 Human]