OpenSSL and Keytool basics

OpenSSL

  • Create a self-signed certificate:
    
    # Generate a self-signed certificate and a new private key
    openssl req -x509 -days 1825 -nodes -newkey rsa:2048 -keyout KEY.key -out CERT.crt \
    -subj "/C=US/ST=Chicago/L=Town/O=Abc Inc/CN=example.com"
    
    # Generate a self-signed certificate using an existing private key
    openssl req -x509 -days 365 -key KEY.key -out CERT.crt \
    -subj "/C=US/O=IBM/CN=ibm.com"
    
    # Extract the public key from a private key
    openssl rsa -in myprivate.key -pubout > mypubkey.pub
    
    
  • Generate a certificate signing request (CSR):
    
    # Generate a CSR and create a new private key
    openssl req -new -nodes -newkey rsa:2048 -keyout NEW_KEY.key -out CERT.csr \
    -subj "/C=OM/ST=Muscat/L=Muscat/O=Abc/OU=IT/CN=abc.com/emailAddress=admin@abc.com"
    
    # Generate a CSR using an existing private key
    openssl req -new -key EXISTING_KEY.key -out CERT.csr \
    -subj "/C=OM/ST=Muscat/L=Muscat/O=Abc/OU=IT/CN=abc.com"
    
    # Inspect the CSR contents (subject, public key, requested extensions)
    openssl req -noout -text -in CERT.csr
    
  • Inspect a certificate (PEM, DER or PKCS#12):
    
    openssl x509 -in /tmp/mycert.pem -text -noout
    openssl x509 -inform der -in /tmp/mycert.cer -text -noout
    openssl pkcs12 -in /tmp/mycert.p12 -password pass:mypass -nokeys
    
    
  • Convert PEM to P12 / PFX:
    
    openssl pkcs12 -export -inkey cert.key -in cert.pem -out [cert.p12|cert.pfx] \
    [-password pass:pass1234 -name mycert]
    
    openssl pkcs12 -info -in cert.p12 -password pass:pass1234 -nokeys
    
    # P.S. To import CA certs along with the server cert into the p12,
    # first concatenate them into a single PEM file:
    cat cert.pem intermediate.pem root.pem > certs.pem
    
    
  • Verify the server certificate's expiry date and which client certificates it accepts:
    
    # Present a client certificate (for a .p12 bundle curl also needs --cert-type P12)
    curl -k -v --cert example.p12 --key example.pem https://example.com
    
    # List all certificates the server sends
    echo | openssl s_client -connect localhost:443 -showcerts
    
    # Show the validity dates of the server's SSL certificate
    echo | openssl s_client -connect localhost:443 2>/dev/null \
    | openssl x509 -noout -dates
    
    # Save the server's leaf certificate in DER form
    # (the s_client output is piped through x509 to extract and convert it)
    openssl s_client -showcerts -connect www.example.com:443 </dev/null 2>/dev/null \
    | openssl x509 -outform DER -out derp.der
    
    
  • Verify a CSR and private key:
    
    openssl req -noout -text -in www_mydomain_com.csr
    openssl rsa -in /tmp/mycert.key -check
    
    
  • Remove password from a private key:
    
    openssl rsa -in mykey.key -out mykey.key
    
    
  • Verify that a CSR, private key and certificate belong together:
    
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
    # P.S. The md5 hashes printed by all three commands must be identical;
    # if any differs, that file was generated from a different key.
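
    The same check as a script, added here as an example (not from the page): it compares the full PEM public key of each file (hashed with sha256) rather than only the RSA modulus, so it also works for EC keys. The file names are arguments supplied by the caller; `keymatch`, `pubkey_pem` and `pubkey_fp` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the page): confirm that a certificate, a private key
# and, optionally, a CSR all carry the same public key. It compares the whole
# PEM-encoded public key (hashed with sha256) instead of only the RSA modulus,
# so it also works for EC keys. File paths are arguments; none are real.

# Print the PEM public key held in a cert, key or CSR file.
pubkey_pem() {
    case "$1" in
        cert) openssl x509 -noout -pubkey -in "$2" 2>/dev/null ;;
        key)  openssl pkey -pubout -in "$2" 2>/dev/null ;;
        csr)  openssl req -noout -pubkey -in "$2" 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Fingerprint (sha256 hex) of that public key; fails if the file is unreadable.
pubkey_fp() {
    pem=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | sed 's/^.*= //'
}

# keymatch CERT KEY [CSR]: returns 0 when every public key matches, 1 otherwise.
keymatch() {
    cert_fp=$(pubkey_fp cert "$1") || { echo "cannot read certificate: $1" >&2; return 1; }
    key_fp=$(pubkey_fp key "$2")   || { echo "cannot read private key: $2" >&2; return 1; }
    if [ "$cert_fp" != "$key_fp" ]; then
        echo "MISMATCH: certificate and private key differ" >&2
        return 1
    fi
    if [ -n "$3" ]; then
        csr_fp=$(pubkey_fp csr "$3") || { echo "cannot read CSR: $3" >&2; return 1; }
        if [ "$cert_fp" != "$csr_fp" ]; then
            echo "MISMATCH: certificate and CSR differ" >&2
            return 1
        fi
    fi
    echo "OK: all files share public key $cert_fp"
}

# Stand-alone usage: ./keymatch.sh cert.crt private.key [request.csr]
if [ $# -ge 2 ]; then
    keymatch "$@"
fi
```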
    
    
  • Encode a username and password with base64:
    
    # Encode username:password as base64 (e.g. for an HTTP Basic Authorization header)
    echo -n 'admin:password' | openssl base64
    
    # Generate 32 random bytes and base64-encode them (44 characters of output)
    head -c 32 /dev/urandom | base64
    
    # Generate 20 random bytes and base64-encode them (28 characters of output)
    openssl rand -base64 20
    
    

Keytool:

  • Convert/import a p12 certificate into a JKS keystore:
    
    $JAVA_HOME/bin/keytool -importkeystore -srckeystore mycert.p12 -srcstoretype pkcs12 \
    -srcstorepass pass123 -destkeystore mykeystore.jks -deststorepass pass123 \
    [-deststoretype jks -alias mycert -destalias mycert]
    
    
  • Import a trusted intermediate or root chain certificate into a JKS keystore:
    
    $JAVA_HOME/bin/keytool -import -trustcacerts -alias intermediate \
    -file intermediate.cer -keystore mykeystore.jks -storepass pass123 -noprompt
    
    
  • List certificates in a keystore:
    
    $JAVA_HOME/bin/keytool -list -v -keystore mykeystore.jks -storepass pass123 [-alias root]
    
    
