OpenSSL basics

self-signed certificate:


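# Generate a self-signed certificate and a new private key
# -nodes leaves KEY.key unencrypted on disk (OpenSSL 3 also accepts -noenc),
# so keep its file mode restrictive.
openssl req -x509 -days 1825 -nodes -newkey rsa:2048 -keyout KEY.key \
-out CERT.crt -subj "/C=US/ST=Chicago/L=Town/O=Abc Inc/CN=example.com"
chmod 600 KEY.key

# Generate a self-signed certificate using existing private key
openssl req -x509 -days 365 -key KEY.key -out CERT.crt -subj "/C=US/O=IBM/CN=ibm.com"

# Create a public key
# -out is preferred over a shell redirect: a redirect truncates mypubkey.pub
# before openssl even runs, so a failed command leaves an empty file behind.
openssl rsa -in myprivate.key -pubout -out mypubkey.pub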

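## List certificates (self-signed or CA-signed; x509 does not care which)
openssl x509 -text -noout -in /tmp/mycert.pem
openssl x509 -inform der -text -noout -in /tmp/mycert.cer   # -noout: don't re-print the PEM after the dump
# -password pass:... is visible in the process list and the shell history;
# -password env:VARNAME or -password stdin keep it out of both.
openssl pkcs12 -in /tmp/mycert.p12 -password pass:mypass -nokeys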

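## Create a CA-signed certificate (not self-signed: the CA key signs the CSR)
openssl genrsa -out user1.key 2048
openssl req -new -key user1.key -out user1.csr -subj "/CN=User1/O=development"
# sudo is only needed to read the root-owned CA key; note that user1.crt is then
# written as root too. -CAcreateserial creates the serial file on first use.
sudo openssl x509 -req -in user1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user1.crt -days 45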

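# Create a CA key and a self-signed CA certificate, then sign a client certificate with it
openssl genrsa -out ca.key 2048                                     # create a private key
openssl req -new -key ca.key -out ca.csr -subj "/CN=Kubernetes-CA"  # create a certificate sign request
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt            # self-sign the CA certificate (default validity is 30 days; add -days N)

openssl genrsa -out admin.key 2048
openssl req -new -key admin.key -out admin.csr -subj "/CN=kube-admin/O=system:masters"
# Option names are case-sensitive: it is -CAkey, not -CAKey. -CAcreateserial is
# required the first time this CA signs anything, otherwise x509 aborts because
# the serial file does not exist yet. Default validity is again 30 days.
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt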

Certificate signing request (CSR):

# CSR plus a fresh, unencrypted 2048-bit RSA key in a single step
openssl req -new -newkey rsa:2048 -nodes \
-keyout NEW_KEY.key -out CERT.csr \
-subj "/C=OM/ST=Muscat/L=Muscat/O=Abc/OU=IT/CN=abc.com/emailAddress=admin@abc.com"

# Same thing, but with the key generated separately beforehand
openssl genrsa -out MYKEY.key 2048            # the private key
openssl req -new -out CERT.csr -key MYKEY.key \
-subj "/C=OM/ST=Muscat/L=Muscat/O=Abc/OU=IT/CN=abc.com"

# Dump the CSR contents without re-printing the PEM
openssl req -in CERT.csr -text -noout

Verify CSR, Certificate and Private key:


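## Verify CSR, private key and certificate belong together (the three digests must be identical)
# Any digest works for this comparison; sha256 is used so the commands also run
# on builds where md5 is unavailable (e.g. FIPS-restricted OpenSSL).
openssl req -noout -modulus -in CSR.csr | openssl sha256 | cut -d' ' -f2
openssl rsa -noout -modulus -in MYKEY.key | openssl sha256 | cut -d' ' -f2
openssl x509 -noout -modulus -in CERT.crt | openssl sha256 | cut -d' ' -f2

## List CSR and private key
openssl req -noout -text -in www_mydomain_com.csr   # List CSR
openssl rsa -check -in /tmp/mycert.key              # List and check private key
openssl x509 -noout -text -in /tmp/mycert.pem       # List certificate

## Remove password from private key
# Write to a new file rather than overwriting the input, so a failure (wrong
# passphrase, typo) cannot damage the only copy. The result is an unencrypted
# key: restrict its mode and store it accordingly.
openssl rsa -in mykey.key -out mykey.nopass.key     # output name is just an example
chmod 600 mykey.nopass.key

# Verify cert and chain
openssl verify -verbose -x509_strict -CAfile ca.pem -CApath . cert.pem
## List the certificate that was just verified
openssl x509 -noout -text -in cert.pem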

pfx | p12:


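## Verify pk12 or pfx cert (-info writes the bag details to stderr; the pipe only sees the PEM and x509 dumps the first cert)
openssl pkcs12 -info -nodes -in cert.pfx  | openssl x509 -noout -text

## Convert pem to p12|pfx format
# -password pass:... ends up in the process list and the shell history;
# -password env:VARNAME or -password stdin keep it out of both.
openssl pkcs12 -export -inkey cert.key -in cert.pem -out [cert.p12|cert.pfx] [-password pass:pass1234 -name mycert]
openssl pkcs12 -info -in cert.p12 -password pass:pass1234 -nokeys

## Convert pfx to pem (-nodes: the exported private key is written unencrypted)
openssl pkcs12 -in CertificateBundle.p12 -out CertificateBundle.pem -nodes

## Export private key and certificate and CA chain from pfx
openssl pkcs12 -nodes -nocerts -in cert.pfx -out cert.key     # Export private key (unencrypted)
openssl pkcs12 -nokeys -clcerts -in cert.pfx -out cert.pem    # Export certificate
openssl pkcs12 -nokeys -cacerts -in cert.pfx -out ca.pem      # Export ca certificate chain

## Verify cert and chain
openssl rsa -in cert.key -check             # List private key
openssl x509 -in cert.pem -text -noout      # List certificate
openssl x509 -in ca.pem -text -noout        # List CA
openssl verify -verbose -x509_strict -CAfile ca.pem -CApath . cert.pem

## To import CA certs along with server cert into p12, create a single pem file as
# Order matters in the chain file: cert.pem first, then intermediate.pem, and root.pem last.
cat cert.pem intermediate.pem root.pem > ca.pem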

Verify server certificate expiry date and accepted client certificates:


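# Present a client certificate and check the server certificate in the same call.
# No -k: with verification disabled curl accepts an expired or mismatched server
# cert, which defeats the point of an expiry check. --cert-type P12 tells curl the
# cert file is PKCS#12; the key inside the .p12 is used, --key is only for a separate key file.
curl -v --cert-type P12 --cert example.p12 --key example.pem https://example.com

# List all server certs
echo|openssl s_client -connect localhost:443 -showcerts
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -text -noout

# Show expiry dates of server SSL certificate
# 2>/dev/null, not "2&>": "2&> /dev/null" sends stdout AND stderr to /dev/null,
# so nothing reaches the x509 stage and it fails on empty input.
echo|openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -dates -noout

# Save the server's SSL certificate
# "echo |" closes stdin so s_client exits instead of waiting for input, and x509
# strips the s_client chatter -- the raw s_client output is neither DER nor clean PEM.
echo | openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -outform der -out cert.der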

base64:

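# Encode username and password using base64 (an encoding, not encryption: anyone can decode it)
echo -n 'admin:password' | base64                 # Encode data (-n: no trailing newline in the input)
echo "YWRtaW46cGFzc3dvcmQ=" | base64 --decode     # Decode data

# Generate a random 32-byte key (44 chars once base64-encoded)
head -c 32 /dev/urandom | base64

# Generate 20 random bytes as a base64 string (28 chars long)
openssl rand -base64 20

# Decode the CA certificate embedded in the kubeconfig
# awk takes the second whitespace-separated field, so this works however deeply the
# key is indented; cut -d " " -f 6 only worked for one exact number of leading spaces.
grep certificate-authority-data ~/.kube/config | \
awk '{print $2}' | base64 -d > ca.pem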

keytool:


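## List certificates in a keystore
# keytool lives in $JAVA_HOME/bin, the same path the commands below use.
$JAVA_HOME/bin/keytool -list -v -keystore mykeystore.jks -storepass pass123 -noprompt [-alias root]

## Convert/Import p12 certificate into JKS keystore
# Passwords given as -storepass/-srcstorepass are visible in the process list and
# shell history; keytool also accepts -storepass:env VARNAME and -storepass:file FILE.
$JAVA_HOME/bin/keytool -importkeystore -srckeystore mycert.p12 \
-srcstoretype pkcs12 -srcstorepass pass123 -destkeystore mykeystore.jks \
-deststorepass pass123 [-deststoretype jks -alias mycert -destalias mycert]

## Import trusted Intermediate or Root chain certificate into JKS keystore
$JAVA_HOME/bin/keytool -import -trustcacerts -alias intermediate \
-file intermediate.cer -keystore mykeystore.jks -storepass pass123 -noprompt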

References: