OpenSSL
Some useful OpenSSL commands
Generate cert / key stuff
Generate CSR and private key:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generate CSR from config file:
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = exemple.com
emailAddress = ssl@exemple.com
O = Societe
OU = Departement
L = Ville
ST = Etat
C = FR
[ req_ext ]
subjectAltName = DNS: www.exemple.com, DNS: mail.exemple.com, IP: 192.168.1.1
Then generate the CSR:
openssl req -new -config exemple.conf -key exemple.key -out exemple.csr
To verify a CSR:
openssl req -text -noout -verify -in exemple.csr
Sign CSR:
openssl x509 -req -days 360 -in sha1.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out sha1.crt -sha256
Generate self-signed cert:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate CSR for existing private key:
openssl req -out CSR.csr -key privateKey.key -new
Remove passphrase from private key (the output key file is unencrypted):
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Checking stuff
Get the content of a cert:
openssl x509 -noout -text -in yourcert.pem
Get the content of a p12 cert:
openssl pkcs12 -in yourcert.p12 -nodes | openssl x509 -noout -text
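Check that a key is consistent:
openssl rsa -check -noout -in myserver.key
RSA key ok
If it says OK, it's OK (wow, hard one!)
Check md5 of the key's modulus:
openssl rsa -modulus -noout -in myserver.key | openssl md5
To check the md5 of the modulus of the key in the certificate: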
openssl x509 -modulus -noout -in myserver.crt | openssl md5
And it should return the same as for the key.
Check that a cert is signed by the CA you think it is:
openssl verify -verbose -CAfile ca.pem yourcert.crt
Transformations
PKCS12 to PEM:
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
PEM to PKCS12:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out certificate.p12 -name "certificate"
PKCS12 to keystore:
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS