Skip to content

Instantly share code, notes, and snippets.

@htcholdingsvn

htcholdingsvn/OpenSSL.md

Forked from mohanpedala/OpenSSL.md
Created June 8, 2018 06:21
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save htcholdingsvn/e838a66220a77f634541dc7e4225e6a9 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save htcholdingsvn/e838a66220a77f634541dc7e4225e6a9 to your computer and use it in GitHub Desktop.
Download ZIP
OpenSSL Working with SSL Certificates, Private Keys and CSRs
Raw
OpenSSL.md

Genereating a private key and a CSR(Certificate Signing Request )

Use this method if you want to use HTTPS (HTTP over TLS) to secure your Apache HTTP or Nginx web server, and you want to use a Certificate Authority (CA) to issue the SSL certificate. The CSR that is generated can be sent to a CA to request the issuance of a CA-signed SSL certificate. If your CA supports SHA-2, add the -sha256 option to sign the CSR with SHA-2.

Creating a 2048-bit private key (domain.key) and a CSR (domain.csr) from scratch:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Command Explanation:

  1. -newkey rsa: 2048 option specifies that the key should be 2048-bit, generated using the RSA algorithm.
  2. -nodes option specifies that the private key should not be encrypted with a pass phrase.
  3. -new option, which is not included here but implied, indicates that a CSR is being generated.

After running the above command answer the CSR information


Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
Organizational Unit Name (eg, section) []:Technology Division
Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
Email Address []:

Non interactively answer CSR

-subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"

Generate a CSR from an Existing Private Key

This command creates a new CSR (domain.csr) based on an existing private key (domain.key):

openssl req -key domain.key -new -out domain.csr

Answer the CSR information prompt to complete the process.

  1. -key option specifies an existing private key (domain.key) that will be used to generate a new CSR.
  2. -new option indicates that a CSR is being generated.

Generate a CSR from an Existing Certificate and Private Key

This command creates a new CSR (domain.csr) based on an existing certificate (domain.crt) and private key (domain.key):

openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr

The -x509toreq option specifies that you are using an X509 certificate to make a CSR.

Generating SSL Certificates

Generate a Self-Signed Certificate

This command creates a 2048-bit private key (domain.key) and a self-signed certificate (domain.crt) from scratch:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt

Answer the CSR information prompt to complete the process.

  1. -x509 option tells req to create a self-signed cerificate.
  2. -days 365 option specifies that the certificate will be valid for 365 days. A temporary CSR is generated to gather information to associate with the certificate.

Generate a Self-Signed Certificate from an Existing Private Key

This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key):

openssl req -key domain.key -new -x509 -days 365 -out domain.crt

Answer the CSR information prompt to complete the process.

  1. -x509 option tells req to create a self-signed cerificate.
  2. 365 option specifies that the certificate will be valid for 365 days.
  3. -new option enables the CSR information prompt.

Generate a Self-Signed Certificate from an Existing Private Key and CSR

This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key) and (domain.csr):

openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt

View Certificates

Certificate and CSR files are encoded in PEM format, which is not readily human-readable.

This section covers OpenSSL commands that will output the actual entries of PEM-encoded files.

View CSR Entries

This command allows you to view and verify the contents of a CSR (domain.csr) in plain text:

openssl req -text -noout -verify -in domain.csr

View Certificate Entries

This command allows you to view the contents of a certificate (domain.crt) in plain text:

openssl x509 -text -noout -in domain.crt

Verify a Certificate was Signed by a CA

Use this command to verify that a certificate (domain.crt) was signed by a specific CA certificate (ca.crt):

openssl verify -verbose -CAFile ca.crt domain.crt

Private Keys

This section covers OpenSSL commands that are specific to creating and verifying private keys.

Create a Private Key

Use this command to create a password-protected, 2048-bit private key (domain.key):

openssl genrsa -des3 -out domain.key 2048

Enter a password when prompted to complete the process.

Verify a Private Key

Use this command to check that a private key (domain.key) is a valid key:

openssl rsa -check -in domain.key

If your private key is encrypted, you will be prompted for its pass phrase. Upon success, the unencrypted key will be output on the terminal.

Verify a Private Key Matches a Certificate and CSR

Use these commands to verify if a private key (domain.key) matches a certificate (domain.crt) and CSR (domain.csr):


openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5

If the output of each command is identical there is an extremely high probability that the private key, certificate, and CSR are related.

Encrypt a Private Key

This takes an unencrypted private key (unencrypted.key) and outputs an encrypted version of it (encrypted.key):


openssl rsa -des3 -in unencrypted.key -out encrypted.key

Enter your desired pass phrase, to encrypt the private key with.

Decrypt a Private Key

This takes an encrypted private key (encrypted.key) and outputs a decrypted version of it (decrypted.key):

openssl rsa -in encrypted.key -out decrypted.key

Enter the pass phrase for the encrypted key when prompted.

Reference link

  • To Show the certificate

openssl s_client -connect example.com:443

  • Import a certificate
openssl s_client -connect example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.com.crt
  • If you face any issue (Ex: -bash: /dev/null : No such file or directory) try it in the below way
  1. Import the certificate
openssl s_client -connect example.com:443 > example.com.txt
  1. Check if the certificate is present or not
cat example.com.txt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
  1. Copy the certificate part to a .crt file
cat example.com.txt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee example.crt
  1. verify it
cat example.com.crt

Java keytool

Update keystore with a certificate

keytool  -import -file <cert_name>.cer -alias <alias_name_to_identify_inside_truststore.github.com> -keystore <trustorefile_name>

Delete keystore cert

keytool -delete -alias <alias_name_of_the_cert_in_keystore.github.com> -keystore <keystore_name>

List keystore

keytool -list -v -keystore <keystore_name>

Delete a certificate from a Java Keytool keystore

keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password

keytool -storepasswd -new new_storepass -keystore keystore.jks

Export a certificate from a keystore

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

Check a stand-alone certificate

keytool -printcert -v -file mydomain.crt

Generate a Java keystore and key pair

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Options
-storepass xxxxxx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment