Tuesday, July 20, 2021
Most common commands for openssl keytool sapgenpse orapki
Hello everyone! Welcome to another article by PKI404. In this article we will look at the most common commands used in openssl for PFX and key files on Apache and IIS web servers, keytool for Java-based servers such as JBoss and Tomcat, sapgenpse for SAP servers, and orapki for Oracle Wallet Manager. So let's start without further ado.
Most Common Openssl Commands
To Generate CSR and Private key
openssl req -new -newkey rsa:2048 -sha256 -nodes -out domainname.csr -keyout privatekey.key
Convert PEM to DER:
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert DER to PEM:
openssl x509 -inform der -in certificate.der -out certificate.pem
Convert PEM/CRT to P7B:
openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b -certfile CACert.crt
Convert P7B to PEM/CRT:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
Convert PEM/CRT & Private Key to PFX/P12:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert P7B to PFX: (first convert p7b to pem/crt from above commands then use below)
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
Convert PFX to PEM/CRT and Private Key
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
OpenSSL command to remove a private key password, or to convert a simple private key to an RSA private key:
openssl rsa -in file.key -out newfile.key
Create RSA Private Key from PFX (private key without any password)
openssl pkcs12 -in certificate.pfx -nocerts -nodes | openssl rsa -out newrsaprivatekey.key
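A way to inspect a PFX built with the commands above before deploying it, added here as an example and not taken from the original article: the password is read from an environment variable with -passin env:NAME, and the decrypted key only passes through a pipe. The function names, passphrases, subject names and temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. All files are constructed test data.

# SHA-256 of the public key of the private key (key) or leaf certificate (cert)
# stored in a PFX. The password comes from the environment variable named in $3;
# the decrypted key is piped to the next command and never written to a file.
pfx_pub() {  # usage: pfx_pub key|cert FILE ENVVAR
    case "$1" in
        key)  pem=$(openssl pkcs12 -in "$2" -passin "env:$3" -nocerts -nodes 2>/dev/null |
                    openssl pkey -pubout 2>/dev/null) ;;
        cert) pem=$(openssl pkcs12 -in "$2" -passin "env:$3" -clcerts -nokeys 2>/dev/null |
                    openssl x509 -pubkey -noout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1      # wrong password or unreadable file
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# Exit 0 only if the PFX opens and its key belongs to its leaf certificate.
pfx_check() {  # usage: pfx_check FILE ENVVAR
    k=$(pfx_pub key "$1" "$2")  || return 1
    c=$(pfx_pub cert "$1" "$2") || return 1
    [ "$k" = "$c" ]
}

# Number of certificates (leaf plus chain) carried in the PFX.
pfx_cert_count() {  # usage: pfx_cert_count FILE ENVVAR
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo: a throwaway "CA" and leaf, bundled like the PEM-to-PFX command above.
dir=$(mktemp -d)
PFX_PASS='constructed-demo-passphrase'; BAD_PASS='wrong'; export PFX_PASS BAD_PASS
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/CACert.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$dir/privateKey.key" -out "$dir/certificate.crt" 2>/dev/null
openssl pkcs12 -export -out "$dir/certificate.pfx" -inkey "$dir/privateKey.key" \
    -in "$dir/certificate.crt" -certfile "$dir/CACert.crt" -passout env:PFX_PASS

pfx_check "$dir/certificate.pfx" PFX_PASS &&
    echo "PFX ok, certificates: $(pfx_cert_count "$dir/certificate.pfx" PFX_PASS)"
pfx_check "$dir/certificate.pfx" BAD_PASS || echo "PFX rejected with wrong password"
```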
To View CSR contents
openssl req -in mycsr.csr -noout -text
To view X509 certificate contents (.cer/.crt/.pem files)
openssl x509 -in certificate.crt -text -noout
To Match private key, CSR and certificate (output of all three commands should be the same)
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in domaincertificate.cer -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
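The three-way match above as a runnable check, added here as an example and not part of the original article. It uses the same three openssl commands, fails closed when a file cannot be read, and reports an unrelated key as a mismatch; the function names, the CN and the temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the key / CSR / certificate match from the three commands above.
# Function names and all generated files are constructed for this demonstration.

# Print the SHA-256 of the public key held in a private key, CSR or certificate.
pub_hash() {  # usage: pub_hash key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout -outform pem 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -pubkey -noout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable file must fail here; otherwise three empty outputs would
    # all hash to the same value and look like a match.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# Exit 0 only when key, CSR and certificate all carry the same public key.
keys_match() {  # usage: keys_match KEY CSR CERT
    k=$(pub_hash key "$1")  || return 1
    r=$(pub_hash csr "$2")  || return 1
    c=$(pub_hash cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed test material: key A with its CSR and certificate, plus an
# unrelated key B that must be reported as a mismatch.
tmp=$(mktemp -d)
openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=demo.example" \
    -out "$tmp/a.csr" -keyout "$tmp/a.key" 2>/dev/null
openssl x509 -req -in "$tmp/a.csr" -signkey "$tmp/a.key" -days 1 \
    -out "$tmp/a.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$tmp/b.key" 2>/dev/null

keys_match "$tmp/a.key" "$tmp/a.csr" "$tmp/a.crt" && echo "a.key: match"
keys_match "$tmp/b.key" "$tmp/a.csr" "$tmp/a.crt" || echo "b.key: MISMATCH"
```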
OpenSSL commands to print the MD5 checksums of the certificate and key modulus
openssl x509 -noout -modulus -in server.cer | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
Most Common Java Keytool Commands
Generate a Java keystore and key pair:
keytool -genkey -alias mydomainname -keyalg RSA -keystore keystorefilename.jks -keysize 2048
Generate a certificate signing request (CSR) for an existing Java keystore:
keytool -certreq -alias mydomainname -keystore keystorefilename.jks -file mydomainname.csr
Generate a keystore and self-signed certificate:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystorefilename.jks -storepass password -validity 360 -keysize 2048
Certificate import commands for a keystore: (.crt and .cer are the same; .pem can also be used)
Import a root CA certificate to an existing Java keystore:
keytool -import -trustcacerts -alias root -file root.cer -keystore keystorefilename.jks
Import an intermediate CA certificate to an existing Java keystore:
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystorefilename.jks
Import a signed SSL primary certificate to an existing Java keystore:
keytool -import -trustcacerts -alias mydomainname -file mydomainname.crt -keystore keystorefilename.jks
Java Keytool Commands for Conversion:
If you need to change the type of keystore.
PFX keystore to JKS keystore:
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS
JKS keystore to PFX keystore:
keytool -importkeystore -srckeystore myjksfile.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore newpfxkeystore.pfx
To view JKS Java keystore contents
keytool -v -list -keystore keystorefilename.jks
For only alias names and entries
keytool -list -keystore keystorefilename.jks
Other Java Keytool Commands:
Delete a certificate from a Java Keytool keystore:
keytool -delete -alias mydomainname -keystore keystorefilename.jks
Change a Java keystore password:
keytool -storepasswd -new newstorepass -keystore keystorefilename.jks
Export a certificate from a keystore:
keytool -export -alias mydomainname -file mydomain.crt -keystore keystorefilename.jks
List Trusted CA Certs:
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Import New CA into Trusted Certs:
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias mydomain -keystore $JAVA_HOME/jre/lib/security/cacerts
Most Common Sapgenpse commands
Create server PSE and certificate request using the following commands
sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
For example:
sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req "CN=Fully Qualified Domain Name, OU=dept. name, O=Organizational Name, SP=State and Province value, L=Locality value, C=ISO country code value"
Import Certificate Using SAPGENPSE
sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>
sapgenpse Commands for Conversion:
SAPGENPSE command to import a PFX file into a PSE:
sapgenpse import_p12 -r intermediate.crt -r root.crt -p SAPSSLS.pse certificate.pfx
SAPGENPSE command to export a PFX file from a PSE:
sapgenpse export_p12 -p D:\usr\sap\ABC\PKI404\sec\filename.pse D:\usr\sap\ABC\PKI404\sec\newfilename.p12
Most Common commands for ORAPKI-OHS
ORACLE EWALLET(OHS)
Create an auto-login wallet and use the wallet:
orapki wallet create -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -auto_login -pwd Oracle123
Create a self-signed certificate:
orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN= www.pki404.com, OU=IT, O=PKI404 PVT LTD, L=New Delhi, ST=Delhi, C=IN" -keysize 2048 -pwd Oracle123 -validity 365
Export the CSR from the wallet:
Command:
orapki wallet export -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN= www.pki404.com, OU=IT, O=PKI404 PVT LTD, L=New Delhi, ST=Delhi, C=IN" -request C:\Oracle\Middleware\ssl\ohs\filename.csr
Import CA Inter, CA Root, brownbag (ohs) certificates into the wallet
Command:
orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -trusted_cert -cert C:\Oracle\Middleware\ssl\CAInter.pem
Command:
orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -trusted_cert -cert C:\Oracle\Middleware\ssl\CARoot.pem
Command:
orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -user_cert -cert C:\Oracle\Middleware\ssl\ohs\pki404.pem
Using the jks file let us create a wallet:
Create an empty wallet with auto login:
C:\Oracle\Middleware\oracle_common\bin\orapki wallet create -wallet C:\Oracle\Middleware\ssl -auto_login -pwd Oracle123
Convert the jks to a wallet:
C:\Oracle\Middleware\oracle_common\bin\orapki wallet jks_to_pkcs12 -wallet C:\Oracle\Middleware\ssl\eWallet -pwd Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -jkspwd Oracle123
Stay tuned for more blogs :) Any suggestions are welcome on our social handles and in the comment section.