Saturday, December 11, 2021
OPENSSL MOST USEFUL COMMANDS IN PKI
Hello everyone! Welcome to another article by PKI404. In this article we will see the most common OpenSSL commands used for PFX and key files on Apache and other web servers. So let's start without further ado.
OPENSSL MOST USEFUL COMMANDS
1. To Generate CSR and Private key
1. openssl req -new -newkey rsa:2048 -sha256 -nodes -out domainname.csr -keyout privatekey.key
2. openssl req -new -newkey rsa:2048 -nodes -out domainname.csr -keyout privatekey.key
Generate CSR and Private key from one command
openssl req -new -newkey rsa:2048 -nodes -out domainname.csr -keyout privatekey.key -subj "/C=IN/ST=Delhi/L=New Delhi/O=PKI404/OU=PKI/CN=www.pki404.com"
2. To Generate CSR and Encrypted Private key
openssl req -new -newkey rsa:2048 -sha256 -out domainname.csr -keyout privatekey.key
3.Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
4.Convert DER to PEM
openssl x509 -inform der -in certificate.der -out certificate.pem
5.Convert PEM/CRT to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b -certfile CACert.crt
6.Convert P7B to PEM/CRT
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
7.Convert PEM/CRT & Private Key to PFX/P12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
8.Convert P7B to PFX: (first convert p7b to pem/crt from above commands then use below)
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
9.Convert PFX to PEM/CRT and Private Key
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
10.OpenSSL command to remove private key password
openssl rsa -in file.key -out newfile.key
11.Convert simple private key to RSA private key
openssl rsa -in normal.key -out newrsa.key
12.Create RSA Private Key from PFX (private key without any password)
openssl pkcs12 -in certificate.pfx -nocerts -nodes | openssl rsa -out newrsaprivatekey.key
13.View CSR contents
openssl req -in mycsr.csr -noout -text
14.View Certificate X509 contents (.cer/.crt/.pem files)
openssl x509 -in certificate.crt -text -noout
15.To Match private key, CSR and certificate (output of all three commands should be the same)
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in domaincertificate.cer -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
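The comparison in item 15 can be scripted so that a mismatch or an unreadable file is reported instead of being compared by eye. This is an added example, not part of the original post; the function names and the a.key/a.crt/a.csr/b.key files are constructed for the demo, and the private key is assumed to be unencrypted.

```shell
# Added example: check that a key, certificate and CSR share one public key.
# Assumes an unencrypted private key; all file names are placeholders.

# Print the SHA-256 of the PEM public key in file $2 (kind $1: key|cert|csr).
pubkey_hash() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # An empty result must never be hashed, or three unreadable files would "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if all three match, 1 on mismatch, 2 if a file cannot be parsed.
pki_match() {
    k=$(pubkey_hash key  "$1") || { echo "cannot read key: $1" >&2; return 2; }
    c=$(pubkey_hash cert "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    r=$(pubkey_hash csr  "$3") || { echo "cannot read CSR: $3" >&2; return 2; }
    [ "$k" = "$c" ] && [ "$k" = "$r" ]
}

# Build constructed sample material in directory $1: key a.key with its CSR and
# self-signed certificate (items 1 and 20 of this page), plus an unrelated b.key.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -out "$1/a.csr" -keyout "$1/a.key" 2>/dev/null &&
    openssl x509 -req -signkey "$1/a.key" -in "$1/a.csr" -days 1 \
        -out "$1/a.crt" 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

# Demo on the constructed material: a.key matches, b.key does not.
d=$(mktemp -d) && make_sample "$d" && {
    pki_match "$d/a.key" "$d/a.crt" "$d/a.csr" && echo "a.key: MATCH"
    pki_match "$d/b.key" "$d/a.crt" "$d/a.csr" || echo "b.key: MISMATCH"
}
rm -rf "$d"
```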
16.OpenSSL commands to print MD5 checksums of the certificate and key
openssl x509 -noout -modulus -in server.cer| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5
17.Check which certificate is installed on 443 or 8443 port on server
openssl s_client -connect localhost:443
To check a specific TLS version (1.1, 1.2 or 1.3), add -tls1_1, -tls1_2 or -tls1_3; connect to localhost or to the server name, e.g. www.pki404.com
openssl s_client -connect www.pki404.com:443 -tls1_2
18. Check installed SSL certificate on server with validity
openssl s_client -connect localhost:443 -showcerts | openssl x509 -noout -dates
19.Check SSL status without any CA issuer error
openssl s_client -connect localhost:443 -CApath /etc/ssl/certs/
20.Generate a Self-Signed Certificate from an Existing Private Key and CSR
openssl x509 -signkey private.key -in csrfilename.csr -req -days 365 -out certificate.crt
21.Generate a Self-Signed Certificate for 365 days
openssl req -newkey rsa:2048 -nodes -keyout newprivate.key -x509 -days 365 -out selfsigncertificate.crt
22.Generate a CSR for an Existing Certificate and Private Key
openssl x509 -x509toreq -in certificatename.crt -out csrfilename.csr -signkey privatekeyname.key
23.Encrypt an Unencrypted Private Key
openssl rsa -des3 -in unencryptedfilename.key -out encryptedfilename.key
24.Decrypt an Encrypted Private Key
openssl rsa -in encryptedfilename.key -out decryptedfilename.key
25.Generate ECC/ECDSA CSR
First Generate private key
openssl ecparam -out server.key -name prime256v1 -genkey
Next command to generate CSR using the private key
openssl req -new -key server.key -out server.csr -sha256
26.View PKCS12/pfx/p12 information
openssl pkcs12 -info -in filename.pfx
27.Check Private key status
openssl rsa -in privatekeyname.key -check
28.Check certificate public key fingerprint (public key SHA256 in Base64 format) for pinning, for RSA certificate
openssl x509 -in pki404rsa.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
For ECC/ECDSA
openssl x509 -in pki404ecc.crt -pubkey -noout | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
29.Check certificate hash
openssl x509 -noout -hash -in server.crt
30.Check certificate issuer hash
openssl x509 -noout -issuer -issuer_hash -in server.crt
31.Check openssl version
openssl version -a
32.Openssl encryption and decryption test with plain.txt cipher.txt
echo 'my message' > plain.txt
Encrypt plain text to cipher text
openssl enc -k yourpassword -aes256 -base64 -e -in plain.txt -out cipher.txt
cat cipher.txt
Decrypt cipher text to plain text
openssl enc -k yourpassword -aes256 -base64 -d -in cipher.txt -out plain.txt
cat plain.txt
That's all for this blog, see you in the next one. Do leave your comments if any more commands need to be added. :)