Support: Created page with "==== Convert a certificate file (.crt) to .pem ==== # openssl x509 -in cert.crt -outform pem -out cert.pem ==== Convert a certificate file and a private key with a CA cert..."

2017-05-09T18:16:40Z

Created page with "==== Convert a certificate file (.crt) to .pem ==== # openssl x509 -in cert.crt -outform pem -out cert.pem ==== Convert a certificate file and a private key with a CA cert..."

New page

==== Convert a certificate file (.crt) to .pem ====
# openssl x509 -in cert.crt -outform pem -out cert.pem

==== Convert a certificate file and a private key with a CA cert or intermediate bundle to PKCS#12 (.pfx .p12) ====
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

==== Convert a certificate file and a private key to PKCS#12 (.pfx .p12) ====
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

==== Convert a certificate file and a private key to PKCS#12 (.pfx .p12) with a friendlyName (used for Remedy cert) ====
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -name mycert

==== Convert a certificate file, or a CA cert, or an intermediate bundle to PKCS#12 (.pfx .p12) ====
# openssl pkcs12 -export -out certificate.pfx -nokeys -nodes -in certificate.crt

==== Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM ====
Note: you can add -nocerts to only output the private key or add -nokeys to only output the certificates
# openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

==== Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to separate .crt/.key files ====
# openssl pkcs12 -in keyStore.pfx -out keyStore.key -nocerts
# openssl pkcs12 -in keyStore.pfx -out keyStore.crt -nokeys

==== Convert a CRL/Certificate Revocation List file (.crl) to PEM (allows grep'ing for serial numbers) ====
# openssl crl -inform DER -text -in gds1-53.crl -out gds1-53.pem

==== Convert a OpenSSL >= 1.0 key file to a OpenSSL < 1.0 format key file ====
# openssl rsa -in privateKey.pem -des3 -out newPrivateKey.pem

==== Remove a passphrase from (or decrypt) a private key ====
# openssl rsa -in privateKey.pem -out newPrivateKey.pem

==== View expiry dates on a cert (works on most certs, .crt, .pem, etc.) ====
# openssl x509 -noout -dates -in certificate.crt

==== View URL/CN on a cert (works on most certs, .crt, .pem, etc.) ====
# openssl x509 -noout -subject -in certificate.crt

==== View a text dump of a cert's settings and configuration (works on most certs, .crt, .pem, etc.) ====
# openssl x509 -noout -text -in certificate.crt

==== View a text dump of a p7b cert ====
# openssl pkcs7 -text -noout -print_certs -in gd_iis_intermediates.p7b

==== View all ciphers available in the currently installed openssh ====
# openssl ciphers 'ALL:eNULL' | sed -e 's/:/n/g' | sort

==== View a cert bundle (file with many certs) ====
the problem with trying to query a cert bundle, openssl will only read the first cert in the bundle, so to query all of the certs, they would all need to be broken out into many files each containing only one of the certs from the bundle. But, here's how you can do that:
Note: you should do this in a temp dir/temp work area. ca-bundle.crt currently has approx. 170 certs, so this will gen approx. 170 files
SCRIPT:
# cat certsplit
F=$1
csplit -k -f $F -b '-%03d' -z $F '/END CERTIFICATE/+1' {*}
# ./certsplit ca-bundle.crt
# for C in ca-bundle.crt-* ; do echo $C ; openssl x509 -noout -subject -dates -in $C ; done
OR command line:
# F=ca-bundle.crt ; csplit -k -f $F -b '-%03d' -z $F '/END CERTIFICATE/+1' {*}
# for C in ca-bundle.crt-* ; do echo $C ; openssl x509 -noout -subject -dates -in $C ; done

==== Certificate Authority setup ====
A CA tree already exists on every system under /etc/pki/CA, to generate certs;
# /etc/pki/tls/misc/CA -?

Running the CA script with a modified openssl.cnf
# SSLEAY_CONFIG="-config /tmp/openssl.cnf" /etc/pki/tls/misc/CA -newca

Generating sha256 certs
Make a copy of openssl.cnf
openssl.cnf, set [ CA_default ] and [ req ] sections
75c75
< default_md = sha256 # use public key default MD
---
> default_md = default # use public key default MD
107c107
< default_md = sha256
---
> default_md = sha1

Change number of days
Make a copy of the CA script and openssl.cnf
openssl.cnf, set [ CA_default ] section
73c73
< default_days = 1825 # how long to certify for
---
> default_days = 365 # how long to certify for

CA, set CADAYS

64c64
< CADAYS="-days 1825" # 5 years
---
> CADAYS="-days 1095" # 3 years

==== Generating certs with extended attributes ====
Example for multiple DNS names (CN's)

1. make a copy of the openssl config file (the changes will be specific to this one new cert being generated)
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf-www

2. modify the new config file
# vi /etc/pki/tls/openssl.cnf-www
UNDER [ req ] section, uncomment/change;
# req_extensions = v3_req # The extensions to add to a certificate request
TO
req_extensions = v3_req # The extensions to add to a certificate request
UNDER [ v3_req ] section, add your extended attributes, add the following line;
subjectAltName = DNS:www.example.com, DNS:example.com

3. run a openssl cert generation command using the new config file
# openssl req -config /etc/pki/tls/openssl.cnf-www -utf8 -new -key www.example.com.key -out www.example.com.csr

==== Add / Remove Certs To / From a Keystore ====
Note : default passwords are "changeit" or "changeme", default alias is "mykey"
# keytool -import -file cert.crt -keystore keystorefilename -alias certalias
# keytool -delete -alias certalias -keystore keystorefilename

==== List Certs in a Keystore ====
# keytool -list -keystore keystorefilename
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry

somecertalias, Dec 6, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 8D:5F:25:16:F0:53:99:FF:35:64:9E:9B:1D:FC:27:FF

==== Export a Cert from a Keystore ====
Note : default passwords are "changeit" or "changeme", default alias is "mykey"
# keytool -export -alias certalias -file cert.crt -keystore keystorefilename
Example:
# keytool -export -alias ci-test-1 -file /tmp/ci-test.crt -keystore jssecacerts

Hint : check content of exported cert
# keytool -printcert -v -file star.example.com

==== Jar Signing ====
# jarsigner -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword jarfilenametosign.jar aliasinkeystoreforcertkey
OR with Date Stamp, "-tsa" = Time Stamp Authority (below -tsa option specific for Godaddy certs)
# jarsigner -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword -tsa [http://tsa.starfieldtech.com/] jarfilenametosign.jar aliasinkeystoreforcertkey
OR if proxy is required
# jarsigner -J-Dhttp.proxyHost=sc9-proxy.example.net -J-Dhttp.proxyPort=3128 -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword -tsa [http://tsa.starfieldtech.com/] jarfilenametosign.jar aliasinkeystoreforcertkey

updating: META-INF/MANIFEST.MF
adding: META-INF/PRODUCTI.SF
requesting a signature timestamp
TSA location: [http://tsa.starfieldtech.com/]
adding: META-INF/PRODUCTI.RSA
adding: org/
adding: org/openoces/
adding: org/openoces/opensign/
adding: org/openoces/opensign/client/
adding: org/openoces/opensign/client/applet/
adding: org/openoces/opensign/wrappers/microsoftcryptoapi/
signing: org/openoces/opensign/wrappers/microsoftcryptoapi/MicrosoftCryptoApi.class
signing: it-practice.license
signing: opensign.license
signing: opensign.version

==== Verify Jar Signing ====
# jarsigner -verify signedjarfilename.jar
jar verified.
OR for more info
# jarsigner -verify -verbose -certs signedjarfilename.jar

==== Troubleshooting ====

===== Test a ssl connection (https/imaps/pops/etc.s) =====
# openssl s_client -connect 163.120.170.50:443

===== TXT_DB error number 2 =====
failed to update database
TXT_DB error number 2
openssl command failed

The cert you are trying to generate was already generated and is already listed in index.txt (ca/db/index.txt), you can edit index.txt and remove the line for the cert you are trying to generate. You should only get this error if you have set up a CA, and you are signing certs under that CA.

===== unknown pbe algorithm: TYPE=PBES2 =====
unable to load private key
unknown pbe algorithm: TYPE=PBES2
pkcs12 algor cipherinit error
pkcs12 pbe crypt error
ASN1 lib
PEM lib

The key file was generated with openssl >= 1.0, a program built with OpenSSL < 1.0 fails to open the key file. OpenSSL >= 1.0 uses a different format for storing private keys and earlier versions are unable to open the file. Older versions are apparently able to open OpenSSL >= 1.0 key files which are not password protected. The key file needs to be converted to the pre OpenSSL >= 1.0 key file format.

Cert Mgmt - Revision history

Support: Created page with "==== Convert a certificate file (.crt) to .pem ==== # openssl x509 -in cert.crt -outform pem -out cert.pem ==== Convert a certificate file and a private key with a CA cert..."