2011-01-06

OpenSSL Security - Often used commands

Commonly used file extensions



  • csr - Certificate Signing Request

  • cer, cert, pem - Public Key and/or Certificate (BASE64 encoded)

  • der - Public Key and/or Certificate (binary encoded)

  • key - Private Key

  • p12, pkcs12, pfx - Container for private keys and/or certificates/public keys

  • jks - Container for private keys and/or certificates/public keys (Java)



PEM files operations


Export public key from PEM file:
openssl rsa -in test_privkey.pem -out test_publkey.pem -outform PEM -pubout
PEM <-> DER:
openssl x509 -in apilia.der -outform PEM -out apilia.pem -inform der [-text]
openssl x509 -in apilia.pem -outform DER -out apilia.der

PKCS#12 files operations


List PKCS#12 entries
openssl pkcs12 -info -in apilia.p12
P12 <-> PEM conversion:
openssl pkcs12 -in apilia.p12 -out apilia.pem
openssl pkcs12 -export -in apilia.pem -inkey apilia.key -out apilia.p12

Encryption/Decryption


Encrypt with the public key taken from a certificate:
openssl rsautl -encrypt -certin -inkey apilia.pem -in a.txt -out b.txt
Base64-encode the ciphertext:
openssl base64 -in b.txt -out c.txt
Encrypt with a public key file:
openssl rsautl -encrypt -inkey apilia.pem -pubin -in message.txt -out message.ssl
Decrypt with the private key:
openssl rsautl -decrypt -inkey apilia.key -in message.ssl -out decrypted.txt
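RSA on its own, as used by rsautl above, can only encrypt a message shorter than the modulus (245 bytes for a 2048-bit key with the default PKCS#1 v1.5 padding), and rsautl is deprecated in OpenSSL 3.0 in favour of pkeyutl. The script below is an added example, not part of the original notes: it shows where the direct-encryption limit sits and the usual hybrid pattern, where a random session key encrypts the file and RSA only wraps that session key. The key pair, file names, sizes and the HMAC step are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): the RSA size limit and
# a hybrid encrypt/decrypt round trip using only the openssl CLI.
# All paths and sizes are made up; a throwaway key pair is generated on the fly.
set -eu

W=$(mktemp -d)

# Fresh 2048-bit RSA key pair; pkeyutl is the non-deprecated successor of rsautl.
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$W/priv.pem" 2>/dev/null
  openssl pkey -in "$W/priv.pem" -pubout -out "$W/pub.pem"
}

# Try to RSA-encrypt N bytes directly with PKCS#1 v1.5 padding (rsautl's default).
# Prints "ok" or "too-large". For a 2048-bit key the ceiling is 256 - 11 = 245 bytes.
rsa_direct() {
  head -c "$1" /dev/zero > "$W/msg.bin"
  if openssl pkeyutl -encrypt -pubin -inkey "$W/pub.pem" \
       -in "$W/msg.bin" -out "$W/msg.enc" 2>/dev/null; then
    echo ok
  else
    echo too-large
  fi
}

# Hybrid scheme: a random 256-bit session key encrypts the file with AES-256-CBC,
# an HMAC tag covers the ciphertext (openssl enc has no built-in integrity check),
# and only the session key goes through RSA, with OAEP padding.
# Prints "same" on a clean round trip, "bad-tag" if the ciphertext was altered.
hybrid_roundtrip() {
  head -c 100000 /dev/urandom > "$W/big.bin"          # constructed 100 kB payload
  openssl rand -hex 32 > "$W/session.key"
  # Sender side
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$W/session.key" \
    -in "$W/big.bin" -out "$W/big.enc"
  openssl dgst -sha256 -hmac "$(cat "$W/session.key")" < "$W/big.enc" > "$W/big.tag"
  openssl pkeyutl -encrypt -pubin -inkey "$W/pub.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$W/session.key" -out "$W/session.key.enc"
  rm "$W/session.key"                                  # only the wrapped copy travels
  # Receiver side: unwrap, verify the tag before decrypting, then decrypt
  openssl pkeyutl -decrypt -inkey "$W/priv.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$W/session.key.enc" -out "$W/session.key"
  openssl dgst -sha256 -hmac "$(cat "$W/session.key")" < "$W/big.enc" \
    | cmp -s - "$W/big.tag" || { echo bad-tag; return 0; }
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$W/session.key" \
    -in "$W/big.enc" -out "$W/big.dec"
  cmp -s "$W/big.bin" "$W/big.dec" && echo same || echo differ
}

gen_keypair
echo "245 bytes direct: $(rsa_direct 245)"   # ok
echo "246 bytes direct: $(rsa_direct 246)"   # too-large
echo "hybrid round trip: $(hybrid_roundtrip)" # same
```

The HMAC is keyed with the same session key that enc derives its AES key from via PBKDF2, which is acceptable for a demo; in production use an AEAD mode or a dedicated MAC key.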

Certificate management


create self-signed certificate:
openssl req -x509 -new -out apilia.pem -keyout apilia.key -days 365 -subj "/CN=Jakub Marciniak/O=APILIA/C=PL/L=POZNAN/emailAddress=jakub.marciniak@apilia.pl"
Generate a certificate signing request based on an existing x509 certificate
openssl x509 -x509toreq -in apilia.pem -out apilia.csr -signkey apilia.key
Sign a Certificate Signing Request
openssl x509 -req -in apilia.csr -CA apilia.pem -CAkey apilia.key -CAcreateserial -out apilia_signed.crt -days 365

Generate simple key and certificate
openssl req -new -text -x509 -subj "/CN=Jakub Marciniak/O=Apilia/C=PL/L=POZNAN/emailAddress=jakub.marciniak@apilia.pl" -keyout apilia.key -out apilia.pem
Generate a new private key and matching Certificate Signing Request (e.g. to send to a commercial CA)
openssl req -out apilia.csr -pubkey -new -keyout apilia.key -subj "/CN=Jakub Marciniak3/O=Apilia/C=PL/L=POZNAN/emailAddress=jakub.marciniak@apilia.pl"
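The PEM/DER, PKCS#12 and certificate commands from the sections above, joined into one runnable script as an added example that is not part of the original notes: it creates a throwaway CA, issues a certificate from a CSR, checks that the certificate chains to the CA and that the private key matches it, and then does the PEM/DER and PKCS#12 round trips. The working directory, file names, subjects and the PKCS#12 password are made-up values; keys are written unencrypted (-nodes) only because this is a demo.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a small PKI round trip
# using only the openssl CLI. Every file name, subject and password is made up.
set -eu

WORK=$(mktemp -d)

# 1. Self-signed CA certificate plus its key.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Root CA/O=Example/C=PL" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Fresh key and CSR for the end entity (what you would send to a CA).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=demo.example/O=Example/C=PL" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. The CA signs the CSR; -CAcreateserial writes ca.srl next to the CA cert.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/server.pem" 2>/dev/null
}

# Chain check: prints "OK" when server.pem validates against ca.pem.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" 2>/dev/null | sed 's/.*: //'
}

# Key/cert pairing check: same RSA modulus in both files -> "match".
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$WORK/server.pem" | openssl sha256)
  k=$(openssl rsa  -noout -modulus -in "$WORK/server.key" 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# PEM -> DER -> PEM; the SHA-256 fingerprint must survive the round trip -> "same".
der_roundtrip() {
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.der"
  openssl x509 -in "$WORK/server.der" -inform DER -outform PEM -out "$WORK/server2.pem"
  a=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/server.pem")
  b=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/server2.pem")
  [ "$a" = "$b" ] && echo same || echo differ
}

# Bundle key + cert + CA into PKCS#12, unpack it again, and count the certificates
# that come back (server + CA = 2).
bundle_p12() {
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca.pem" -name demo -passout pass:demo-pass -out "$WORK/server.p12"
  openssl pkcs12 -in "$WORK/server.p12" -passin pass:demo-pass -nodes \
    -out "$WORK/unpacked.pem" 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$WORK/unpacked.pem"
}

make_ca; make_csr; sign_csr
echo "chain:        $(verify_chain)"       # OK
echo "key/cert:     $(key_matches_cert)"   # match
echo "der roundtrip: $(der_roundtrip)"     # same
echo "p12 certs:    $(bundle_p12)"         # 2
```

Comparing fingerprints rather than the files themselves keeps the DER check independent of how a given OpenSSL version lays out PEM text; the modulus comparison is the quickest way to spot a key that does not belong to the certificate you are about to deploy.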

Base64 encoding:


openssl base64 -in file.bin -out file.b64
openssl base64 -d -in file.b64 -out file.bin

Keytool


Generate key
keytool -genkey -alias test -storetype JKS -keystore keystore.jks
keytool -genkey -dname "CN=Jakub Marciniak, OU=Apilia, O=Apilia, L=Poznan, S=Poznan, C=PL" -alias validator -keyalg RSA -keypass qwerty -storepass qwerty -keystore keystore.jks

Generate Certificate Signing Request
keytool -certreq -alias test -file cert.csr -storepass 1234567 -keypass 123456 -keystore keystore.jks -storetype JKS

Import certificate to trusted certificates key store
keytool -import -alias test -file c:\ca-cert.cer -trustcacerts -v -keystore %JAVA_HOME%\jre\lib\security\cacerts
keytool -import -alias apilia -file c:\ca-cert.cer -trustcacerts -v -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

Export certificate from key store
keytool -export -alias validator -storepass qwerty -file server.cer -keystore keystore.jks

Change the password of a key entry (the keystore password itself is changed with -storepasswd)
keytool -keypasswd -alias validator -keystore e.jks

Convert PKCS#12 <-> JKS
PKCS#12 -> JKS:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my-keystore.jks -srckeystore private-key.p12 -srcstoretype PKCS12 -srcstorepass private-key-password -alias 1

JKS -> PKCS#12:
keytool -importkeystore -srckeystore signed.jks -destkeystore d.p12 -deststoretype pkcs12 -destalias alias -srcalias 1
keytool -importkeystore -srckeystore d.jks -destkeystore e.p12 -deststoretype pkcs12


Sign JAR file
keytool -genkey -alias signer -keystore keystore.jks -keypass !secret -dname "CN=Jakub Marciniak, O=APILIA, L=POZNAN, C=PL, EMAILADDRESS=jakub.marciniak@apilia.pl" -storepass !secret
jarsigner -keystore keystore.jks -storepass !secret -keypass !secret jarToSign.jar signer
jarsigner -verify -certs -verbose jarToSign.jar