USEFUL OPENSSL ONE-LINERS
As a follow-up to the certificate authority posting, here are some (hopefully) useful openssl one-liners:
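# OpenSSL command reference: key and certificate creation, inspection, format
# conversion and TLS / S/MIME checks. The commands are independent of each
# other; user.*, ca.*, messagefile and FQDN are sample names to be replaced.

# creating a key
# (4096-bit RSA; the PEM file is encrypted with AES-256 under a passphrase
# that openssl prompts for)
openssl genrsa -aes256 -out user.key 4096
# creating a certificate signing request (signed with SHA-256)
openssl req -sha256 -new -key user.key -out user.csr
# signing the certificate signing request with a certificate authority
# (the CA key, CA certificate and signing policy come from ca.config)
openssl ca -config ca.config -out user.crt -infiles user.csr
# creating a self-signed certificate
# (no -days is given, so the default validity of 30 days applies)
openssl req -sha256 -new -x509 -key user.key -out user.crt
# verifying that ca.crt has really signed user.crt
# (ca.crt is the only trust anchor here; intermediate CA certificates, if
# any, have to be supplied with -untrusted)
openssl verify -CAfile ca.crt user.crt
# decrypting the key
# the output is an unprotected private key: the restrictive umask keeps a
# newly created file readable by its owner only; remove the file as soon as
# it is no longer needed
(umask 077 && openssl rsa -in user.key -out user.key.decrypted)
# creating a pkcs#7 format certificate in DER format
# (bundles the user and CA certificates, without a CRL)
openssl crl2pkcs7 -nocrl -certfile user.crt -certfile ca.crt -outform DER -out user.p7c
# creating a pkcs#12 format certificate (IIS)
# (the file contains the private key; openssl prompts for an export password)
openssl pkcs12 -export -in user.crt -inkey user.key -out server.pkcs12
# checking the data of a key
# (prints the private key parameters to the terminal)
openssl rsa -noout -text -in user.key
# checking the data of the certificate request
openssl req -text -noout -in user.csr
# checking the data of a certificate
openssl x509 -noout -text -in user.crt
# checking the data of a pkcs#7 certificate
openssl pkcs7 -inform DER -text -print_certs -in user.p7c
# checking the data of a pkcs#12 certificate
# (reads the file written by the pkcs12 -export command above)
openssl pkcs12 -noout -info -in server.pkcs12
# showing the MD5 fingerprint of a certificate
# -md5 is given explicitly because current openssl releases use SHA-1 when
# -fingerprint has no digest option; MD5 is only useful for matching legacy
# records
openssl x509 -noout -fingerprint -md5 -in user.crt
# showing the SHA1 fingerprint of a certificate
openssl x509 -noout -fingerprint -sha1 -in user.crt
# showing the SHA-256 fingerprint of a certificate
# (the digest to prefer when comparing certificates out of band)
openssl x509 -noout -fingerprint -sha256 -in user.crt
# converting a key from PEM to DER format
# (written to its own file name so that the certificate conversion below does
# not overwrite it; the DER key is unencrypted, hence the restrictive umask)
(umask 077 && openssl rsa -inform PEM -outform DER -in user.key.decrypted -out user.key.der)
# converting a certificate from PEM to DER format
openssl x509 -inform PEM -outform DER -in user.crt -out user.der
# checking whether the certificate installation was successful
# </dev/null makes s_client exit after the handshake instead of waiting for
# input; the pipe decodes only the server certificate, so run s_client
# without the pipe to read its "Verify return code" line for the chain check
openssl s_client -connect FQDN:443 -CAfile /usr/local/lib/openssl/certs/ca-bundle.crt </dev/null | openssl x509 -text | less
# providing an ssl server to test against
# (listens on port 9000 on all interfaces; for testing only, stop it when done)
openssl s_server -accept 9000 -cert user.crt -key user.key
# verifying an s/mime signature
# (the message content goes to /dev/null; the verification result is reported
# on stderr and in the exit status)
openssl smime -CAfile /usr/local/lib/openssl/certs/ca-bundle.crt -verify -in messagefile >/dev/null
# extracting the s/mime certificate to something usable :-)
openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs
# showing subject, startdate, enddate (validity period / expiry date)
openssl x509 -noout -subject -startdate -enddate -in user.crt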
Credit to: https://hexeract.wordpress.com/2009/04/17/useful-openssl-one-liners/
As a follow-up to the certificate authority posting, here are some (hopefully) useful openssl one-liners:
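# OpenSSL command reference: key and certificate creation, inspection, format
# conversion and TLS / S/MIME checks. The commands are independent of each
# other; user.*, ca.*, messagefile and FQDN are sample names to be replaced.

# creating a key
# (4096-bit RSA; the PEM file is encrypted with AES-256 under a passphrase
# that openssl prompts for)
openssl genrsa -aes256 -out user.key 4096
# creating a certificate signing request (signed with SHA-256)
openssl req -sha256 -new -key user.key -out user.csr
# signing the certificate signing request with a certificate authority
# (the CA key, CA certificate and signing policy come from ca.config)
openssl ca -config ca.config -out user.crt -infiles user.csr
# creating a self-signed certificate
# (no -days is given, so the default validity of 30 days applies)
openssl req -sha256 -new -x509 -key user.key -out user.crt
# verifying that ca.crt has really signed user.crt
# (ca.crt is the only trust anchor here; intermediate CA certificates, if
# any, have to be supplied with -untrusted)
openssl verify -CAfile ca.crt user.crt
# decrypting the key
# the output is an unprotected private key: the restrictive umask keeps a
# newly created file readable by its owner only; remove the file as soon as
# it is no longer needed
(umask 077 && openssl rsa -in user.key -out user.key.decrypted)
# creating a pkcs#7 format certificate in DER format
# (bundles the user and CA certificates, without a CRL)
openssl crl2pkcs7 -nocrl -certfile user.crt -certfile ca.crt -outform DER -out user.p7c
# creating a pkcs#12 format certificate (IIS)
# (the file contains the private key; openssl prompts for an export password)
openssl pkcs12 -export -in user.crt -inkey user.key -out server.pkcs12
# checking the data of a key
# (prints the private key parameters to the terminal)
openssl rsa -noout -text -in user.key
# checking the data of the certificate request
openssl req -text -noout -in user.csr
# checking the data of a certificate
openssl x509 -noout -text -in user.crt
# checking the data of a pkcs#7 certificate
openssl pkcs7 -inform DER -text -print_certs -in user.p7c
# checking the data of a pkcs#12 certificate
# (reads the file written by the pkcs12 -export command above)
openssl pkcs12 -noout -info -in server.pkcs12
# showing the MD5 fingerprint of a certificate
# -md5 is given explicitly because current openssl releases use SHA-1 when
# -fingerprint has no digest option; MD5 is only useful for matching legacy
# records
openssl x509 -noout -fingerprint -md5 -in user.crt
# showing the SHA1 fingerprint of a certificate
openssl x509 -noout -fingerprint -sha1 -in user.crt
# showing the SHA-256 fingerprint of a certificate
# (the digest to prefer when comparing certificates out of band)
openssl x509 -noout -fingerprint -sha256 -in user.crt
# converting a key from PEM to DER format
# (written to its own file name so that the certificate conversion below does
# not overwrite it; the DER key is unencrypted, hence the restrictive umask)
(umask 077 && openssl rsa -inform PEM -outform DER -in user.key.decrypted -out user.key.der)
# converting a certificate from PEM to DER format
openssl x509 -inform PEM -outform DER -in user.crt -out user.der
# checking whether the certificate installation was successful
# </dev/null makes s_client exit after the handshake instead of waiting for
# input; the pipe decodes only the server certificate, so run s_client
# without the pipe to read its "Verify return code" line for the chain check
openssl s_client -connect FQDN:443 -CAfile /usr/local/lib/openssl/certs/ca-bundle.crt </dev/null | openssl x509 -text | less
# providing an ssl server to test against
# (listens on port 9000 on all interfaces; for testing only, stop it when done)
openssl s_server -accept 9000 -cert user.crt -key user.key
# verifying an s/mime signature
# (the message content goes to /dev/null; the verification result is reported
# on stderr and in the exit status)
openssl smime -CAfile /usr/local/lib/openssl/certs/ca-bundle.crt -verify -in messagefile >/dev/null
# extracting the s/mime certificate to something usable :-)
openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs
# showing subject, startdate, enddate (validity period / expiry date)
openssl x509 -noout -subject -startdate -enddate -in user.crt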
Credit to: https://hexeract.wordpress.com/2009/04/17/useful-openssl-one-liners/