OpenSSL - studiofu/brain GitHub Wiki

X.509 Public and Private Key - Generate the keys

single command to generate a self-signed certificate

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout secure.key -out secure.crt

convert to PKCS12

openssl pkcs12 -export -in secure.crt -inkey secure.key -name testlocal -out secure.p12

convert to JKS

keytool -importkeystore -destkeystore secure.jks -srckeystore secure.p12 -srcstoretype pkcs12 -alias testlocal

https://stackoverflow.com/questions/16480846/x-509-private-public-key

https://community.microfocus.com/microfocus/corba/visibroker_-_world_class_middleware/w/knowledge_base/14104/how-to-generate-x509-certificates-used-in-the-bank-ssl-example

http://users.skynet.be/pascalbotte/art/server-cert.htm

# note: 1024-bit RSA is below the 2048-bit minimum that current CAs and browsers accept
openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer -days 365
openssl pkcs12 -export -out public_privatekey.pfx -inkey private.key -in publickey.cer

Generate CSR for CA to Sign

# generate ca root key
openssl genrsa -des3 -out rootCA.key 4096

# generate ca root crt
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

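# generate the required csr
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

# alternative without a CA: -x509 makes req emit a self-signed certificate instead of a CSR,
# so it is written to server.crt and is not passed to the signing step below
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 365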

Self Sign the key

create v3.ext file

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

command to use custom ca to sign

# use custom ca to sign the cert
openssl x509 -req -days 365 -in server.csr -extfile v3.ext -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt

add to windows store

certutil -addstore -f "ROOT" server.crt
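
The CA-signing steps above (root CA, CSR, v3.ext, signing) run non-interactively and then checked for chain, key match and leaf status. This is an added example, not part of the original wiki; the subjects, the passphrase demo-pass, the host name server.example.test, the subjectAltName line and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki. Constructed values: subjects, passphrase
# "demo-pass", host server.example.test; function names are hypothetical.

build_chain() {   # $1 = empty working directory
  (
    cd "$1" || exit 1
    # Root CA key (-des3 as on the page; 2048 bits keeps the demo fast) and cert
    openssl genrsa -des3 -passout pass:demo-pass -out rootCA.key 2048 2>/dev/null &&
    openssl req -x509 -new -key rootCA.key -passin pass:demo-pass -sha256 \
        -days 1024 -subj "/CN=Demo Root CA" -out rootCA.crt &&
    # Server key and CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
        -subj "/CN=server.example.test" -out server.csr 2>/dev/null &&
    # v3.ext from the page plus subjectAltName (an addition: TLS clients
    # match the host name against SAN, not the CN)
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
        'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName = DNS:server.example.test' > v3.ext &&
    openssl x509 -req -days 365 -in server.csr -extfile v3.ext \
        -CA rootCA.crt -CAkey rootCA.key -passin pass:demo-pass \
        -CAcreateserial -out server.crt 2>/dev/null
  )
}

# Succeeds only if the certificate ($2) chains to the CA certificate ($1).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the certificate ($1) holds the public half of the key ($2).
key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate ($1) is marked as a non-CA (leaf) certificate.
is_leaf() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
build_chain "$work" &&
  chain_ok "$work/rootCA.crt" "$work/server.crt" &&
  key_matches "$work/server.crt" "$work/server.key" &&
  is_leaf "$work/server.crt" &&
  echo "server.crt: chain, key and leaf checks passed"
```

The same three checks apply to any certificate and key pair before it is bundled into a PKCS12 or JKS store.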

Quick generate self signed Key and Certificate

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

openssl x509 -text -noout -in certificate.pem

https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

Verify and Convert the Key Format

View PEM

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

View DER

openssl x509 -in certificate.der -inform der -text -noout

PEM to DER

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM

openssl x509 -in cert.der -inform der -outform pem -out cert.pem

convert the crt and private key to PKCS12 format

openssl pkcs12 -export -in certificate.crt -inkey private.key -name testname -out output.p12

Generate Key for SSH Access

  • existing key in ~/.ssh/id_*
    • it could be re-used
  • backup old ssh keys

cp ~/.ssh/id_rsa* /path/to/backup/   # backup folder path is a placeholder

generate the key for the ssh access

ssh-keygen -t rsa -C "your_email@example.com"

and then copy it to the required login server and add it to ~/.ssh/authorized_keys

scp -p your_pub_key.pub user@host:
ssh user@host
host$ cat your_pub_key.pub >> ~/.ssh/authorized_keys

or using

cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> .ssh/authorized_keys'

or using

ssh-copy-id user@hostname