TLS
From Vague Hope Wiki
Examine
openssl x509 -text -in client.pem
openssl rsa -text -in client.pem
openssl crl -text -in cacrl.pem
openssl pkcs12 -nodes -in client.p12 | openssl x509 -noout -subject -enddate
openssl x509 -text -in thing.der -inform der
Mangle
Change .p12 password:
openssl pkcs12 -in original.p12 -nodes -clcerts -out temp.pem
openssl pkcs12 -export -in temp.pem -out new.p12
Remove RSA pem password:
openssl rsa -in rsa_key.pem -out rsa_key.clear.pem
Convert .pem to .p12
openssl pkcs12 -export -in client.pem -out client.p12
Split key:
openssl pkcs12 -nokeys -in original.p12 -out client.crt
openssl pkcs12 -nocerts -in original.p12 -out client.key
or without password:
openssl pkcs12 -nocerts -nodes -in original.p12 -out client.key
Merge cert.pem and key.pem to one pem:
openssl pkcs12 -inkey key.pem -in cert.pem -export -out both.p12
openssl pkcs12 -in both.p12 -nodes -clcerts -out both.pem
Re-wrap RSA key in new x509:
cert="./x509_cert.pem"
cert_key="./x509_cert_and_rsa_key.clear.pem"
tmp_key="./key.tmp.pem"
tmp_cert_key="./cert_key.tmp.p12"
# Serial of the existing cert (hex). -set_serial accepts hex when prefixed with 0x,
# so no separate hex-to-decimal helper is needed (and no overflow on long serials).
ser="$(openssl x509 -in "$cert" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')"
ser="0x$ser"
# -nameopt compat prints the subject in the /C=../CN=.. form that -subj expects
subj="$(openssl x509 -in "$cert" -noout -subject -nameopt compat | sed -n 's/^subject= *\(.*\)$/\1/p')"
openssl rsa -in "$cert_key" -out "$tmp_key"
openssl req -batch -x509 -nodes -days 90 -key "$tmp_key" -set_serial "$ser" -subj "$subj" -out "$cert" -new
openssl pkcs12 -inkey "$tmp_key" -in "$cert" -export -passout 'pass:' -out "$tmp_cert_key"
openssl pkcs12 -in "$tmp_cert_key" -passin 'pass:' -clcerts -nodes -out "$cert_key"
demoCA
/usr/lib/ssl/misc/CA.sh -newca
/usr/lib/ssl/misc/CA.sh -newreq
/usr/lib/ssl/misc/CA.sh -sign
openssl req -new -nodes -out client2.req.pem -keyout client2.key.pem -days 365
openssl ca -out client2.cert.pem -days 365 -infiles client2.req.pem
curl --insecure -E client2.cert.pem --key client2.key.pem https://localhost:8443
echo 01 > demoCA/crlnumber
openssl ca -revoke client.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out cacrl.pem -crldays 30
Fields
- C=Country Name (2 letter code)
- ST=State or Province Name (full name)
- O=Organization Name (eg, company)
- OU=Organizational Unit Name (eg, section)
- CN=Common Name (eg, your name or the server's hostname)
Java
Make self-signed server key.
/usr/lib/jvm/java-6-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA
List Trusted CA Certs.
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Export a certificate from a keystore
keytool -export -alias tomcat -file tomcat.crt -keystore keystore.jks
Import New CA into Trusted Certs
keytool -import -trustcacerts -file tomcat.crt -alias tomcat -keystore truststore
Export private key:
keytool -importkeystore \
  -noprompt \
  -srcstorepass 123456 \
  -storepass 123456 \
  -srckeystore keystore.jks \
  -srcalias tomcat \
  -destkeystore key.p12 \
  -deststoretype PKCS12
jks to bks
keytool -importkeystore -srckeystore successwhale.jks -destkeystore successwhale.bks \
  -srcstoretype JKS -deststoretype BKS -srcstorepass 123456 -deststorepass 123456 \
  -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
  -providerpath ~/Downloads/bcprov-jdk15on-146.jar
References:
- http://www.knowledgebit.appspot.com/zahangirbd/TopicView.action?id=180008
- http://stackoverflow.com/questions/6933103/wrong-version-keystore-when-doing-https-call
AES-NI
X509
CMS
Generate RSA key:
openssl genpkey -out "${HOST}-private.pem" -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
Wrap RSA key to x509
openssl req -x509 -days 365 -new -key "${HOST}-private.pem" -out "${HOST}-public.pem"
Encrypt file:
openssl cms -encrypt -binary \
  -aes256 -outform der \
  -in a.txt \
  -out a.txt.cms \
  public_key.pem
Decrypt file:
openssl cms -decrypt \
  -inform der \
  -in a.txt.cms \
  -recip public_key.pem \
  -inkey private_rsa_key_4096.pem
References
- http://wiki.openssl.org/index.php/Manual:Cms(1)
- http://security.stackexchange.com/questions/32768/converting-keys-between-openssl-and-openssh
Remote cert to trust store
echo | openssl s_client -connect api.successwhale.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -out remote.crt
openssl x509 -text -in remote.crt
keytool -import -trustcacerts -file remote.crt -alias api.successwhale.com -keystore successwhale.jks
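The one-liner above only captures the first certificate s_client prints, and `openssl x509` only reads one block anyway. The script below is an added example (not from this wiki) that fetches the whole chain with `-showcerts` and SNI, splits it into one file per certificate, and shows each cert's subject, expiry and SHA-256 fingerprint before importing it. It assumes `openssl` and `keytool` are on PATH; the host, alias prefix and keystore name are placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki. Assumes openssl and keytool are installed.

# Keep only PEM certificate blocks from stdin (same sed range as the one-liner).
pem_blocks() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Split a PEM chain on stdin into <prefix>-1.crt, <prefix>-2.crt, ...
# (one certificate per file) and print how many files were written.
pem_split() {
    prefix="$1"
    awk -v p="$prefix" '
        /-BEGIN CERTIFICATE-/ { n++; f = p "-" n ".crt" }
        f                     { print > f }
        /-END CERTIFICATE-/   { close(f); f = "" }
        END                   { print n + 0 }'
}

# Fetch the full chain from host:port. -servername sends SNI so a
# name-based virtual host returns the right certificate.
fetch_chain() {
    host="$1"; port="${2:-443}"
    echo | openssl s_client -connect "$host:$port" -servername "$host" \
        -showcerts 2>/dev/null | pem_blocks
}

# Print identifying details of every split cert, then import each one into
# the keystore under the alias <prefix>-N (so you can see what you trust).
import_chain() {
    prefix="$1"; keystore="$2"
    for f in "$prefix"-*.crt; do
        alias="$(basename "$f" .crt)"
        openssl x509 -noout -subject -enddate -fingerprint -sha256 -in "$f"
        keytool -import -trustcacerts -noprompt -file "$f" \
            -alias "$alias" -keystore "$keystore"
    done
}

# Usage (placeholders):
#   fetch_chain api.successwhale.com 443 | pem_split remote
#   import_chain remote successwhale.jks
```

Review the printed fingerprints against what the server operator publishes before trusting the files; importing the leaf alone pins that one certificate, importing the issuing CA trusts everything it signs.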
References: http://www.madboa.com/geek/openssl/
Remote cert to pem for Postfix
echo | openssl s_client -connect sub5.homie.mail.dreamhost.com:587 -starttls smtp | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -out remote.crt
Apache
Benchmark
openssl speed
openssl dhparam -out dhparam_4096.pem 4096