Cert Mgmt
Contents
- 1 Convert a certificate file (.crt) to .pem
- 2 Convert a certificate file and a private key with a CA cert or intermediate bundle to PKCS#12 (.pfx .p12)
- 3 Convert a certificate file and a private key to PKCS#12 (.pfx .p12)
- 4 Convert a certificate file and a private key to PKCS#12 (.pfx .p12) with a friendlyName (used for Remedy cert)
- 5 Convert a certificate file, or a CA cert, or an intermediate bundle to PKCS#12 (.pfx .p12)
- 6 Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
- 7 Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to separate .crt/.key files
- 8 Convert a CRL/Certificate Revocation List file (.crl) to PEM (allows grep'ing for serial numbers)
- 9 Convert an OpenSSL >= 1.0 key file to an OpenSSL < 1.0 format key file
- 10 Remove a passphrase from (or decrypt) a private key
- 11 View expiry dates on a cert (works on most certs, .crt, .pem, etc.)
- 12 View URL/CN on a cert (works on most certs, .crt, .pem, etc.)
- 13 View a text dump of a cert's settings and configuration (works on most certs, .crt, .pem, etc.)
- 14 View a text dump of a p7b cert
- 15 View all ciphers available in the currently installed openssl
- 16 View a cert bundle (file with many certs)
- 17 Certificate Authority setup
- 18 Generating certs with extended attributes
- 19 Add / Remove Certs To / From a Keystore
- 20 List Certs in a Keystore
- 21 Export a Cert from a Keystore
- 22 Jar Signing
- 23 Verify Jar Signing
- 24 Troubleshooting
Convert a certificate file (.crt) to .pem
# openssl x509 -in cert.crt -outform pem -out cert.pem
Note: if cert.crt is DER-encoded rather than PEM, add -inform der
Convert a certificate file and a private key with a CA cert or intermediate bundle to PKCS#12 (.pfx .p12)
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert a certificate file and a private key to PKCS#12 (.pfx .p12)
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
Convert a certificate file and a private key to PKCS#12 (.pfx .p12) with a friendlyName (used for Remedy cert)
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -name mycert
Convert a certificate file, or a CA cert, or an intermediate bundle to PKCS#12 (.pfx .p12)
# openssl pkcs12 -export -out certificate.pfx -nokeys -nodes -in certificate.crt
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
Note: add -nocerts to output only the private key, or -nokeys to output only the certificates
# openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to separate .crt/.key files
# openssl pkcs12 -in keyStore.pfx -out keyStore.key -nocerts
# openssl pkcs12 -in keyStore.pfx -out keyStore.crt -nokeys
Convert a CRL/Certificate Revocation List file (.crl) to PEM (allows grep'ing for serial numbers)
# openssl crl -inform DER -text -in gds1-53.crl -out gds1-53.pem
Convert an OpenSSL >= 1.0 key file to an OpenSSL < 1.0 format key file
# openssl rsa -in privateKey.pem -des3 -out newPrivateKey.pem
Remove a passphrase from (or decrypt) a private key
# openssl rsa -in privateKey.pem -out newPrivateKey.pem
View expiry dates on a cert (works on most certs, .crt, .pem, etc.)
# openssl x509 -noout -dates -in certificate.crt
View URL/CN on a cert (works on most certs, .crt, .pem, etc.)
# openssl x509 -noout -subject -in certificate.crt
View a text dump of a cert's settings and configuration (works on most certs, .crt, .pem, etc.)
# openssl x509 -noout -text -in certificate.crt
View a text dump of a p7b cert
# openssl pkcs7 -text -noout -print_certs -in gd_iis_intermediates.p7b
View all ciphers available in the currently installed openssl
# openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort
View a cert bundle (file with many certs)
The problem with querying a cert bundle is that openssl only reads the first cert in the file, so to query all of them they first have to be split out into separate files, each holding a single cert from the bundle. Here's how to do that. Note: do this in a temp dir/temp work area; ca-bundle.crt currently has approx. 170 certs, so this will generate approx. 170 files.
SCRIPT:
# cat certsplit
F=$1
csplit -k -f "$F" -b '-%03d' -z "$F" '/END CERTIFICATE/+1' '{*}'
# ./certsplit ca-bundle.crt
# for C in ca-bundle.crt-* ; do echo "$C" ; openssl x509 -noout -subject -dates -in "$C" ; done
OR command line:
# F=ca-bundle.crt ; csplit -k -f "$F" -b '-%03d' -z "$F" '/END CERTIFICATE/+1' '{*}'
# for C in ca-bundle.crt-* ; do echo "$C" ; openssl x509 -noout -subject -dates -in "$C" ; done
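Added example (not the page's certsplit script): the same survey of a bundle done without writing ~170 temp files, by cutting each cert out of the bundle with awk and piping it straight into openssl x509. The three-cert sample bundle and its base64 bodies are constructed placeholders; the ca-bundle.crt path in the trailing comment is an assumption.

```shell
#!/bin/sh
# Walk every certificate in a PEM bundle without splitting it into files.

count_certs() {        # $1 = bundle path; prints the number of PEM cert blocks
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

nth_cert() {           # $1 = bundle path, $2 = 1-based index; prints that PEM block only
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n                        { print }
    /-----END CERTIFICATE-----/   { if (i == n) exit }' "$1"
}

bundle_report() {      # $1 = bundle path; subject and expiry of every cert in it
  total=$(count_certs "$1"); i=1
  while [ "$i" -le "$total" ]; do
    printf '%s [%d/%d] ' "$1" "$i" "$total"
    # each cert goes to openssl on stdin, so no temp files are created
    nth_cert "$1" "$i" | openssl x509 -noout -subject -enddate
    i=$((i + 1))
  done
}

# Constructed sample bundle (bodies are placeholders, not real certificates).
# Real bundles such as ca-bundle.crt also carry text between the blocks; it is skipped.
SAMPLE=${SAMPLE:-$(mktemp)}
cat > "$SAMPLE" <<'EOF'
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
text between certs is ignored
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----
EOF

count_certs "$SAMPLE"        # 3
nth_cert "$SAMPLE" 2         # prints the BBBB block
# With real certs and openssl installed (assumed path):
#   bundle_report /etc/pki/tls/certs/ca-bundle.crt
```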
Certificate Authority setup
A CA tree already exists on every system under /etc/pki/CA. To generate certs, use the CA script (see its usage):
# /etc/pki/tls/misc/CA -?
Running the CA script with a modified openssl.cnf
# SSLEAY_CONFIG="-config /tmp/openssl.cnf" /etc/pki/tls/misc/CA -newca
Generating sha256 certs
Make a copy of openssl.cnf and set default_md = sha256 in its [ CA_default ] and [ req ] sections (diff of the edited copy against the stock file; the < lines are the copy):
75c75 < default_md = sha256 # use public key default MD --- > default_md = default # use public key default MD 107c107 < default_md = sha256 --- > default_md = sha1
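Review bot: in 75c75 the comment `# use public key default MD` has been kept next to a pinned `default_md = sha256`, which it no longer describes; drop the comment or reword it so the line does not read as if the default were still in effect.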
Change number of days
Make a copy of the CA script and of openssl.cnf. In the openssl.cnf copy set default_days in the [ CA_default ] section, and in the CA script copy set CADAYS (diffs of the edited copies against the stock files; the < lines are the copies):
73c73 < default_days = 1825 # how long to certify for --- > default_days = 365 # how long to certify for CA, set CADAYS 64c64 < CADAYS="-days 1825" # 5 years --- > CADAYS="-days 1095" # 3 years
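Review bot: 73c73 and 64c64 both end up at 1825 days, so the certs this CA signs (default_days) live exactly as long as the CA's own cert (CADAYS, used by -newca); any cert signed after day one of the CA outlives its issuer and stops verifying once the CA cert expires. Give CADAYS a comfortably longer value than default_days.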
Generating certs with extended attributes
Example for a cert covering multiple DNS names (subjectAltName, in addition to the CN)
1. Make a copy of the openssl config file (the changes are specific to the one new cert being generated)
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf-www
2. Modify the new config file
# vi /etc/pki/tls/openssl.cnf-www
Under the [ req ] section, uncomment/change:
# req_extensions = v3_req # The extensions to add to a certificate request
to
req_extensions = v3_req # The extensions to add to a certificate request
Under the [ v3_req ] section, add your extended attributes, i.e. add the following line:
subjectAltName = DNS:www.example.com, DNS:example.com
3. Run the openssl CSR generation command using the new config file
# openssl req -config /etc/pki/tls/openssl.cnf-www -utf8 -new -key www.example.com.key -out www.example.com.csr
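Added example, not from the original page: steps 1 to 3 collapsed into one script that writes a minimal request config carrying the subjectAltName from step 2, generates the key and CSR non-interactively, and then checks that the SAN actually ended up in the CSR (the step a practitioner wants before sending the CSR off). The work directory, file names and the rsa:2048 key size are assumptions; the DNS names are the page's.

```shell
#!/bin/sh
# Generate a CSR with several DNS names in subjectAltName and verify the SAN.

# Write a self-contained request config. Unlike copying the whole
# /etc/pki/tls/openssl.cnf, this keeps only the sections `openssl req` needs.
write_san_config() {   # $1 = config path, $2.. = DNS names (first one is also the CN)
  cfg=$1; shift
  cn=$1
  san=""
  for d in "$@"; do san="${san:+$san, }DNS:$d"; done   # -> "DNS:a, DNS:b"
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF
}

# Generate key + CSR from the config (same form as the page's req command,
# plus -newkey/-nodes so it runs unattended; key size is an assumption).
make_san_csr() {       # $1 = config, $2 = key out, $3 = csr out
  openssl req -config "$1" -utf8 -new -newkey rsa:2048 -nodes \
      -keyout "$2" -out "$3" 2>/dev/null
}

# Check: print the SAN line from the CSR (empty output means the SAN is missing,
# usually because req_extensions is still commented out in [ req ]).
csr_san() {            # $1 = csr path
  openssl req -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1
}

WORK=${WORK:-$(mktemp -d)}
write_san_config "$WORK/openssl.cnf-www" www.example.com example.com
if command -v openssl >/dev/null 2>&1; then
  make_san_csr "$WORK/openssl.cnf-www" "$WORK/www.example.com.key" "$WORK/www.example.com.csr"
  csr_san "$WORK/www.example.com.csr"
fi
```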
Add / Remove Certs To / From a Keystore
Note: default passwords are "changeit" or "changeme", default alias is "mykey"
# keytool -import -file cert.crt -keystore keystorefilename -alias certalias
# keytool -delete -alias certalias -keystore keystorefilename
List Certs in a Keystore
# keytool -list -keystore keystorefilename
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

somecertalias, Dec 6, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 8D:5F:25:16:F0:53:99:FF:35:64:9E:9B:1D:FC:27:FF
Export a Cert from a Keystore
Note: default passwords are "changeit" or "changeme", default alias is "mykey"
# keytool -export -alias certalias -file cert.crt -keystore keystorefilename
Example:
# keytool -export -alias ci-test-1 -file /tmp/ci-test.crt -keystore jssecacerts
Hint: check the content of the exported cert
# keytool -printcert -v -file star.example.com
Jar Signing
# jarsigner -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword jarfilenametosign.jar aliasinkeystoreforcertkey
OR with a timestamp: -tsa = Time Stamp Authority URL (the -tsa value below is specific to GoDaddy certs)
# jarsigner -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword -tsa [1] jarfilenametosign.jar aliasinkeystoreforcertkey
OR if proxy is required
# jarsigner -J-Dhttp.proxyHost=sc9-proxy.example.net -J-Dhttp.proxyPort=3128 -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword -tsa [2] jarfilenametosign.jar aliasinkeystoreforcertkey
updating: META-INF/MANIFEST.MF
adding: META-INF/PRODUCTI.SF
requesting a signature timestamp
TSA location: [3]
adding: META-INF/PRODUCTI.RSA
adding: org/
adding: org/openoces/
adding: org/openoces/opensign/
adding: org/openoces/opensign/client/
adding: org/openoces/opensign/client/applet/
adding: org/openoces/opensign/wrappers/microsoftcryptoapi/
signing: org/openoces/opensign/wrappers/microsoftcryptoapi/MicrosoftCryptoApi.class
signing: it-practice.license
signing: opensign.license
signing: opensign.version
Verify Jar Signing
# jarsigner -verify signedjarfilename.jar
jar verified.
OR for more info
# jarsigner -verify -verbose -certs signedjarfilename.jar
Troubleshooting
Test an SSL/TLS connection (https/imaps/pop3s/etc.)
# openssl s_client -connect 163.120.170.50:443
TXT_DB error number 2
failed to update database
TXT_DB error number 2
openssl command failed
The cert you are trying to generate has already been generated and is already listed in index.txt (ca/db/index.txt). Edit index.txt and remove the line for the cert you are trying to generate. You should only see this error if you have set up a CA and are signing certs under that CA.
unknown pbe algorithm: TYPE=PBES2
unable to load private key
unknown pbe algorithm: TYPE=PBES2
pkcs12 algor cipherinit error
pkcs12 pbe crypt error
ASN1 lib
PEM lib
The key file was generated with OpenSSL >= 1.0, and a program built against OpenSSL < 1.0 fails to open it: OpenSSL >= 1.0 stores password-protected private keys in a different format (the PBES2 scheme named in the error), which earlier versions cannot read. Older versions are apparently still able to open OpenSSL >= 1.0 key files that are not password protected. Convert the key file to the pre-1.0 format (see "Convert an OpenSSL >= 1.0 key file to an OpenSSL < 1.0 format key file" above).