O

OpenSSL

Encrypt file:

openssl enc -e -aes256 -in file.ext -out file.ext.e
openssl rsa -aes256 -in private.key.plain -out private.key

Decrypt file:

openssl enc -d -aes256 -in file.ext.e -out file.ext

Options:

enc: symmetric cipher routine
-e: encrypt
-d: decrypt
-aes256: cipher
-l: list cipher

Encrypt and tar file

tar czf - * | openssl enc -e -aes256 -out file.tar.gz.e

Decrypt and untar file to folder

openssl enc -d -aes256 -in file.tar.gz.e | tar xz -C folder

Options of tar command:

-: output to stdout
-C : extract to folder
c: create archive
z: compress using gzip
f: location of file/filename
x: extract archive

View Certificate

openssl pkcs12 -info -in : view PFX file. The PKCS#12 or PFX format (stands for personal exchange format) is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file
openssl x509 -in certificate.pem -text -noout: View Certificate details
openssl x509 -in certificate.pem -text: view entire certificate chain
openssl verify -CAfile ca.pem certificate.pem: Verify certificate is valid
openssl x509 -in certificate.pem -pubkey -noout: extract public key

Convert between file types

Export CRT Certificate from PFX

openssl pkcs12 -in ./YOUR-PFX-FILE.pfx -clcerts -nokeys -out domain.crt

Extracting Private Key

openssl pkcs12 -in ./YOUR-PFX-FILE.pfx -nocerts -nodes -out domain.rsa

Converting p7b to crt

openssl pkcs7 -print_certs -in old.p7b -out new.crt

Get Information from X509 Certificate File (.cer or .crt)

Some Option

-noout: don’t print cert
-enddate: print expiration date
-subject: print CN name
-issuer: print issuer
x509: X.509 certificate
pkcs12: for pfx file
-inform : format of cert if not in X.509 format, PEM, DER, NET
-text: print out as text
-h: get list of other commands

Extract expiration date

openssl x509 -in -enddate [-noout]

Extract Common Name

openssl x509 in -subject

Get Information from PKCS12 Certificate File (.pfx)

openssl pkcs12 -n
openssl pkcs12 -n -info

Generating Password

openssl passwd []
- -1: MD5
- -apr1: MD5, Apache variant
- -5: SHA256
- -6: SHA512

Generating random password

openssl rand -base64 32: password length will be 45
openssl rand -base64 16: password length will be 25
tr -dc A-Za-z0-9 < /dev/urandom | head -c 13; echo: password will be 13 char long
- For MACOS, tr by default expects UTF-8 input, but /dev/urandom is not UTF-8 encoded characters but just random bytes, so error will be a tr: Illegal byte sequence error. Solution is setting LC_ALL env variable:
- LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c 13; echo
- or set environment variable: LC_ALL=C and then run tr ... command

SSL Client

openssl s_client -connect twitter.com:443
- GET / HTTP/1.1

Create CSR

Create san.cnf config file if need SAN

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = ise01
DNS.2   = ise01.mydomain.com
IP.1   = 192.168.1.2

Generate Private Key and CSR

openssl genrsa -out ise01-key.pem 2048
openssl req -new -sha256 -key ise01-key.pem -out ise01-cert.csr -config san.cnf

Create PKCS12 file after getting certificate from CA

openssl pkcs12 -export -out ise01-final.pfx -inkey ise01-key.pem -in ise01-cert-with-san.pem

Reference:

https://www.openssl.org/docs/man1.1.1/man1/enc.html
SSL Certification Expiration Checker: https://github.com/Matty9191/ssl-cert-check
https://geekflare.com/monitor-ssl-certificate-expiry/
https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hSCAAY/
https://www.tbs-certificates.co.uk/FAQ/en/288.html
Certificates of Authority: Do you really understand how SSL / TLS works?: https://www.youtube.com/watch?v=VcV4T8cL3xw&t=812s
https://classes.pracnet.net/courses/practical-tls?affiliate=tg3Ab4&coupon=BombalTLS
https://gist.github.com/dreikanter/c7e85598664901afae03fedff308736b
https://myserverissick.com/2008/01/decrypting-a-pfx-file-with-openssl/
https://raymii.org/s/tutorials/Encrypt_and_decrypt_files_to_public_keys_via_the_OpenSSL_Command_Line.html
How to create a CSR using openssl
Converting Certificates From CRT to PEM Format

PreviousM NextR

Last updated 1 month ago

hashtagOpenSSL

hashtagEncrypt file:

hashtagDecrypt file:

hashtagOptions:

hashtagEncrypt and tar file

hashtagDecrypt and untar file to folder

hashtagView Certificate

hashtagConvert between file types

hashtagExport CRT Certificate from PFX

hashtagExtracting Private Key

hashtagConverting p7b to crt

hashtagGet Information from X509 Certificate File (.cer or .crt)

hashtagSome Option

hashtagExtract expiration date

hashtagExtract Common Name

hashtagGet Information from PKCS12 Certificate File (.pfx)

hashtagGenerating Password

hashtagGenerating random password

hashtagSSL Client

hashtagCreate CSR

hashtagCreate san.cnf config file if need SAN

hashtagGenerate Private Key and CSR

hashtagCreate PKCS12 file after getting certificate from CA

hashtagReference:

OpenSSL

Encrypt file:

Decrypt file:

Options:

Encrypt and tar file

Decrypt and untar file to folder

View Certificate

Convert between file types

Export CRT Certificate from PFX

Extracting Private Key

Converting p7b to crt

Get Information from X509 Certificate File (.cer or .crt)

Some Option

Extract expiration date

Extract Common Name

Get Information from PKCS12 Certificate File (.pfx)

Generating Password

Generating random password

SSL Client

Create CSR

Create san.cnf config file if need SAN

Generate Private Key and CSR

Create PKCS12 file after getting certificate from CA

Reference: