OpenSSL
Encrypt file:
openssl enc -e -aes256 -in file.ext -out file.ext.e
openssl rsa -aes256 -in private.key.plain -out private.key: encrypt a plaintext RSA private key with AES-256 (prompts for a passphrase)
Decrypt file:
openssl enc -d -aes256 -in file.ext.e -out file.ext
Options:
enc: symmetric cipher routine
-e: encrypt
-d: decrypt
-aes256: cipher
-list: list the available ciphers
Encrypt and tar file
tar czf - * | openssl enc -e -aes256 -out file.tar.gz.e
Decrypt and untar file to folder
openssl enc -d -aes256 -in file.tar.gz.e | tar xz -C folder
Options of tar command:
-: as the f argument, write the archive to stdout
-C folder: change into folder before extracting
c: create archive
z: compress using gzip
f: location of file/filename
x: extract archive
View Certificate
openssl pkcs12 -info -in : view PFX file. The PKCS#12 or PFX format (stands for personal exchange format) is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file
openssl x509 -in certificate.pem -text -noout: View Certificate details
openssl x509 -in certificate.pem -text: view entire certificate chain
openssl verify -CAfile ca.pem certificate.pem: Verify certificate is valid
openssl x509 -in certificate.pem -pubkey -noout: extract public key
Convert between file types
Export CRT Certificate from PFX
openssl pkcs12 -in ./YOUR-PFX-FILE.pfx -clcerts -nokeys -out domain.crt
Extracting Private Key
openssl pkcs12 -in ./YOUR-PFX-FILE.pfx -nocerts -nodes -out domain.rsa (-nodes writes the key unencrypted)
Converting p7b to crt
openssl pkcs7 -print_certs -in old.p7b -out new.crt
Get Information from X509 Certificate File (.cer or .crt)
Some options:
-noout: don't print the certificate itself
-enddate: print the expiration date
-subject: print the subject (CN)
-issuer: print the issuer
x509: X.509 certificate
pkcs12: for PFX files
-inform: input format when the certificate is not PEM: PEM, DER or NET
-text: print the certificate as text
-help: list the other options of a subcommand
Extract expiration date
openssl x509 -in certificate.pem -enddate [-noout]
Extract Common Name
openssl x509 -in certificate.pem -subject [-noout]
Get Information from PKCS12 Certificate File (.pfx)
openssl pkcs12 -in certificate.pfx: print the certificates and key as PEM
openssl pkcs12 -in certificate.pfx -info: also print the PKCS#12 structure (MAC and encryption algorithms)
Generating Password
openssl passwd [option]: hash a password with the chosen algorithm
-1: MD5
-apr1: MD5, Apache variant
-5: SHA256
-6: SHA512
Generating random password
openssl rand -base64 32: password length will be 45 (44 base64 characters plus the trailing newline, as counted by wc -c)
openssl rand -base64 16: password length will be 25 (24 base64 characters plus the trailing newline)
tr -dc A-Za-z0-9 < /dev/urandom | head -c 13; echo: password will be 13 char long
On macOS, tr by default expects UTF-8 input, but /dev/urandom produces raw random bytes rather than UTF-8 encoded characters, so tr fails with "tr: Illegal byte sequence". The solution is to set the LC_ALL environment variable:
LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c 13; echo
or export LC_ALL=C first and then run the tr ... command
SSL Client
openssl s_client -connect twitter.com:443: open a TLS connection and show the handshake and certificate chain; then type a request, e.g.:
GET / HTTP/1.1
Create CSR
Create a san.cnf config file if a SAN (subjectAltName) is needed
Generate Private Key and CSR
openssl genrsa -out ise01-key.pem 2048
openssl req -new -sha256 -key ise01-key.pem -out ise01-cert.csr -config san.cnf
Create PKCS12 file after getting certificate from CA
openssl pkcs12 -export -out ise01-final.pfx -inkey ise01-key.pem -in ise01-cert-with-san.pem
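The CSR-to-PKCS#12 procedure above, as an added example that is not part of the original page: it writes the san.cnf the page mentions, runs the page's key/CSR commands, self-signs the CSR so the checks can run without a CA, and then adds the two checks an operator wants before deploying, remaining validity (-checkend) and private-key/certificate match. It assumes openssl is in PATH; the CN, SAN values and file names are sample values.

```shell
#!/bin/sh
# Added example (not the page's own code). Sample names: ise01-*.pem, san.cnf,
# ise01.example.com. Self-signing replaces the CA step only for testing.
set -e

# san.cnf: non-interactive DN plus a subjectAltName request extension.
write_san_cnf() {
  cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = ise01.example.com
[v3_req]
subjectAltName = DNS:ise01.example.com, DNS:ise01, IP:192.0.2.10
EOF
}

# Key + CSR (the cheat sheet's commands), then a self-signed cert valid $1 days.
# -extfile/-extensions copy the SAN in; without them x509 -req drops it.
make_test_cert() {
  openssl genrsa -out ise01-key.pem 2048 2>/dev/null
  openssl req -new -sha256 -key ise01-key.pem -out ise01-cert.csr -config san.cnf
  openssl x509 -req -in ise01-cert.csr -signkey ise01-key.pem -days "$1" \
    -extfile san.cnf -extensions v3_req -out ise01-cert-with-san.pem 2>/dev/null
}

# Exit 0 if cert $1 is still valid $2 days from now (-checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if the public key derived from private key $1 equals the one in cert $2.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the SAN line of cert $1 to confirm san.cnf was actually applied.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
# Bundle key + cert into the PKCS#12 file the page ends with; $1 is the export password.
make_pfx() {
  openssl pkcs12 -export -out ise01-final.pfx -inkey ise01-key.pem -in ise01-cert-with-san.pem -passout "pass:$1"
}
```

Run write_san_cnf, make_test_cert 30, then cert_valid_for_days ise01-cert-with-san.pem 10 and key_matches_cert ise01-key.pem ise01-cert-with-san.pem; a non-zero exit from either is the signal to stop before exporting the PFX.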
References:
https://www.openssl.org/docs/man1.1.1/man1/enc.html
SSL Certification Expiration Checker: https://github.com/Matty9191/ssl-cert-check
https://geekflare.com/monitor-ssl-certificate-expiry/
https://www.ssl247.com/knowledge-base/detail/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl-1527076112539/ka03l0000015hSCAAY/
https://www.tbs-certificates.co.uk/FAQ/en/288.html
Certificates of Authority: Do you really understand how SSL / TLS works?: https://www.youtube.com/watch?v=VcV4T8cL3xw&t=812s
https://classes.pracnet.net/courses/practical-tls?affiliate=tg3Ab4&coupon=BombalTLS
https://gist.github.com/dreikanter/c7e85598664901afae03fedff308736b
https://myserverissick.com/2008/01/decrypting-a-pfx-file-with-openssl/
https://raymii.org/s/tutorials/Encrypt_and_decrypt_files_to_public_keys_via_the_OpenSSL_Command_Line.html