OpenSSL

Tasks

Generate a CSR

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

https://www.thesslstore.com/knowledgebase/ssl-generate/csr-generation-guide-for-nginx-openssl/

Decrypt PKCS12 file (to create a .ovpn file)

openssl pkcs12 -info -in clientcert.p12 -nodes

Extract the private key to key_encrypted`.pem`

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -password pass:PASSWORD -passin pass:PASSWORD -passout pass:TempPasswd

openssl pkcs12 -nocerts -in cert.p12 -out key_encrypted.pem

After giving a temp .pem password, we want decrypt the key:

openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TemporaryPassword

openssl rsa -in key_encrypted -out key.pem

Create a .pfx file from the various certs

openssl pkcs12 -export -out mywebsite.com.pfx -inkey privkey.pem -in fullchain.pem -password pass:xxx

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

https://serverfault.com/questions/254627/how-do-i-convert-a-cer-certificate-to-pem

Commands

pkcs12

openssl help pkcs12

Random

X.690 – Different encodings

BER
CER
DER
more… (XER, PER etc…)

https://en.wikipedia.org/wiki/X.690

X.509 – public key certificates

There are several commonly used filename extensions for X.509 certificates. Unfortunately, some of these extensions are also used for other data such as private keys.

.pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“
.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
.p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
.p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.[citation needed]

PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.

https://en.wikipedia.org/wiki/X.509

https://en.wikipedia.org/wiki/X.509

** Main **

Required:
Certificate authority
Key length
Digest Algorithm
Lifetime (days)
Common Name

Optional:
Country Code
State or Province
City
Organization
Organizational Unit

** Certificate Attributes **

Certificate Type:
User Certificate
Server Certificate

Alternative Name (extension to X.509), can be more than one, can be of the following types:
FQDN or Hostname
IP Address
URI
email address

openssl pkcs12 -in my-DC-CA.p12 -nocerts -out privatekey.pem
openssl pkcs12 -in my-DC-CA.p12 -clcerts -nokeys -out publicCert.pem
openssl rsa -in privateKey.pem -out privateKey_decrypted.pem