OpenSSL
Tasks
Generate a CSR
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
(-nodes writes server.key without a passphrase; drop it if the key should be encrypted at rest. If the CSR must cover more names than the CN, put a subjectAltName extension in a config file and pass it with -config.)
https://www.thesslstore.com/knowledgebase/ssl-generate/csr-generation-guide-for-nginx-openssl/
Dump a PKCS#12 file (e.g. to paste the cert and key into a .ovpn file)
openssl pkcs12 -info -in clientcert.p12 -nodes
(-info prints the bundle's metadata, -nodes writes the private key unencrypted to stdout together with the certificates)
Extract the private key to key_encrypted.pem
openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -passin pass:PASSWORD -passout pass:TempPasswd
openssl pkcs12 -nocerts -in cert.p12 -out key_encrypted.pem
(-passin is the .p12 password, -passout the temporary passphrase for the exported key; without -export, -password is just an alias of -passin, so giving both is redundant. pass: arguments show up in the process list and shell history; env:VAR or file:PATH are safer for real passwords.)
After supplying the temporary passphrase, strip it to get an unencrypted key (openssl rsa only handles RSA keys; openssl pkey works for any key type):
openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TempPasswd
openssl rsa -in key_encrypted.pem -out key.pem
Create a .pfx (PKCS#12) file from the private key and the certificate chain
openssl pkcs12 -export -out mywebsite.com.pfx -inkey privkey.pem -in fullchain.pem -password pass:xxx
(with -export, -password sets the export password that protects the bundle; if the chain is in a separate file, add it with -certfile chain.pem)
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
https://serverfault.com/questions/254627/how-do-i-convert-a-cer-certificate-to-pem
Commands
pkcs12
openssl help pkcs12
openssl pkcs12 -help (per-command option list; -help is accepted by every openssl subcommand)
Random
X.690 – ASN.1 encoding rules
- BER (Basic Encoding Rules): the same value can be encoded in several valid ways
- CER (Canonical Encoding Rules): BER restricted to a single canonical form, using indefinite-length encoding
- DER (Distinguished Encoding Rules): BER restricted to a single canonical form, using definite minimal-length encoding; this is what X.509 certificates and signatures use
- other ASN.1 encoding rules (PER, XER etc.) are defined in sibling standards (X.691, X.693), not in X.690
https://en.wikipedia.org/wiki/X.690
X.509 – public key certificates
There are several commonly used filename extensions for X.509 certificates. Unfortunately, some of these extensions are also used for other data such as private keys, so decide by file content rather than by extension.
- .pem – (Privacy-enhanced Electronic Mail) Base64-encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
- .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
- .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
- .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
- .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include it in the SignedData structure. A .p7c file is a degenerate SignedData structure, without any data to sign.
PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.
https://en.wikipedia.org/wiki/X.509
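Since a .cer/.crt can be either DER or PEM, the "Convert a DER file to PEM" task above only works if you already know which one you have. The script below is an added example (not part of these notes) that sniffs the format from the first bytes and converts only when needed; the file names, sample inputs and the demo_roundtrip helper are constructed for the demo and assume openssl is on PATH.

```sh
#!/bin/sh
# Added example, not from the original notes: decide PEM vs DER from the file
# contents (a .cer/.crt can be either) and normalise a certificate to PEM.
# All file names and sample inputs here are constructed for the demo.

# Print "pem" (a PEM certificate), "pem-other" (PEM armour but not a
# certificate, e.g. a private key), "der" or "unknown" for the given file.
cert_format() {
    f=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem; return 0
    fi
    if grep -q -- '-----BEGIN ' "$f" 2>/dev/null; then
        echo pem-other; return 0
    fi
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, so its first
    # byte is the SEQUENCE tag 0x30.
    first=$(head -c 1 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der; return 0
    fi
    echo unknown; return 1
}

# Write $1 to $2 as PEM, converting with openssl only when it is DER.
to_pem() {
    case $(cert_format "$1") in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "not an X.509 certificate: $1" >&2; return 1 ;;
    esac
}

# Round trip (needs openssl): make a throwaway self-signed cert, write it as
# DER, let to_pem detect and convert it back, and compare fingerprints.
demo_roundtrip() {
    w=$(mktemp -d) || return 1
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj /CN=demo -days 1 \
        -keyout "$w/k.pem" -out "$w/c.pem" 2>/dev/null || return 1
    openssl x509 -in "$w/c.pem" -outform der -out "$w/c.cer" || return 1
    [ "$(cert_format "$w/c.cer")" = der ] || return 1
    to_pem "$w/c.cer" "$w/back.pem" || return 1
    a=$(openssl x509 -in "$w/c.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$w/back.pem" -noout -fingerprint -sha256)
    rm -rf "$w"
    [ "$a" = "$b" ]
}

if command -v openssl >/dev/null 2>&1; then
    demo_roundtrip && echo "DER -> PEM round trip: fingerprints match"
fi
```

The 0x30 check is a heuristic, not a parser: any DER SEQUENCE (a CSR, a PKCS#8 key, a PKCS#7 blob) starts the same way, so treat "der" as "binary ASN.1, try openssl x509 on it" and let openssl's own error tell you if it is something else.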
** Main **
Required:
Certificate authority
Key length
Digest Algorithm
Lifetime (days)
Common Name
Optional:
Country Code
State or Province
City
Organization
Organizational Unit
** Certificate Attributes **
Certificate Type:
User Certificate
Server Certificate
Subject Alternative Name (the subjectAltName extension of X.509 v3); there can be more than one, each of one of the following types:
FQDN or Hostname
IP Address
URI
email address
Extract the private key and the client certificate from a .p12, then strip the key's passphrase:
openssl pkcs12 -in my-DC-CA.p12 -nocerts -out privatekey.pem
openssl pkcs12 -in my-DC-CA.p12 -clcerts -nokeys -out publicCert.pem
openssl rsa -in privatekey.pem -out privatekey_decrypted.pem
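The form fields above (CA, key length, digest, lifetime, CN, SAN of type FQDN/IP/URI/email) and the .p12 extraction commands map onto one openssl workflow. The script below is an added example, not code from these notes: it builds a config carrying every SAN type listed, issues a server cert from a throwaway CA, exports it to a .pfx, extracts key and cert back out with the same -nocerts/-clcerts commands, and then checks that the key really belongs to the cert. All names (www.example.com, 10.0.0.5, Demo Root CA, the password demo) are constructed for the demo, and openssl is assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not from the original notes: issue a server certificate that
# carries a subjectAltName entry of every type the form above lists (FQDN, IP,
# URI, email), sign it with a throwaway CA, bundle it into a .pfx, extract key
# and cert back out as in the notes, and check that they belong together.
# Names such as www.example.com and 10.0.0.5 are constructed for the demo.

# Print an openssl config with a v3_req section (server CSR, SAN of each
# listed type) and a v3_ca section (for the throwaway CA).
pki_config() {
    fqdn=$1; ip=$2; uri=$3; email=$4
    cat <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $fqdn
O = Example Org

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $fqdn
IP.1 = $ip
URI.1 = $uri
email.1 = $email

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Full round trip. Returns 0 only if the extracted key matches the extracted
# certificate, the SAN survived signing and the cert chains to the CA.
pki_roundtrip() {
    w=$(mktemp -d) || return 1
    pki_config "$1" "$2" "https://$1/" "admin@$1" > "$w/pki.cnf"

    # 1. Throwaway CA: key length, digest and lifetime as the form requires;
    #    -subj overrides the CN in the config, -extensions picks v3_ca.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$w/pki.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null || return 1

    # 2. Server key and CSR; the SAN comes from req_extensions in the config.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$w/pki.cnf" \
        -keyout "$w/server.key" -out "$w/server.csr" 2>/dev/null || return 1

    # 3. Sign with the CA. x509 -req drops the CSR's extensions unless told to
    #    add them, hence -extfile/-extensions; forgetting this yields a cert
    #    with no SAN at all, which browsers reject.
    openssl x509 -req -in "$w/server.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$w/pki.cnf" -extensions v3_req \
        -out "$w/server.crt" 2>/dev/null || return 1

    # 4. Bundle into a .pfx, then pull key and client cert back out.
    openssl pkcs12 -export -inkey "$w/server.key" -in "$w/server.crt" \
        -certfile "$w/ca.crt" -out "$w/server.pfx" -password pass:demo || return 1
    openssl pkcs12 -in "$w/server.pfx" -nocerts -nodes -passin pass:demo \
        -out "$w/extracted.key" 2>/dev/null || return 1
    openssl pkcs12 -in "$w/server.pfx" -clcerts -nokeys -passin pass:demo \
        -out "$w/extracted.crt" 2>/dev/null || return 1

    # 5. Checks: public half of the key == public key in the cert, SAN entries
    #    present, chain verifies against the CA.
    k1=$(openssl pkey -in "$w/extracted.key" -pubout 2>/dev/null)
    k2=$(openssl x509 -in "$w/extracted.crt" -pubkey -noout)
    rc=0
    [ -n "$k1" ] && [ "$k1" = "$k2" ] || rc=1
    openssl x509 -in "$w/extracted.crt" -noout -text | grep -q "DNS:$1" || rc=1
    openssl x509 -in "$w/extracted.crt" -noout -text | grep -q "IP Address:$2" || rc=1
    openssl verify -CAfile "$w/ca.crt" "$w/extracted.crt" >/dev/null 2>&1 || rc=1
    rm -rf "$w"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    pki_roundtrip www.example.com 10.0.0.5 \
        && echo "round trip OK: key matches cert, SAN preserved, chain verifies"
fi
```

The key/cert comparison in step 5 is the check worth keeping: after any PKCS#12 juggling, diff `openssl pkey -pubout` against `openssl x509 -pubkey -noout` before deploying, since a mismatched pair fails only at TLS handshake time.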