Nerdy Drunk

Drunk on technology


This is an old revision of the document!


OpenSSL

OpenSSL Cheat Sheet

Most of this should work with LibreSSL, but you will need OpenSSL for the CSR SAN cert.


CSR SAN wild card cert
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr -addext "subjectAltName = DNS:*.DOMAIN.TLD"
Common Name (eg, your name or your server's hostname) []:DOMAIN.TLD

CSR SAN cert
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr -addext "subjectAltName = DNS:SITE1.DOMAIN.TLD,DNS:SITE2.DOMAIN.TLD"
Common Name (eg, your name or your server's hostname) []:DOMAIN.TLD

CSR with encrypted key
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr

CSR with unencrypted key
openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout KEY-FILE.key -out CSR-FILE.csr

Add encryption to key
openssl rsa -aes256 -in KEY-FILE.key -out KEY-FILE.enc.key

Remove encryption from key
openssl rsa -in KEY-FILE.enc.key -out KEY-FILE.key

Self sign cert
openssl x509 -req -days 365 -in CSR-FILE.csr -signkey KEY-FILE.key -out CRT-FILE.crt
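
Added example (not part of the original cheat sheet): when the CSR carries a subjectAltName, the plain self-sign command above does not copy it into the certificate, so this script signs once without and once with -extfile and prints the SAN found in each file. The example.test names, the helper function names and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# example.test names and the file names under $dir are constructed placeholders.

# Print the subjectAltName value of a CSR ($1 = req) or certificate ($1 = x509).
san_of() {
    openssl "$1" -in "$2" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# $1 = work dir, $2 = Common Name, $3 = SAN list such as "DNS:a.example.test"
make_san_cert() {
    dir=$1; cn=$2; san=$3
    # Key + CSR with SAN; -subj answers the Common Name prompt non-interactively.
    # rsa:2048 only to keep the demo fast; the cheat sheet uses rsa:4096.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/req.csr" \
        -subj "/CN=$cn" -addext "subjectAltName = $san" 2>/dev/null || return 1
    # Plain self-sign: extensions requested in the CSR are not copied.
    openssl x509 -req -days 365 -in "$dir/req.csr" -signkey "$dir/key.pem" \
        -out "$dir/plain.crt" 2>/dev/null || return 1
    # Self-sign with the SAN supplied again through -extfile.
    printf 'subjectAltName = %s\n' "$san" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/req.csr" -signkey "$dir/key.pem" \
        -extfile "$dir/san.ext" -out "$dir/san.crt" 2>/dev/null || return 1
}

work=$(mktemp -d)
make_san_cert "$work" example.test "DNS:site1.example.test,DNS:site2.example.test"
echo "CSR:       $(san_of req  "$work/req.csr")"
echo "plain.crt: $(san_of x509 "$work/plain.crt")"
echo "san.crt:   $(san_of x509 "$work/san.crt")"
rm -rf "$work"
```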

Full pem
cat KEY-FILE.key >> CRT-FILE.pem
cat CRT-FILE.crt >> CRT-FILE.pem
cat INT-CA-FILE.crt >> CRT-FILE.pem
cat ROOT-CA-FILE.crt >> CRT-FILE.pem

Export PEM to PKCS12/P12/PFX
openssl pkcs12 -export -in CRT-FILE.pem -out CRT-FILE.p12

Export P12 to PEM
openssl pkcs12 -in CRT-FILE.p12 -out CRT-FILE.pem -nodes

Export to PKCS7/P7B
openssl crl2pkcs7 -nocrl -certfile CRT-FILE.pem -out CRT-FILE.p7b

Convert from binary to base64
openssl base64 -in example_com.p12

View certificate contents
openssl x509 -in CRT-FILE.crt -text -noout -purpose

View certificate chain
openssl s_client -showcerts -connect SITE.DOMAIN.TLD:443

Specify the config file to use
*Add the following option to the end of any openssl command string*
-config openssl.cfg
*Example*
openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout KEY-FILE.key -out CSR-FILE.csr -config openssl.cfg

Encrypt and decrypt file

#generate key (-hex keeps it on one printable line; -pass file: reads only the first line of the file)
openssl rand -hex -out secret.key 32
vim passwords.txt
#encrypt file
openssl aes-256-cbc -in passwords.txt -out passwords.txt.enc -pass file:secret.key
#encrypt key
openssl rsautl -encrypt -oaep -pubin -inkey <(ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PKCS8) -in secret.key -out secret.key.enc
#decrypt key
openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa -in secret.key.enc -out new-secret.key
#decrypt file
openssl aes-256-cbc -d -in passwords.txt.enc -out new-passwords.txt -pass file:new-secret.key
cat new-passwords.txt

From: https://bjornjohansen.no/encrypt-file-using-ssh-key

PKCS#5 vs PKCS#8
https://github.com/kjur/jsrsasign/wiki/Tutorial-for-PKCS5-and-PKCS8-PEM-private-key-formats-differences

linux/openssl.1658400099.txt.gz · Last modified: 2022/07/21 10:41 by 127.0.0.1