BASH - OpenSSL X.509, CSR, CRL and OCSP Commands
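### CSRs / CERTS ###
# Private keys are created with the current umask; the usual default (022)
# leaves them world-readable. Tighten it before generating anything below.
umask 077

# Generate a CSR interactively (openssl prompts for the subject fields).
# -nodes writes the private key UNENCRYPTED: keep private.key out of shared
# or world-readable locations and out of version control.
openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key

# Generate a CSR non-interactively with the subject on the command line.
# -sha256 is explicit so old OpenSSL releases do not fall back to SHA-1.
openssl req -new -newkey rsa:2048 -nodes -sha256 -out c.csr -keyout c.key \
  -subj "/C=US/ST=MT/L=Ulm/O=XYZ/CN=example.com"

# Generate a private key and a self-signed certificate in one go.
# Note: no subjectAltName is set here; current browsers ignore the CN for
# hostname matching, so add SANs (see the "CSR WITH SANS" section) for
# anything a browser must accept.
openssl req -nodes -new -days 365 -newkey rsa:2048 -x509 -sha256 \
  -keyout ss.key -out ss.pem -subj "/C=CA/CN=localhost"

# Dump the raw ASN.1 structure of any PEM object (CSR, cert, key ...).
openssl asn1parse -in file.pem

# Parse a CSR -- check subject and requested extensions before sending it to a CA.
openssl req -noout -text -in file.csr

# Parse a certificate.
openssl x509 -noout -text -in file.pem

# Parse a DER-encoded CRL (use -inform PEM for a PEM CRL).
openssl crl -inform DER -text -noout -in mycrl.crl
openssl asn1parse -inform DER -in mycrl.crl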
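### ECC ###
# Keys below are written unencrypted; make sure they are created 0600.
umask 077

# Generate an ECC private key on the P-256 curve.
# -noout drops the separate "EC PARAMETERS" block (the curve is already
# encoded in the key). The original -text flag only prepended a human-readable
# dump of the key to the key file, which has no place in a key file.
openssl ecparam -genkey -name prime256v1 -noout -out example-ecc.key

# Generate a CSR from the ECC key (ECDSA with SHA-384).
openssl req -new -key example-ecc.key -sha384 -out example-ecc.csr \
  -subj "/C=US/ST=MT/O=OrgName/CN=example.com"

# Now that you have an ECC CSR, create a self-signed cert from it.
# Caveat: "openssl x509 -req" does NOT carry extensions (e.g. SANs) over from
# the CSR unless you pass -extfile/-extensions (or -copy_extensions copy on
# OpenSSL 3.x); the resulting cert has no SAN.
openssl x509 -req -days 3650 -sha384 -in example-ecc.csr -signkey example-ecc.key \
  -out example-ecc.pem

# Curve choice vs. RSA strength (NIST SP 800-57 equivalence table):
openssl ecparam -genkey -name prime256v1 -noout -out example-ecc.key   # ~RSA 3072  (128-bit security)
openssl ecparam -genkey -name secp384r1  -noout -out example-ecc.key   # ~RSA 7680  (192-bit security)
openssl ecparam -genkey -name secp521r1  -noout -out example-ecc.key   # ~RSA 15360 (256-bit security)

# List every curve this OpenSSL build supports.
openssl ecparam -list_curves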
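### CLIENT CERTS ###
umask 077   # the client key is written unencrypted

# Client cert CSR -- the subject identifies a user, not a host.
openssl req -new -newkey rsa:2048 -nodes -sha256 -out client.csr -keyout client.key \
  -subj "/emailAddress=b@x.co/CN=BobJo"

# Generate the client cert.
# The original used "-addtrust clientAuth". That does NOT put an EKU into the
# certificate: it only wraps the output in an OpenSSL-specific
# "TRUSTED CERTIFICATE" PEM carrying a local trust annotation, which other TLS
# stacks may not parse. Put extendedKeyUsage into the certificate itself.
cat > client-ext.cnf <<'EOF'
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
openssl x509 -req -days 365 -sha256 -in client.csr -signkey client.key \
  -extfile client-ext.cnf -out client.crt
# A self-signed client cert has to be trusted explicitly by every server that
# should accept it. For a real deployment sign the CSR with your CA instead:
#   openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca.key \
#     -CAcreateserial -extfile client-ext.cnf -out client.crt

# View the certificates in Chrome's NSS database (Linux).
certutil -d "sql:${HOME}/.pki/nssdb" -L -h "Builtin Object Token"

# View the trusted CAs of a Java runtime (JDK 9+ layout; JDK 8 and older keep
# the store under jre/lib/security/cacerts). Default store password: "changeit".
keytool -list -keystore "${JAVA_HOME:?}/lib/security/cacerts"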
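### OCSP ###
# Read the responder URL from a certificate's Authority Information Access
# extension (this is what the old "grep -i ocsp" was looking for).
openssl x509 -noout -ocsp_uri -in issuer.pem
openssl x509 -noout -ocsp_uri -in cert.pem

# Check the OCSP status of the intermediate/issuer (it was signed by root.pem).
# -CAfile must hold a trust anchor for the chain.
# Do NOT pass the whole system bundle as -VAfile: -VAfile marks every listed
# certificate as an explicitly trusted responder and disables the normal
# responder-certificate checks, so a response signed by ANY CA in the bundle
# would be accepted. Without it, the response must be signed by the issuer
# itself or by a responder the issuer delegated (id-kp-OCSPSigning).
openssl ocsp -issuer root.pem -CAfile /etc/ssl/certs/ca-certificates.crt \
  -cert issuer.pem -url "$(openssl x509 -noout -ocsp_uri -in issuer.pem)" \
  -resp_text -req_text

# Check the OCSP status of the end-entity cert (signed by issuer.pem).
# The intermediate is appended so the chain can be built up to the bundle.
cat /etc/ssl/certs/ca-certificates.crt issuer.pem > b.crt
openssl ocsp -issuer issuer.pem -CAfile b.crt \
  -cert cert.pem -url "$(openssl x509 -noout -ocsp_uri -in cert.pem)" \
  -resp_text -req_text

# Reading the output: you want BOTH "Response verify OK" and "<cert>: good".
# A "revoked" or "unknown" answer is still a successful query, so when
# scripting this parse the printed status rather than trusting the exit code.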
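### CSR WITH SANS ###
# Minimal config that adds a subjectAltName extension request to the CSR.
# The heredoc delimiter is quoted so the shell expands nothing inside it.
cat > my.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName_max = 64
[ server_cert ]
subjectAltName = DNS:test1.example.com,DNS:other1.example.com,DNS:www1.example.net
EOF
# Fix: -subj must start with "/" -- the original "CN=ex1" is rejected by
# openssl req ("name is expected to be in the format /type0=value0/...").
openssl req -new -newkey rsa:2048 -nodes -sha256 -out csr -keyout key \
  -subj "/CN=ex1" -config my.cnf -reqexts server_cert

# Confirm the SANs actually made it into the request.
openssl req -noout -text -in csr | grep -A1 'Subject Alternative Name'

# Caveat: a CA only honours requested extensions if it copies them
# (copy_extensions = copy for "openssl ca"; "openssl x509 -req" drops them
# unless -extfile or, on OpenSSL 3.x, -copy_extensions copy is given).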
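### DIGITAL SIGNATURES ###
# Sign a file with SHA-256 and the key's default scheme (PKCS#1 v1.5 for RSA;
# add "-sigopt rsa_padding_mode:pss" for RSA-PSS), then verify it.
openssl dgst -sha256 -sign private_key.pem -out signature.sig message.txt
openssl dgst -sha256 -verify public_key.pem -signature signature.sig message.txt
# Success prints "Verified OK" and exits 0 -- check the exit status when scripting.

### REMOVE PASSPHRASE ###
# The output is a PLAINTEXT PKCS#1 key: create it 0600 and treat it with the
# care the passphrase previously provided. (For non-RSA keys use "openssl pkey".)
umask 077
openssl rsa -in server.key -out server.key.out

### BUILD PKCS7/P7B ###
# Bundle the certificate chain only (no key, no CRL) into a P7B.
openssl crl2pkcs7 -nocrl -certfile certificate.crt -certfile intermediate.crt -out certificate.p7b

### VIEW PKCS7 ###
# Print the certificates inside a P7B, also writing them out as PEM.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

### BUILD PKCS12 / P12 ###
# Bundle key + cert + chain. openssl prompts for an export password.
# Avoid "-passout pass:..." on the command line (visible in ps output and shell
# history); use -passout file:/path or env:VAR if it must be scripted.
# OpenSSL 3.x encrypts with AES-256/PBKDF2 by default; add -legacy only if the
# consumer understands nothing but the old RC2-40/3DES encoding.
umask 077
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile more.crt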
code snippets are licensed under Creative Commons CC-By-SA 3.0 (unless otherwise specified)