Certificate types
Three elements in the chain:
- Root: used to issue intermediate certificates; self-signed and renewed every few years
- Intermediate: used to sign leaf certificates; renewed at the same time as the root certificate
- Leaf: used for authentication and encryption; renewed every year
Certificate validation checks for a valid chain (by iteratively verifying each digital signature) from a trusted root certificate down to the public key contained in the leaf certificate.
Key operations
Generate a public/private key
openssl genrsa [-REPLACE_CIPHER] -out REPLACE_PRIVATE_KEY_NAME [REPLACE_LENGTH]
genrsa only generates RSA keys; the optional cipher option (for example -aes256) encrypts the private key with a passphrase, and REPLACE_LENGTH is the modulus size in bits.
Check the content of a private key
openssl rsa -in REPLACE_PRIVATE_KEY_NAME -check
Certificate generation
Generate a root certificate
openssl req -config openssl.cfg -new -x509 -days REPLACE_EXPIRATION_DAYS -key REPLACE_PRIVATE_KEY_NAME -out REPLACE_ROOT_CERTIFICATE_NAME
Generate a self-signed certificate
openssl req -x509 -nodes -days REPLACE_EXPIRATION_DAYS -key REPLACE_PRIVATE_KEY_NAME -out REPLACE_CERTIFICATE_NAME
Generate a jks file
create-jks --ip REPLACE_SUBNETS --alias REPLACE_ALIAS --name REPLACE_CERTIFICATE_NAME --ext client --ca REPLACE_CERTIFICATE_AUTHORITY --capw REPLACE_CERTIFICATE_AUTHORITY_PASSWORD --pw REPLACE_CERTIFICATE_PASSWORD --env REPLACE_ENVIRONMENT
Generate a pem file
create-cert --dns REPLACE_DNS_OR_DEVICE_NAME --cn REPLACE_CN --name REPLACE_CERTIFICATE_NAME --ext client --ca REPLACE_CERTIFICATE_AUTHORITY --capw REPLACE_CERTIFICATE_AUTHORITY_PASSWORD --env REPLACE_ENVIRONMENT
CN: the Common Name is the server name protected by the SSL certificate. The certificate is valid only if the requested hostname matches the certificate's common name.
Certificate conversion
Convert a PEM file to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -inkey REPLACE_PRIVATE_KEY_NAME -in REPLACE_INPUT_CERTIFICATE -out REPLACE_OUTPUT_CERTIFICATE
To add the root CA to the final file:
openssl pkcs12 -export -inkey REPLACE_PRIVATE_KEY_NAME -in REPLACE_INPUT_CERTIFICATE -out REPLACE_OUTPUT_CERTIFICATE -certfile REPLACE_ROOT_CA_CERTIFICATE
Convert a PKCS#12 file (.pfx .p12) to PEM
openssl pkcs12 -in REPLACE_PKCS_FILE_NAME -out REPLACE_OUTPUT_CERTIFICATE -clcerts -nodes
Convert a PKCS#12 (.pfx .p12) file to JKS
keytool -importkeystore -srckeystore REPLACE_PKCS_FILE_NAME -srcstoretype pkcs12 -destkeystore REPLACE_OUTPUT_JKS -deststoretype jks
CSR operations
Create a signing request for a key
openssl req -key REPLACE_PRIVATE_KEY_NAME -new -out REPLACE_CSR_NAME
Create a signing request for a certificate
openssl x509 -x509toreq -in REPLACE_CERTIFICATE_NAME -signkey REPLACE_PRIVATE_KEY_NAME -out REPLACE_CSR_NAME
Sign a Certificate Signing Request file
openssl x509 -req -in REPLACE_CSR_NAME -CAkey REPLACE_PRIVATE_KEY_NAME -CA REPLACE_ROOT_CA_NAME -out REPLACE_SIGNED_CERTIFICATE_NAME -days REPLACE_EXPIRATION_DAYS -CAcreateserial -CAserial REPLACE_CA_SERIAL
View the content of a CSR and verify its signature
openssl req -text -noout -verify -in REPLACE_CSR_NAME
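The chain described at the top of the page (root, intermediate, leaf) built end to end with the CSR and signing commands above, and then checked the way a verifier checks it. This is an added example, not part of the original cheat sheet; all names (Example Root CA, service.example.test, the .key/.crt/.ext file names) are constructed, and it assumes a working openssl binary with its default config.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet). Builds a three-tier chain
# (root -> intermediate -> leaf) with constructed names in a scratch directory,
# then shows the checks a verifier performs: signature chain, hostname, and
# that the chain breaks when the intermediate is missing. Requires openssl.
set -e

build_chain() {
    cd "$1"
    # Root: self-signed, marked as a CA so it may sign the intermediate
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null
    # Intermediate: CA with pathlen:0, so it can issue leaves but not further CAs
    openssl genrsa -out int.key 2048 2>/dev/null
    openssl req -new -key int.key -subj "/CN=Example Intermediate CA" -out int.csr
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile int.ext -out int.crt 2>/dev/null
    # Leaf: not a CA; the SAN is what a client compares the hostname against
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -key leaf.key -subj "/CN=service.example.test" -out leaf.csr
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:service.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null
}

# 0 when leaf.crt chains to root.crt via the (untrusted, i.e. unpinned) intermediate
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# 0 only when the chain is valid AND the leaf is issued for hostname $2
verify_hostname() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
        -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}

# 0 if the leaf verifies against the root alone; expected to fail, because the
# intermediate that signed it is neither trusted nor supplied
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

WORKDIR=$(mktemp -d)
(build_chain "$WORKDIR")
verify_chain "$WORKDIR" && echo "chain verifies" || echo "chain FAILED"
```

A server must send the intermediate alongside the leaf for clients to pass the first check; the last function shows what a client sees when it does not.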
Other
Check which certificates are being served by an endpoint
openssl s_client -connect REPLACE_URL:REPLACE_PORT -showcerts
With -showcerts, every certificate sent by the server is displayed, including the intermediate ones; without it only the leaf certificate is printed.
Extract public key from certificates
openssl x509 -inform pem -in REPLACE_CERTIFICATE_NAME -pubkey -noout > REPLACE_OUTPUT_KEY_NAME
openssl x509 -inform der -in REPLACE_CERTIFICATE_NAME -pubkey -noout > REPLACE_OUTPUT_KEY_NAME
Extract public key from public/private key pair
openssl rsa -in REPLACE_PRIVATE_KEY_NAME -outform pem -pubout -out REPLACE_OUTPUT_KEY_NAME
Verify keystore and truststore
To verify the credentials used to generate the JKS file and list its content:
keytool -list -keystore REPLACE_JKS_FILE
It prompts for the keystore password that was set when the file was generated.