Keys and certificates cheat sheet

Certificate types

Three elements in the chain:

  • Root: used to issue intermediate certificates; self-signed and renewed every few years
  • Intermediate: used to sign leaf certificates; renewed at the same time as the root certificate
  • Leaf: used for authentication and encryption; renewed every year

Certificate validation checks for a valid chain from a trusted root certificate down to the public key in the leaf certificate, by iteratively verifying each certificate's signature against the public key of its issuer.

Key operations

Generate a public/private key pair (REPLACE_ALGORITHM is an optional cipher flag such as -aes256 that encrypts the private key with a passphrase; REPLACE_LENGTH is the key size in bits)

openssl genrsa [REPLACE_ALGORITHM] -out REPLACE_PRIVATE_KEY_NAME [REPLACE_LENGTH]

Check the content of a private key

openssl rsa -in REPLACE_PRIVATE_KEY_NAME -check

Certificate generation

Generate a root certificate

openssl req -config openssl.cfg -new -x509 -days REPLACE_EXPIRATION_DAYS -key REPLACE_PRIVATE_KEY_NAME -out REPLACE_ROOT_CERTIFICATE_NAME

Generate a self-signed certificate

openssl req -x509 -nodes -days REPLACE_EXPIRATION_DAYS -key REPLACE_PRIVATE_KEY_NAME -out REPLACE_CERTIFICATE_NAME

Generate a jks file

create-jks --ip REPLACE_SUBNETS --alias REPLACE_ALIAS --name REPLACE_CERTIFICATE_NAME --ext client --ca REPLACE_CERTIFICATE_AUTHORITY --capw REPLACE_CERTIFICATE_AUTHORITY_PASSWORD --pw REPLACE_CERTIFICATE_PASSWORD --env REPLACE_ENVIRONMENT

Generate a pem file

create-cert --dns REPLACE_DNS_OR_DEVICE_NAME --cn REPLACE_CN --name REPLACE_CERTIFICATE_NAME --ext client --ca REPLACE_CERTIFICATE_AUTHORITY --capw REPLACE_CERTIFICATE_AUTHORITY_PASSWORD --env REPLACE_ENVIRONMENT

CN: The Common Name represents the server name protected by the SSL certificate. The certificate is valid only if the requested hostname matches the certificate's common name. Modern TLS clients match the hostname against the Subject Alternative Name (SAN) extension rather than the CN, so the hostname should also be present in the SAN.

Certificate conversion

Convert a PEM file to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -inkey REPLACE_PRIVATE_KEY_NAME -in REPLACE_INPUT_CERTIFICATE -out REPLACE_OUTPUT_CERTIFICATE

To add the root CA to the final file:

openssl pkcs12 -export -inkey REPLACE_PRIVATE_KEY_NAME -in REPLACE_INPUT_CERTIFICATE -out REPLACE_OUTPUT_CERTIFICATE -certfile REPLACE_ROOT_CA_CERTIFICATE

Convert a PKCS#12 file (.pfx .p12) to PEM

openssl pkcs12 -in REPLACE_PKCS_FILE_NAME -out REPLACE_OUTPUT_CERTIFICATE -clcerts -nodes

Convert a PKCS#12 (.pfx .p12) file to JKS

keytool -importkeystore -srckeystore REPLACE_PKCS_FILE_NAME -srcstoretype pkcs12 -destkeystore REPLACE_OUTPUT_JKS -deststoretype jks

CSR operations

Create a signing request for a key

openssl req -key REPLACE_PRIVATE_KEY_NAME -new -out REPLACE_CSR_NAME

Create a signing request for a certificate

openssl x509 -x509toreq -in REPLACE_CERTIFICATE_NAME -signkey REPLACE_PRIVATE_KEY_NAME -out REPLACE_CSR_NAME

Sign a Certificate Signing Request file

openssl x509 -req -in REPLACE_CSR_NAME -CAkey REPLACE_PRIVATE_KEY_NAME -CA REPLACE_ROOT_CA_NAME -out REPLACE_SIGNED_CERTIFICATE_NAME -days REPLACE_EXPIRATION_DAYS -CAcreateserial -CAserial REPLACE_CA_SERIAL

View the content of a CSR and check its content

openssl req -text -noout -verify -in REPLACE_CSR_NAME

Other

Check which certificates are being served by an endpoint

openssl s_client -connect REPLACE_HOST:REPLACE_PORT -showcerts

All the certificates should be displayed, including intermediate ones (-showcerts prints the full chain sent by the server, not only the leaf).

Extract public key from certificates

openssl x509 -inform pem -in REPLACE_CERTIFICATE_NAME -pubkey -noout > REPLACE_OUTPUT_KEY_NAME
openssl x509 -inform der -in REPLACE_CERTIFICATE_NAME -pubkey -noout > REPLACE_OUTPUT_KEY_NAME

Extract public key from public/private key pair

openssl rsa -in REPLACE_PRIVATE_KEY_NAME -outform pem -pubout -out REPLACE_OUTPUT_KEY_NAME

Verify keystore and truststore

To verify the credentials used to generate the JKS file and see its content:

keytool -list -keystore REPLACE_JKS_FILE

It will ask for the password used to generate the file.
