Commands

View Single Cert or Key

P12 - Verify:
    keytool -list -v -keystore store.p12 -alias alias
JKS - Verify:
    keytool -list -v -keystore store.jks -alias alias
PEM(Nx) - View:
    # PEM(Nx) -> PEM, Verify PEM (split the bundle first, then verify each piece)
PEM - Verify Key:
    openssl rsa -in in.pem -check
PEM - Verify Cert:
    openssl x509 -in in.pem -text
PEM - Verify Cert Chain:
    # May fail if intermediate certs are not in your truststore
    openssl verify -CAfile cacerts.pem my.pem
PEM - Hash Cert:
    openssl x509 -noout -modulus -in incert.pem | openssl md5
PEM - Hash Key:
    openssl rsa -noout -modulus -in in.key | openssl md5
PEM - Correlate Key and Cert:
    # Hash Key and Cert, then compare hashes - if equal, they are correlated
PEM - Extract Public Key:
    openssl x509 -pubkey -noout -in incert.pem -out public.key
DER - Verify Either:
    keytool -printcert -v -file in.der

Convert Between Formats

PEM -> DER - Convert:
    openssl x509 -inform PEM -in in.pem -outform DER -out out.der
DER -> PEM - Convert:
    openssl x509 -inform DER -in in.der -outform PEM -out out.pem
P7B -> PEM - Convert:
    openssl pkcs7 -print_certs -in in.p7b -out out.pem
PEM (Cert) -> SSH Key - Convert and Place:
    openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
    rm /etc/ssh/*key*    # removes ALL existing host keys; clients will see a changed host key
    ssh-keygen -f pubkey.pem -i -mPKCS8 > /etc/ssh/ssh_host_rsa_key.pub
    cp key.pem /etc/ssh/ssh_host_rsa_key
PEM (Cert) -> PEM (Pub Key) - Extract Public Key:
    openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

View Bundle Contents

P12 - List:
    keytool -list -v -keystore store.p12
    # OR
    openssl pkcs12 -info -in store.p12
JKS - List:
    keytool -list -v -keystore store.jks
PEM - List Key:
    openssl rsa -in store.pem -check
PEM - List Cert:
    openssl x509 -in store.pem -text
PEM(Nx) - List Cert Subjects/Issuers:
    openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -noout
PEM(Nx) - List Cert Details:
    openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout
PEM(Nx) - Split Certs:
    csplit --prefix='cert.' --suffix-format='%03d.pem' --elide-empty-files multicert.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
    # file name is passed as $1 so names with spaces or quotes cannot break out of the sh -c string
    find ./cert.*.pem -print0 | xargs -0r -I {} sh -c 'printf "%s\n" "$1"; openssl x509 -in "$1" -text' sh {}

Create Bundle

P12 - Generate/Create:
    keytool -genkey -alias temp -keystore store.p12
P12 - Delete (the temporary entry):
    keytool -delete -alias temp -keystore store.p12
JKS - Generate/Create:
    keytool -genkey -alias temp -keystore store.jks
JKS - Delete (the temporary entry):
    keytool -delete -alias temp -keystore store.jks
PEM (1x or Nx) - Create:
    touch store.pem

Import to Bundle

PEM -> PEM(Nx) - Import via Merge:
    cat 1.pem >> 2.pem
PEM -> P12 - Import Cert and Key:
    openssl pkcs12 -export -out certificate.p12 -inkey inkey.pem -in incert.pem -certfile CACert.pem
PEM -> JKS - Import:
    # PEM -> DER -> JKS
DER -> PEM(Nx) - Import:
    # DER -> PEM -> PEM
DER -> P12 - Import:
    # DER -> PEM -> P12
DER -> JKS - Import:
    keytool -import -alias alias -keystore store.jks -file in.der

Export from Bundle

PEM(Nx) -> PEM - Export via Split:
    # Use a text editor and save a new file
PEM(Nx) -> PEM - Cert-only csplit:
    csplit --prefix='cert.' --suffix-format='%03d.pem' multicert.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
PEM(Nx) -> PEM - AWK Script:
    #!/usr/bin/awk -f
    #
    # Take a PEM format file as input and split out certs and keys into separate files
    # (writes FILENAME-<n>.crt and FILENAME-<n>.key; matches PKCS#8, "RSA"/"EC" and
    # "ENCRYPTED" private key headers, not only "BEGIN PRIVATE KEY")
    #

    BEGIN { n=0; cert=0; key=0; if ( ARGC < 2 ) { print "Usage: pem-split FILENAME"; exit 1 } }
    /-----BEGIN .*PRIVATE KEY-----/ { key=1; cert=0 }
    /-----BEGIN CERTIFICATE-----/   { cert=1; key=0 }
    split_after == 1 { n++; split_after=0 }      # first line after an END line starts a new output file
    /-----END CERTIFICATE-----/     { split_after=1 }
    /-----END .*PRIVATE KEY-----/   { split_after=1 }
    key == 1  { print > (FILENAME "-" n ".key") }
    cert == 1 { print > (FILENAME "-" n ".crt") }
PEM(Nx) -> DER - Export via Split:
    # PEM -> PEM -> DER
P12 -> PEM - Export:
    # P12 -> PEM -> PEM
P12 -> DER - Export:
    keytool -export -alias alias -file out.der -keystore store.p12
JKS -> PEM - Export:
    # JKS -> P12 -> PEM -> PEM
JKS -> DER - Export:
    keytool -export -alias alias -file out.der -keystore store.jks

Copy Between Bundles

PEM(Nx) -> P12 - Convert:
    openssl pkcs12 -export -out store.p12 -in in.pem
PEM(Nx) -> P12 - Import to Existing:
    # openssl cannot append to a P12; it writes a new store from the PEM input
    openssl pkcs12 -export -out newstore.p12 -in in.pem
PEM(Nx) -> P12 - Build a full-chain P12:
    cat cacerts.pem cert.pem >> merged.pem
    # output is a binary PKCS#12 store, so name it .p12 (not .pem)
    openssl pkcs12 -export -inkey key.pem -in merged.pem -name myname -out mergedWithKey.p12
PEM(Nx) -> JKS - Convert:
    # PEM -> P12 -> JKS
PEM(Nx) -> JKS - Import to Existing:
    # PEM -> P12 -> JKS
P12 -> PEM(Nx) - Convert:
    openssl pkcs12 -in in.p12 -out newstore.pem
P12 -> PEM(Nx) - Import to Existing:
    openssl pkcs12 -in in.p12 >> store.pem
P12 -> JKS - Convert:
    keytool -importkeystore -srckeystore in.p12 -srcstoretype PKCS12 -destkeystore newstore.jks -deststoretype JKS
P12 -> JKS - Import All to Existing:
    keytool -importkeystore -srckeystore in.p12 -srcstoretype PKCS12 -destkeystore store.jks -deststoretype JKS
P12 -> JKS - Import One to Existing:
    keytool -importkeystore -srckeystore in.p12 -srcstoretype PKCS12 -srcalias alias -destkeystore store.jks -deststoretype JKS
JKS -> P12 - Convert:
    keytool -importkeystore -srckeystore in.jks -srcstoretype JKS -destkeystore newstore.p12 -deststoretype PKCS12
JKS -> P12 - Import All to Existing:
    keytool -importkeystore -srckeystore in.jks -srcstoretype JKS -destkeystore store.p12 -deststoretype PKCS12
JKS -> P12 - Import One to Existing:
    keytool -importkeystore -srckeystore in.jks -srcstoretype JKS -srcalias alias -destkeystore store.p12 -deststoretype PKCS12
JKS -> PEM(Nx) - Convert:
    # JKS -> P12 -> PEM
JKS -> PEM(Nx) - Import to Existing:
    # JKS -> P12 -> PEM
PPK -> PEM - Extract Public Key:
    puttygen in.ppk -o cert.pem -O public
PPK -> PEM - Extract Private Key:
    puttygen in.ppk -o key.pem -O private-openssh
PEM(Nx) -> PPK - Convert:
    puttygen inkey.pem -o out.ppk -O private

Delete from Bundle

P12 - Delete:
    keytool -delete -alias temp -keystore store.p12
JKS - Delete:
    keytool -delete -alias temp -keystore store.jks
PEM(Nx) - Delete:
    # Use a text editor

Create a Self-Signed CA

Set up the CA - Create CA Key:
    openssl genrsa -out ca.key 4096
Set up the CA - Create CA Cert:
    # -subj takes the /type=value form
    openssl req -x509 -new -nodes -sha512 -days 3650 \
      -subj "/CN=yourdomain.com" \
      -key ca.key \
      -out ca.crt
Create the Key and Cert - Create Key:
    openssl genrsa -out yourdomain.com.key 4096
Create the Key and Cert - Create CSR:
    openssl req -sha512 -new \
      -subj "/CN=yourdomain.com" \
      -key yourdomain.com.key \
      -out yourdomain.com.csr
Create the Key and Cert - Windows: Create Policy File:
    ; Save this as something like mypolicy.inf using Notepad
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    ;Change to your country code, company name and common name
    Subject = "C=US, O=Example Co, CN=something.example.com"

    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing
Create the Key and Cert - Windows: Create and Sign Request:
    certreq -new mypolicy.inf myrequest.req
    certreq -sign myrequest.req myrequest.req
Create the Key and Cert - Windows: Accept/Store Cert from CSR:
    certreq -accept cert.pem
Create the Key and Cert - Create x509 v3 ext. for SANs:
    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1=yourdomain.com
    DNS.2=yourdomain
    DNS.3=hostname
    EOF
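The whole self-signed CA procedure above as one runnable script, added here as an example (not the cheat sheet's own code). It also performs the two steps the table leaves implicit: signing the CSR with the CA while applying v3.ext, and verifying the result. File names follow the table; the CA subject "Example Test CA" and the www.<domain> SAN are assumptions.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): "Create a Self-Signed CA" end to end.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.

# build_pki DIR DOMAIN: CA key+cert, server key+CSR, SAN extension file, signed leaf cert
build_pki() {
    dir=$1; domain=$2
    mkdir -p "$dir"
    # 1. CA key and self-signed CA cert (-nodes = unencrypted key: keep it on local disk only)
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=Example Test CA" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
    # 2. Server key and CSR (-subj needs the /type=value form)
    openssl genrsa -out "$dir/$domain.key" 4096 2>/dev/null
    openssl req -sha512 -new -subj "/CN=$domain" \
        -key "$dir/$domain.key" -out "$dir/$domain.csr"
    # 3. v3 extensions: CA:FALSE so the leaf cannot issue certs, serverAuth EKU, SANs
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$domain
DNS.2=www.$domain
EOF
    # 4. Sign the CSR with the CA, applying the extensions (the step the table omits);
    #    -CAcreateserial writes ca.srl next to ca.crt
    openssl x509 -req -sha512 -days 365 -in "$dir/$domain.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/v3.ext" -out "$dir/$domain.crt" 2>/dev/null
}

# verify_leaf DIR DOMAIN: chain, SAN, CA:FALSE and key/cert correlation checks;
# prints "ok" or the name of the failing check
verify_leaf() {
    dir=$1; domain=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$domain.crt" >/dev/null 2>&1 || { echo chain-fail; return 1; }
    openssl x509 -noout -text -in "$dir/$domain.crt" | grep -q "DNS:$domain" || { echo san-missing; return 1; }
    openssl x509 -noout -text -in "$dir/$domain.crt" | grep -q "CA:FALSE" || { echo not-a-leaf; return 1; }
    # the cert's public key must be the public half of the server key (works for RSA and EC)
    c=$(openssl x509 -noout -pubkey -in "$dir/$domain.crt" | openssl sha256)
    k=$(openssl pkey -pubout -in "$dir/$domain.key" | openssl sha256)
    [ "$c" = "$k" ] || { echo key-mismatch; return 1; }
    echo ok
}

if [ "${1:-}" = "--demo" ]; then
    build_pki ./pki yourdomain.com
    verify_leaf ./pki yourdomain.com
fi
```

Run with `--demo` to populate ./pki; in real use, delete the CSR and keep ca.key off shared storage.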

Manage Local CAs

Red Hat / CentOS / Rocky / Oracle - Install Common CA Certificates:
    sudo yum install ca-certificates
Red Hat / CentOS / Rocky / Oracle - Update Common CA Certificates:
    sudo yum update ca-certificates
Debian / Ubuntu / PopOS - Install Common CA Certificates:
    sudo apt update
    sudo apt install ca-certificates
Debian / Ubuntu / PopOS - Update Common CA Certificates:
    sudo apt update
    sudo apt --only-upgrade install ca-certificates
Most Linux Distros - Add a Custom CA Certificate:
    # update-ca-certificates only picks up files whose name ends in .crt (Debian family;
    # the Red Hat family uses /etc/pki/ca-trust/source/anchors/ and update-ca-trust instead)
    sudo cp mycert.pem /usr/local/share/ca-certificates/mycert.crt
    sudo chmod 644 /usr/local/share/ca-certificates/mycert.crt
    sudo update-ca-certificates
Most Linux Distros - Remove a Custom CA Certificate:
    sudo rm /usr/local/share/ca-certificates/mycert.crt
    sudo update-ca-certificates
Most Linux Distros - List System CA Certs:
    awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
Mac OS / BSD - Add a Custom CA Certificate:
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain mycert.pem
Mac OS / BSD - Remove a Custom CA Certificate:
    sudo security delete-certificate -c "<name of existing certificate>"
Mac OS / BSD - List System CA Certs:
    sudo security dump-trust-settings -s
Mac OS / BSD - List Admin CA Certs:
    sudo security dump-trust-settings -d
Mac OS / BSD - List User CA Certs:
    sudo security dump-trust-settings
Windows - Add a Custom Root CA Certificate:
    certutil -addstore -f "ROOT" mycert.pem
Windows - Add a Custom User Intermediate CA Certificate:
    certutil -user -addstore -f "CA" mycert.pem
Windows - Remove a Custom Root CA Certificate:
    certutil -delstore "ROOT" serial-number-hex
Windows - Remove a Custom User Intermediate CA Certificate:
    certutil -user -delstore "CA" serial-number-hex
Windows - List User Root CA Certs:
    certutil -user -store "ROOT"
Windows - List Enterprise/Domain Root CA Certs:
    certutil -enterprise -store "ROOT"
Windows - List Group Policy Root CA Certs:
    certutil -grouppolicy -store "ROOT"
Windows - List User Intermediate CA Certs:
    certutil -user -store "CA"
Windows - List Enterprise/Domain Intermediate CA Certs:
    certutil -enterprise -store "CA"
Windows - List Group Policy Intermediate CA Certs:
    certutil -grouppolicy -store "CA"

Revocation

OCSP - Check Status via Serial (Decimal):
    # -serial and -cert both need the issuer cert (-issuer) to build the request
    openssl ocsp -no_nonce -issuer chain.pem -serial 012345 -cert certificate.pem -text -url http://ocsp.my.ca.tld
OCSP - Check Status via Serial (Hex):
    openssl ocsp -no_nonce -issuer chain.pem -serial 0xAF1345 -cert certificate.pem -text -url http://ocsp.my.ca.tld
OCSP - Check Status via Certificate:
    openssl ocsp -no_nonce -issuer chain.pem -cert certificate.pem -text -url http://ocsp.my.ca.tld
OCSP - Save Request and Response:
    # Add '-respout ocsp.resp -reqout ocsp.req' to save them to the current folder
OCSP - Replay with Curl:
    curl -v -o /dev/null --data-binary @ocsp.req -H "Content-Type: application/ocsp-request" --url http://ocsp.my.ca.tld
CRL (PEM Nx) - List CRL Issuers:
    # split on the CRL header (not the certificate header) and read each piece with 'openssl crl'
    csplit --prefix='crl.' --suffix-format='%03d.pem' --elide-empty-files multicrl.pem '/-----BEGIN X509 CRL-----/' '{*}'
    find ./crl.*.pem -print0 | xargs -0r -I {} sh -c 'printf "%s\n" "$1"; openssl crl -in "$1" -noout -issuer -lastupdate -nextupdate' sh {}

Generate Keys

RSA Private Key - Generate:
    # single-quote the passphrase: unquoted, the shell expands $$ to its own PID;
    # note that a pass: argument is visible to other users in the process list
    openssl genrsa -des3 -out id_rsa -passout 'pass:mys3curep4$$w0rd' 2048
RSA Private Key - Extract Public Key:
    openssl rsa -in id_rsa -passin 'pass:mys3curep4$$w0rd' -pubout -out id_rsa.pub
ECDSA Private Key - Generate:
    openssl ecparam -out id_ec -name prime256v1 -genkey
Ed25519 SSH Private Key - Generate:
    ssh-keygen -o -a 100 -t ed25519 -f id_ed25519 -C "john@example.com"
Any SSH Private Key - Extract Public Key:
    ssh-keygen -y -f id_rsa    # OpenSSH format; use 'ssh-keygen -e -f id_rsa' for RFC 4716 format
PuTTY RSA Keypair - Generate:
    puttygen -t rsa -o out.ppk
SSH Host Key Set - Generate:
    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
    ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa # consider skipping
    ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

Digest Signing

PEM (Private Key) - Create Signature File:
    openssl dgst -sha256 -sign privkey.pem -out sigfile.sha256 datafile
PEM (Private Key) - Check Signature via Private Key:
    openssl dgst -sha256 -prverify privkey.pem -signature sigfile.sha256 datafile
PEM (Public Key) - Check Signature via Public Key:
    # This MUST be a public key, not a cert, or you will receive an "unable to load key file" error
    openssl dgst -sha256 -verify pubkey.pem -signature sigfile.sha256 datafile

TLS Troubleshooting

Basic TLS Handshake - List Accepted CAs, Confirm TLS:
    openssl s_client -connect remoteserver:443
Test 2-way PKI - Handshake w/ Key/Cert:
    openssl s_client -showcerts -cert cert.pem -key key.pem -CAfile cacerts.pem -connect remoteserver:443 -debug
Check TLS Vulns - List Ciphers, Attacks, etc.:
    docker run --rm -it drwetter/testssl.sh remoteserver

Passphrase Management

PEM(Nx) - Change Passphrase:
    # PEM(Nx) -> PEM, Change Passphrase, Re-merge
PEM - Change Passphrase:
    # prompts for the old and the new passphrase; -aes256 is the stronger choice (see the guide below)
    openssl rsa -des3 -in id_rsa -out id_rsa.new
    # OR
    ssh-keygen -p -f id_rsa

Password Prompt / Generate

Batch/Powershell Password - Prompt:
    @echo off
    REM See http://blogs.msdn.com/b/fpintos/archive/2009/06/12/how-to-properly-convert-securestring-to-string.aspx - this may stay in memory as an unfreed buffer
    REM Still better than echoing or writing to disk
    set "psCommand=powershell -Command "$pword = read-host 'Enter Password' -AsSecureString ; ^
    $BSTR=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pword); ^
    [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)""
    for /f "usebackq delims=" %%p in (`%psCommand%`) do set password=%%p
    REM demonstration only - drop this echo in real scripts
    echo %password%
*nix Bash/zsh - Prompt:
    unset -v password # make sure it's not exported
    set +o allexport # make sure variables are not automatically exported
    IFS= read -rs password < /dev/tty
Generate via openssl - Generate:
    openssl rand -base64 32

Guides

Managing Sensitive Keys

One of the biggest risks with cert and key stores/bundles is not managing the encryption properly.

  • It's easy to store them encrypted (with a passphrase) or unencrypted.
  • A store can contain cert(s), key(s) or both.
  • Many of the commands to do transformations aren't entirely clear to the untrained eye.
  • In some cases, you need a copy of the key that is unencrypted (for example, to plug into an app that doesn't accept a passphrase).

It's helpful to separate SENSITIVITY and SECURITY:

  • A store is SENSITIVE if it contains a private key.
  • A store is SECURE only if it is encrypted and requires a password/passphrase to decrypt any and all private keys.

As a general rule:

  • Name files to reflect their sensitivity - one easy way is to name files with private keys with 'key' in the name or extension.
  • Save an unencrypted private key to disk as rarely as possible, and only on local hardware (avoid S3, NFS, etc.)
  • Verify the contents of any transformations you apply to a store.

PEM

To make a SECURE PEM:
  • Use the OpenSSL commands in the Commands section above
  • Make sure '-nodes' is not specified on an openssl pkcs12 export
  • Make sure one of the valid encryption modes from the list below is in the command (-aes256 or -camellia256 recommended)

To make an INSECURE PEM:
  • Use the OpenSSL commands in the Commands section above
  • Ensure that you are working with a non-SENSITIVE key - i.e., a public key, a limited-lifespan decrypted copy of a private key, or a single-use key
  • Add '-nodes' to the command to skip the encryption step in an export or generate operation
  • Make sure none of the valid encryption modes from the list below are in the command

OpenSSL Encryption Flags:
  • -nodes: Do not encrypt output. Only required on exports from other formats ('openssl pkcs12') or generation ('openssl req') (completely insecure!)
  • -des: Use DES encryption (insecure)
  • -des3: Use Triple DES encryption (default on 'openssl pkcs12' export, but must be supplied in an 'openssl rsa' operation) (potentially insecure)
  • -idea: Use IDEA encryption (insecure)
  • -seed: Use SEED encryption (not recommended unless in Korea due to low interoperability)
  • -aes128, -aes192, -aes256: Use CBC AES encryption with the given key strength (aes256 recommended)
  • -camellia128, -camellia192, -camellia256: Use CBC Camellia encryption with the given key strength (camellia256 recommended)

To examine a PEM for SENSITIVITY and SECURITY:
  1. Use a text editor or known-good script to isolate the individual certs and keys within a PEM (i.e., save each as a new file - recommend using name.pem for certs and number.key for keys until matches are verified)
  2. For each single PEM file (in_single.pem in our examples), verify appropriately:
    • If any PRIVATE KEYs are present, the PEM is SENSITIVE and should be encrypted in the vast majority of circumstances; verify it with openssl rsa -in in_single.pem -check. If you aren't asked for a password, it's not encrypted and is INSECURE!
    • If any CERTIFICATES are present, verify their validity (proper issuer, expected subject, date range) with openssl x509 -in in_single.pem -text.
    • If any PUBLIC KEYs or CERTIFICATES are present and you hold the matching private key, verify that they correlate: openssl x509 -noout -modulus -in incert.pem | openssl md5 on the cert and openssl rsa -noout -modulus -in in.key | openssl md5 on the key should yield the same hash.
    • If you are not asked for a password for each PRIVATE key, it's likely that the PEM is INSECURE.

The bag attributes in a multi-object PEM can be used to help correlate but are NOT a guarantee - these sections are not secured!
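The SENSITIVITY/SECURITY check above and the "Correlate Key and Cert" row of the Commands section, as an added example (not the cheat sheet's own code). The audit needs only awk; the correlation compares the whole public key rather than the RSA modulus the cheat sheet hashes, so it also works for EC keys (assumes the openssl CLI, 1.1.1 or later). The sample bundle is constructed and contains no real key material.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): audit a multi-object PEM for
# SENSITIVITY (does it hold a private key?) and SECURITY (is each private key
# encrypted?), then correlate a cert with a key.

# pem_audit FILE: prints one line per PEM block: "<n> <block type> <sensitivity> <security>"
pem_audit() {
    awk '
    /^-----BEGIN / { n++; type=$0; sub(/^-----BEGIN /, "", type); sub(/-----$/, "", type); enc=0 }
    /^Proc-Type: 4,ENCRYPTED/ { enc=1 }   # legacy PKCS#1 ("RSA PRIVATE KEY") encryption marker
    /^-----END / {
        sens="public"; sec="-"
        if (type ~ /PRIVATE KEY/) {
            sens="SENSITIVE"
            # PKCS#8 encrypted keys say so in the header; legacy keys use Proc-Type
            if (type ~ /^ENCRYPTED/ || enc) sec="SECURE"; else sec="INSECURE"
        }
        printf "%d %s %s %s\n", n, type, sens, sec
    }' "$1"
}

# pem_is_secure FILE: exit 0 only if no plaintext private key is present
pem_is_secure() {
    ! pem_audit "$1" | grep -q 'INSECURE$'
}

# pem_correlate CERT KEY: "match" if CERT carries the public half of KEY, else "MISMATCH"
# (an encrypted KEY prompts for its passphrase, which is exactly what we want)
pem_correlate() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl sha256)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo match; else echo MISMATCH; fi
}

# make_sample FILE: a constructed bundle (placeholder base64, not real keys) with one cert,
# one plaintext PKCS#8 key, one encrypted PKCS#8 key and one legacy encrypted RSA key
make_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: constructed-sample
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEconstructedSamplePlaintextPkcs8Key==
-----END PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFconstructedSampleEncryptedPkcs8Key==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

MIIEconstructedSampleLegacyEncryptedKey==
-----END RSA PRIVATE KEY-----
EOF
}

if [ "${1:-}" = "--demo" ]; then
    make_sample sample.pem
    pem_audit sample.pem
    if pem_is_secure sample.pem; then echo "sample.pem: SECURE"; else echo "sample.pem: INSECURE (plaintext private key present)"; fi
fi
```

Audit output for the sample: line 2 reads "2 PRIVATE KEY SENSITIVE INSECURE", which is the case the guide warns about.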

Picking a Store Type

Often, you don't get to choose a cert/key store type arbitrarily - applications typically offer support for a limited number of formats. For example:

  • Java apps: P12 unless you MUST use JKS!
  • CURL: PEM or DER
  • Firefox: P12, PEM, DER, P7B
  • IE, Windows, Edge, IIS: P12, DER, P7B
  • Chrome
    • On Windows: P12, DER, P7B
  • wget: PEM or DER
  • NGinx: PEM
  • Node.JS: PEM
  • PuTTY: PPK

But, if you get to choose:

  • PEM and P12 are the most portable
  • PEM can be merged by hand
  • DER files are typically the smallest

Reference Tables

File Types

Family | Description | Common Extensions | Identification | Binary? | Encrypted | References
X.690 DER | DER-encoded | .der .cer .crt .cert .key | Binary file; can't view in a text editor, use the posix file utility or keytool -printcert -v -file in.der | BINARY | Maybe | Wikipedia
X.509 PEM | X.509 Bundle | .pem .cer .crt .cert .key .pub .crl | ASCII text, 1+ blocks with optional 'bag info' and -----BEGIN | ASCII | Maybe | Wikipedia
PKCS #7 | PKCS#7 Certificate | .p7b .crl | | BINARY | No | Wikipedia
PKCS #12 | PKCS#12 Certificate Bundle | .p12 .pfx | Verify via keytool -list -v -keystore store.p12 -alias alias | BINARY | Maybe | Wikipedia
JKS | Java KeyStore | .jks .keystore .truststore | | BINARY | Maybe | Wikipedia
BKS | BouncyCastle KeyStore | .bks | | BINARY | Maybe | Official Site
PPK | PuTTY Key File | .ppk | ASCII text, starts with PuTTY-User-Key-File | ASCII | Maybe | Official Site

Object Types

Object Type | What is it? | PEM Header | P12 | DER | P7B | JKS | PPK
Public Key | A shareable key used to verify something signed with a Private Key | contains -----BEGIN PUBLIC KEY----- | N | Y | N | N | N
Private Key | A key used to sign or encrypt; unless kept private, the signer can be impersonated | contains -----BEGIN PRIVATE KEY-----; may include the algorithm | Y | Y | N | Y | Y
Certificate | A public key with identifying information bundled with it | contains -----BEGIN CERTIFICATE----- | Y | Y | Y | Y | N
Signing Request | A signed set of identifying information for a CA to issue you a certificate for | contains -----BEGIN CERTIFICATE REQUEST----- | N | Y | N | N | N
Revocation List | A list of certificates that should not be trusted, typically due to leakage | contains -----BEGIN X509 CRL----- | N | Y | N | N | N

Tools

Name | Executable | Notes
OpenSSL | openssl | Jack-of-all-trades toolbox - can handle MOST tasks
Java Keytool | keytool | Was prominent when Java KeyStores were popular; largely OBE
SSH Keygen | ssh-keygen | A popular wrapper to quickly and easily create ssh keys
PuTTYGen | puttygen | The Windows version cannot use cli flags; only the Linux package can
TestSSL.sh | testssl.sh | Command line tool to test TLS servers for vulnerabilities, etc. Run via docker: docker run --rm -it drwetter/testssl.sh remoteserver
Network Security Services | update-ca-certificates (and others) | Mozilla-led project to provide common certificate capabilities, including Linux OS-level CA Certs
BSD Security | security | BSD (and Mac OS) project that handles certificate management, including CA Certs
Certutil | certutil | Windows command-line tool to manage certificates, CAs, etc.
Windows Certificate Manager | certmgr | Windows MMC Snap-In UI to manage certificates
Certreq | certreq | Windows command-line tool to request certificates

Hashing Algorithms

Identifier | Algorithm Name | Digest Strengths | Secure As of 2021-08-07 | References
MD2 | Message Digest Algorithm 2 | 128 | No | Wikipedia
MD4 | Message Digest Algorithm 4 | 128 | No | Wikipedia
MD5 | Message Digest Algorithm 5 | 128 | No | Wikipedia
MD6 | Message Digest Algorithm 6 | 0-512 | Unverified | Wikipedia
SHA-0 | Secure Hash Algorithm 0 | 160 | No | Wikipedia
SHA-1 | Secure Hash Algorithm 1 | 160 | No | Wikipedia
SHA-2 | Secure Hash Algorithm 2 | 224, 256, 384, 512 | Yes | Wikipedia
SHA-3 | Secure Hash Algorithm 3 | 224, 256, 384, 512 | Yes | Wikipedia
SHA-224 | Secure Hash Algorithm 2, 224-bit | 224 | Yes | Wikipedia
SHA-256 | Secure Hash Algorithm 2, 256-bit | 256 | Yes | Wikipedia
SHA-384 | Secure Hash Algorithm 2, 384-bit | 384 | Yes | Wikipedia
SHA-512 | Secure Hash Algorithm 2, 512-bit | 512 | Yes | Wikipedia
SHA-512/224 | Secure Hash Algorithm 2, 512-bit with 224-bit IV | 512 with 224 IV | Yes | Wikipedia
SHA-512/256 | Secure Hash Algorithm 2, 512-bit with 256-bit IV | 512 with 256 IV | Yes | Wikipedia
SHA3-224 | Secure Hash Algorithm 3, 224-bit | 224 | Yes | Wikipedia
SHA3-256 | Secure Hash Algorithm 3, 256-bit | 256 | Yes | Wikipedia
SHA3-384 | Secure Hash Algorithm 3, 384-bit | 384 | Yes | Wikipedia
SHA3-512 | Secure Hash Algorithm 3, 512-bit | 512 | Yes | Wikipedia

Encryption Algorithms

Identifier | Algorithm Name | Key Type | Key Lengths | Block Sizes | Generally Secure | References
DSA | Digital Signature Algorithm | Asymmetric | 2048 | | No | Wikipedia
RSA | Rivest–Shamir–Adleman Cipher | Asymmetric | 1024-4096 | | Yes | Wikipedia
ECDSA (ECC) | Elliptic Curve Digital Signature Algorithm | Asymmetric | 256, 521 | | Yes, if sufficiently random | Wikipedia
AES | Advanced Encryption Standard (Rijndael) | Symmetric | 128, 192, 256 | 128 | Yes | Wikipedia
Salsa | Salsa (typically 20-round Salsa20) | Symmetric | 128, 256 | 512 | Yes | Wikipedia
ChaCha | ChaCha (typically 20-round ChaCha20) | Symmetric | 128, 256 | 512 | Yes | Wikipedia
DES | Data Encryption Standard | Symmetric | 56 | 64 | No | Wikipedia
3DES | Triple Data Encryption Standard | Symmetric | 56, 112, 168 | 64 | No - Meet-in-the-middle attack | Wikipedia
Blowfish | Blowfish | Symmetric | 32-448 | 64 | No | Wikipedia
Twofish | Twofish | Symmetric | 128, 192, 256 | 128 | Yes | Wikipedia
RC2 | Rivest Cipher 2 | Symmetric | 8-1024 | 64 | No | Wikipedia
RC4 | Rivest Cipher 4 | Symmetric | 40-2048 | | No | Wikipedia
RC5 | Rivest Cipher 5 | Symmetric | 0-2040 | 32, 64, 128 | Yes | Wikipedia
RC6 | Rivest Cipher 6 | Symmetric | 128, 192, 256 | 128 | Yes | Wikipedia
ROT | Rotational Cipher | Symmetric | 4-16 | 1 | No | Wikipedia
ROT13 | Rotational Cipher (13 moves) | Symmetric | 4 | 1 | No | Wikipedia
Vigenere | Vigenere Cipher | Symmetric | Varies | Varies | No | Wikipedia
SEED | SEED | Symmetric | 128 | 128 | Yes | Wikipedia
IDEA | International Data Encryption Algorithm | Symmetric | 128 | 64 | No - Weak Keys, Generally Obsolete | Wikipedia
Camellia | Camellia | Symmetric | 128, 192, 256 | 128 | Yes | Wikipedia

TLS Key Exchange

Identifier | Algorithm Name | Generally Secure as of 2021-08-07 | References
DH | Diffie Hellman | | Wikipedia
DHE | Diffie Hellman Ephemeral | | Wikipedia
ECDH | Elliptic Curve Diffie Hellman | | Wikipedia
ECDHE | Elliptic Curve Diffie Hellman Ephemeral | | Wikipedia

TLS Cipher Suites

Name | Key Exchange | Auth Type | Crypt Type | Cipher Mode | Hash | Min TLS Version | Security as of 2021-08-08
TLS_AES_128_GCM_SHA256 | ECDHE | GMAC | AES-128 | GCM | SHA-256 | TLS 1.3 | High
TLS_AES_256_GCM_SHA384 | ECDHE | GMAC | AES-256 | GCM | SHA-384 | TLS 1.3 | High
TLS_CHACHA20_POLY1305_SHA256 | ECDHE | POLY1305 | ChaCha20 | Stream | SHA-256 | TLS 1.3 | High
TLS_AES_128_CCM_SHA256 | ECDHE | CBC-MAC | AES-128 | CCM | SHA-256 | TLS 1.3 | High
TLS_AES_128_CCM_8_SHA256 | ECDHE | CBC-MAC | AES-128 | CCM | SHA-256 | TLS 1.3 | High
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE | GMAC | AES-128 | GCM | SHA-256 | TLS 1.2 | Moderate
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE | GMAC | AES-128 | GCM | SHA-256 | TLS 1.2 | Moderate
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE | GMAC | AES-256 | GCM | SHA-384 | TLS 1.2 | Moderate
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE | GMAC | AES-256 | GCM | SHA-384 | TLS 1.2 | Moderate
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE | ECDSA | ChaCha20 | Stream | SHA-256 | TLS 1.2 | Moderate
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE | RSA | ChaCha20 | Stream | SHA-256 | TLS 1.2 | Moderate
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE | ECDSA | AES-128 | CBC | SHA-1 | TLS 1.0 | Low
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE | RSA | AES-128 | CBC | SHA-1 | TLS 1.0 | Low
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE | ECDSA | AES-256 | CBC | SHA-1 | TLS 1.0 | Low
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE | RSA | AES-256 | CBC | SHA-1 | TLS 1.0 | Low
TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | RSA | AES-128 | GCM | SHA-256 | TLS 1.0 | Low
TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | RSA | AES-256 | GCM | SHA-384 | TLS 1.0 | Low
TLS_RSA_WITH_AES_128_CBC_SHA | RSA | RSA | AES-128 | CBC | SHA-1 | TLS 1.0 | Low
TLS_RSA_WITH_AES_256_CBC_SHA | RSA | RSA | AES-256 | CBC | SHA-1 | TLS 1.0 | Low
TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | RSA | 3DES | CBC | SHA-1 | TLS 1.0 | Low
EVERYTHING ELSE | Varies | Varies | Varies | Varies | Varies | Varies | DO NOT USE!

TLS and SSL Versions

Identifier | Algorithm Name | Generally Secure as of 2019-06-29 | References
TLS1.3 | Transport Layer Security v1.3 | Yes | Wikipedia
TLS1.2 | Transport Layer Security v1.2 | Yes, but only if tightly configured |
TLS1.1 | Transport Layer Security v1.1 | No, as no secure ciphers are guaranteed |
TLS1.0 | Transport Layer Security v1.0 | No |
TLS | Transport Layer Security | No, as it allows 1.0/1.1 |
SSLv3 | Secure Sockets Layer v3 | No |
SSLv2 | Secure Sockets Layer v2 | No |
SSL | Secure Sockets Layer | No |

Block Cipher Modes

Identifier | Algorithm Name | AEAD (Authenticated Encryption with Associated Data) | Auth Type | Crypt Type | Cipher Mode | Parallelizable | Vulnerable to Padding Attack | Vulnerable to Chosen Plaintext | Vulnerable to Chosen Ciphertext | Status as of 2021-08-07 | References
GCM | Galois Counter Mode | Y, EtM | GMAC | AES | CTR | Y | N | N | N | | Wikipedia
GCM-SIV | Galois Counter Mode w/Synthetic IV | Y, EtM | GMAC | AES | CTR | Y | N | N | N | | Wikipedia
AES-GCM-SIV | AES Galois Counter Mode w/Synthetic IV | Y, EtM | GMAC | AES | CTR | Y | N | N | N | Slightly stronger than GCM-SIV due to better IV specifications | Wikipedia
CCM | Cipher Block Chaining - Message Authentication Mode | Y, MtE | CBC-MAC | AES | CBC | N | N | N | | | Wikipedia
EAX | Encrypt-then-Authenticate-then-Translate | Y, EtM | AES-OMAC | AES | CTR | N | N | N | | Secure for messages longer than key | Wikipedia
CWC | Carter–Wegman + CTR | Y, E&M | CW MAC | AES | CTR | Y | N | N | N | Not heavily used | Wikipedia
ECB | Electronic Code Book | N | N/A | AES | ECB | Y | Y | Y | | Not recommended, susceptible to pattern and rainbow attacks | Wikipedia
CBC | Cipher Block Chaining | N | N/A | AES | CBC | Decrypt-Only | Y | Y | N | | Wikipedia
PCBC | Propagating Cipher Block Chaining | N | N/A | AES | PCBC | N | Y | Y | N | Generally uncommon | Wikipedia
CFB | Cipher Feedback | N | N/A | AES | CFB | Decrypt-Only | Y | Y | Y | | Wikipedia
OFB | Output Feedback | N | N/A | AES | OFB | N | Y | N | Y | | Wikipedia
CTR | Counter Mode | N | N/A | AES | CTR | Y | N | N | N | | Wikipedia

Common Errors

App: Java
Error: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
What does it mean? The server has rejected your cert for 2-way PKI authentication.
How to address? Run the following commands to get info:
    Server CA list: openssl s_client -connect remoteserver:443
    (Look for "Acceptable client certificate CA names")
    Client Cert CA (PEM w/chain): openssl x509 -in my.pem -text
    (Look for "Issuer")
  Then check:
    1) Ensure that the server accepts a cert signed by your cert's CA
    2) Ensure that your cert is within the validity dates
    3) Ensure that reverse DNS matches your cert's CN

App: Java
Error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What does it mean? Your client cannot verify the server's certificate.
How to address? Disable certificate verification features (not recommended!) OR:
    1) Find the truststore for your application and make sure it's loaded.
       This varies based on the application, but often involves the JVM setting javax.net.ssl.trustStore - look in config files or use jvisualvm.
       This will be a JKS or P12 store.
    2) Pull the cert from the server (</dev/null closes s_client's stdin so it exits after the handshake)
       openssl s_client -connect remoteserver:443 </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server_cert.pem
    3) Check the dates
       openssl x509 -noout -in server_cert.pem -subject -dates
    4) Check the subject
       openssl x509 -noout -in server_cert.pem -subject
       vs.
       nslookup remoteserver
       nslookup ip_addr_from_last_command
    5) Check that the issuer is in your truststore
       openssl x509 -noout -in server_cert.pem -issuer
       vs.
       keytool -list -v -keystore truststore.p12 | grep "CN OF THE ISSUER"

Key Usages

Each entry gives the key usage extension name with its bit value, the RFC 5280 definition, its meaning and examples.

Digital Signature (bit 0)
  RFC 5280: The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates (bit 5) and CRLs (bit 6), such as those used in an entity authentication service, a data origin authentication service, and/or an integrity service.
  Examples:
    - TLS/SSL Client (Browser, Email App)
    - S/MIME Signing (Sign Email Encoding)
    - Object Signing

Non-Repudiation (bit 1)
  RFC 5280: The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures, other than signatures on certificates (bit 5) and CRLs (bit 6), used to provide a non-repudiation service that protects against the signing entity falsely denying some action. In the case of later conflict, a reliable third party may determine the authenticity of the signed data. (Note that recent editions of X.509 have renamed the nonRepudiation bit to contentCommitment.)

Key Encipherment (bit 2)
  RFC 5280: The keyEncipherment bit is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. For example, this bit shall be set when an RSA public key is to be used for encrypting a symmetric content-decryption key or an asymmetric private key.
  Meaning: PKI uses that generate session keys, for example:
    - TLS/SSL Server (Web Server, Reverse Proxy)
    - S/MIME Encryption (Mail Server)

Data Encipherment (bit 3)
  RFC 5280: The dataEncipherment bit is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Note that the use of this bit is extremely uncommon; almost all applications use key transport or key agreement to establish a symmetric key.
  Meaning: Rarely used outside of session keys.

Key Agreement (bit 4)
  RFC 5280: The keyAgreement bit is asserted when the subject public key is used for key agreement. For example, when a Diffie-Hellman key is to be used for key management, then this bit is set.

Certificate Signing (bit 5)
  RFC 5280: The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted.
  Meaning: Used to verify that a specific certificate was signed by a specific Certificate Authority.
  Example: A CA would use their highly secured keypair when responding to the certificate request, generating a certificate that is provably signed by that CA.

CRL Signing (bit 6)
  RFC 5280: The cRLSign bit is asserted when the subject public key is used for verifying signatures on certificate revocation lists (e.g., CRLs, delta CRLs, or ARLs).
  Meaning: Used to verify a Certificate Revocation List from a Certificate Authority.
  Example: A CA revoking a specific certificate (due to customer expiry/contract break/etc.) or intermediary (due to compromise concern) so that it would fail verification.

Encipher Only (bit 7)
  RFC 5280: The meaning of the encipherOnly bit is undefined in the absence of the keyAgreement bit. When the encipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement.
  Meaning: Modifier bit for keyAgreement limiting the public key to only encrypting data.

Decipher Only (bit 8)
  RFC 5280: The meaning of the decipherOnly bit is undefined in the absence of the keyAgreement bit. When the decipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for deciphering data while performing key agreement.
  Meaning: Modifier bit for keyAgreement limiting the public key to only decrypting data.
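Translating between the bit numbers above and the packed hex value that the certreq policy file in the Commands section carries ("KeyUsage = 0xa0"), as an added example (not the cheat sheet's own code). Bit 0 is the most significant bit of the first byte, so digitalSignature = 0x80 and keyEncipherment = 0x20; decipherOnly (bit 8) sits in a second byte and is left out here. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): decode, encode and check
# RFC 5280 KeyUsage bit masks. Bits 0..7 map to masks 0x80 >> bit.

KU_NAMES="digitalSignature nonRepudiation keyEncipherment dataEncipherment keyAgreement keyCertSign cRLSign encipherOnly"

# keyusage_decode VALUE: VALUE is hex (0xa0) or decimal; prints the set bit names in bit order
keyusage_decode() {
    v=$(( $1 ))
    i=0; out=""
    for name in $KU_NAMES; do
        # bit i is mask 0x80 >> i, i.e. the (7 - i)th bit counted from the right
        if [ $(( (v >> (7 - i)) & 1 )) -eq 1 ]; then
            out="$out$name "
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${out% }"
}

# keyusage_encode NAME...: prints the packed value as 0xNN; an unknown name is an error (exit 1)
keyusage_encode() {
    v=0
    for want in "$@"; do
        i=0; found=0
        for name in $KU_NAMES; do
            if [ "$name" = "$want" ]; then
                v=$(( v | (0x80 >> i) ))
                found=1
            fi
            i=$(( i + 1 ))
        done
        if [ "$found" -eq 0 ]; then
            printf 'unknown key usage: %s\n' "$want" >&2
            return 1
        fi
    done
    printf '0x%02x\n' "$v"
}

# keyusage_check VALUE NAME...: exit 0 only if every NAME is set in VALUE
# (e.g. confirm a cert meant for TLS server auth carries digitalSignature and keyEncipherment)
keyusage_check() {
    v=$(( $1 )); shift
    need=$(keyusage_encode "$@") || return 2
    [ $(( v & $need )) -eq $(( $need )) ]
}

if [ "${1:-}" = "--demo" ]; then
    keyusage_decode 0xa0                                   # digitalSignature keyEncipherment
    keyusage_encode digitalSignature keyCertSign cRLSign   # 0x86, the usual CA key usage
fi
```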

Common Attacks

Attack | Scope | Year | Summary | CVEs | References
Bleichenbacher Attack | Protocol | 1998 | Oracle attack that allows decryption of RSA messages | N/A | Official Paper
Timing Attacks on Padding | Protocol | 2002 | Timing attack on TLS when using CBC ciphers | CVE-2003-0078 | Wikipedia
SHAttered | Protocol | 2005 | SHA-1 collisions are feasible - a malicious file can be made with the same hash as a known-good one | CVE-2005-4900 | Official Site
Renegotiation attack | Protocol | 2009 | MITM attacker could downgrade sessions | CVE-2009-3555 | Wikipedia
BEAST | Protocol | 2011 | Unsafe IVs in TLS 1.0 allow MITM attacks | CVE-2011-3389 | Wikipedia
STARTTLS Command Injection | Implementation | 2011 | Some applications that start plaintext and upgrade can either be sent malicious commands or have TLS cancelled | CVE-2011-0411 | IETF RFC7457 Note
CRIME | Protocol | 2012 | Attack against secure cookies on HTTPS/SPDY with TLS-level data compression | CVE-2012-4929 | Wikipedia
BREACH | Protocol | 2013 | Attack against secure cookies on HTTPS with HTTP-level data compression | CVE-2013-3587 | Wikipedia, Official Site
Lucky Thirteen attack | Protocol | 2013 | Timing attack on TLS when using CBC ciphers | CVE-2013-0169 | Wikipedia
RC4 NoMore | Protocol | 2013 | Generate likely cookies via RC4 weaknesses | CVE-2013-2566, CVE-2015-2808 | Wikipedia, Official Site
Truncation attack | Protocol | 2013 | Prevent logout requests to keep a session active | N/A | Wikipedia
POODLE | Protocol | 2014 | Negotiate down to SSLv3 or TLS w/CBC and bad padding implementations | CVE-2014-3566 | Wikipedia
Heartbleed | Implementation | 2014 | OpenSSL memory issue allows private key leakage | CVE-2014-0160 | Wikipedia, Official Site
3SHAKE | Protocol | 2014 | TLS Client Authentication pre-master secret can be forwarded by a malicious server | CVE-2014-1295 | MiTLS Article
Winshock | Implementation | 2014 | Microsoft SChannel implementation allowed Remote Code Execution | CVE-2014-6321 | MS Bulletin
CCS | Implementation | 2014 | OpenSSL bug in ChangeCipherSpec allows an attacker to force weak key material usage | CVE-2014-0224 | Official Site
FREAK | Protocol | 2015 | Force server to downgrade to old 'export-grade' RSA | CVE-2015-0204 | Wikipedia
Logjam | Protocol | 2015 | Force server to downgrade to old 'export-grade' Diffie-Hellman | CVE-2015-4000 | Wikipedia
SLOTH | Protocol | 2015 | Significant collision issues in TLS 1.2 with RSA-MD5 signatures, making client auth insecure and server auth weaker | CVE-2015-7575 | MiTLS Article
Unholy PAC attack | Protocol | 2016 | Bug in proxy discovery protocol causes URL leakage | N/A | Wikipedia, BlackHat Presentation
Sweet32 attack | Protocol | 2016 | Birthday attack on 64-bit CBC ciphers via MITM/Injection | CVE-2016-2183, CVE-2016-6329 | Wikipedia, Official Site
DROWN | Protocol | 2016 | Negotiate down to SSLv2, including the same cert on other servers | CVE-2016-0800, CVE-2016-0703 | Wikipedia, Official Site
Ticketbleed | Implementation | 2016 | F5 BIG-IP appliances can leak uninitialized memory during session ticket usage | CVE-2016-9244 | Official Site
ROBOT | Implementation | 2017 | TLS servers that ONLY support RSA key exchange can have traffic decrypted - at will if forward secrecy isn't enabled | Numerous | Official Site
Cloudbleed | Implementation | 2017 | Cloudflare bug caused reverse proxies to leak secret info | N/A | Wikipedia
Zombie POODLE | Implementation | 2019 | POODLE variant on servers that inadvertently leak padding info | Numerous | Tripwire article
GOLDENDOODLE | Implementation | 2019 | Accelerated POODLE variant on servers that don't pad data well, allowing MAC generation | Numerous | Tripwire article
Raccoon attack | Protocol | 2020 | TLS 1.2 and lower strip leading zeros on the premaster secret, which allows careful recovery | CVE-2020-5929 | Official Site

About

Changelog

2021-08-25

  • Minor table cleanup
  • Switched to icon svg sprite for faster load times

2021-08-19

  • Improved styling for readability and clarity