Commands
View Single Cert or Key
Type | Operation | Command |
---|---|---|
P12 | Verify | keytool -list -v -keystore store.p12 -alias alias |
JKS | Verify | keytool -list -v -keystore store.jks -alias alias |
PEM(Nx) | View | # PEM(Nx) -> PEM, Verify PEM |
PEM | Verify Key | openssl rsa -in in.pem -check -noout # RSA only; for any key type: openssl pkey -in in.pem -check -noout |
PEM | Verify Cert | openssl x509 -in in.pem -text -noout |
PEM | Verify Cert Chain | # Fails if the chain cannot be built to a root in -CAfile; pass intermediates with -untrusted openssl verify -CAfile cacerts.pem -untrusted intermediates.pem my.pem |
PEM | Hash Cert | openssl x509 -noout -modulus -in incert.pem | openssl md5 |
PEM | Hash Key | openssl rsa -noout -modulus -in in.key | openssl md5 |
PEM | Correlate Key and Cert | # Hash Key and Cert, then compare hashes - if equal, the key belongs to the cert. The modulus trick is RSA-only; for any key type compare the public keys instead: openssl x509 -pubkey -noout -in incert.pem vs. openssl pkey -pubout -in in.key |
PEM | Extract Public Key | openssl x509 -pubkey -noout -in incert.pem -out public.key |
DER | View Cert | keytool -printcert -v -file in.der # OR openssl x509 -inform DER -in in.der -text -noout |
Convert Between Formats
From | To | Operation | Command |
---|---|---|---|
PEM | DER | Convert | openssl x509 -inform PEM -in in.pem -outform DER -out out.der |
DER | PEM | Convert | openssl x509 -inform DER -in in.der -outform PEM -out out.pem |
P7B | PEM | Convert | openssl pkcs7 -print_certs -in in.p7b -out out.pem # add -inform DER if the .p7b is binary rather than base64 |
PEM (Cert + Key) | SSH Host Key | Convert and Place | # WARNING: rm /etc/ssh/*key* deletes every existing host key - back them up first openssl x509 -pubkey -noout -in cert.pem > pubkey.pem rm /etc/ssh/*key* ssh-keygen -f pubkey.pem -i -mPKCS8 > /etc/ssh/ssh_host_rsa_key.pub cp key.pem /etc/ssh/ssh_host_rsa_key chmod 600 /etc/ssh/ssh_host_rsa_key |
PEM (Cert) | PEM (Pub Key) | Extract Public Key | openssl x509 -pubkey -noout -in cert.pem > pubkey.pem |
View Bundle Contents
Type | Operation | Command |
---|---|---|
P12 | List | keytool -list -v -keystore store.p12 # OR openssl pkcs12 -info -in store.p12 -nokeys (drop -nokeys to dump the private key as well) |
JKS | List | keytool -list -v -keystore store.jks |
PEM | List Key | openssl rsa -in store.pem -check -noout # RSA only; for any key type: openssl pkey -in store.pem -check -noout |
PEM | List Cert | openssl x509 -in store.pem -text -noout # prints only the first certificate in the file; use the PEM(Nx) rows for bundles |
PEM(Nx) | List Cert Subjects/Issuers | openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -noout |
PEM(Nx) | List Cert Details | openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout |
PEM(Nx) | Split Certs | csplit --prefix='cert.' --suffix-format='%03d.pem' --elide-empty-files multicert.pem '/-----BEGIN CERTIFICATE-----/' '{*}' find ./cert.*.pem -print0 | xargs -0r -I {} sh -c 'printf "%s\n" {}; openssl x509 -in {} -text -noout' |
Create Bundle
Type | Operation | Command |
---|---|---|
P12 | Generate/Create | keytool -genkeypair -alias temp -storetype PKCS12 -keystore store.p12 # keytool only creates the file when an entry is added; delete the temp entry afterwards |
P12 | Delete | keytool -delete -alias temp -keystore store.p12 |
JKS | Generate/Create | keytool -genkeypair -alias temp -storetype JKS -keystore store.jks # JKS is a legacy format; prefer PKCS12 for new stores |
JKS | Delete | keytool -delete -alias temp -keystore store.jks |
PEM (1x or Nx) | Create | touch store.pem |
Import to Bundle
From | To | Operation | Command |
---|---|---|---|
PEM | PEM(Nx) | Import via Merge | cat 1.pem >> 2.pem |
PEM | P12 | Import Cert and Key | openssl pkcs12 -export -out certificate.p12 -inkey inkey.pem -in incert.pem -certfile CACert.pem |
PEM | JKS | Import | keytool -importcert -alias alias -keystore store.jks -file in.pem # keytool reads PEM or DER, so the PEM -> DER detour is not needed |
DER | PEM(Nx) | Import | # DER -> PEM -> PEM(Nx) |
DER | P12 | Import | # DER -> PEM -> P12 |
DER | JKS | Import | keytool -importcert -alias alias -keystore store.jks -file in.der |
Export from Bundle
From | To | Operation | Command |
---|---|---|---|
PEM(Nx) | PEM | Export via Split | # Use a text editor and save a new file |
PEM(Nx) | PEM | Cert-only csplit | csplit --prefix='cert.' --suffix-format='%03d.pem' --elide-empty-files multicert.pem '/-----BEGIN CERTIFICATE-----/' '{*}' |
PEM(Nx) | PEM | AWK Script | #!/usr/bin/awk -f # Take a PEM format file as input and split out certs and keys into separate files. # "BEGIN .*PRIVATE KEY" also matches RSA/EC/ENCRYPTED PRIVATE KEY headers, not just PKCS#8. BEGIN { n=0; cert=0; key=0; if ( ARGC < 2 ) { print "Usage: pem-split FILENAME"; exit 1 } } /-----BEGIN .*PRIVATE KEY-----/ { key=1; cert=0 } /-----BEGIN CERTIFICATE-----/ { cert=1; key=0 } split_after == 1 { n++; split_after=0 } /-----END CERTIFICATE-----/ { split_after=1 } /-----END .*PRIVATE KEY-----/ { split_after=1 } key == 1 { print > (FILENAME "-" n ".key") } cert == 1 { print > (FILENAME "-" n ".crt") } |
PEM(Nx) | DER | Export via Split | # PEM(Nx) -> PEM -> DER |
P12 | PEM | Export | # P12 -> PEM(Nx) -> PEM |
P12 | DER | Export | keytool -export -alias alias -file out.der -keystore store.p12 |
JKS | PEM | Export | # JKS -> P12 -> PEM(Nx) -> PEM |
JKS | DER | Export | keytool -export -alias alias -file out.der -keystore store.jks |
Copy Between Bundles
From | To | Operation | Command |
---|---|---|---|
PEM(Nx) | P12 | Convert | openssl pkcs12 -export -out store.p12 -in in.pem # in.pem must contain the private key (or pass it with -inkey); for a cert/chain-only P12 add -nokeys |
PEM(Nx) | P12 | Import to Existing | # openssl cannot append to a P12: P12 -> PEM(Nx), merge, then PEM(Nx) -> P12 (or use keytool -importkeystore) |
PEM(Nx) | P12 | Build a full-chain P12 | cat cert.pem cacerts.pem > merged.pem openssl pkcs12 -export -inkey key.pem -in merged.pem -name myname -out mergedWithKey.p12 |
PEM(Nx) | JKS | Convert | # PEM -> P12 -> JKS |
PEM(Nx) | JKS | Import to Existing | # PEM -> P12 -> JKS |
P12 | PEM(Nx) | Convert | openssl pkcs12 -in in.p12 -out newstore.pem -nodes # -nodes leaves the key unencrypted (spelled -noenc on OpenSSL 3); omit it to be prompted for a PEM passphrase |
P12 | PEM(Nx) | Import to Existing | openssl pkcs12 -in in.p12 >> store.pem |
P12 | JKS | Convert | keytool -importkeystore -srckeystore in.p12 -srcstoretype PKCS12 -destkeystore newstore.jks -deststoretype JKS |
P12 | JKS | Import All to Existing | keytool -importkeystore -srckeystore in.p12 -srcstoretype PKCS12 -destkeystore store.jks -deststoretype JKS |
P12 | JKS | Import One to Existing | keytool -importkeystore -srckeystore in.p12 -srcstoretype PKCS12 -srcalias alias -destkeystore store.jks -deststoretype JKS |
JKS | P12 | Convert | keytool -importkeystore -srckeystore in.jks -srcstoretype JKS -destkeystore newstore.p12 -deststoretype PKCS12 |
JKS | P12 | Import All to Existing | keytool -importkeystore -srckeystore in.jks -srcstoretype JKS -destkeystore store.p12 -deststoretype PKCS12 |
JKS | P12 | Import One to Existing | keytool -importkeystore -srckeystore in.jks -srcstoretype JKS -srcalias alias -destkeystore store.p12 -deststoretype PKCS12 |
JKS | PEM(Nx) | Convert | # JKS -> P12 -> PEM |
JKS | PEM(Nx) | Import to Existing | # JKS -> P12 -> PEM |
PPK | PEM | Extract Public Key | puttygen in.ppk -o pubkey.pem -O public # RFC 4716 format; use -O public-openssh for the one-line authorized_keys format |
PPK | PEM | Extract Private Key | puttygen in.ppk -o key.pem -O private-openssh |
PEM | PPK | Convert | puttygen inkey.pem -o out.ppk -O private |
Delete from Bundle
Type | Operation | Command |
---|---|---|
P12 | Delete | keytool -delete -alias temp -keystore store.p12 |
JKS | Delete | keytool -delete -alias temp -keystore store.jks |
PEM(Nx) | Delete | # Use a text editor |
Create a Self-Signed CA
Type | Operation | Command |
---|---|---|
Set up the CA | Create CA Key | openssl genrsa -out ca.key 4096 |
Set up the CA | Create CA Cert | openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/CN=yourdomain.com" \ -key ca.key \ -out ca.crt # -subj needs the leading slash form, e.g. "/C=US/O=Example Co/CN=yourdomain.com" |
Create the Key and Cert | Create Key | openssl genrsa -out yourdomain.com.key 4096 |
Create the Key and Cert | Create CSR | openssl req -sha512 -new \ -subj "/CN=yourdomain.com" \ -key yourdomain.com.key \ -out yourdomain.com.csr |
Create the Key and Cert | Windows: Create Policy File | ; Save this as something like mypolicy.inf using Notepad [Version] Signature="$Windows NT$" [NewRequest] ;Change to your country code, company name and common name Subject = "C=US, O=Example Co, CN=something.example.com" KeySpec = 1 KeyLength = 2048 Exportable = TRUE MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing |
Create the Key and Cert | Windows: Create and Sign Request | certreq -new policyfile.inf myrequest.req certreq -sign myrequest.req myrequest.req |
Create the Key and Cert | Windows: Accept/Store Cert from CSR | certreq -accept cert.pem |
Create the Key and Cert | Create x509 v3 ext. for SANs | cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=yourdomain.com DNS.2=yourdomain DNS.3=hostname EOF # this file is the -extfile argument when the CA signs the CSR with openssl x509 -req; without it the issued cert has no SANs and modern clients reject it |
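The table above stops at the CSR and the v3.ext file; the step that actually issues the certificate is missing. The script below is an added example, not code from the original cheat sheet: it runs the whole flow (CA key and cert, leaf key, CSR, SAN extension file, CA signature) and then the checks worth running before deploying: chain verification, key/cert correlation (done by comparing public keys, so it also works for EC keys, unlike the RSA-only modulus hash in the View table), and a SAN lookup. The CA name, the hostname web01.example.internal and the file layout are assumptions; it needs openssl 1.1.1 or 3.x and ships its own minimal req config so it does not depend on a system openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: private CA end to end.
# All names (Example Internal CA, web01.example.internal) are assumptions.
# Requires openssl 1.1.1 or 3.x. -subj values must use the "/CN=..." form.

# write_cnf DIR: minimal req config. Gives the CA cert explicit CA:TRUE and
# keyCertSign so openssl verify accepts it as an issuer on every version.
write_cnf() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = ca_ext
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR "CA name": 4096-bit RSA CA key + 10-year self-signed CA cert.
make_ca() {
  write_cnf "$1"
  openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 -config "$1/openssl.cnf" \
    -subj "/CN=$2" -key "$1/ca.key" -out "$1/ca.crt"
}

# make_leaf DIR HOST [ALTNAME...]: key, CSR, v3 SAN extension file, and the
# CA-signed leaf certificate. HOST becomes DNS.1; extra names follow.
make_leaf() {
  dir=$1; host=$2; shift 2
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$dir/openssl.cnf" -subj "/CN=$host" \
    -key "$dir/$host.key" -out "$dir/$host.csr"
  {
    echo "authorityKeyIdentifier=keyid,issuer"
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=serverAuth"
    echo "subjectAltName=@alt_names"
    echo "[alt_names]"
    i=1
    for n in "$host" "$@"; do echo "DNS.$i=$n"; i=$((i + 1)); done
  } > "$dir/$host.ext"
  # The signing step the table omits: the CA issues the cert and applies
  # the v3 extensions from the ext file (the CSR's own extensions are ignored).
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# check_leaf DIR HOST: 0 only if the leaf chains to ca.crt AND its private
# key matches. Correlation compares the SPKI public keys, which works for
# RSA and EC alike (the RSA-only modulus/md5 trick does not).
check_leaf() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
  a=$(openssl x509 -in "$1/$2.crt" -pubkey -noout | openssl sha256)
  b=$(openssl pkey -in "$1/$2.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# has_san CERT NAME: 0 if NAME is present as a DNS SAN (exact match).
has_san() {
  openssl x509 -in "$1" -noout -text | grep -E -q "DNS:$2(,|$)"
}

# Usage: CA_DEMO=1 sh private-ca.sh
if [ "${CA_DEMO:-}" = 1 ]; then
  d=$(mktemp -d)
  make_ca "$d" "Example Internal CA"
  make_leaf "$d" web01.example.internal web01 localhost
  check_leaf "$d" web01.example.internal && echo "chain and key/cert match: OK"
  openssl x509 -in "$d/web01.example.internal.crt" -noout -subject -issuer -dates
fi
```

Note that `openssl x509 -req` takes its extensions from -extfile, not from the CSR, which is why the SAN file lives on the CA side; anything the requester put into the CSR is dropped unless the signer copies it deliberately.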
Manage Local CAs
OS | Operation | Command |
---|---|---|
Red Hat / CentOS / Rocky / Oracle | Install Common CA Certificates | sudo yum install ca-certificates |
Update Common CA Certificates | sudo yum update ca-certificates | |
Debian / Ubuntu / PopOS | Install Common CA Certificates | sudo apt update sudo apt install ca-certificates |
Update Common CA Certificates | sudo apt update sudo apt --only-upgrade install ca-certificates | |
Debian / Ubuntu / PopOS | Add a Custom CA Certificate | sudo cp mycert.pem /usr/local/share/ca-certificates/mycert.crt sudo chmod 644 /usr/local/share/ca-certificates/mycert.crt sudo update-ca-certificates # the file must be PEM and end in .crt, otherwise update-ca-certificates silently ignores it. RHEL-family (CentOS/Rocky/Oracle): copy into /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust instead |
Debian / Ubuntu / PopOS | Remove a Custom CA Certificate | sudo rm /usr/local/share/ca-certificates/mycert.crt sudo update-ca-certificates --fresh # RHEL-family: remove from /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust |
Debian / Ubuntu / PopOS | List System CA Certs | awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt # RHEL-family bundle: /etc/pki/tls/certs/ca-bundle.crt |
macOS | Add a Custom CA Certificate | sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain mycert.pem |
macOS | Remove a Custom CA Certificate | sudo security delete-certificate -c "<name of existing certificate>" /Library/Keychains/System.keychain # or drop just the admin trust setting added above: sudo security remove-trusted-cert -d mycert.pem |
macOS | List System CA Certs | sudo security dump-trust-settings -s |
macOS | List Admin CA Certs | sudo security dump-trust-settings -d |
macOS | List User CA Certs | security dump-trust-settings |
Windows | Add a Custom Root CA Certificate | certutil -addstore -f "ROOT" mycert.pem |
Windows | Add a Custom User Intermediate CA Certificate | certutil -user -addstore -f "CA" mycert.pem |
Windows | Remove a Custom Root CA Certificate | certutil -delstore "ROOT" serial-number-hex # the ID may also be the SHA-1 thumbprint or a unique subject substring |
Windows | Remove a Custom User Intermediate CA Certificate | certutil -user -delstore "CA" serial-number-hex |
List User Root CA Certs | certutil -user -store "ROOT" | |
List Enterprise/Domain Root CA Certs | certutil -enterprise -store "ROOT" | |
List Group Policy Root CA Certs | certutil -grouppolicy -store "ROOT" | |
List User Intermediate CA Certs | certutil -user -store "CA" | |
List Enterprise/Domain Intermediate CA Certs | certutil -enterprise -store "CA" | |
List Group Policy Intermediate CA Certs | certutil -grouppolicy -store "CA" |
Revocation
Type | Operation | Command |
---|---|---|
OCSP | Check Status via Serial (Decimal) | openssl ocsp -no_nonce -issuer issuer.pem -serial 012345 -text -url http://ocsp.my.ca.tld # -issuer is required with -serial and -cert (the request carries issuer name/key hashes); add -CAfile chain.pem so the response signature is verified instead of reported as "Response Verify Failure" |
OCSP | Check Status via Serial (Hex) | openssl ocsp -no_nonce -issuer issuer.pem -serial 0xAF1345 -text -url http://ocsp.my.ca.tld |
OCSP | Check Status via Certificate | openssl ocsp -no_nonce -issuer chain.pem -cert certificate.pem -CAfile chain.pem -text -url http://ocsp.my.ca.tld |
OCSP | Save Request and Response | # Add '-respout ocsp.resp -reqout ocsp.req' to save them to the current folder |
OCSP | Replay with Curl | curl -v -o ocsp.resp --data-binary @ocsp.req -H "Content-Type: application/ocsp-request" --url http://ocsp.my.ca.tld # then decode it offline: openssl ocsp -respin ocsp.resp -text -noverify |
CRL (PEM) | List CRL Issuer and Dates | openssl crl -in crl.pem -noout -issuer -lastupdate -nextupdate # add -text to list the revoked serials; a binary CRL needs -inform DER |
CRL (PEM Nx) | Split CRLs | csplit --prefix='crl.' --suffix-format='%03d.pem' --elide-empty-files multicrl.pem '/-----BEGIN X509 CRL-----/' '{*}' |
Generate Keys
Type | Operation | Command |
---|---|---|
RSA Private Key | Generate | openssl genrsa -aes256 -out id_rsa -passout 'pass:mys3curep4$$w0rd' 2048 # single-quote the password or the shell expands $$ to its PID; pass: is visible in the process list, so prefer -passout file:/path or an interactive prompt |
RSA Private Key | Extract Public Key | openssl rsa -in id_rsa -passin 'pass:mys3curep4$$w0rd' -pubout -out id_rsa.pub |
ECDSA Private Key | Generate | openssl ecparam -out id_ec -name prime256v1 -genkey -noout # -noout drops the EC PARAMETERS block that some tools choke on |
Ed25519 SSH Private Key | Generate | ssh-keygen -a 100 -t ed25519 -f id_ed25519 -C "john@example.com" # -o (new key format) is the default since OpenSSH 7.8; -a 100 = KDF rounds for the passphrase |
Any SSH Private Key | Extract Public Key | ssh-keygen -y -f id_rsa > id_rsa.pub # use -e instead of -y to export in RFC 4716 format |
PuTTY RSA Keypair | Generate | puttygen -t rsa -b 3072 -o out.ppk |
SSH Host Key Set | Generate | ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 4096 ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519 ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521 # skip ssh_host_dsa_key: DSA is disabled by default since OpenSSH 7.0 and no longer built by default since 9.8 |
Digest Signing
Type | Operation | Command |
---|---|---|
PEM (Private Key) | Create Signature File | openssl dgst -sha256 -sign privkey.pem -out sigfile.sha256 datafile # name the digest explicitly so signer and verifier agree |
PEM (Private Key) | Check Signature via Private Key | openssl dgst -sha256 -prverify privkey.pem -signature sigfile.sha256 datafile |
PEM (Public Key) | Check Signature via Public Key | # This MUST be a public key, not a cert, or you will receive an "unable to load key file" error; get it from the cert with openssl x509 -pubkey -noout -in cert.pem > pubkey.pem openssl dgst -sha256 -verify pubkey.pem -signature sigfile.sha256 datafile |
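The three rows above as one round trip, as an added example that is not part of the original cheat sheet: sign a file with a private key, verify it with the public key extracted from the signer's certificate (the form `-verify` accepts), and confirm that a modified file fails. The signer name, file names and the minimal req config are assumptions; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: detached signature
# round trip with openssl dgst. Names (release-signer, data, data.sig) are
# assumptions. Requires openssl 1.1.1+.

# make_signer DIR: RSA key + self-signed cert, plus the SPKI public key
# pulled out of the cert, which is what dgst -verify needs (not the cert).
make_signer() {
  # Minimal req config so this runs even without a system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/min.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/min.cnf" \
    -subj "/CN=release-signer" -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
  openssl x509 -in "$1/signer.crt" -pubkey -noout > "$1/signer.pub"
}

# sign_file KEY FILE SIG: write a detached SHA-256/RSA signature to SIG.
# The digest is named explicitly so signer and verifier cannot disagree.
sign_file() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUBKEY FILE SIG: 0 for a valid signature; non-zero for a
# modified file, a different key, or a PUBKEY file that is not a public key.
verify_file() {
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Usage: SIGN_DEMO=1 sh dgst-roundtrip.sh
if [ "${SIGN_DEMO:-}" = 1 ]; then
  d=$(mktemp -d)
  make_signer "$d"
  printf 'release 1.2.3\n' > "$d/data"             # constructed payload
  sign_file "$d/signer.key" "$d/data" "$d/data.sig"
  verify_file "$d/signer.pub" "$d/data" "$d/data.sig" && echo "signature OK"
  printf 'release 1.2.4\n' > "$d/data"             # tampered payload
  verify_file "$d/signer.pub" "$d/data" "$d/data.sig" || echo "tampered file rejected"
fi
```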
TLS Troubleshooting
Type | Operation | Command |
---|---|---|
Basic TLS Handshake | List Accepted CAs, Confirm TLS | openssl s_client -connect remoteserver:443 -servername remoteserver # -servername sets SNI, without it name-based virtual hosts return the wrong cert; "Acceptable client certificate CA names" is only printed when the server requests a client cert |
Test 2-way PKI | Handshake w/ Key/Cert | openssl s_client -showcerts -cert cert.pem -key key.pem -CAfile cacerts.pem -connect remoteserver:443 -servername remoteserver -debug |
Check TLS Vulns | List Ciphers, Attacks, etc. | docker run --rm -it drwetter/testssl.sh remoteserver |
Passphrase Management
Type | Operation | Command |
---|---|---|
PEM(Nx) | Change Passphrase | # PEM(Nx) -> PEM, Change Passphrase, Re-merge |
PEM | Change Passphrase | openssl rsa -aes256 -in id_rsa -out id_rsa.new # PEM/PKCS#1 RSA keys only; prefer -aes256 over the legacy -des3 # OR ssh-keygen -p -f id_rsa # works for any OpenSSH key, including the OpenSSH private key format that openssl cannot read |
Password Prompt / Generate
Type | Operation | Command |
---|---|---|
Batch/Powershell Password | Prompt | @echo off REM See http://blogs.msdn.com/b/fpintos/archive/2009/06/12/how-to-properly-convert-securestring-to-string.aspx - this may stay in memory as an unfreed buffer REM Still better than echoing or writing to disk set "psCommand=powershell -Command "$pword = read-host 'Enter Password' -AsSecureString ; ^ $BSTR=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pword); ^ [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)"" for /f "usebackq delims=" %%p in (`%psCommand%`) do set password=%%p echo %password% |
*nix Bash/zsh | Prompt | unset -v password # make sure it's not exported set +o allexport # make sure variables are not automatically exported IFS= read -rs password < /dev/tty # -s (no echo) is bash/zsh only; in plain POSIX sh wrap the read in stty -echo / stty echo |
Generate via openssl | Generate | openssl rand -base64 32 |