SSL/TLS – Certificates and keystore commands
Commands for managing certificates, private keys and keystores.
Useful to create them, change a password, remove a passphrase, etc.
Create a private key without passphrase
openssl genpkey -algorithm RSA -out hostname.key -pkeyopt rsa_keygen_bits:2048
Create a private key with passphrase
openssl genpkey -algorithm RSA -out hostname.key -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -pass pass:hello
Without -pkeyopt rsa_keygen_bits:2048, older OpenSSL releases default to a 1024-bit key, which is why the csr output below reports "Public-Key: (1024 bit)".
You can use a file with strict permissions (600) to give the password like this: -pass file:hostname.pwd
This is more secure, as the password then appears neither in the bash history nor in the process list (-pass env:VARIABLE and -pass stdin also keep it off the command line).
Remove the passphrase from a protected private key
openssl rsa -in hostname.key -out hostname_nopass.key -passin pass:hello
Without a cipher option the output key is written unencrypted, so no -passout is needed. Keep hostname_nopass.key at mode 600: anyone who can read the file owns the key.
Modify the passphrase of a protected private key
openssl rsa -in hostname.key -out hostname_new.key -aes-128-cbc -passin pass:hello -passout pass:goodbye
Write to a new file and replace the old one afterwards (mv hostname_new.key hostname.key): reusing the same path for -in and -out leaves you without a key if the command fails halfway.
Check the content of a private key
openssl rsa -in hostname.key -check -noout
-noout suppresses the key itself, so only the result of the consistency check ("RSA key ok") is printed. -check is specific to RSA keys.
If this is a protected private key, you will be prompted for the passphrase (or give it with -passin as above).
Create a Certificate Signing Request (csr)
openssl req -new -key hostname.key -passin pass:hello -out hostname.csr -subj "/C=fr/ST=77/L=Melun/OU=MyTown/O=MyAdress/CN=hostname" -addext "subjectAltName=DNS:hostname"
req takes the key passphrase with -passin, not -pass. The subjectAltName must be requested as an X.509 extension with -addext (OpenSSL 1.1.1 or later): written inside -subj it only becomes an odd attribute of the subject DN, and clients that match the host name against the SAN (every current browser) will reject the certificate.
Check the content of a Certificate Signing Request (csr)
openssl req -text -noout -verify -in hostname.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
This output comes from a request whose subjectAltName was placed in the subject; when it is requested with -addext it is listed under "Attributes: Requested Extensions:" instead, which is where a CA (or the self-signing step) looks for it.
Create a self-signed Certificate (crt)
openssl x509 -req -days 1460 -in hostname.csr -signkey hostname.key -passin pass:hello -sha256 -out hostname.crt
Signature ok
subject=C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname
Getting Private key
x509 -req does not copy the extensions requested in the csr: the resulting certificate is X.509 v1 with no subjectAltName. Supply them again with -extfile (a file containing subjectAltName=DNS:hostname) or, on OpenSSL 3.0 and later, with -copy_extensions copy.
Check a Certificate (crt)
openssl x509 -in hostname.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: bb:39:ed:26:52:3e:6c:db
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname
        Validity
            Not Before: Sep 30 19:36:36 2018 GMT
            Not After : Sep 29 19:36:36 2022 GMT
        Subject: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname
Issuer and Subject are identical because the certificate is self-signed. "Version: 1 (0x0)" means it carries no extensions at all, so no real subjectAltName either.
Convert a Certificate (crt) to pem
openssl x509 -inform DER -in hostname.crt -outform PEM -out hostname.pem
The .crt extension says nothing about the encoding. The certificate created above is already PEM (Base64 between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines) and needs no conversion; a binary .crt is DER and needs -inform DER. Without -inform DER the command simply copies a PEM file.
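The openssl steps above, from key generation to a self-signed certificate, run end to end as one script. This is an added example, not code from the original page: it requests the SAN with -addext, carries it into the certificate with an -extfile, reads the passphrase from a 600 file, and adds the checks the page does not show (that the key matches the certificate, that the certificate validates against itself, that the SAN is really there). It also bundles key and certificate into a PKCS#12 file, which a Java keytool opens as a keystore. The file names, the subject fields and the passphrases are placeholders, and openssl 1.1.1 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl 1.1.1+ on PATH;
# "hostname", the subject fields and the passphrases are demo placeholders.
set -eu

# make_selfsigned HOST DIR
# Writes DIR/HOST.pwd (passphrase, mode 600), HOST.key (2048-bit RSA, AES-256
# encrypted), HOST.csr (SAN as a requested extension), HOST.crt (self-signed,
# SAN kept) and HOST.p12 (key + cert bundle that keytool opens as a keystore).
make_selfsigned() {
    host=$1 dir=$2
    mkdir -p "$dir"
    umask 077                          # every file below is created 0600
    printf 'demo-key-passphrase\n' > "$dir/$host.pwd"
    printf 'demo-store-passphrase\n' > "$dir/$host.p12.pwd"

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$dir/$host.pwd" -out "$dir/$host.key"

    # -addext puts the SAN under "Requested Extensions"; a subjectAltName
    # inside -subj would only become a bogus attribute of the subject DN.
    openssl req -new -key "$dir/$host.key" -passin "file:$dir/$host.pwd" \
        -subj "/C=FR/ST=77/L=Melun/OU=MyTown/O=MyAdress/CN=$host" \
        -addext "subjectAltName=DNS:$host" -out "$dir/$host.csr"

    # x509 -req drops the CSR's extensions unless an -extfile (or, on
    # OpenSSL 3.x, -copy_extensions copy) supplies them, so restate the SAN.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/$host.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -passin "file:$dir/$host.pwd" \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt"

    # Two password files on purpose: given one file for both -passin and
    # -passout, openssl takes line 1 as the input and line 2 as the output one.
    openssl pkcs12 -export -name "$host" -inkey "$dir/$host.key" \
        -passin "file:$dir/$host.pwd" -in "$dir/$host.crt" \
        -passout "file:$dir/$host.p12.pwd" -out "$dir/$host.p12"
}

# cert_san CRT -> prints the certificate's SAN, e.g. "DNS:hostname"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# key_matches_cert KEY PWDFILE CRT -> exit 0 if both carry the same public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -passin "file:$2" -pubout)" = \
      "$(openssl x509 -in "$3" -noout -pubkey)" ]
}

# verify_selfsigned CRT -> exit 0 if the certificate validates against itself
verify_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null
}

# strip_passphrase KEY PWDFILE OUT -> unencrypted PKCS#8 copy, created 0600
strip_passphrase() {
    umask 077
    openssl pkey -in "$1" -passin "file:$2" -out "$3"
}

# p12_has_cert P12 PWDFILE HOST -> exit 0 if the bundle holds HOST's certificate
p12_has_cert() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q "CN *= *$3"
}

# Usage: sh selfsigned.sh demo   (writes into ./pki-demo and prints the checks)
if [ "${1:-}" = demo ]; then
    make_selfsigned hostname ./pki-demo
    echo "SAN:      $(cert_san ./pki-demo/hostname.crt)"
    key_matches_cert ./pki-demo/hostname.key ./pki-demo/hostname.pwd \
        ./pki-demo/hostname.crt && echo "key/cert: match"
    verify_selfsigned ./pki-demo/hostname.crt && echo "verify:   OK"
    p12_has_cert ./pki-demo/hostname.p12 ./pki-demo/hostname.p12.pwd hostname \
        && echo "pkcs12:   contains hostname"
fi
```

The functions can also be sourced and used on existing files: key_matches_cert is the quickest way to find out whether a key/certificate pair found on a server actually belong together, and cert_san shows what a client will check the host name against.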
Reading the content of a KeyStore/TrustStore
keytool -v -list -keystore keystore.jks
You will be prompted for the KeyStore password
Changing the password of a KeyStore/TrustStore
keytool -storepasswd -keystore keystore.jks
You will be prompted for the old KeyStore password and the new one
Changing the key password of a KeyStore/TrustStore
keytool -keypasswd -alias host -keystore keystore.jks
You will be prompted for the KeyStore password, the old key password and the new key password.
This only works for JKS keystores: in a PKCS12 keystore the key password cannot differ from the store password, and keytool refuses -keypasswd on one.
Checking the key password of a KeyStore/TrustStore
keytool -keypasswd -alias host -keystore keystore.jks
You will be prompted for the KeyStore password and then for the old key password. If the key password is right, keytool goes on to ask for a new one: press CTRL-C there to exit without changing anything. If it is wrong, keytool stops with an error (Cannot recover key).
Adding a certificate in a KeyStore/TrustStore
keytool -importcert -keystore keystore.jks -file root-ca.crt -alias my_ca
You will be prompted for the KeyStore password, then asked "Trust this certificate?" with the certificate's fingerprints displayed. Compare the SHA-256 fingerprint with one obtained out of band before answering yes: whatever is imported here becomes a trust anchor for every Java application that uses this store. Use -noprompt only in scripts that have done that check themselves.