SSL/TLS – Certificates and keystore commands

30 September 2018, by Eric Deleforterie

Commands for managing certificates, private keys and keystores.

Useful for creating keys, changing or removing a passphrase, inspecting requests and certificates, and handling Java KeyStores/TrustStores. The examples use the literal passphrase hello on the command line for readability; read the note on -pass file: below before doing that with a real key.

Create a private key without passphrase

openssl genpkey -algorithm RSA -out hostname.key -pkeyopt rsa_keygen_bits:2048

Create a private key with passphrase

openssl genpkey -algorithm RSA -out hostname.key -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -pass pass:hello

Give the key size explicitly: without rsa_keygen_bits, older OpenSSL versions default to 1024 bits, which is too small. And instead of pass:hello, put the passphrase in a file with strict permissions (chmod 600) and pass it with -pass file:hostname.pwd. The passphrase then never appears in the shell history or in the process list (ps shows every argument of a running command to every user on the machine).

Remove the passphrase from a protected private key

openssl rsa -in hostname.key -out hostname_nopass.key -passin pass:hello

Without a cipher option openssl rsa writes the key unencrypted, so no -passout is needed. The result is a traditional "BEGIN RSA PRIVATE KEY" file protected by file permissions only: chmod 600 it, and keep such a key only where a service really has to start without a human typing the passphrase.

Modify the passphrase of a protected private key

openssl rsa -in hostname.key -out hostname.key -aes-128-cbc -passin pass:hello -passout pass:goodbye

Two caveats. openssl rsa writes the traditional PEM format, whose encryption derives the key from the passphrase with a single MD5 iteration, which is far weaker against guessing than the PKCS#8 container genpkey produced (PBKDF2 with many iterations); to stay in PKCS#8, use openssl pkcs8 -topk8 -v2 aes-256-cbc with the same -passin/-passout options. And writing the output over the input works because openssl reads the whole key before opening the output, but writing to a new file and renaming it over the old one avoids losing the key if the command fails part way.

Check the consistency of a private key

openssl rsa -in hostname.key -check -noout

This prints "RSA key ok" when the key components are consistent. Without -noout the decrypted key is dumped to the terminal as well, which you rarely want. If the key is protected, you will be prompted for the passphrase (or add -passin as above).

Create a Certificate Signing Request (csr)

openssl req -new -key hostname.key -passin pass:hello -out hostname.csr -subj "/C=fr/ST=77/L=Melun/OU=MyTown/O=MyAdress/CN=hostname" -addext "subjectAltName=DNS:hostname"

The subjectAltName is an X.509 extension, not a Distinguished Name attribute. Putting it inside -subj only creates a DN component named subjectAltName, which no TLS client uses for host name matching. -addext (OpenSSL 1.1.1 and later) places it in the request's extensions; on older versions use a config file with req_extensions pointing at a section containing a subjectAltName line. The option that carries the key's passphrase for req is -passin, not -pass.

Check the content of a Certificate Signing Request (csr)

openssl req -text -noout -verify -in hostname.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:

Two things to check in this output. The key is only 1024 bits because it was generated without rsa_keygen_bits on an OpenSSL whose default was 1024; regenerate it with 2048 bits or more before requesting a certificate. And subjectAltName = DNS:hostname appears inside the Subject because the request was made with the SAN in -subj; a request made with -addext instead shows an "X509v3 Subject Alternative Name" entry under "Requested Extensions", which is what a CA or a client looks for.

Create a self-signed Certificate (crt)

openssl x509 -req -days 1460 -in hostname.csr -signkey hostname.key -out hostname.crt -sha256 -passin pass:hello
Signature ok
subject=C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname
Getting Private key

Note that openssl x509 -req copies nothing from the request's extensions: the certificate it produces has no subjectAltName even if the CSR asked for one. Supply the extensions again with -extfile, or build the self-signed certificate directly from the key with openssl req -x509 and the same -addext as the request.

Check a Certificate (crt)

openssl x509 -in hostname.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            bb:39:ed:26:52:3e:6c:db
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname
        Validity
            Not Before: Sep 30 19:36:36 2018 GMT
            Not After : Sep 29 19:36:36 2022 GMT
        Subject: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname

Identical Issuer and Subject are what make this certificate self-signed. "Version: 1 (0x0)" and the absence of an X509v3 extensions block are the consequence of x509 -req dropping the request's extensions: there is no subjectAltName in this certificate, so modern TLS clients, which match the host name against the SAN and no longer fall back to the CN, will not accept it for hostname. Reissue it with -extfile or with openssl req -x509 -addext.
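The whole chain above, key, request, self-signed certificate and the checks on the result, as one shell script. This is an added example, not code from the original post: the passphrase comes from a 0600 file, the key size is explicit, the SAN goes into the CSR as a requested extension with -addext, the self-signed certificate gets its extensions back through -extfile, and the script finishes with the checks a practitioner actually runs (request signature, certificate version, SAN present, private key matching the certificate). It assumes OpenSSL 1.1.1 or later; the working directory, the host name hostname and every file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): key -> CSR -> self-signed
# certificate with the subjectAltName as a real X.509v3 extension and the
# passphrase kept out of argv. Assumes OpenSSL 1.1.1+ (for -addext);
# $WORKDIR, $HOST and the file names are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-hostname}"
PWFILE="$WORKDIR/$HOST.pwd"

# Passphrase file created with mode 0600: -pass file: keeps it out of the
# shell history and out of the process list.
write_passphrase() {
    umask 077
    printf '%s' "$1" > "$PWFILE"
}

# 2048-bit RSA key, size stated explicitly so the tool's default never decides.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$PWFILE" -out "$WORKDIR/$HOST.key" 2>/dev/null
}

# CSR: the SAN goes into -addext (a requested extension), never inside -subj.
make_csr() {
    openssl req -new -key "$WORKDIR/$HOST.key" -passin "file:$PWFILE" \
        -subj "/C=FR/ST=77/L=Melun/O=MyOrg/OU=MyUnit/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,DNS:www.$HOST" \
        -out "$WORKDIR/$HOST.csr"
}

# Self-signed certificate. 'openssl x509 -req' discards the CSR's requested
# extensions, so they are given again through -extfile; that is also what
# turns the result into an X.509 v3 certificate instead of a bare v1 one.
make_selfsigned() {
    printf 'subjectAltName=DNS:%s,DNS:www.%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$HOST" "$HOST" > "$WORKDIR/$HOST.ext"
    openssl x509 -req -days 397 -sha256 -in "$WORKDIR/$HOST.csr" \
        -signkey "$WORKDIR/$HOST.key" -passin "file:$PWFILE" \
        -extfile "$WORKDIR/$HOST.ext" -out "$WORKDIR/$HOST.crt" 2>/dev/null
}

# ---- checks run on the result -------------------------------------------

# Prints "ok" when the request's own signature verifies (what -verify checks).
csr_verifies() {
    if openssl req -in "$WORKDIR/$HOST.csr" -noout -verify >/dev/null 2>&1
    then echo ok; else echo bad; fi
}

# Prints the X.509 version number of the certificate ("3" for v3).
cert_version() {
    openssl x509 -in "$WORKDIR/$HOST.crt" -noout -text \
        | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Prints the SAN line of the certificate (empty when the extension is absent).
cert_san() {
    openssl x509 -in "$WORKDIR/$HOST.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Prints "yes" when the public half of the private key equals the one in the
# certificate (compared as SHA-256 of the PEM SubjectPublicKeyInfo).
key_matches_cert() {
    k=$(openssl pkey -in "$WORKDIR/$HOST.key" -passin "file:$PWFILE" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORKDIR/$HOST.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ] && echo yes || echo no
}

write_passphrase 'hello'
make_key
make_csr
make_selfsigned
echo "Built $HOST.key, $HOST.csr and $HOST.crt in $WORKDIR"
echo "csr=$(csr_verifies) version=$(cert_version) san='$(cert_san)' key_matches=$(key_matches_cert)"
```

Run it with WORKDIR and HOST set to suit; the last line should report csr=ok, version=3, the two DNS names in the SAN and key_matches=yes. If version comes back as 1 or the SAN is empty, the extensions were lost on the way, which is exactly the failure the commands above produce.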

Convert a Certificate (crt) from DER to PEM

openssl x509 -inform DER -in hostname.crt -outform PEM -out hostname.pem

A .crt file can hold either encoding. If it is text starting with "-----BEGIN CERTIFICATE-----" it is already PEM and only needs renaming (running the command above without -inform DER would just copy it); if it is binary it is DER and needs the conversion.

Reading the content of a KeyStore/TrustStore

keytool -v -list -keystore keystore.jks

You will be prompted for the KeyStore password. Since Java 9 the default keystore type is PKCS12 rather than JKS; add -storetype JKS or -storetype PKCS12 if keytool does not recognise the file.

Changing the password of a KeyStore/TrustStore

keytool -storepasswd -keystore keystore.jks

You will be prompted for the old KeyStore password and the new one

Changing the key password of a KeyStore/TrustStore

keytool -keypasswd -alias host -keystore keystore.jks

You will be prompted for the KeyStore password, the old key password and the new key password. This only applies to JKS stores: a PKCS12 keystore does not support a key password different from the store password, and keytool ignores the value with a warning.

Checking the key password of a KeyStore/TrustStore

keytool -keypasswd -alias host -keystore keystore.jks

You will be prompted for the KeyStore password and then for the old key password. A wrong key password gives an error; the right one leads to the prompt for a new key password. Since you only want to check, exit with CTRL-C at that point: nothing is written until the new password has been entered and confirmed.

Adding a certificate in a KeyStore/TrustStore

keytool -importcert -keystore keystore.jks -file root-ca.crt -alias my_ca

You will be prompted for the KeyStore password. keytool then prints the certificate, including its SHA-256 fingerprint, and asks whether to trust it: compare that fingerprint with one obtained from the CA out of band before answering yes, because everything that uses this TrustStore will accept whatever that CA signs.