Commands for managing certificates, private keys and keystores<\/p>\n
Useful to create, change password, remove passphrase, etc…<\/p>\n
<\/p>\n
openssl genpkey -algorithm RSA -out hostname.key -pkeyopt rsa_keygen_bits:2048\r\n<\/pre>\nCreate a private key with passphrase<\/h2>\n
openssl genpkey -algorithm RSA -out hostname.key -aes-128-cbc -pass pass:hello\r\n<\/pre>\nYou can use a file with strict permissions (600) to give the password like this :\u00a0\u00a0
-pass file:hostname.pwd<\/code>\u00a0, this is more secure as you will not see the password on the bash history nor the process list<\/p>\nRemove the passhphrase from a protected private key<\/h2>\n
openssl rsa -in hostname.key -out hostname_nopass.key -passin pass:hello -passout pass:\"\"\r\n<\/pre>\nModify the passhphrase from a protected private key<\/h2>\n
openssl rsa -in hostname.key -out hostname.key -aes-128-cbc -passin pass:hello -passout pass:goodbye\r\n<\/pre>\nCheck the content of a private key<\/h2>\n
openssl rsa -in hostname.key -check\r\n<\/pre>\nIf this is a protected private key, you will be prompted for the passphrase<\/p>\n
Create a Certificate Signing Request (csr)<\/h2>\n
openssl req -new -key hostname.key -out hostname.csr -subj \"\/C=fr\/ST=77\/L=Melun\/OU=MyTown\/O=MyAdress\/CN=hostname\/subjectAltName=DNS:hostname\" -pass pass:hello\r\n<\/pre>\nCheck the content of a Certificate Signing Request (csr)<\/h2>\n
openssl req -text -noout -verify -in hostname.csr\r\nverify OK\r\nCertificate Request:\r\n Data:\r\n Version: 1 (0x0)\r\n Subject: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname\r\n Subject Public Key Info:\r\n Public Key Algorithm: rsaEncryption\r\n Public-Key: (1024 bit)\r\n Modulus:\r\n<\/pre>\nCreate an autosigned Certificate (crt)<\/h2>\n
openssl x509 -req -days 1460 -in hostname.csr -signkey hostname.key -out hostname.crt -sha256 -passin pass:hello\r\nSignature ok\r\nsubject=C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname\r\nGetting Private key\r\n<\/pre>\nCheck a Certificate (crt)<\/h2>\n
openssl x509 -in hostname.crt -noout -text\r\nCertificate:\r\n Data:\r\n Version: 1 (0x0)\r\n Serial Number:\r\n bb:39:ed:26:52:3e:6c:db\r\n Signature Algorithm: sha256WithRSAEncryption\r\n Issuer: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname\r\n Validity\r\n Not Before: Sep 30 19:36:36 2018 GMT\r\n Not After : Sep 29 19:36:36 2022 GMT\r\n Subject: C = fr, ST = 77, L = Melun, OU = MyTown, O = MyAdress, CN = hostname, subjectAltName = DNS:hostname\r\n<\/pre>\nConvert a Certificate (crt) to pem<\/h2>\n
openssl x509 -outform PEM -in hostname.crt -out hostname.pem\r\n<\/pre>\nReading the content of a KeyStore\/TrustStore<\/h2>\n
keytool -v -list -keystore keystore.jks\r\n<\/pre>\nYou will be prompted for the KeyStore password<\/p>\n
Changing the password of a KeyStore\/TrustStore<\/h2>\n
keytool -storepasswd -keystore keystore.jks\r\n<\/pre>\nYou will be prompted for the old KeyStore password and the new one<\/p>\n
Changing the key password of a KeyStore\/TrustStore<\/h2>\n
keytool -keypasswd -alias host -keystore keystore.jks\r\n<\/pre>\nYou will be prompted for the KeyStore password, the old key password and the new key password<\/p>\n
Checking the key password of a KeyStore\/TrustStore<\/h2>\n
keytool -keypasswd -alias host -keystore keystore.jks\r\n<\/pre>\nYou will be prompted for the KeyStore password, the old key password, if you give the right one, you will be prompted for the new key password, you have to use CTRL-C for exit otherwise if you give a wrong key password you will have an error.<\/p>\n
Adding a certificate in a KeyStore\/TrustStore<\/h2>\n
keytool -importcert -keystore keystore.jks -file root-ca.crt -alias my_ca\r\n<\/pre>\nYou will be prompted for the KeyStore password<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Commands for managing certificates, private keys and keystores Useful to create, change password, remove passphrase, etc…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[5,20],"tags":[],"class_list":["post-53","post","type-post","status-publish","format-standard","hentry","category-linux","category-ssl-tls"],"_links":{"self":[{"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/53","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=53"}],"version-history":[{"count":4,"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":104,"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/53\/revisions\/104"}],"wp:attachment":[{"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deleforterie.com\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}