API tools faq
paste
Advertisement
opexxx

opensslCMD

opexxx
Oct 24th, 2016
280
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 11.53 KB | None | 0 0
raw download clone embed print report
  1. #Convert PFX Windows Cert to Linux Public/Private Key and Chain
  2. openssl pkcs12 -in ./cert.pfx -clcerts -nokeys -out public.crt
  3. openssl pkcs12 -in ./cert.pfx -nocerts -nodes -out private.rsa
  4. cat public.crt ca-bundle.crt >> bundle.crt
  5.  
  6. openssl pkcs12 -in file.pfx -nocerts -out privateKey.pem
  7. openssl pkcs12 -in file.pfx -clcerts -nokeys -out publicCert.cer
  8. openssl rsa -in privateKey.pem -out privateKey_nopasswd.pem
  9.  
  10.  
  11. openssl pkcs12 -in file.pfx -nocerts -out file.pem -nodes
  12. openssl pkcs12 -in file.pfx -clcerts -nokeys -out file.cert
  13.  
  14. #Creating the certs from pfx
  15. openssl pkcs12 -nocerts -in ssl.pfx -out ssl.key -nodes
  16.  
  17. openssl pkcs12 -nokeys -clcerts -in ssl.pfx -out ssl.cer -nodes
  18.  
  19. openssl pkcs12 -nokeys -cacerts -in ssl.pfx  -out ssl.crt -nodes
  20.  
  21. #Checking the certs
  22.  
  23. openssl x509 -noout -modulus -in ssl.cer | openssl md5
  24. openssl rsa -noout -modulus -in ssl.key | openssl md5
  25.  
  26.  
  27. #To read a certificate file:
  28. openssl x509 -inform PEM -in servercert.pem -text
  29.  
  30. #To read a private key file:
  31. openssl rsa -noout -text -in serverkey.pem
  32.  
  33. #To read a CSR request:
  34. openssl req -noout -text -in serverreq.pem
  35.  
  36. #To view CER/DER (binary) files:
  37. openssl x509 -noout -text -in exported.crt -inform DER
  38.  
  39. #To read a CRL PEM file
  40. openssl crl -inform PEM -in crl.pem -text
  41.  
  42. #To convert pem files to pfx files:
  43. openssl pkcs12 -export -in clientcert.pem -inkey clientkey.pem -out bbva_cert.pfx
  44.  
  45. #To convert pfx files to pem files:
  46. openssl pkcs12 -nocerts -in "trader certificate.pfx" -out clientkey.pem #(outputs the key)
  47. openssl pkcs12 -clcerts -nokeys -in "trader certificate.pfx" -out clientcert.pem #(outputs the cert)
  48. openssl rsa -in key.pem -out newkey.pem #remove the pem passphrase
  49.  
  50. #To convert CER/DER (binary) files to the .PEM format used by the SCS:
  51. openssl x509 -inform DER -in cert.cer -out rootcacert.pem
  52.  
  53. #To convert CRL DER files into CRL for PEM
  54. openssl crl -inform DER -in site_name.crt -outform PEM -out site_name.pem
  55.  
  56. #To make a test SSL connection and download the server certificate
  57. openssl s_client -connect remote.host:443
  58.  
  59. #To make a test SSL connection using a client certificate
  60. openssl s_client -cert clientcert.pem -key clientkey.pem -connect remote.host:443
  61.  
  62. General OpenSSL Commands
  63.  
  64. These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.
  65.  
  66. Generate a new private key and Certificate Signing Request
  67. openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  68. Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
  69. openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  70. Generate a certificate signing request (CSR) for an existing private key
  71. openssl req -out CSR.csr -key privateKey.key -new
  72. Generate a certificate signing request based on an existing certificate
  73. openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  74. Remove a passphrase from a private key
  75. openssl rsa -in privateKey.pem -out newPrivateKey.pem
  76. Checking Using OpenSSL
  77.  
  78. If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
  79.  
  80. Check a Certificate Signing Request (CSR)
  81. openssl req -text -noout -verify -in CSR.csr
  82. Check a private key
  83. openssl rsa -in privateKey.key -check
  84. Check a certificate
  85. openssl x509 -in certificate.crt -text -noout
  86. Check a PKCS#12 file (.pfx or .p12)
  87. openssl pkcs12 -info -in keyStore.p12
  88. Debugging Using OpenSSL
  89.  
  90. If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
  91.  
  92. Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
  93. openssl x509 -noout -modulus -in certificate.crt | openssl md5
  94. openssl rsa -noout -modulus -in privateKey.key | openssl md5
  95. openssl req -noout -modulus -in CSR.csr | openssl md5
  96. Check an SSL connection. All the certificates (including Intermediates) should be displayed
  97. openssl s_client -connect www.paypal.com:443
  98. Converting Using OpenSSL
  99.  
  100. These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.
  101.  
  102. Convert a DER file (.crt .cer .der) to PEM
  103. openssl x509 -inform der -in certificate.cer -out certificate.pem
  104. Convert a PEM file to DER
  105. openssl x509 -outform der -in certificate.pem -out certificate.der
  106. Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
  107. openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
  108. You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
  109.  
  110. Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
  111. openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
  112.  
  113.  
  114. I. Convert PEM files
  115. PEM to DER
  116. openssl x509 -outform der -in certificate.pem -out certificate.der
  117. PEM to P7B
  118. openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
  119. PEM to PFX
  120. openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
  121.  
  122. II. Convert P7B files
  123. P7B to PEM
  124. openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
  125. P7B to PFX
  126. openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
  127. openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
  128.  
  129. III. Convert PFX files
  130. PFX to PEM
  131. openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes konwersja poprze OpenSSL
  132.  
  133. IV. Convert DER files
  134. DER to PEM
  135. openssl x509 -inform der -in certificate.cer -out certificate.pem
  136.  
  137. KEY Gen
  138.  
  139.    $ openssl genrsa 2048 > mfapola.key
  140.  
  141. CSR Gen
  142.  
  143.    $ openssl req -new -key mfapola.key > mfapola.csr
  144.    $ openssl req -nodes -newkey rsa:2048 -sha1 -keyout mydomain.key -out mydomain.csr
  145.  
  146. Sign CRT
  147.  
  148.    $ openssl x509 -req -days 3650 -signkey mfapola.key < mfapola.csr > mfapola.crt
  149.  
  150. Change type SSL cert from pkcs12(.pfx) to CER(PEM)
  151.  
  152.    $ conv to pkcs12 from cer/crt
  153.    $ openssl pkcs12 -export -out test.pfx -inkey mfapola.key -in mfapola.crt
  154.  
  155. Other
  156.  
  157.    $ openssl x509 -noout -text -in
  158.    $ openssl x509 -noout -issuer -subject -dates -modulus -in
  159.    $ openssl req -noout -text -in
  160.    $ openssl req -noout -subject -modulus -in
  161.    $ openssl rsa -noout -text -in
  162.    $ openssl rsa -noout -modulus -in
  163.  
  164.  
  165.  
  166.  
  167. For symmetic encryption, you can use the following:
  168.  
  169. To encrypt:
  170. openssl aes-256-cbc -salt -a -e -in plaintext.txt -out encrypted.txt
  171.  
  172. To decrypt:
  173. openssl aes-256-cbc -salt -a -d -in encrypted.txt -out plaintext.txt
  174.  
  175.  
  176. For Asymmetric encryption you must first generate your private key and extract the public key.
  177.  
  178. openssl genrsa -aes256 -out private.key 8912
  179. openssl -in private.key -pubout -out public.key
  180.  
  181. To encrypt:
  182. openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt
  183.  
  184. To decrypt:
  185. openssl rsautl -decrypt -inkey private.key -in encrypted.txt -out plaintext.txt
  186.  
  187. Source: http://bsdsupport.org/2007/01/q-how-do-i-use-openssl-to-encrypt-files/
  188.  
  189. =============================================================================================================
  190.  
  191. You can't directly encrypt a large file using rsautl. instead, do something like the following:
  192.  
  193. Generate a key using openssl rand, eg. openssl rand 32 -out keyfile
  194. Encrypt the key file using openssl rsautl
  195. Encrypt the data using openssl enc, using the generated key from step 1.
  196. Package the encrypted key file with the encrypted data. the recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key.
  197.  
  198. Ultimate solution for safe and high secured encode anyone file in OpenSSL and command-line:
  199.  
  200. You should have ready some X.509 certificate for encrypt files in PEM format.
  201.  
  202. NOTE: You can generated a X.509 certificate using:
  203.  
  204. Private key generation (encrypted private key):
  205. openssl genrsa -aes256 -out private.pem 8912
  206. openssl -in private.pem -pubout -out public.pem
  207.  
  208. With unecrypted private key:
  209. openssl req -x509 -nodes -days 100000 -newkey rsa:8912 -keyout private_key.pem -out certificate.pem
  210.  
  211. With encrypted private key:
  212. openssl req -x509 -days 100000 -newkey rsa:8912 -keyout private_key.pem -out certificate.pem
  213.  
  214. With existing encrypted (unecrypted) private key:
  215. openssl req -x509 -new -days 100000 -key private_key.pem -out certificate.pem
  216.  
  217. To encrypt:
  218. openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform PEM yourSslCertificate.pem
  219. openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem
  220.  
  221. For text files:
  222. openssl smime -encrypt -aes-256-cbc -in input.txt -out output.txt -outform DER yourSslCertificate.pem
  223. openssl smime -encrypt -aes-256-cbc -in input.txt -out output.txt -outform PEM yourSslCertificate.pem
  224.  
  225. What is what:
  226.  
  227. smime - ssl command for S/MIME utility (smime(1))
  228. -encrypt - chosen method for file process
  229. -binary - use safe file process. Normally the input message is converted to "canonical" format as required by the S/MIME specification, this switch disable it. It is necessary for all binary files (like a images, sounds, ZIP archives).
  230. -aes-256-cbc - chosen cipher AES in 256 bit for encryption (strong). If not specified 40 bit RC2 is used (very weak). (Supported ciphers)
  231. -in plainfile.zip - input file name
  232. -out encrypted.zip.enc - output file name
  233. -outform DER - encode output file as binary. If is not specified, file is encoded by base64 and file size will be increased by 30%.
  234. yourSslCertificate.pem - file name of your certificate's. That should be in PEM format.
  235. That command can very effectively a strongly encrypt any file regardless of its size or format.
  236.  
  237. To decrypt:
  238.  
  239. openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
  240. openssl smime -decrypt -binary -in encrypted.zip.enc -inform PEM -out decrypted.zip -inkey private.key -passin pass:your_password
  241.  
  242. For text files:
  243. openssl smime -decrypt -in encrypted_input.txt -inform DER -out decrypted_input.zip -inkey private.key -passin pass:your_password
  244. openssl smime -decrypt -in encrypted_input.txt -inform PEM -out decrypted_input.zip -inkey private.key -passin pass:your_password
  245.  
  246. What is what:
  247.  
  248. -inform DER - same as -outform above
  249. -inkey private.key - file name of your private key. That should be in PEM format and can be encrypted by password.
  250. -passin pass:your_password - your password for private key encrypt. (http://www.openssl.org/docs/apps/openssl.html#PASS_PHRASE_ARGUMENTS)
  251.  
  252. Generating public key from private key:
  253. openssl rsa -in private_key.pem -pubout > public_key.pem
  254.  
  255. Creating a signed digest of a file:
  256. openssl dgst -sha512 -sign private_key.pem -out digest.sha512 file.txt
  257.  
  258. Verify a signed digest:
  259. openssl dgst -sha512 -verify public_key.pem -signature digest.sha512 file.txt
  260.  
  261. Source: http://stackoverflow.com/questions/7143514/how-to-encrypt-a-large-file-in-openssl-using-public-key
  262. http://www.madboa.com/geek/openssl/
  263. http://stackoverflow.com/questions/5140425/openssl-command-line-to-verify-the-signature
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!