What is the role of the -signkey option in openssl-req? - linux

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
This is a popular command for generating self-signed SSL certificates using OpenSSL.
What confuses me is the -signkey parameter in the third command line: what is the use of this option? I don't see it in openssl req -help.
Can anyone answer it, please? Thanks in advance!

Why are you looking at req's help? The third line is using the x509 command:
]$ openssl x509 -help
...
-signkey infile Self sign cert with arg
So it is the key with which you self-sign the certificate.

Related

How to use Common Name as parameter while creating Server certificate

I am new to Linux and I am currently trying to create server certificates from CA.crt.
The certificate parameters I have to use are CN (common name) = ipaddress and 1 year validity. I know how to use the validity parameter but don't know what the importance of CN is and how I can use it while creating the server certificate. See below the commands I am using:
//create a certificate request .csr
openssl req -new -out server.csr -key server.key
//CA key to verify and sign the server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
Some common information
'CN(Common Name)' is one of the parameters in the 'Subject' of the certificate.
Others being C(Country), ST(State), OU(Organization Unit), etc.
'Subject' usually includes the information about the entity to which the certificate has been issued.
To specify CN for a certificate, you can specify it while generating the CSR.
Answer to your question
Assuming you have to generate server.crt with CN=<ip_address>, you will have to generate CSR as follows (change ip as needed):
openssl req -new -out server2.csr -key server.key -subj "/CN=255.255.255.255"
Alternatively, if -subj option is not provided, an interactive mode window should open where you can specify the desired CN in 'Common Name' field. If you wish to skip other parameters like ST, OU in the subject, put '.' to skip them in the interactive mode.
Hope this helps.

self sign certificate : extract values into conf file

I'm creating a self-signed certificate. It is one SSL certificate for several local domains:
local.dev.lat.com
local.dev.bet.com
local.dev.cat.com
local.dev.mon.com
local.dev.pop.com
...
I have this command for creating that:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout server.key \
-out server.crt \
-subj "/CN=*.local.dev.lat.com,*.local.dev.bet.com" \
-addext "subjectAltName=DNS:*.local.dev.bet.com,DNS:local.dev.bet.com,DNS:*.local.dev.bet.com,DNS:local.dev.bet.com,IP:127.0.0.1"
My question is:
as I have around 30 domains, I would like to extract the -subj and -addext params to a conf file somehow. Is it possible?
Let's make CERT="server.crt"; #or any other certificate.
You can easily get all of the requested info in one command openssl x509 -noout -in ${CERT} -text. You can parse that, but it's not ideal. Look at the man page for x509 for better options.
Note I am using bash to do variable substitution. You should too.
To get the serial:
serial=$(openssl x509 -serial -noout -in ${CERT}); #get only the serial
serial=${serial#*=}; #strip the 'serial=' header
To get the subject:
subject=$(openssl x509 -subject -noout -in ${CERT}); #get only the subject
subject=${subject#*=}; #strip the 'subject=' header
Now for the subjectAltName... It's an x509 extension, so it gets a bit trickier. But let's try anyway:
#use almost every certopt that exists to narrow display to X509v3 section
altname=$(openssl x509 -noout -in ${CERT} -text -certopt no_header,no_version,no_signame \
-certopt no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux,no_serial)
#remove previous extensions, headers, and leading spaces
altname=${altname#*X509v3 Subject Alternative Name: $'\n' };
#remove any possible sections after
altname=${altname%%$'\n'*}
#unset the variable if subjectAltName didn't exist
[[ "${altname}" == " X509v3 extensions:" ]] && unset altname
Your mileage may vary whilst parsing altname. I just whipped this up in a few minutes, so I'm sure I missed some edge cases. Anyway...
Now you have three variables you can throw at anything however you want:
echo -e "${CERT}:\n Serial:\n ${serial}\n Subject:\n ${subject}\n subjectAltName:\n ${altname}"
That's it. Job done...
#there seems to be a pattern forming here
openssl ec -text -noout -check -in private.key #check private key
openssl req -text -noout -verify -in CSR.csr #check signing request
openssl x509 -text -noout -in public.crt #check public key
openssl pkcs12 -info -noout -in keyStore.p12 #check client cert
openssl crl -text -noout -in revocation.crl #check certificate revocation list
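The question above (moving the -subj and -addext values for ~30 domains into a config file) is not actually answered by the parsing script, so here is an added example that does it; it is not code from the original answers. File names and the section names dn/san_req/alt_names are assumptions.

```shell
#!/bin/sh
# Generate the subject and subjectAltName from a domain list into an OpenSSL
# config file, then point openssl req at it instead of a 30-name command line.
# Added example; file and section names are assumptions.
set -eu

# Write an OpenSSL config to $2 for the domains listed one per line in $1.
# The CN holds only one name, so the first domain becomes the CN and every
# domain gets a wildcard and a bare subjectAltName entry, plus 127.0.0.1.
# Prints the number of DNS entries written.
build_san_conf() {
    domains="$1"; conf="$2"; n=0
    first=$(head -n 1 "$domains")
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = san_req\nprompt = no\n\n'
        printf '[dn]\nCN = %s\n\n' "$first"
        printf '[san_req]\nsubjectAltName = @alt_names\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n\n[alt_names]\n'
        while IFS= read -r d; do
            [ -n "$d" ] || continue            # skip blank lines
            n=$((n + 1)); printf 'DNS.%d = *.%s\n' "$n" "$d"
            n=$((n + 1)); printf 'DNS.%d = %s\n' "$n" "$d"
        done < "$domains"
        printf 'IP.1 = 127.0.0.1\n'
    } > "$conf"
    echo "$n"
}

# Issue the self-signed certificate from the generated config and show the
# SANs that actually landed in it (2048-bit key to keep the demo quick).
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -keyout server.key -out server.crt -config "$1"
    openssl x509 -noout -in server.crt -text | grep -A1 'Subject Alternative Name'
}

# Constructed sample list standing in for the ~30 real domains.
printf '%s\n' local.dev.lat.com local.dev.bet.com local.dev.cat.com > domains.txt
build_san_conf domains.txt san.cnf
if command -v openssl >/dev/null; then issue_cert san.cnf; fi
```

Because the config is a plain file, adding a domain is one more line in domains.txt and a re-run, and the certificate's SAN list can be diffed against the list before deployment.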

AWS iot self signed certs script

I am attempting to create an automated version of this process https://aws.amazon.com/premiumsupport/knowledge-center/iot-self-signed-certificates/
But I am running into some issues. I keep getting an error when I attempt to use the iot registration code for the CN field of the command
openssl req -new -key verificationCert.key -out verificationCert.csr -subj "/CN=$CN"
I'm having trouble appending the variable in which I have stored the registration code to the CN portion.
When I do this manually it works.
--UPDATE--
openssl genrsa -out myRootCA.key 2048
openssl req -x509 -new -nodes -key myRootCA.key -sha256 -days 730 -subj "/C=US/ST=Massachusetts/L=Boston/O=Company/OU=USBDev/CN=CA STG CERT" -out myRootCA.pem
CN=$(aws iot get-registration-code | jq --raw-output .registrationCode)
openssl genrsa -out privateKeyCert.key 2048
openssl req -new -key privateKeyCert.key -subj "/CN=$CN" -out privateKeyCert.csr
openssl x509 -req -in privateKeyCert.csr -CA myRootCA.pem -CAkey myRootCA.key -CAcreateserial -out privateKeyCert.pem -days 730 -sha256
aws iot register-ca-certificate --ca-certificate file://myRootCA.pem --verification-cert file://privateKeyCert.pem
Step 1 : Generate the CA key and certificate
openssl genrsa -out cacert.key 2048
openssl req -x509 -new -nodes -key cacert.key -sha256 -days 365 -subj "/C=US/ST=Massachusetts/L=Boston/O=Zoom Tel/OU=USBSensor iot/CN=CA STG CERT" -out cacert.pem
Step 2 : Getting registration code to put as the CN in a CSR
aws iot get-registration-code
{
"registrationCode": "xxxxxxx"
}
You can capture the registration code in a shell variable like this :
CN=$(aws iot get-registration-code | jq --raw-output .registrationCode)
Step 3 : Create the CA certificate (using the registration code)
Notice you only need to provide a CN here. Nothing else.
openssl genrsa -out privateKeyVerification.key 2048
openssl req -new -key privateKeyVerification.key -subj "/CN=$CN" -out privateKeyVerification.csr
openssl x509 -req -in privateKeyVerification.csr -CA cacert.pem -CAkey cacert.key -CAcreateserial -out privateKeyVerification.crt -days 365 -sha256

How to convert an SSL certificate in linux

Is there a way how to convert certificates between cer/pem/crt/der/pfx/p12 in Linux? I have an SSL certificate in a .cer file and I need it to be .pem in order to use it.
How can I convert it?
Converting certificates between cer/pem/crt/der/pfx/p12 can be done in Linux with the use of OpenSSL tool via the terminal.
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
For more information see:
http://www.sslshopper.com/article-most-common-openssl-commands.html
https://support.ssl.com/index.php?/Knowledgebase/Article/View/19
Convert .crt to .p12
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
Where server.key is the server key.
server.crt is the cert file from the CA or self-signed.

How to encrypt an XML file in Ubuntu with openssl using the public key?

Can anyone tell me how to encrypt and decrypt an XML file using openssl?
I can create a private key using the Linux command
openssl genrsa -out private.pem 1024 and got my private key as private.pem
I also created a public key using
openssl rsa -in private.pem -out public.pem -outform PEM -pubout and got my public key as public.pem
Now what I want is to encrypt the XML file using this public key and then decrypt it again using my private key.... please help me...
thanks in advance
I think what you are looking for is this:
If you have a PEM encoded key:
openssl pkeyutl -encrypt -in FileToEncrypt -out EncryptedData.enc -inkey ThePathToYourPublicKey -keyform PEM
If you have a DER encoded key:
openssl pkeyutl -encrypt -in FileToEncrypt -out EncryptedData.enc -inkey ThePathToYourPublicKey -keyform DER
You then decrypt with:
openssl pkeyutl -decrypt -in EncryptedData.enc -out DecryptedFile -inkey ThePathToYourPrivateKey
For more information about this you can consult openssl's pkeyutl documentation.
If you want to use S/MIME packaging (a standard used to encrypt/decrypt/sign e-mails), see openssl's smime documentation.
Encrypt with public key:
openssl rsautl -encrypt -inkey public.pem -pubin -in xml.file -out encrypted.enc
Decrypt with private key:
openssl rsautl -decrypt -inkey private.pem -in encrypted.enc -out xml.txt
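One caveat a practitioner will hit with both answers above: pkeyutl and rsautl encrypt a single RSA block, so a 1024-bit key holds at most 117 bytes with PKCS#1 v1.5 padding and any real XML file fails with a "data too large for key size" error. The usual fix is hybrid encryption: encrypt the file with a random AES key and wrap only that key with the RSA public key. The script below is an added example, not code from the original answers; file names are assumptions.

```shell
#!/bin/sh
# Hybrid encryption with openssl: AES-256-CBC for the file, RSA-OAEP for the
# AES key. Added example; file names are assumptions.
set -eu

# Encrypt $1 for the holder of public key $2; writes $1.enc and $1.key.enc.
encrypt_for() {
    in="$1"; pub="$2"
    openssl rand -hex 32 > "$in.key"                   # fresh 256-bit key, one line
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$in" -out "$in.enc" \
        -pass "file:$in.key"
    # OAEP padding instead of the PKCS#1 v1.5 default that rsautl uses
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -in "$in.key" \
        -out "$in.key.enc" -pkeyopt rsa_padding_mode:oaep
    rm -f "$in.key"                                    # plaintext key must not linger
}

# Decrypt $1 (the .enc file) with private key $2, writing the plaintext to $3.
decrypt_with() {
    enc="$1"; priv="$2"; out="$3"
    base="${enc%.enc}"
    openssl pkeyutl -decrypt -inkey "$priv" -in "$base.key.enc" \
        -out "$base.key" -pkeyopt rsa_padding_mode:oaep
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$enc" -out "$out" \
        -pass "file:$base.key"
    rm -f "$base.key"
}

# Constructed sample: a small XML file and a throwaway 2048-bit key pair.
if command -v openssl >/dev/null; then
    printf '<config><secret>s3cr3t</secret></config>\n' > data.xml
    openssl genrsa -out private.pem 2048 2>/dev/null
    openssl rsa -in private.pem -pubout -out public.pem 2>/dev/null
    encrypt_for data.xml public.pem
    decrypt_with data.xml.enc private.pem data.out.xml
    cmp data.xml data.out.xml && echo "round trip OK"
fi
```

Ship data.xml.enc together with data.xml.key.enc; the recipient needs both, and only the private key holder can recover the AES key.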
