Using Openssl To Read Multiple Certificates - linux

I want to use the following commands:
openssl x509 -noout -in /etc/pki/tls/certs/cert1.pem -enddate
openssl x509 -noout -in /etc/pki/tls/certs/cert2.pem -enddate
openssl x509 -noout -in /etc/pki/tls/certs/certN.pem -enddate
Is there a way to read all the certificates using wild cards? e.g,
openssl x509 -noout -in /etc/pki/tls/certs/*.pem -enddate
Any help would be much appreciated. Thank you in advance.

Use a shell scriptlet:
#! /bin/sh
# Loop over every .pem file; quote "$file" so names with spaces are handled.
for file in /etc/pki/tls/certs/*.pem; do
  # printf instead of echo -n: echo -n is not portable under /bin/sh
  printf '%s: ' "$file"
  openssl x509 -noout -in "$file" -enddate
done
Put this in a file, say certexpires.sh, then you can run it with:
sh certexpires.sh

My answer for your case is this command:
ls /etc/pki/tls/certs/cert*.pem | xargs -L1 openssl x509 -noout -enddate -in
Explanation
In the first step, I make the list of my certificates that I want to parse. For example in my case it could be like this:
[root@vpsfree certs]# ls -1 */*.crt
ewsport.org/ewsport.org.crt
hxpro.cz/hxpro.crt
jaguars.cz/jaguars.crt
koudelka.photography/koudelka.photography.crt
unicycle-hockey.cz/unicycle-hockey.cz.crt
unipragga.cz/unipragga.cz.crt
Next, I want to get the expiration date from each of them.
[root@vpsfree certs]# openssl x509 -noout -enddate -in hxpro.cz/hxpro.crt
notAfter=Apr 24 11:29:21 2017 GMT
Now I can send the output of my first command to the second using xargs.
[root@vpsfree certs]# ls -1 */*.crt | xargs -L1 openssl x509 -noout -enddate -in
notAfter=Mar 31 15:08:20 2017 GMT
notAfter=Apr 24 11:29:21 2017 GMT
notAfter=Mar 23 21:23:42 2017 GMT
notAfter=Apr 24 11:50:32 2017 GMT
notAfter=Dec 11 16:32:41 2016 GMT
notAfter=Mar 20 19:44:17 2017 GMT
I used the option -L1 because the openssl command accepts only one -in file as input.

I have created an alias for my terminal which runs this on all files in the folder (you can adjust it to run only on the pem extension, but this is my adaptation):
alias ssl-opemu='_(){ for i in *; do openssl x509 -in "$i" -noout -text; done; }; _'
I am almost sure I have inherited this from a previous thread so all rights to their original owners. :)
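The three answers above all loop over a directory of certificates and print the expiry date. The following is an added example, not code from the thread, that does the same with a few practitioner details: it quotes paths so names with spaces survive (which `ls | xargs` does not), reports files that are not PEM certificates instead of silently skipping them, and uses `openssl x509 -checkend` to classify each certificate as OK, EXPIRING within a window, or EXPIRED. It assumes the `openssl` CLI is on PATH; the function names, the directory and the day threshold are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): scan a directory for certificates and
# classify each as OK / EXPIRING / EXPIRED / INVALID.
# Assumes the openssl CLI is on PATH.

# Succeeds if the certificate in $1 is still valid $2 seconds from now.
# openssl x509 -checkend exits 0 in that case and 1 if it will have expired.
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Print one tab-separated line per *.pem / *.crt file in directory $1:
#   STATUS <tab> notAfter <tab> path
# $2 is the warning window in days (default 30).
cert_expiry_report() {
  dir=$1
  days=${2:-30}
  window=$(( days * 86400 ))
  for file in "$dir"/*.pem "$dir"/*.crt; do
    # An unmatched glob is left as the literal pattern; -f filters that out,
    # along with directories and dangling symlinks.
    [ -f "$file" ] || continue
    # Files that are not PEM certificates (keys, CSRs, junk) are reported
    # rather than skipped, so a misplaced file in the cert directory is noticed.
    if ! enddate=$(openssl x509 -noout -enddate -in "$file" 2>/dev/null); then
      printf 'INVALID\t-\t%s\n' "$file"
      continue
    fi
    if ! cert_valid_for "$file" 0; then
      status=EXPIRED
    elif ! cert_valid_for "$file" "$window"; then
      status=EXPIRING
    else
      status=OK
    fi
    # Strip the "notAfter=" prefix openssl prints before the date.
    printf '%s\t%s\t%s\n' "$status" "${enddate#notAfter=}" "$file"
  done
}

# Usage: sh certexpires.sh /etc/pki/tls/certs 30
if [ $# -gt 0 ]; then
  cert_expiry_report "$1" "${2:-30}"
fi
```

Note that `openssl x509` reads only the first certificate in a file, so for a bundle (chain) file the report covers the leaf only; run it over the individual certificates if the intermediates also need watching.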

Related

Openssl aes load key from file

Using openssl with aes256 by passing a password works fine:
openssl enc -iv BABA -aes256 -in message.txt -out message.enc -base64 -k 1234
openssl enc -d -iv BABA -aes256 -in message.enc -out message.txt -base64 -k 1234
What I am trying to do is to generate an aes256 key and save it in a file. Then use the key file for encryption/decryption actions.
I found this procedure:
openssl rand -base64 256 > symm_key
openssl enc -aes256 -e -in message.txt -out cipher.bin -pass file:symm_key -salt
openssl enc -aes256 -d -in cipher.bin -out message.txt -pass file:symm_key -salt
Any other solution? I do not want to use a password.

Linux command piping in openssl to use string input

I have a shell script where a file at path $path has some text which I encrypt as below, and it works:
content_sha256="$(openssl dgst -binary -sha256 < $path | openssl enc -e -base64)";
The value of variable content_sha256 works correctly.
Now, I have a string $body which I want to encrypt. I am trying the below, but it gives me an entirely different result.
content_sha256="$(echo $body | openssl dgst -sha256 | openssl enc -e -base64)";
Am I piping something wrong or option for openssl should be different?
Correct answer below
content_sha256="$(echo $body | openssl dgst -binary -sha256 | openssl enc -e -base64)";
Points to note:
Include -binary option.
Instead of redirecting the file content as input, use echo $body with a pipe.
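The difference the question ran into comes from two things: without `-binary`, `openssl dgst` emits a text line (`SHA256(stdin)= <hex>`), so base64-encoding that gives a completely different string than base64 of the 32 raw digest bytes; and `echo "$body"` appends a newline, so the string is hashed with one extra byte compared with a file holding the same text. The following is an added example, not code from the thread, showing both forms side by side; it assumes the `openssl` CLI is on PATH, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): SHA-256 of a string and of a file,
# computed so that both agree on the same bytes. Assumes openssl on PATH.

# Hex SHA-256 of the exact bytes of $1 (printf '%s' adds no newline).
# The sed strips the "SHA256(stdin)= " / "(stdin)= " prefix, whose exact
# form varies between OpenSSL versions.
sha256_hex_of_string() {
  printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
}

# Base64 of the raw 32-byte digest of $1, the form the thread is building.
sha256_b64_of_string() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | openssl enc -base64
}

# Same, for a file's contents; matches sha256_b64_of_string when the file
# holds exactly the same bytes.
sha256_b64_of_file() {
  openssl dgst -sha256 -binary < "$1" | openssl enc -base64
}

# What `echo "$body" | ...` actually hashes: the string plus a trailing newline.
sha256_b64_of_string_with_newline() {
  printf '%s\n' "$1" | openssl dgst -sha256 -binary | openssl enc -base64
}
```

If the consumer of the hash (an API signing scheme, for instance) expects the digest of the request body without a trailing newline, the `printf '%s'` form is the one to use; the `echo` form only matches when the file version also ends in a newline.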

Script in bash to get all certificates names in a directory

I'm creating a script in bash that uses the command:
openssl x509 -in <cert> -noout -text | grep 'Issuer\|Not After' | sed -e 's/^[ \t]*//'
and checks all certificate files in the directory. I used the command
ls -l | grep .crt | cut -d " " -f11 > test.txt
to get the following certificate list:
client.crt
client1.crt
client12.crt
client2.crt
client3.crt
server12.crt
server2.crt
however when I run:
for i in test.txt;do openssl x509 -in $i -noout -text | grep 'Issuer\|Not After' | sed -e 's/^[ \t]*//';done
I get the following output:
unable to load certificate
140075503359296:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
You're not iterating over the files listed in your test.txt; you're executing openssl against that very file.
What you really want to do is this:
while read -r i
do
openssl x509 -in "$i" -noout -text | grep 'Issuer\|Not After' | sed -e 's/^[ \t]*//'
done < test.txt
P.S.: I did not verify that your openssl magic works, just fixed the loop logic.
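The following is an added example, not code from the thread, of the corrected loop with a few robustness details: `IFS= read -r` keeps names with spaces or backslashes intact, openssl's stdin is pointed at /dev/null so it cannot consume the rest of the list, `-issuer -enddate` asks openssl directly for the two fields instead of grepping `-text`, and paths that cannot be loaded are counted rather than aborting the loop. It assumes the `openssl` CLI is on PATH; the function name and the list file are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): read certificate paths from a list file,
# one per line, and print issuer and expiry for each. Assumes openssl on PATH.

# Print "issuer<tab>notAfter<tab>path" for each certificate named in the
# list file $1, and "ERROR<tab>-<tab>path" for names that cannot be loaded.
# Returns 0 if every entry loaded, 1 otherwise, so the caller can check it.
cert_list_report() {
  listfile=$1
  failures=0
  # IFS= keeps leading/trailing blanks in a name; -r keeps backslashes.
  while IFS= read -r path; do
    [ -n "$path" ] || continue            # skip blank lines
    # </dev/null: the loop's stdin is the list file, and a command inside the
    # loop that reads stdin would swallow the remaining lines.
    if info=$(openssl x509 -noout -issuer -enddate -in "$path" 2>/dev/null </dev/null); then
      # Pick each field by its prefix, so the order openssl prints them in
      # does not matter.
      issuer=$(printf '%s\n' "$info" | sed -n 's/^issuer=//p')
      notafter=$(printf '%s\n' "$info" | sed -n 's/^notAfter=//p')
      printf '%s\t%s\t%s\n' "$issuer" "$notafter" "$path"
    else
      failures=$(( failures + 1 ))
      printf 'ERROR\t-\t%s\n' "$path"
    fi
  done < "$listfile"
  [ "$failures" -eq 0 ]
}

# Usage: cert_list_report test.txt
```

Building the list with `ls -l | cut -d " " -f11` is fragile (the column shifts with owner or group names of different lengths, and the listing format is not meant to be parsed); `find . -name '*.crt' > test.txt` produces the same list reliably.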

Decryption in a loop with openssl?

I'm trying to use openssl to decrypt files. I can successfully encrypt them in a loop, but when I try to change the command to make it decrypt, I get "error reading input file."
for f in /dir1/dir2/*.txt ;
do [ -f $f ] && openssl aes-256-cbc enc -in $f -out $f.enc -k PASSWORD ;
done
(the above works for encrypting)
for f in /dir1/dir2/*.txt.enc ;
do [ -f $f ] && openssl enc -d -aes-256-cbc -k PASSWORD -in $f -out $f;
done
"error reading input file"
So I've tried making the input file $f.txt.enc, and $f.enc, and similar fiddling with the outfile. No luck.
I think your encoding line has a problem: missing - in front of the aes part. For reference, here are lines that work for me:
openssl enc -aes-256-cbc -in $f -out $f.enc -k PASSWORD
openssl enc -aes-256-cbc -d -in $f.enc -out $f.dec -k PASSWORD
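Two of the related questions above concern `openssl enc` in bulk: the "aes load key from file" question wants a key file instead of a typed password, and the decryption-loop question fails because its decrypt command uses the same path for `-in` and `-out` (openssl opens the output file for writing, which truncates it, before the ciphertext has been read, hence "error reading input file"). The following is an added example, not code from either thread, that covers both: it creates a single-line key file, encrypts every `.txt` in a directory with `-pass file:` and `-pbkdf2`, and decrypts every `.enc` to a different path by stripping the suffix. It assumes the `openssl` CLI (1.1.1 or later, for `-pbkdf2`) is on PATH; the function names and file layout are this example's own.

```sh
#!/bin/sh
# Added example (not from the threads): key-file based batch encryption and
# decryption with openssl enc. Assumes openssl 1.1.1+ on PATH.

# Create a key file holding one line of hex. -pass file: reads only the
# first line of the file, so a multi-line base64 blob (as produced by
# `openssl rand -base64 256`) would silently use just its first 64 characters.
# The subshell keeps the restrictive umask from leaking into the caller.
make_key_file() {
  ( umask 077; openssl rand -hex 32 > "$1" )
}

# Encrypt $1/*.txt -> $1/NAME.txt.enc using key file $2.
# -pbkdf2 derives the cipher key from the file contents with a salt and
# iteration count instead of the legacy single-pass EVP_BytesToKey scheme.
encrypt_dir() {
  dir=$1; keyfile=$2
  for f in "$dir"/*.txt; do
    [ -f "$f" ] || continue               # skip an unmatched glob
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$keyfile" \
      -in "$f" -out "$f.enc" || return 1
  done
}

# Decrypt $1/*.enc -> $1/NAME (the .enc suffix stripped) using key file $2.
# Input and output paths must differ: -out is truncated on open, so
# -in "$f" -out "$f" would destroy the ciphertext before it is read.
decrypt_dir() {
  dir=$1; keyfile=$2
  for f in "$dir"/*.enc; do
    [ -f "$f" ] || continue
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" \
      -in "$f" -out "${f%.enc}" || return 1
  done
}

# Usage:
#   make_key_file symm_key
#   encrypt_dir /dir1/dir2 symm_key
#   decrypt_dir /dir1/dir2 symm_key
```

Both sides must agree on `-pbkdf2` (and on the cipher): a file encrypted with it will not decrypt with a plain `openssl enc -d -aes-256-cbc -pass file:...`, and vice versa. The key file is the secret here, so it belongs on the filesystem with the same care as a private key, which is what the `umask 077` is for.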

How to direct output of time command to a file in shell script?

This does not append the output of the time command to file.txt
echo $(time openssl genrsa -aes128 -out server.key 1024) &> file.txt
You can use the following:
{ time openssl genrsa -aes128 -out server.key 1024; } 2>> file.txt
