seguridad:sslcommands
seguridad:sslcommands [2022/12/02 22:02] (current) – external edit 127.0.0.1
====== SSL Commands ======

===== openssl =====

generate a new private key and matching Certificate Signing Request (eg to send to a commercial CA)

<code>
openssl req -out MYCSR.csr -pubkey -new -keyout MYKEY.key
add -nodes to create an unencrypted private key
add -config <
</code>

decrypt private key

<code>
openssl rsa -in MYKEY.key >> MYKEY-NOCRYPT.key
</code>

generate a certificate signing request for an existing private key

<code>
openssl req -out MYCSR.csr -key MYKEY.key -new
</code>

generate a certificate signing request based on an existing x509 certificate

<code>
openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key
</code>

create a self-signed certificate (can be used to sign other certificates)

<code>
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365
</code>

sign a Certificate Signing Request

<code>
openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365
</code>

-days has to be less than the remaining validity of the CA certificate (the signed certificate should not outlive the CA)

convert DER (.crt .cer .der) to PEM

<code>
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
</code>

convert PEM to DER

<code>
openssl x509 -outform der -in MYCERT.pem -out MYCERT.der
</code>

convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

<code>
openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes
add -nocerts for private key only; add -nokeys for certificates only
</code>

convert (add) a separate key and certificate to a new keystore of type PKCS#12

<code>
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "
</code>

convert (add) a separate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)

<code>
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "
</code>

you can repeat the combination of "

check a private key

<code>
openssl rsa -in MYKEY.key -check
add -noout to not disclose the key
</code>

check a Certificate Signing Request

<code>
openssl req -text -noout -verify -in MYCSR.csr
</code>

check a certificate

<code>
openssl x509 -in MYCERT.crt -text -noout
</code>

check a PKCS#12 keystore

<code>
openssl pkcs12 -info -in KEYSTORE.p12
</code>

check the trust chain of a certificate

<code>
openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt
</code>

trust chain is in a directory (hash format): replace -CAfile with -CApath /
to check for server usage: -purpose sslserver
to check for client usage: -purpose sslclient
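
The CSR, signing and verification steps above, run end to end as an added example (not part of the original page): a throwaway CA issues a server certificate from a CSR, and the result is checked with -CAfile plus -purpose sslserver / sslclient, including one check against the wrong CA. It assumes openssl on PATH; every file name, subject and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page: a throwaway CA signs a server CSR with
# -CAcreateserial, then the result is checked with the verify commands above (-CAfile
# plus -purpose sslserver / sslclient) and against an unrelated CA, which must fail.
# Needs openssl on PATH; every file name and subject is constructed for the demo.

build_chain() {   # $1 = empty working directory; all files are created inside it
  ( set -e; cd "$1"
    # CA: self-signed certificate that can sign others (-nodes = key left unencrypted)
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
      -days 730 -subj "/CN=Demo Root CA" 2>/dev/null
    # server: new private key and matching CSR in one step
    openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
      -subj "/CN=www.example.test" 2>/dev/null
    # sign the CSR; -days must stay within the CA's own remaining validity
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -days 365 2>/dev/null
    # a second, unrelated CA: verifying server.crt against it has to fail
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout other.key -out other.crt \
      -days 730 -subj "/CN=Unrelated CA" 2>/dev/null )
}

# 0 when CERT chains to the CA in CAFILE and may be used for PURPOSE (sslserver/sslclient)
verify_purpose() {   # $1 = CAFILE, $2 = CERT, $3 = PURPOSE
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Prints one DN of CERT (-subject or -issuer) without the "subject=" / "issuer=" prefix
name_field() {   # $1 = -subject | -issuer, $2 = CERT
  openssl x509 -noout "$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# 0 when CERT names the CA in CAFILE as its issuer: the first thing to compare when
# verify fails with "unable to get local issuer certificate"
issuer_matches() {   # $1 = CAFILE, $2 = CERT
  [ "$(name_field -subject "$1")" = "$(name_field -issuer "$2")" ]
}

demo() {   # builds everything in a temp dir, reports each check, returns 0 if all hold
  dir=$(mktemp -d) && build_chain "$dir" || return 1
  rc=0
  verify_purpose "$dir/ca.crt" "$dir/server.crt" sslserver && echo "sslserver: ok" || { echo "sslserver: FAIL"; rc=1; }
  verify_purpose "$dir/ca.crt" "$dir/server.crt" sslclient && echo "sslclient: ok" || { echo "sslclient: FAIL"; rc=1; }
  verify_purpose "$dir/other.crt" "$dir/server.crt" sslserver && { echo "wrong CA: FAIL"; rc=1; } || echo "wrong CA rejected: ok"
  rm -rf "$dir"
  return $rc
}
```

Source the file and call demo (or append a line `demo` to run it as a script); the three checks are reported one per line.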

debug an SSL connection [server doesn'

<code>
openssl s_client -connect idp.example.be:
</code>

debug an SSL connection with mutual certificate authentication

<code>
openssl s_client -connect idp.example.be:
</code>

trust chain is in a directory (hash format): replace -CAfile with -CApath /
send the starttls command (smtp or pop3 style): -starttls smtp or -starttls pop3

===== keytool =====

keytool does not support management of private keys inside a keystore. You need to use another tool for that. If you are using the JKS format, that means you need another java-based tool. extkeytool from the Shibboleth distribution can do this.

Create an empty keystore

<code>
keytool -genkey -alias foo -keystore truststore.jks
keytool -delete -alias foo -keystore truststore.jks
</code>

Generate a private key and an initial certificate as a JKS keystore

<code>
keytool -genkey -keyalg RSA -alias "
</code>

you can also pass the data for the DN of the certificate as command-line parameters: -dname "

Generate a secret key that can be used for symmetric encryption. For this to work, you need to make use of a JCEKS keystore.

<code>
keytool -genseckey -alias "
</code>

Generate a Certificate Signing Request for a key in a JKS keystore

<code>
keytool -certreq -v -alias "
</code>

Import a (signed) certificate into a JKS keystore

<code>
keytool -import -keystore KEYSTORE.jks -storepass "
</code>

add a public certificate to a JKS keystore, eg the JVM truststore

<code>
keytool -import -trustcacerts -alias "
</code>

If the JVM truststore contains your certificate or the certificate of the root CA that signed your certificate,

<code>
keytool -import -trustcacerts -alias "
</code>

the default password of the Java truststore is "
if $JAVA_HOME is set to the root of the JDK, then the truststore is at $JAVA_HOME/
keytool does NOT support adding trust certificates to a PKCS12 keystore (which is very unfortunate but probably a good move to promote JKS)

delete a public certificate from a JAVA keystore (JKS; eg JVM truststore)

<code>
keytool -delete -alias "
</code>

the default password of the Java truststore is "
if $JAVA_HOME is set to the root of the JDK, then the truststore is at $JAVA_HOME/

List the certificates inside a keystore

<code>
keytool -list -v -keystore KEYSTORE.jks
-storetype pkcs12 can be used
</code>

Get information about a stand-alone certificate

<code>
keytool -printcert -v -file MYCERT.crt
</code>

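
The keytool workflow above as one added example (not the page's own commands): a key pair generated inside a JKS keystore, a CSR for it, a signature by a small openssl CA, then the import of the CA certificate followed by the signed reply. It assumes keytool (from a JDK) and openssl on PATH; the alias, the store password and every subject are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page: the JKS round trip from the keytool section,
# end to end. Generate the key pair inside a keystore, write a CSR for it, sign that CSR with
# a small openssl CA, import the CA certificate and then the signed reply. Needs keytool
# (JDK) and openssl on PATH; the alias, store password and subjects are constructed.

PASS="demo-storepass"   # constructed store and key password (JKS wants 6+ characters)

make_demo_ca() {   # $1 = dir; writes ca.key (unencrypted) and self-signed ca.crt there
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$1/ca.key" -out "$1/ca.crt" \
    -days 730 -subj "/CN=Demo Root CA" 2>/dev/null
}

# Key pair in a JKS keystore (-dname replaces the interactive DN questions) plus its CSR
make_keystore_and_csr() {   # $1 = dir, $2 = alias; writes ks.jks and server.csr
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$2" -dname "CN=www.example.test" \
    -validity 365 -storetype JKS -keystore "$1/ks.jks" -storepass "$PASS" -keypass "$PASS" 2>/dev/null &&
  keytool -certreq -alias "$2" -file "$1/server.csr" -keystore "$1/ks.jks" -storepass "$PASS" 2>/dev/null
}

# The CA signs the CSR; this is the openssl x509 -req command from the openssl section
sign_csr() {   # $1 = dir; writes server.crt
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/server.crt" -days 365 2>/dev/null
}

# Import the CA first as a trusted entry, then the reply under the key's own alias: keytool
# only installs a reply once it can build the chain up to a certificate it already trusts
import_reply() {   # $1 = dir, $2 = alias
  keytool -importcert -noprompt -alias demo-ca -file "$1/ca.crt" \
    -keystore "$1/ks.jks" -storepass "$PASS" 2>/dev/null &&
  keytool -importcert -noprompt -alias "$2" -file "$1/server.crt" \
    -keystore "$1/ks.jks" -storepass "$PASS" 2>/dev/null
}

# Prints the chain length keytool -list -v reports for ALIAS: 1 for the self-signed
# placeholder right after -genkeypair, 2 (leaf + CA) once the reply has been installed
chain_length() {   # $1 = dir, $2 = alias
  keytool -list -v -alias "$2" -keystore "$1/ks.jks" -storepass "$PASS" 2>/dev/null |
    sed -n 's/^Certificate chain length: *//p'
}
```

Call the functions in order (make_demo_ca, make_keystore_and_csr, sign_csr, import_reply) on one directory; chain_length goes from 1 to 2 when the reply is accepted.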
===== notes: =====

openssl for win32 can be downloaded at http://

keytool is a part of each Sun Java distribution (binary). You need it to manipulate the Java KeyStore (JKS) format.

hash format: the -CApath directory should contain each certificate that needs to be trusted. The name of each certificate has to be the hash of its subject name followed by a number. On unix, execute "$ c_rehash ./" to create symlinks with the correct names. You can also do this manually with the -hash option of openssl (see "
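
The hash-format directory described in the note, built by hand as an added example (not the page's own commands): each CA certificate is copied in under <subject hash>.<n>, and a certificate is then verified with -CApath alone, first against an empty directory and then against the populated one. It assumes openssl on PATH; the CA, the leaf certificate and all names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page: populate a -CApath directory by hand using
# the subject-name hash (what c_rehash / "openssl rehash" automate), then verify a leaf
# certificate against that directory only. Needs openssl on PATH; the CA, the leaf and all
# names are constructed for the demo.

make_demo_certs() {   # $1 = empty working dir; leaves ca.crt and server.crt there
  ( set -e; cd "$1"
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt -days 730 \
      -subj "/CN=Demo Root CA" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
      -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -days 365 2>/dev/null )
}

# Copy CERT into DIR as <hash>.<n>: the hash is "openssl x509 -subject_hash" (-hash is a
# synonym) and n is the first free number, so two CAs with the same subject name get
# <hash>.0 and <hash>.1 instead of overwriting each other. Prints the installed path.
install_ca_hashed() {   # $1 = DIR, $2 = CERT (PEM)
  hash=$(openssl x509 -noout -subject_hash -in "$2") || return 1
  n=0
  while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
  cp "$2" "$1/$hash.$n" && echo "$1/$hash.$n"
}

# 0 when CERT chains to a CA in the hashed directory DIR; -no-CAfile/-no-CApath keep the
# system default store out of the picture so the result reflects DIR alone
verify_with_capath() {   # $1 = DIR, $2 = CERT
  openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {   # returns 0 when an empty dir rejects the leaf and the populated dir accepts it
  work=$(mktemp -d) && capath=$(mktemp -d) || return 1
  make_demo_certs "$work" || return 1
  if verify_with_capath "$capath" "$work/server.crt"; then echo "empty -CApath accepted leaf: FAIL"; return 1; fi
  install_ca_hashed "$capath" "$work/ca.crt" >/dev/null || return 1
  verify_with_capath "$capath" "$work/server.crt" && echo "hashed -CApath: ok" || { echo "hashed -CApath: FAIL"; return 1; }
  rm -rf "$work" "$capath"
}
```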

please send remarks, corrections and other often used commands to shib@kuleuven.net