Most of this should work with LibreSSL, but you will need OpenSSL for the CSR SAN cert.
CSR SAN wild card cert
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr -addext "subjectAltName = DNS:*.DOMAIN.TLD"
Common Name (eg, your name or your server's hostname) []:DOMAIN.TLD
CSR SAN cert
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr -addext "subjectAltName = DNS:SITE1.DOMAIN.TLD,DNS:SITE2.DOMAIN.TLD"
Common Name (eg, your name or your server's hostname) []:DOMAIN.TLD
CSR with encrypted key
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr
CSR with unencrypted key
openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout KEY-FILE.key -out CSR-FILE.csr
Add encryption to key
openssl rsa -aes256 -in KEY-FILE.key -out KEY-FILE.enc.key
Remove encryption from key
openssl rsa -in KEY-FILE.enc.key -out KEY-FILE.key
Self sign cert
openssl x509 -req -days 365 -in CSR-FILE.csr -signkey KEY-FILE.key -out CRT-FILE.crt
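An added example, not from the original page: a shell check that a key, CSR and certificate produced by the commands above carry the same public key, and that the CSR really contains the requested SAN names. The function names, the temporary directory, the `-subj` value and the 2048-bit demo key are assumptions; DOMAIN.TLD, SITE1 and SITE2 are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# DOMAIN.TLD / SITE1 / SITE2 are the page's placeholders.

# pubkey_hash FILE key|csr|crt -> SHA-256 of the PEM public key inside FILE
pubkey_hash() {
    case "$2" in
        key) pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable input must never hash as "equal"
    printf '%s\n' "$pub" | openssl sha256 -r | cut -d' ' -f1
}

# check_match KEY CSR CRT -> exit 0 only if all three carry the same public key
check_match() {
    k=$(pubkey_hash "$1" key) && c=$(pubkey_hash "$2" csr) &&
        x=$(pubkey_hash "$3" crt) && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# csr_sans CSR -> the DNS names requested in the CSR's subjectAltName, one per line
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null | awk '
        /Subject Alternative Name/ {
            getline; gsub(/ /, ""); n = split($0, a, ",")
            for (i = 1; i <= n; i++) if (sub(/^DNS:/, "", a[i])) print a[i]
        }'
}

# make_demo DIR -> key, SAN CSR and self-signed cert, built non-interactively
# (-subj and -nodes replace the prompts; rsa:2048 only keeps the demo fast)
make_demo() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=DOMAIN.TLD" \
        -keyout "$1/KEY-FILE.key" -out "$1/CSR-FILE.csr" \
        -addext "subjectAltName = DNS:SITE1.DOMAIN.TLD,DNS:SITE2.DOMAIN.TLD" \
        2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/CSR-FILE.csr" \
        -signkey "$1/KEY-FILE.key" -out "$1/CRT-FILE.crt" 2>/dev/null
}

tmp=$(mktemp -d) || exit 1
make_demo "$tmp" && csr_sans "$tmp/CSR-FILE.csr" &&
    check_match "$tmp/KEY-FILE.key" "$tmp/CSR-FILE.csr" "$tmp/CRT-FILE.crt" &&
    echo "key, CSR and certificate share one public key"
rm -rf "$tmp"
```

By default `x509 -req` does not copy the CSR's requested extensions, so the SAN checked here is the one in the CSR, not one in the self-signed certificate.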
Full pem
cat KEY-FILE.key >> CRT-FILE.pem
cat CRT-FILE.crt >> CRT-FILE.pem
cat INT-CA-FILE.crt >> CRT-FILE.pem
cat ROOT-CA-FILE.crt >> CRT-FILE.pem
Export PEM to PKCS12/P12/PFX
openssl pkcs12 -export -in CRT-FILE.pem -out CRT-FILE.p12
Export P12 to PEM
openssl pkcs12 -in CRT-FILE.p12 -out CRT-FILE.pem -nodes
-legacy may need to be added if the P12 was created with OpenSSL 1.x and you are now using 3.x
Export to PKCS7/P7B
openssl crl2pkcs7 -nocrl -certfile CRT-FILE.pem -out CRT-FILE.p7b
Convert from binary to base64
openssl base64 -in example_com.p12
View certificate contents
openssl x509 -in CRT-FILE.crt -text -noout -purpose
View certificate chain
openssl s_client -showcerts -connect SITE.DOMAIN.TLD:443
Specify the config file to use
*Add the following option to the end of any openssl command string*
-config openssl.cfg
*Example*
openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout KEY-FILE.key -out CSR-FILE.csr -config openssl.cfg
Encrypt and decrypt file
#generate key
openssl rand -out secret.key 32
vim passwords.txt
#encrypt file
openssl aes-256-cbc -in passwords.txt -out passwords.txt.enc -pass file:secret.key
#encrypt key
openssl rsautl -encrypt -oaep -pubin -inkey <(ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PKCS8) -in secret.key -out secret.key.enc
#decrypt key
openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa -in secret.key.enc -out new-secret.key
#decrypt file
openssl aes-256-cbc -d -in passwords.txt.enc -out new-passwords.txt -pass file:new-secret.key
cat new-passwords.txt
From: https://bjornjohansen.no/encrypt-file-using-ssh-key
PKCS#5 vs PKCS#8
https://github.com/kjur/jsrsasign/wiki/Tutorial-for-PKCS5-and-PKCS8-PEM-private-key-formats-differences