Nerdy Drunk

Drunk on technology


OpenSSL

OpenSSL Cheat Sheet

Most of this should work with LibreSSL, but the CSR SAN examples rely on -addext, which needs OpenSSL 1.1.1 or newer.


CSR SAN wild card cert
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr -addext "subjectAltName = DNS:*.DOMAIN.TLD"
Common Name (eg, your name or your server's hostname) []:DOMAIN.TLD
A wildcard entry does not cover the bare domain; add DNS:DOMAIN.TLD to the list if DOMAIN.TLD itself must validate. Modern clients match against the SAN only, not the Common Name.

CSR SAN cert
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr -addext "subjectAltName = DNS:SITE1.DOMAIN.TLD,DNS:SITE2.DOMAIN.TLD"
Common Name (eg, your name or your server's hostname) []:DOMAIN.TLD

CSR with encrypted key
openssl req -new -sha256 -newkey rsa:4096 -keyout KEY-FILE.enc.key -out CSR-FILE.csr

CSR with unencrypted key
openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout KEY-FILE.key -out CSR-FILE.csr

Add encryption to key
openssl rsa -aes256 -in KEY-FILE.key -out KEY-FILE.enc.key

Remove encryption from key
openssl rsa -in KEY-FILE.enc.key -out KEY-FILE.key

Self sign cert
openssl x509 -req -days 365 -in CSR-FILE.csr -signkey KEY-FILE.key -out CRT-FILE.crt
x509 -req does not carry the CSR's extensions (including the SAN) into the certificate. On OpenSSL 3.x add -copy_extensions copy; on 1.1.1 pass them again with -extfile FILE, where FILE contains e.g. subjectAltName = DNS:*.DOMAIN.TLD

Full pem
cat KEY-FILE.key >> CRT-FILE.pem
cat CRT-FILE.crt >> CRT-FILE.pem
cat INT-CA-FILE.crt >> CRT-FILE.pem
cat ROOT-CA-FILE.crt >> CRT-FILE.pem
Order matters: leaf cert first, then intermediates, then the root. >> appends, so start with a CRT-FILE.pem that does not exist yet. Only include the key when the consumer expects it in the bundle (e.g. the PKCS12 export or HAProxy); never hand a bundle containing the key to a third party.

Export PEM to PKCS12/P12/PFX
openssl pkcs12 -export -in CRT-FILE.pem -out CRT-FILE.p12

Export P12 to PEM
openssl pkcs12 -in CRT-FILE.p12 -out CRT-FILE.pem -nodes
-nodes writes the private key unencrypted (OpenSSL 3.x also spells it -noenc). Add -legacy if the P12 was created by OpenSSL 1.x (RC2/3DES based PBE) and you are reading it with 3.x; this needs the legacy provider to be available.

Export to PKCS7/P7B
openssl crl2pkcs7 -nocrl -certfile CRT-FILE.pem -out CRT-FILE.p7b

Convert from binary to base64
openssl base64 -in CRT-FILE.p12
Output goes to stdout unless -out is given; add -d to decode back to binary.

View certificate contents
openssl x509 -in CRT-FILE.crt -text -noout -purpose
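The CSR SAN, self-sign, view and PKCS12 entries above are easy to get subtly wrong in combination: the SAN from the CSR is silently dropped by x509 -req, and a P12 export is only useful if the key inside really is the one you meant. The script below is an added example, not code from the original page; it ties those steps together and checks the result at each stage. It assumes openssl 1.1.1 or newer on PATH; example.test, the file names server.key/server.csr/server.crt/server.p12 and the export password changeit are placeholders chosen here, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): SAN CSR -> self-signed cert that
# actually carries the SAN -> inspection -> PKCS#12 round trip.
# Assumptions: openssl 1.1.1 or newer on PATH; example.test, the server.*
# file names and the password "changeit" are placeholders, not page values.
set -eu

# A wildcard entry does not match the bare domain, so list both.
SAN='DNS:*.example.test,DNS:example.test'

# Key and CSR in one step: unencrypted key (-nodes), non-interactive subject (-subj).
# The page uses rsa:4096; 2048 keeps this example quick to run.
make_csr() {
    dir=$1
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=example.test" -addext "subjectAltName=$SAN" 2>/dev/null
}

# `openssl x509 -req` drops the extensions in the CSR unless told otherwise, so
# the SAN is supplied again through -extfile (works on 1.1.1 and 3.x; on 3.x
# alone, -copy_extensions copy would pull it from the CSR instead).
self_sign() {
    dir=$1
    printf 'subjectAltName=%s\n' "$SAN" > "$dir/san.ext" &&
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if the certificate $1 contains the literal SAN entry $2
# (e.g. DNS:example.test); a cert signed without -extfile fails this check.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF -- "$2"
}

# Bundle key + cert as PKCS#12, extract them again, and prove the extracted
# private key is the original by comparing public-key fingerprints.
p12_roundtrip() {
    dir=$1
    cat "$dir/server.key" "$dir/server.crt" > "$dir/full.pem" &&
    openssl pkcs12 -export -in "$dir/full.pem" -name example.test \
        -passout pass:changeit -out "$dir/server.p12" &&
    openssl pkcs12 -in "$dir/server.p12" -passin pass:changeit -nodes \
        -out "$dir/from-p12.pem" 2>/dev/null || return 1
    a=$(openssl pkey -in "$dir/server.key" -pubout | openssl sha256)
    b=$(openssl pkey -in "$dir/from-p12.pem" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

main() {
    work=$(mktemp -d)
    make_csr "$work"
    self_sign "$work"
    cert_has_san "$work/server.crt" 'DNS:example.test' && echo "SAN survived self-signing"
    openssl x509 -in "$work/server.crt" -noout -subject -dates
    p12_roundtrip "$work" && echo "PKCS#12 round trip kept the same key"
    rm -rf "$work"
}
main
```

Drop the -extfile line from self_sign and cert_has_san fails, which is exactly the mistake the plain "Self sign cert" one-liner makes; the -text grep is a cheap way to catch it before a client does.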

View certificate chain
openssl s_client -showcerts -servername SITE.DOMAIN.TLD -connect SITE.DOMAIN.TLD:443 </dev/null
-servername sends SNI; without it a server hosting several sites may return the wrong certificate. </dev/null closes the session instead of waiting on stdin.

Specify the config file to use
*Only some subcommands (req, ca, ts) accept the option; append it to those commands. For anything else, point the OPENSSL_CONF environment variable at the file.*
-config openssl.cfg
*Example*
openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout KEY-FILE.key -out CSR-FILE.csr -config openssl.cfg

Encrypt and decrypt file

#generate key (-hex keeps it to one printable line: -pass file: only reads the first line of the file, so raw random bytes containing a newline would silently shorten the password)
openssl rand -hex 32 -out secret.key
vim passwords.txt
#encrypt file (-pbkdf2: without it enc derives the key from a single hash iteration and warns; CBC gives confidentiality only, tampering is not detected)
openssl aes-256-cbc -pbkdf2 -in passwords.txt -out passwords.txt.enc -pass file:secret.key
#encrypt key with the SSH public key, converted to PKCS#8 PEM on the fly
openssl rsautl -encrypt -oaep -pubin -inkey <(ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PKCS8) -in secret.key -out secret.key.enc
#rsautl is deprecated in OpenSSL 3.x; the replacement is pkeyutl -encrypt/-decrypt with -pkeyopt rsa_padding_mode:oaep
#decrypt key (openssl can only read PEM private keys; a newer OpenSSH-format key must first be converted with: ssh-keygen -p -m PEM -f ~/.ssh/id_rsa)
openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa -in secret.key.enc -out new-secret.key
#decrypt file (same -pbkdf2 as when encrypting)
openssl aes-256-cbc -d -pbkdf2 -in passwords.txt.enc -out new-passwords.txt -pass file:new-secret.key
cat new-passwords.txt

From: https://bjornjohansen.no/encrypt-file-using-ssh-key

PKCS#5 vs PKCS#8
https://github.com/kjur/jsrsasign/wiki/Tutorial-for-PKCS5-and-PKCS8-PEM-private-key-formats-differences

linux/openssl.txt · Last modified: 2023/08/10 22:11 by tingalls