Title here
Summary here
A cheat sheet of common OpenSSL commands.
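#
# Viewing/Parsing
#
# Parse a certificate to view its contents:
openssl x509 -text -noout -in certificate.pem
# Parse a CSR to view its contents:
openssl req -text -noout -in csr.req
# Parse a DER-encoded CRL to view its contents:
openssl crl -text -noout -inform DER -in myca.crl
# Parse a DER-encoded PKCS7 (.p7c) file to view its contents:
openssl pkcs7 -print_certs -noout -inform DER -in myca-chain.p7c
# Parse a PKCS12 (.p12/.pfx) file to view its contents.
# NOTE: -info also emits the private key(s) held in the bundle, re-encrypted
# under a PEM passphrase you are prompted for. Add -nokeys when only the
# certificates need inspecting, and keep this output out of shared logs.
# - Normal
openssl pkcs12 -info -in certs.p12
# - Legacy (OpenSSL 3.x: loads the legacy provider, needed for bundles
#   protected with older algorithms such as RC2-40)
openssl pkcs12 -info -legacy -in certs.p12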
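#
# Generating/Encrypting RSA/EC Keys
#
# The unencrypted variants write a plaintext private key to disk: keep the
# file readable by its owner only (e.g. work under `umask 077`) and prefer the
# encrypted variants whenever the key is stored long-term or moved between hosts.
# The -aes256 variants prompt for the passphrase interactively; avoid supplying
# it as `-passout pass:...`, which exposes it in the process list and shell history.
# Generate an RSA key:
openssl genrsa -out rsa.key 4096
# Generate an encrypted RSA key:
openssl genrsa -aes256 -out encrypted_rsa.key 4096
# Encrypt an existing RSA key (the plaintext rsa.key is left in place; remove
# it once the encrypted copy has been verified):
openssl rsa -aes256 -in rsa.key -out encrypted_rsa.key
# Generate an EC key (-noout suppresses the EC PARAMETERS block so the file
# holds only the private key, which some parsers require):
openssl ecparam -genkey -noout -name secp384r1 -out ec.key
# Generate an encrypted EC key (the plaintext key only ever exists in the pipe):
openssl ecparam -genkey -noout -name secp384r1 | openssl ec -aes256 -out encrypted_ec.key
# Encrypt an existing EC key (the plaintext ec.key is left in place; remove it
# once the encrypted copy has been verified):
openssl ec -aes256 -in ec.key -out encrypted_ec.key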
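#
# Generating a CSR or Certificate
#
# The -subj values below are placeholders. C must be a two-letter ISO 3166
# country code, so replace every field before running the command.
# Generate a CSR (cert.key is an existing private key):
openssl req -key cert.key -new -out cert.req -subj '/CN=CommonName/OU=OrganizationalUnit/O=Organization/ST=StateOrProvince/L=Locality/C=CountryCode'
# Generate a Self Signed Certificate:
# NOTE: no subjectAltName is set here. Modern TLS clients match hostnames
# against the SAN rather than the CN, so for a server certificate add e.g.
# -addext 'subjectAltName=DNS:<hostname>' (OpenSSL 1.1.1+). A self-signed
# certificate is only trusted where it has been explicitly installed or pinned.
openssl req -new -x509 -days 365 -sha384 -key cert.key -out cert.crt -subj '/CN=CommonName/OU=OrganizationalUnit/O=Organization/ST=StateOrProvince/L=Locality/C=CountryCode'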
#
# Checking OCSP
#
# Option order matters: -issuer must come before the -cert / -serial it applies to.
# -no_nonce omits the nonce extension from the request, so freshness of the
# answer rests on the thisUpdate/nextUpdate fields shown by -text; check them.
# The responder URL is plain HTTP: integrity comes from the signature on the
# response, not the transport. Trust the status only when the output reports
# "Response verify OK"; if verification fails, supply the trust chain with
# -CAfile rather than disabling verification.
# Check OCSP:
openssl ocsp -issuer intermediate_wr2.crt -url http://o.pki.goog/wr2 -text -no_nonce -cert google.com.crt
# Check OCSP via Serial Number (hex serial of the certificate, 0x-prefixed):
openssl ocsp -issuer intermediate_wr2.crt -url http://o.pki.goog/wr2 -text -no_nonce -serial 0xDF5B691B21764A32121C2F378BE596D3
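#
# Verify CERT/CSR/KEY Match
#
# The files belong together when every digest in a group is identical.
# SHA-256 is used as the fingerprint instead of MD5: MD5 is collision-prone and
# may be unavailable under FIPS-restricted OpenSSL builds or policies.
# A matching digest only shows that the public components agree; to also check
# the private key's internal consistency, run
# `openssl pkey -check -noout -in cert.key` (OpenSSL 1.1.1+).
# Verify RSA Match:
# - RSA Certificate Modulus SHA-256 Hash
openssl x509 -modulus -noout -in cert.crt | openssl sha256
# - RSA CSR Modulus SHA-256 Hash
openssl req -modulus -noout -in cert.req | openssl sha256
# - RSA Key Modulus SHA-256 Hash
openssl rsa -modulus -noout -in cert.key | openssl sha256
# Verify EC Match:
# - EC Certificate Public Key SHA-256 Hash
openssl x509 -pubkey -noout -in cert.crt | openssl sha256
# - EC CSR Public Key SHA-256 Hash
openssl req -pubkey -in cert.req -noout | openssl sha256
# - EC Key Public Key SHA-256 Hash
openssl pkey -pubout -in cert.key | openssl sha256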