@arpitjindal97
Last active March 9, 2024 16:29

Generating Private Key & Self-Signed Certificate

Below are the different ways to do this.

Generate a certificate from an existing private key

openssl req -key private.key -new -x509 -days 1460 -out domain.crt

Generate private key and self-signed certificate together

openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout private.key -days 365 -out domain.crt

Now you have the private key and certificate in PEM format (ASCII).

Bundling Private key & Certificate

The private key and certificate can be bundled into a single file: JKS, P12, or PEM (unencrypted).

Create P12 file from private key and certificate

A P12 file is also called PFX.

openssl pkcs12 -export -name arpit -in domain.crt -inkey private.key -out keystore.p12

Create JKS from private key and certificate

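Not possible directly: keytool cannot import a separate private key file. Create a P12 first, then convert it to JKS.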

Convert P12 to JKS

keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias arpit

Convert P12 to PEM

openssl pkcs12 -in keystore.p12 -out keystore.pem -nodes

Create JKS

This creates the private key on the fly.

keytool -genkey -keyalg RSA -alias arpit -keystore keystore.jks -validity 1460 -keysize 2048

Convert JKS to P12

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12

Unbundling various archives

Extract Certificate from JKS

keytool -exportcert -rfc -alias arpit -keystore keystore.jks -file domain.crt

Extract Private Key from PKCS12

openssl pkcs12 -in keystore.p12 -nocerts -out private.key

Extract Certificate from PKCS12

openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out domain.pem

Utility commands

Generate 4096 bits RSA private key

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096

Remove password from Private key

openssl rsa -in id_rsa -out id_rsa_new

List details of JKS

keytool -v -list -keystore keystore.jks

View details of certificate

keytool -printcert -file domain.crt
openssl x509 -text -in domain.crt

View Details of P12 file

keytool -list -keystore keystore.p12 -storetype PKCS12 -v

View details of CSR

openssl req -noout -text -in server.csr

Authorities Concept

A CRT/CERT contains information about "Issued to" and "Issued By".

The authority ("Issued By") is called a CA (Certificate Authority).

Certificate Signing Flow

The buyer generates a CSR using his private key, filling in CN (Common Name) with the IP address or domain.

openssl req -new -key client.key -out client.csr

He gives this CSR to a trusted authority ("Issued By"). The authority will already have generated its own CERT and private key, with its company name as the CN.

The authority signs your CSR with its CERT and private key.

If you are an authority, maintain the serial number order.

Below is the command they use to sign your CSR

openssl x509 -req -days 1460 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

client.crt is then emailed to the buyer.
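
The flow above as one script, added here as an example that is not part of the original gist: it plays the authority, the buyer and a verifier in a scratch directory, then checks that the issued certificate matches the buyer's key and chains to the CA. It goes one step beyond the text by setting a subjectAltName at signing time, because current browsers match host names against the SAN rather than the CN. The names Demo CA, app.example.test, req.cnf and san.ext are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the gist: both sides of the CSR signing flow.
# Demo CA, app.example.test, req.cnf and san.ext are constructed names.

write_cnf() {  # $1 = work dir; own config so the system openssl.cnf is not needed
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$1/req.cnf"
}

make_ca() {  # authority: self-signed CA certificate (ca.crt) and key (ca.key)
  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -extensions v3_ca -subj "/CN=Demo CA" -keyout "$1/ca.key" -days 30 \
    -out "$1/ca.crt" 2>/dev/null
}

make_csr() {  # buyer: $2 = host name that goes into the CN
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/client.key" 2>/dev/null
  openssl req -new -config "$1/req.cnf" -key "$1/client.key" -subj "/CN=$2" \
    -out "$1/client.csr"
}

sign_csr() {  # authority: $2 = host name, $3 = serial number
  # x509 -req does not copy CSR extensions by default, so the SAN is set here.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -sha256 -days 30 -in "$1/client.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -set_serial "$3" -extfile "$1/san.ext" \
    -out "$1/client.crt" 2>/dev/null
}

key_matches_cert() {  # buyer: returned cert must carry client.key's public key
  [ "$(openssl pkey -in "$1/client.key" -pubout)" = \
    "$(openssl x509 -in "$1/client.crt" -noout -pubkey)" ]
}

chain_ok() {  # relying party: cert chains to ca.crt and names host $2
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/client.crt" \
    >/dev/null 2>&1
}

cert_serial() { openssl x509 -in "$1/client.crt" -noout -serial; }

run_flow() {  # $1 = host name, $2 = serial; prints the scratch directory
  w=$(mktemp -d) && write_cnf "$w" && make_ca "$w" && make_csr "$w" "$1" &&
    sign_csr "$w" "$1" "$2" && echo "$w"
}

d=$(run_flow app.example.test 01) && key_matches_cert "$d" &&
  chain_ok "$d" app.example.test && cert_serial "$d"
```

The scratch directory holds unencrypted private keys, so delete it once the checks have run.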

Let's Encrypt Concept

This authority provides signed certificates for free. In other words, it signs our CSR for free.

You will have to configure a DNS TXT record on a subdomain for this to work.

See https://serverfault.com/a/1012254

You can install the certbot command on your laptop

sudo certbot -d \*.msmartpay.in -d msmartpay.in --manual --preferred-challenges dns certonly

or use the Docker image

docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -p 80:80 certbot/certbot certonly

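Google Play Store Concept

Signing aab or apk

Google Play accepts files signed with the upload key.

Sign with an existing JKS file

Passwords passed with -storepass and -keypass on the command line are visible in shell history and the process list; if they are omitted, jarsigner prompts for them.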

jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore keystore.jks -storepass 'arpit_storepass' -keypass 'arpit_aliaspass' app-release.aab arpit_alias

jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore keystore.jks -storepass arpit1997 -keypass arpit1997 ~/Desktop/distributor.aab upload

Verify whether the aab or apk is signed

jarsigner -verify -certs -verbose app-release.aab