Skip to content

Instantly share code, notes, and snippets.

@marceloalmeida

marceloalmeida/README.md

Last active Feb 25, 2021
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Certificates cheat sheet
Raw
README.md

Certificates cheat sheet

Generate Certificate and sign

Generate private key

openssl genrsa -out test.com.key 4096

Create ssl.conf

cat > ssl.conf <<-EOF
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = PT
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Porto
localityName                   = Locality Name (eg, city)
localityName_default           = Porto
organizationName               = Organization Name (eg, company)
organizationName_default       = Marcelo Almeida
organizationalUnitName         = Organizational Unit Name
organizationalUnitName_default = Marcelo Almeida CA
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_max                 = 64
commonName_default             = malmeida.dev

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = malmeida.dev
DNS.2   = www.malmeida.dev
EOF

Generate CSR

openssl req -new -key test.com.key -config ssl.conf -out test.com.csr

Read CSR

openssl req -text -noout -in test.com.csr

Sign certificate with with our intermediate key

openssl x509 -req -in test.com.csr -CA bundle.crt -CAkey ca-sre-key.pem -CAcreateserial -out test.com.crt -days 500 -sha256 -extensions req_ext -extfile ssl.conf

Generate certificate bundle

cat bundle.crt >> test.com.crt

View certificate

openssl x509 -in test.com.crt -text -noout

Add root CA to jks

curl -s -L https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Primary_CA.pem | keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias GeoTrust_Primary_CA -file /dev/stdin

Verify Certificate against CA

openssl verify -verbose -CAfile cacert.pem  test.com.crt

Verify server certificate

echo |openssl s_client -showcerts -servername github.com -connect github.com:443 | openssl x509 -text

Check If Certificate, Private Key and CSR Match

openssl x509 -in test.com.crt -noout -modulus | openssl sha1
openssl rsa -in test.com.key -noout -modulus | openssl sha1
openssl req -noout -modulus -in test.com.csr | openssl sha1

Check certificate fingerprint

openssl x509 -noout -fingerprint -sha256 -inform pem -in test_com.crt

Print full chain

openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout # -text
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment