@marceloalmeida
Last active August 21, 2023 14:08
Certificates cheat sheet

Generate a certificate and sign it with a private CA

The test.com.* file names used below are only labels. The identity a client actually checks is the commonName and, above all, the subjectAltName entries configured in ssl.conf.

Generate private key

openssl genrsa -out test.com.key 4096

Create ssl.conf

cat > ssl.conf <<'EOF'
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = PT
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Porto
localityName                   = Locality Name (eg, city)
localityName_default           = Porto
organizationName               = Organization Name (eg, company)
organizationName_default       = Marcelo Almeida
organizationalUnitName         = Organizational Unit Name
organizationalUnitName_default = Marcelo Almeida CA
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_max                 = 64
commonName_default             = malmeida.dev

# Extensions placed in the CSR. They only end up in the certificate if the
# signer asks for them explicitly (-extfile/-extensions when signing).
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

# Modern clients ignore the CN and match the host name against these only.
[alt_names]
DNS.1   = malmeida.dev
DNS.2   = www.malmeida.dev
EOF

Generate CSR

openssl req -new -key test.com.key -config ssl.conf -out test.com.csr

Read CSR

openssl req -text -noout -in test.com.csr

Sign the CSR with our intermediate key

openssl x509 -req -in test.com.csr -CA bundle.crt -CAkey ca-sre-key.pem -CAcreateserial -out test.com.crt -days 500 -sha256 -extensions req_ext -extfile ssl.conf

-CA bundle.crt uses the first certificate in that file as the issuer, so it must be the one that matches -CAkey. -extensions req_ext -extfile ssl.conf is not optional: openssl x509 -req does not copy extensions from the CSR (OpenSSL 3 adds -copy_extensions copy as an alternative), and without it the certificate is issued with no SAN, which current browsers reject. 500 days is acceptable for a private CA; publicly trusted certificates are capped at 398 days.

Generate certificate bundle

cat bundle.crt >> test.com.crt

Order matters: the leaf first, then the issuing intermediate(s). bundle.crt should contain the intermediate chain only; the root belongs in the client's trust store, not in the chain a server sends.

View certificate

openssl x509 -in test.com.crt -text -noout
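The steps above as one runnable script, added here as an example and not part of the original gist: it builds a root CA, an intermediate and a leaf with SANs, assembles the served bundle, and then verifies the result the way a TLS client would. The scratch directory, the file names (root.*, int.*, leaf.*) and the CA names are assumptions chosen for the demo; the host names are the ones from ssl.conf.

```shell
#!/bin/sh
# Added example, not part of the original gist: the steps above run end to
# end (root CA -> intermediate -> leaf with SANs -> served bundle -> verify),
# with the extensions a modern TLS client expects. The scratch directory,
# file names (root.*, int.*, leaf.*) and CA names are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config with a section per certificate role. `openssl x509 -req` does
# not copy extensions out of the CSR, so every extension the certificate needs
# (SANs included) must be named through -extfile/-extensions at signing time.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = placeholder

[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:malmeida.dev, DNS:www.malmeida.dev
EOF

# 2048-bit keys keep the demo quick; the cheat sheet's 4096 works the same way.
for n in root int leaf; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done

# Self-signed root (the -subj overrides the placeholder CN in demo.cnf).
openssl req -x509 -new -key root.key -sha256 -days 3650 -config demo.cnf \
  -extensions v3_root -subj "/CN=Demo Root CA" -out root.crt

# Intermediate: CSR, then signed by the root with CA extensions and pathlen:0.
openssl req -new -key int.key -config demo.cnf -subj "/CN=Demo Intermediate CA" -out int.csr
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -sha256 \
  -days 1825 -extfile demo.cnf -extensions v3_intermediate -out int.crt 2>/dev/null

# Leaf: CSR, then signed by the intermediate. 398 days is the public CA/B Forum
# cap; a private CA may issue longer, but short lifetimes bound a leaked key.
openssl req -new -key leaf.key -config demo.cnf -subj "/CN=malmeida.dev" -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -sha256 \
  -days 398 -extfile demo.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null

# Bundle as a TLS server should send it: leaf first, then the intermediate.
# The root is deliberately left out; relying parties already have it.
cat leaf.crt int.crt > leaf-chain.crt

# `openssl verify` trusts only -CAfile; intermediates go in -untrusted.
# -purpose and -verify_hostname make it apply the checks a browser applies.
verify_leaf() {  # $1 = host name expected in the SANs
  openssl verify -CAfile root.crt -untrusted int.crt -purpose sslserver \
    -verify_hostname "$1" leaf.crt >/dev/null 2>&1
}

# Without -untrusted the chain cannot be built ("unable to get local issuer
# certificate"), even though int.crt sits right there on disk.
verify_leaf_without_intermediate() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Confirms the signed certificate really carries a SAN, i.e. -extfile worked.
leaf_has_san() {  # $1 = DNS name
  openssl x509 -in leaf.crt -noout -text | grep -qF "DNS:$1"
}

verify_leaf www.malmeida.dev && echo "leaf chain verifies for www.malmeida.dev"
verify_leaf_without_intermediate || echo "verify without -untrusted fails, as expected"
leaf_has_san www.malmeida.dev && echo "SAN present in leaf.crt"
```

Run it as-is; it cleans up after itself. The two negative cases are the ones that bite in practice: a leaf signed without -extfile has no SAN and fails -verify_hostname, and openssl verify without -untrusted cannot find the issuer even when the intermediate is appended to the leaf file.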

Add a root CA to a Java trust store (jks)

curl -s -L https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Primary_CA.pem | keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias GeoTrust_Primary_CA -file /dev/stdin

cacerts here is whatever keystore path you pass (the JVM's own lives under $JAVA_HOME/lib/security/cacerts, default password changeit). -noprompt skips the "Trust this certificate?" confirmation, so compare the downloaded file's SHA-256 fingerprint with the CA's published value before importing anything fetched over the network.

Verify a certificate against a CA

openssl verify -verbose -CAfile cacert.pem  test.com.crt

cacert.pem must hold the trust anchor (the root). openssl verify parses only the first certificate in test.com.crt, so an intermediate appended to it is ignored; supply intermediates with -untrusted bundle.crt. Adding -purpose sslserver and -verify_hostname www.malmeida.dev makes it apply the same checks a TLS client would.

Fetch and inspect a server certificate

echo |openssl s_client -showcerts -servername github.com -connect github.com:443 | openssl x509 -text -noout

The echo closes s_client's stdin so it exits after the handshake; -servername sends SNI, without which many hosts return a default certificate. openssl x509 prints only the first PEM block, the leaf. To see whether the chain actually validated, drop the final pipe and read the "Verify return code" line (0 means OK against the local trust store; -CAfile points s_client at a different one).

Check whether a certificate, private key and CSR match

openssl x509 -in test.com.crt -noout -modulus | openssl sha256
openssl rsa -in test.com.key -noout -modulus | openssl sha256
openssl req -noout -modulus -in test.com.csr | openssl sha256

All three hashes must be identical. This works for RSA keys only, since the modulus is an RSA-specific field; for EC or Ed25519 compare the public keys instead (openssl pkey -pubout for the key, -pubkey for the CSR and the certificate).
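A key-type-independent version of the match check above, added here as an example and not part of the original gist: instead of the RSA-only modulus it hashes the DER-encoded public key (SubjectPublicKeyInfo), which gives one answer for RSA, EC and Ed25519 alike. The scratch directory, the file names and the constructed keys are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original gist: a key/CSR/certificate match check
# that does not depend on the key type. The -modulus comparison above exists
# only for RSA; hashing the DER-encoded public key (SubjectPublicKeyInfo) gives
# one answer for RSA, EC and Ed25519. File names are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > min.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = malmeida.dev
EOF

# Constructed inputs: an EC P-256 key and an RSA key, each with a CSR and a
# self-signed certificate, plus an unrelated EC key that must not match.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ec.key 2>/dev/null
openssl genrsa -out rsa.key 2048 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out other.key 2>/dev/null
for n in ec rsa; do
  openssl req -new -key "$n.key" -config min.cnf -out "$n.csr"
  openssl req -x509 -new -key "$n.key" -config min.cnf -days 30 -out "$n.crt"
done

# Emit the public key (PEM) from a private key, a CSR or a certificate.
pubkey_pem() {
  case "$1" in
    *.key) openssl pkey -in "$1" -pubout ;;
    *.csr) openssl req  -in "$1" -noout -pubkey ;;
    *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    *)     echo "unsupported file: $1" >&2; return 1 ;;
  esac
}

# SHA-256 over the DER SubjectPublicKeyInfo. Re-encoding through `openssl pkey`
# normalises the input, so PEM line wrapping cannot cause a false mismatch.
pubkey_fp() {
  pubkey_pem "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if every file given carries the same public key.
same_key() {
  ref=$(pubkey_fp "$1"); shift
  for f in "$@"; do
    [ "$(pubkey_fp "$f")" = "$ref" ] || return 1
  done
}

same_key ec.key  ec.csr  ec.crt  && echo "ec.key / ec.csr / ec.crt match"
same_key rsa.key rsa.csr rsa.crt && echo "rsa.key / rsa.csr / rsa.crt match"
same_key ec.key other.key || echo "ec.key vs other.key: mismatch, as expected"
```

The same fingerprint is what HPKP-style pinning and many inventory tools record, so pubkey_fp doubles as a way to confirm that a renewed certificate still uses the key you pinned.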

Check certificate fingerprint

openssl x509 -noout -fingerprint -sha256 -inform pem -in test.com.crt

Use the SHA-256 fingerprint when confirming a certificate out of band or pinning it; many tools still display SHA-1 fingerprints, which should not be relied on for identity.

Print every certificate in a bundle

openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout # -text

openssl x509 shows only the first PEM block of a file; wrapping the bundle in a PKCS#7 structure lets pkcs7 -print_certs list the subject and issuer of each certificate (add -text for the full dump).

Convert PEM to PFX (PKCS#12) without private key

openssl pkcs12 -export -nokeys -in certificate.cer -out pkcs12.pfx

-nokeys produces a certificate-only PFX, for example to distribute a CA bundle; drop it and add -inkey key.pem to package the private key alongside the certificate.

Display information of PFX / P12 file

openssl pkcs12 -in pkcs12.pfx -info

Prints the MAC and encryption parameters, then the contents. Without -nokeys (or -noout) the private key is written to the terminal as well, so prefer those flags when only inspecting.