@phylake
Last active February 4, 2019 20:25
openssl help

About certificate formats

Encodings

.cer, .crt

A file with the extension .crt or .cer contains a single X.509 certificate encoded with DER (Distinguished Encoding Rules), a set of rules defined by the ASN.1 standard for formatting binary data.

.pem

Privacy Enhanced Mail (PEM) is a format for securing email using public key cryptography. It is a text-only encoding allowing it to be used in the headers of S/MIME messages.

.csr

A Certificate Signing Request is a message sent from an applicant to a Certificate Authority (CA). It includes identifying information such as distinguished name, corp/org name, location information, as well as the public key of the certificate to be signed.

.p7b, .p7c, .p7s

Files with a .p7b extension have a Public Key Cryptography Standard #7 (PKCS#7) message containing one or more X.509 certificates. The S/MIME secure mail standard uses PKCS#7 for its digitally signed and encrypted messages.

.p12, .pfx

Files with a .p12 extension use an encrypted file format conforming to the Public Key Cryptography Standard #12 (PKCS#12). This is a portable format for storing or transporting a user's private keys, certificates, and miscellaneous secrets. The standard supports direct transfer of personal information under several privacy and integrity modes, ranging from public/private keys down to the lower security of password-based privacy.

openssl examples

CSR

create your own CA

openssl req -new -nodes -x509 -keyout ca-key.pem -out ca-cert.pem -days 365 -config openssl.conf -extensions v3_ca

sign your own CA (optional additional step)

openssl x509 -in ca-cert.pem -days 365 -out ca-cert.crt -signkey ca-key.pem

create user CSR

openssl req -new -nodes -keyout my-key.pem -out my-csr.pem -config openssl.conf

sign user CSR with CA

the order of these parameters matters: -infiles must come last, because every argument after it is read as a CSR file

openssl ca -out my-cert.pem -days 365 -config openssl.conf -infiles my-csr.pem
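
The commands above depend on an openssl.conf that the gist does not show. The script below is an added example, not part of the original gist: it writes a minimal config, runs the CA, CSR and signing steps in a scratch directory, and verifies the result. The config contents, subject names and the write_conf/ca_demo helpers are assumptions constructed for illustration.

```shell
# Added example: CA -> CSR -> signed certificate in a scratch directory.
# Config contents and subject names are constructed for illustration.
write_conf() {
cat > openssl.conf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = .
database      = $dir/index.txt
serial        = $dir/serial
new_certs_dir = $dir/newcerts
certificate   = $dir/ca-cert.pem
private_key   = $dir/ca-key.pem
default_md    = sha256
policy        = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

ca_demo() (
    work=$(mktemp -d) && cd "$work" || exit 1
    trap 'rm -rf "$work"' EXIT
    write_conf
    # State files that `openssl ca` expects to exist before the first signing.
    mkdir newcerts && : > index.txt && echo 01 > serial
    # 1. Self-signed CA; -nodes leaves the key unencrypted (throwaway CA only).
    openssl req -new -nodes -x509 -keyout ca-key.pem -out ca-cert.pem -days 365 \
        -config openssl.conf -extensions v3_ca -subj "/CN=Constructed Test CA" 2>/dev/null
    # 2. User key and CSR (a CSR carries no validity period, so no -days).
    openssl req -new -nodes -keyout my-key.pem -out my-csr.pem \
        -config openssl.conf -subj "/CN=user.example.test" 2>/dev/null
    # 3. Sign the CSR; -batch skips the prompts and -infiles stays last.
    openssl ca -batch -out my-cert.pem -days 365 -config openssl.conf \
        -infiles my-csr.pem >/dev/null 2>&1
    # 4. Check that the issued certificate chains to the CA.
    openssl verify -CAfile ca-cert.pem my-cert.pem
)
```

Calling ca_demo prints the output of openssl verify for the issued certificate; the scratch directory is removed when the function exits.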

Various

create private key encrypted with triple DES

openssl genrsa -des3 -out my-private-key.pem -rand /dev/random 2048

create pkcs12

openssl pkcs12 -export -in my-cert.pem -inkey my-private-key.pem -name "First Last" -out my-cert.p12 -rand /dev/random

extract public key portion of private key

openssl rsa -in my-private-key.pem -pubout -out my-public-key.pub

encrypt a file using a public key

openssl rsautl -encrypt -inkey my-public-key.pub -pubin -in encryptme.txt -out encryptme.txt.encrypted

decrypt a file using private key

openssl rsautl -decrypt -inkey my-private-key.pem -in encryptme.txt.encrypted -out encryptme.txt
