@vepetkov
Last active May 28, 2019 12:37
PKCS12 & JKS keystores from a signed cert, private key and DigiCert CA chain
# Concatenate the Root and SubCA certs from DigiCert
# to get the full certification chain
cat DigiCert_Global_Root_CA.pem DigiCertSHA2SecureServerCA.pem > DigiCertCA_Chain.pem
# Generate a new PKCS12 key store from the signed cert, the private key
# and the CA chain (every continued line needs a trailing backslash)
openssl pkcs12 -export \
-in my_cert_signed.crt \
-inkey my_cert_key.pem \
-chain -CAfile DigiCertCA_Chain.pem \
-name "my_cert" -out my_cert.keystore.p12
# Convert from PKCS12 to JKS
keytool -importkeystore \
-deststorepass:file my_cert.keystore.pass -destkeystore my_cert.keystore.jks \
-srckeystore my_cert.keystore.p12 -srcstoretype PKCS12 -srcstorepass:file my_cert.keystore.pass
# Show the contents of the final keystore
keytool -list -v -keystore my_cert.keystore.jks -storepass:file my_cert.keystore.pass
## Debug in case of issues
# Show contents of the CSR, the private key and the certs
openssl req -in my_cert.csr -text -noout
openssl rsa -in my_cert_key.pem -check
openssl x509 -in my_cert_self_signed.crt -text -noout
openssl x509 -in my_cert_signed.crt -text -noout
# Remove the pass from the key
openssl rsa -in [file1.key] -out [file2.key]
# Check the modulus hashes: they must be equal for the CSR, KEY & CERTs if they belong together
openssl req -noout -modulus -in my_cert.csr | openssl md5
openssl rsa -noout -modulus -in my_cert_key.pem | openssl md5
openssl x509 -noout -modulus -in my_cert_self_signed.crt | openssl md5
openssl x509 -noout -modulus -in my_cert_signed.crt | openssl md5
# Export PFX to Cert, Key & Chain (-chain only applies when exporting, so it is not needed here)
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.crt>
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.crt>
# Export the priv key without a pass
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
# Extract the cert chain directly from the server (stdin from /dev/null so s_client does not wait for input)
openssl s_client -connect your.dsm.name.com:8443 -showcerts </dev/null
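The following script is an added example and is not part of the gist. It exercises the two checks the gist relies on, the "does this key belong to this cert" modulus comparison and the PKCS12 export with an embedded chain, on throw-away material: a local test CA stands in for the DigiCert chain, the file names, the `changeit` password and the `$WORK` temp directory are assumptions, and the modulus is hashed with SHA-256 rather than MD5 (same comparison, just an algorithm that FIPS builds still allow).

```shell
#!/bin/sh
# Added example (not the gist's code). Requires only the openssl CLI.
set -eu

# All generated files go here (assumption: a fresh temp dir is fine).
WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: a private CA plus a leaf key/cert it signed,
# and one unrelated key to show the mismatch case.
make_test_material() {
  # CA key + self-signed CA cert (replaces the DigiCert Root/SubCA chain)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
  # leaf key + CSR, as a customer would hand to the CA
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/my_cert_key.pem" -out "$WORK/my_cert.csr" 2>/dev/null
  # the CA signs the CSR -> my_cert_signed.crt
  openssl x509 -req -in "$WORK/my_cert.csr" \
    -CA "$WORK/ca_cert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
    -days 30 -sha256 -out "$WORK/my_cert_signed.crt" 2>/dev/null
  # a key that has nothing to do with the cert
  openssl genrsa -out "$WORK/other_key.pem" 2048 2>/dev/null
}

# Hash of the RSA modulus, same idea as the gist's "check the modulus" block.
key_modulus_sum()  { openssl rsa  -noout -modulus -in "$1" | openssl sha256; }
cert_modulus_sum() { openssl x509 -noout -modulus -in "$1" | openssl sha256; }

# Prints "match" when key $1 and cert $2 share a modulus, "MISMATCH" otherwise.
key_matches_cert() {
  if [ "$(key_modulus_sum "$1")" = "$(cert_modulus_sum "$2")" ]; then
    echo match
  else
    echo MISMATCH
  fi
}

# Build the PKCS12 exactly as the gist does: key $1, signed cert $2, chain
# file $3 -> output $4, protected with password $5.
build_p12() {
  openssl pkcs12 -export -in "$2" -inkey "$1" \
    -chain -CAfile "$3" -name "my_cert" \
    -passout "pass:$5" -out "$4"
}

# Count the certificates stored in PKCS12 $1 (password $2): leaf + chain.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_test_material
echo "leaf key  vs signed cert: $(key_matches_cert "$WORK/my_cert_key.pem" "$WORK/my_cert_signed.crt")"
echo "other key vs signed cert: $(key_matches_cert "$WORK/other_key.pem"   "$WORK/my_cert_signed.crt")"
build_p12 "$WORK/my_cert_key.pem" "$WORK/my_cert_signed.crt" "$WORK/ca_cert.pem" \
  "$WORK/my_cert.keystore.p12" changeit
echo "certificates inside the PKCS12: $(p12_cert_count "$WORK/my_cert.keystore.p12" changeit)"
```

Run it as `sh build_p12_example.sh`; the first line should report `match`, the second `MISMATCH`, and the count should be 2 (the leaf plus the CA that `-chain` pulled in from `-CAfile`). With the real DigiCert chain the same `build_p12` call applies, with `DigiCertCA_Chain.pem` as the third argument; the `keytool -importkeystore` step from the gist then converts the resulting `.p12` unchanged.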