SSL-commands

Here is a really good page of openssl and keytool commands:

http://shib.kuleuven.be/docs/ssl_commands.shtml

convert DER to PEM

openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes

ssltap

for intercepting and displaying an SSL handshake



= A few frequently used SSL commands =

Using openssl (the keytool commands, included in recent Sun Java reference implementations, follow further down)

add -config (path to your config file) if your config file has not been set in the environment
 * generate a new private key and matching Certificate Signing Request (eg to send to a commercial CA)
 * openssl req -out MYCSR.csr -pubkey -new -keyout MYKEY.key
 * add -nodes to create an unencrypted private key


 * decrypt private key (writes an unencrypted copy; protect the output file accordingly)
 * openssl rsa -in MYKEY.key -out MYKEY-NOCRYPT.key


 * generate a certificate signing request for an existing private key
 * openssl req -out MYCSR.csr -key MYKEY.key -new


 * generate a certificate signing request based on an existing x509 certificate
 * openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key


 * create self-signed certificate (can be used to sign other certificates)
 * openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365


 * sign a Certificate Signing Request
 * openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365
 * -days has to be less than the remaining validity of the CA certificate


 * convert DER (.crt .cer .der) to PEM
 * openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem


 * convert PEM to DER
 * openssl x509 -outform der -in MYCERT.pem -out MYCERT.der


 * convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates
 * openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes
 * add -nocerts for the private key only; add -nokeys for the certificates only


 * convert (add) a separate key and certificate to a new keystore of type PKCS#12
 * openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat"


 * convert (add) a separate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)
 * openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain
 * you can repeat the combination of "-CAfile" and "-caname" for each intermediate certificate


 * check a private key
 * openssl rsa -in MYKEY.key -check
 * add -noout so the key itself is not printed


 * check a Certificate Signing Request
 * openssl req -text -noout -verify -in MYCSR.csr


 * check a certificate
 * openssl x509 -in MYCERT.crt -text -noout


 * check a PKCS#12 keystore
 * openssl pkcs12 -info -in KEYSTORE.p12

 * check the trust chain of a certificate
 * openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt
 * to check for server usage: add -purpose sslserver; to check for client usage: add -purpose sslclient
 * trust chain is in a directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/


 * debug an SSL connection [server doesn't require certificate authentication]
 * openssl s_client -connect idp.example.be:443
 * to send the STARTTLS command first (SMTP or POP3 style): add -starttls smtp or -starttls pop3


 * debug an SSL connection with mutual certificate authentication
 * openssl s_client -connect idp.example.be:8443 -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key
 * trust chain is in a directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/

keytool

keytool does not support management of private keys inside a keystore. You need to use another tool for that. If you are using the JKS format, that means you need another Java-based tool. extkeytool from the Shibboleth distribution can do this.

 * Create an empty keystore (generate a throw-away key, then delete it again)
 * keytool -genkey -alias foo -keystore truststore.jks
 * keytool -delete -alias foo -keystore truststore.jks
 * Generate a private key and an initial certificate as a JKS keystore
 * keytool -genkey -keyalg RSA -alias "selfsigned" -keystore KEYSTORE.jks -storepass "secret" -validity 360
 * you can also pass the data for the DN of the certificate as command-line parameters: -dname "CN=${pki-cn}, OU=${pki-ou}, O=${pki-o}, L=${pki-l}, S=${pki-s}, C=${pki-c}"


 * Generate a secret key that can be used for symmetric encryption. For this to work, you need to make use of a JCEKS keystore.
 * keytool -genseckey -alias "secret_key" -keystore KEYSTORE.jks -storepass "secret" -storetype "JCEKS"


 * Generate a Certificate Signing Request for a key in a JKS keystore
 * keytool -certreq -v -alias "selfsigned" -keystore KEYSTORE.jks -storepass "secret" -file MYCSR.csr


 * Import a (signed) certificate into a JKS keystore
 * keytool -import -keystore KEYSTORE.jks -storepass "secret" -file MYCERT.crt


 * add a public certificate to a JKS keystore, eg the JVM truststore
 * keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore MYSTORE.jks
 * If the JVM truststore contains your certificate or the certificate of the root CA that signed your certificate, then the JVM will trust and thus might accept your certificate. The default truststore already contains the root certificates of most commonly used commercial CAs. Use this command to add another certificate for trust:
 * keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore $JAVA_HOME/lib/security/cacerts
 * the default password of the Java truststore is "changeit".

if $JAVA_HOME is set to the root of the JDK, then the truststore is at $JAVA_HOME/jre/lib/security/cacerts. keytool does NOT support adding trust certificates to a PKCS12 keystore (which is very unfortunate but probably a good move to promote JKS).
 * delete a public certificate from a Java keystore (JKS; eg JVM truststore)
 * keytool -delete -alias "sensible-name-for-ca" -keystore $JAVA_HOME/lib/security/cacerts
 * the default password of the Java truststore is "changeit".

if $JAVA_HOME is set to the root of the JDK, then the truststore is at $JAVA_HOME/jre/lib/security/cacerts
 * List the certificates inside a keystore
 * keytool -list -v -keystore KEYSTORE.jks
 * -storetype pkcs12 can be used for a PKCS#12 keystore


 * Get information about a stand-alone certificate
 * keytool -printcert -v -file MYCERT.crt


 * Convert a JKS file to PKCS12 format (Java 1.6.x and above)
 * keytool -importkeystore -srckeystore KEYSTORE.jks -destkeystore KEYSTORE.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt

certutil

 * Add a PKCS12 to a Windows certificate store
 * certutil -p secret -importpfx KEYSTORE.p12

notes:

openssl for win32 can be downloaded at http://www.slproweb.com/products/Win32OpenSSL.html. Version v0.9.8 is known to cause problems in combination with Shibboleth SP v1.3!

keytool is a part of each Sun Java distribution (binary). You need it to manipulate the Java KeyStore (JKS) format.

hash format: the -CApath directory should contain each certificate that needs to be trusted. Each certificate's file name has to be its hash value followed by a number. On unix, execute "$ c_rehash ./" in that directory to create symlinks with the correct names. You can also do this manually with the -hash option of openssl x509 (see "openssl verify").
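The openssl commands above (self-signed CA, CSR, signing, verify with -purpose, PKCS#12 export with -chain, -nokeys) and the hash-format -CApath note, run as one end-to-end workflow. This is an added example, not part of the original page; the file names (ca.key, ca.crt, server.*, keystore.p12), the subject names and the password "secret" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: run the openssl commands above as
# one CA workflow in a scratch directory. All file names, subject names and the
# password "secret" are constructed for this demonstration.
set -e

ssl_workflow_demo() (
  work=$(mktemp -d)
  cd "$work"

  # 1. Self-signed CA certificate (the default config marks it CA:TRUE)
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
      -days 365 -subj "/CN=Demo CA" 2>/dev/null

  # 2. New private key and matching CSR; -nodes leaves the key unencrypted
  openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
      -subj "/CN=idp.example.be" 2>/dev/null

  # 3. Sign the CSR with the CA (-days must fit inside the CA's validity)
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -days 90 2>/dev/null

  # 4a. Check the chain against a chain file, requiring server usage
  openssl verify -CAfile ca.crt -purpose sslserver server.crt >/dev/null

  # 4b. Same check with a hash-format -CApath built by hand: the link name is
  #     the subject hash plus ".0", exactly what c_rehash would create
  mkdir cadir
  ln -s "$PWD/ca.crt" "cadir/$(openssl x509 -hash -noout -in ca.crt).0"
  openssl verify -CApath cadir -purpose sslserver server.crt >/dev/null

  # 5. Bundle key, certificate and chain into a PKCS#12 keystore (Tomcat style)
  openssl pkcs12 -export -in server.crt -inkey server.key -out keystore.p12 \
      -name tomcat -CAfile ca.crt -caname demoCA -chain -passout pass:secret

  # 6. Read the bundle back with -nokeys: only certificates come out, and the
  #    count (server + CA) shows that the chain really was included
  openssl pkcs12 -in keystore.p12 -nokeys -passin pass:secret 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE'

  cd / && rm -rf "$work"
)

ssl_workflow_demo   # prints 2
```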

please send remarks, corrections and other often used commands to [mailto:shib@kuleuven.net shib@kuleuven.net]

Authors: Brusten Philip & Van der Velpen Jan. Last modified: Wednesday, 17-Sep-2008 09:48:24 CEST