CERTIFICATE COMMANDS

Certificate Commands
Convert pUTTy ppl file to a hash for cracking with John The Ripper

putty2john private.ppk > private.hash

Convert a Password Protected SSH Key to a John The Ripper Hash for Cracking

/usr/share/john/ssh2john.py ~/.ssh/id_rsa > id_rsa.hash

Create a Signing Request Using A Domains CA

1.) Create Key and Certificate Signing Request:

openssl req -newkey rsa:4096 -keyout <user key> -out <user csr> -nodes -days 365 -subj "/CN=<name>"`

2.) Sign CSR With CA:

openssl  x509 -req -in <user csr> -CA <ca cert> -CAkey <ca  key> -out <signed user cert> -set_serial 01 -days 365

3.) Convert To PKCS12 For Use In Browsers As Client Certificate:

openssl pkcs12 -export -clcerts -in <signed user cert> -inkey <user key> -out <user>.p12

USEFUL COMMANDS

Generate Private Key

openssl genrsa -out yourdomain.key 2048

View Private Keys Contents

openssl rsa -text -in yourdomain.key -noout

Extract Public Key

openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key

Create Signing Request

openssl req -new -key yourdomain.key -out yourdomain.csr

OR

openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

VERIFY CSR

openssl req -text -in yourdomain.csr -noout -verify

VIEW CONTENTS OF CERTIFICATE

openssl x509 -text -in yourdomain.crt -noout

VERIFY KEYS MATCH

openssl rsa -modulus -in yourdomain.key -noout | openssl sha256

AND

openssl req -modulus -in yourdomain.csr -noout | openssl sha256

AND

openssl x509 -modulus -in yourdomain.crt -noout | openssl sha256

GENERATE SELF SIGNED CERT

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

CREATE CSR FOR EXISTING PRIVATE KEY

openssl req -out CSR.csr -key privateKey.key -new

GENERATE SIGNING REQUEST ON EXISTING CERTIFICATE

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

REMOVE PASSWORD FROM PRIVATE KEY

openssl rsa -in privateKey.pem -out newPrivateKey.pem

USE OPENSSL TO CHECK CONNECTION

openssl s_client -connect roberthosborne.com:443

================================

CONVERSIONS

================================

PEM to PKCS12

openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \
-out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt

PKCS12 to PEM

openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes

Extract Certificate from PKCS12 and Convert It To PEM

openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt

PEM to DER

openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der

PEM Private to DER Private

openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der

DER to PEM

openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt

DER Private to PEM Private

openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key