CERTIFICATES

Certificates and OpenSSL

Convert a PuTTY .ppk private key to a hash for cracking with John the Ripper

putty2john private.ppk > private.hash


Convert a Password-Protected SSH Key to a John the Ripper Hash for Cracking

/usr/share/john/ssh2john.py ~/.ssh/id_rsa > id_rsa.hash



Create and Sign a Client Certificate Using a Domain's CA


1.) Create Key and Certificate Signing Request:

openssl req -newkey rsa:4096 -keyout <user key> -out <user csr> -nodes -subj "/CN=<name>"

(req only honours -days together with -x509, so it was dropped here; the validity period is set by the CA in step 2. -nodes leaves the key unencrypted on disk.)


2.) Sign CSR With CA:

openssl x509 -req -in <user csr> -CA <ca cert> -CAkey <ca key> -out <signed user cert> -set_serial 01 -days 365

Two caveats. -set_serial 01 gives every certificate signed this way the same serial number, which breaks the one-serial-per-issuer rule and makes revocation by serial ambiguous; -CAcreateserial instead picks a random serial and tracks it in a .srl file next to the CA cert. Also, x509 -req does not copy extensions from the CSR, so the output certificate has none; for browser client authentication pass -extfile with a file containing extendedKeyUsage = clientAuth (and basicConstraints = CA:FALSE).


3.) Convert To PKCS12 For Use In Browsers As Client Certificate:

openssl pkcs12 -export -clcerts -in <signed user cert> -inkey <user key> -out <user>.p12

(-export prompts for an export password; the browser asks for the same password when the .p12 is imported.)
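The three steps above run end to end, as an added example that is not part of the original page. It stands up a throwaway CA in a temp directory so the result can be checked with openssl verify; the CA name (demo-ca), the client name and the export password are assumed for the demo, and it departs from the page's one-liners by using a random serial and an extension file for the leaf.

```shell
#!/bin/sh
# Added example: issue a browser client certificate from a (demo) domain CA.
# Assumed names: demo-ca for the CA, the client CN passed as $2, the password as $3.
set -eu

issue_client_cert() {
    # $1 = working directory, $2 = client name (used as CN), $3 = PKCS12 export password
    w=$1; cn=$2; pw=$3
    mkdir -p "$w"

    # Demo CA: CSR self-signed via x509 -req so the extensions come only from our file.
    # A real domain CA already exists; its key stays offline. (stderr is silenced on the
    # req calls only to hide key-generation progress output.)
    openssl req -new -newkey rsa:4096 -nodes -keyout "$w/ca.key" \
        -out "$w/ca.csr" -subj "/CN=demo-ca" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > "$w/ca.ext"
    openssl x509 -req -in "$w/ca.csr" -signkey "$w/ca.key" -days 365 -sha256 \
        -extfile "$w/ca.ext" -out "$w/ca.crt" 2>/dev/null

    # Step 1: client key and CSR. No -days here; req ignores it without -x509.
    openssl req -newkey rsa:2048 -nodes -keyout "$w/$cn.key" \
        -out "$w/$cn.csr" -subj "/CN=$cn" 2>/dev/null

    # Step 2: sign with the CA. Differences from the page's one-liner:
    #   -CAcreateserial  random serial tracked in ca.srl instead of a fixed -set_serial 01
    #   -extfile         x509 -req emits no extensions by default; a browser client cert
    #                    should be a CA:FALSE leaf carrying the clientAuth EKU
    printf '%s\n' 'basicConstraints=CA:FALSE' \
                  'keyUsage=digitalSignature' \
                  'extendedKeyUsage=clientAuth' > "$w/client.ext"
    openssl x509 -req -in "$w/$cn.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$w/client.ext" \
        -out "$w/$cn.crt" 2>/dev/null

    # Step 3: PKCS12 bundle for browser import; the browser asks for this password.
    openssl pkcs12 -export -clcerts -in "$w/$cn.crt" -inkey "$w/$cn.key" \
        -out "$w/$cn.p12" -passout "pass:$pw"
}

# 0 if the issued certificate chains to the CA (what a server's client-auth check does).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# 0 if the leaf carries the clientAuth extended key usage.
has_client_auth() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# 0 if the serial is not the fixed 01 that -set_serial 01 would stamp on every cert.
serial_is_random() {
    [ "$(openssl x509 -in "$1/$2.crt" -noout -serial)" != "serial=01" ]
}

WORK=$(mktemp -d)
issue_client_cert "$WORK" alice 'import-me'
verify_chain "$WORK" alice && echo "alice.crt chains to ca.crt"
has_client_auth "$WORK" alice && echo "alice.crt is a clientAuth leaf"
echo "browser bundle: $WORK/alice.p12"
```

Run it as-is to get a ready-to-import alice.p12; swap the demo CA lines for the domain's real ca.crt/ca.key when issuing for production, and keep the .srl file alongside the CA so serials stay unique across runs.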


USEFUL COMMANDS

Generate Private Key

openssl genrsa -out yourdomain.key 2048



View Private Key's Contents

openssl rsa -text -in yourdomain.key -noout


Extract Public Key

openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key


Create Signing Request

openssl req -new -key yourdomain.key -out yourdomain.csr

OR

openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"


VERIFY CSR

openssl req -text -in yourdomain.csr -noout -verify


VIEW CONTENTS OF CERTIFICATE

openssl x509 -text -in yourdomain.crt -noout


VERIFY KEYS MATCH

openssl rsa -modulus -in yourdomain.key -noout | openssl sha256

AND

openssl req -modulus -in yourdomain.csr -noout | openssl sha256

AND

openssl x509 -modulus -in yourdomain.crt -noout | openssl sha256

All three digests must be identical. A mismatch means the CSR or certificate was not generated from that private key, which typically happens when a key is regenerated after the CSR has already been submitted.
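The three modulus digests above turned into one check that succeeds only when key, CSR and certificate all agree, plus a negative case with an unrelated key. This is an added example, not code from the original page; the files it compares are generated in a temp directory and example.test is an assumed name.

```shell
#!/bin/sh
# Added example: do a private key, a CSR and a certificate share one RSA modulus?
set -eu

# SHA-256 of the "Modulus=..." line; $1 is the openssl subcommand (rsa|req|x509), $2 the file.
modulus_hash() {
    openssl "$1" -modulus -in "$2" -noout | openssl sha256 | awk '{print $NF}'
}

# $1 = key, $2 = CSR, $3 = certificate; returns 0 only if all three digests match.
keys_match() {
    k=$(modulus_hash rsa "$1")
    r=$(modulus_hash req "$2")
    c=$(modulus_hash x509 "$3")
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Constructed fixtures: good.key with a CSR and self-signed cert made from it,
# and other.key, an unrelated key that must fail the check.
make_fixtures() {
    openssl genrsa -out "$1/good.key" 2048 2>/dev/null
    openssl req -new -key "$1/good.key" -out "$1/good.csr" -subj "/CN=example.test"
    openssl req -x509 -key "$1/good.key" -out "$1/good.crt" -days 1 -subj "/CN=example.test"
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

WORK=$(mktemp -d)
make_fixtures "$WORK"
keys_match "$WORK/good.key" "$WORK/good.csr" "$WORK/good.crt" && echo "good.key, good.csr, good.crt match"
keys_match "$WORK/other.key" "$WORK/good.csr" "$WORK/good.crt" || echo "other.key does NOT match good.csr/good.crt"
```

Point keys_match at the real yourdomain.key, yourdomain.csr and yourdomain.crt before installing a certificate a CA has returned; a non-zero exit is the "private key does not match" error a web server would otherwise throw at startup.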


GENERATE SELF SIGNED CERT

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt


CREATE CSR FOR EXISTING PRIVATE KEY

openssl req -out CSR.csr -key privateKey.key -new


GENERATE SIGNING REQUEST FROM EXISTING CERTIFICATE

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key


REMOVE PASSWORD FROM PRIVATE KEY

openssl rsa -in privateKey.pem -out newPrivateKey.pem

(The output file holds the key in clear; restrict it with chmod 600 and keep it off shared storage.)


USE OPENSSL TO CHECK CONNECTION

openssl s_client -connect roberthosborne.com:443


================================

CONVERSIONS

================================

PEM to PKCS12

openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \
-out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt



Extract Private Key from PKCS12 and Convert It To PEM

openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes

(-nodes writes the key unencrypted; drop it to be prompted for a new passphrase on the PEM key.)



Extract Certificate from PKCS12 and Convert It To PEM

openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt



PEM to DER

openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der



PEM Private to DER Private

openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der



DER to PEM

openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt



DER Private to PEM Private

openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key
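The conversions above run as round trips, with a check that the certificate fingerprint and the public key survive PEM to DER to PEM and PEM to PKCS12 to PEM unchanged, and that the PKCS12 refuses a wrong password. This is an added example rather than code from the original page; the key and certificate are generated in a temp directory, and the friendly name and password are assumed for the demo.

```shell
#!/bin/sh
# Added example: round-trip a cert and key through the PEM/DER/PKCS12 conversions.
set -eu

# SHA-256 fingerprint of a certificate; $2 is the input encoding (PEM|DER), default PEM.
cert_fp() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

# Hash of the DER-encoded public key, so keys compare regardless of their wrapping.
pubkey_hash() {
    openssl pkey -in "$1" -inform "${2:-PEM}" -pubout -outform DER | openssl sha256 | awk '{print $NF}'
}

# Constructed fixture: one RSA key and a self-signed certificate, both PEM.
make_fixtures() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -x509 -key "$1/key.pem" -out "$1/cert.pem" -days 1 -subj "/CN=yourdomain.com"
}

# PEM -> DER -> PEM for certificate and key; 0 if fingerprint and public key are unchanged.
roundtrip_der() {
    openssl x509 -inform PEM -in "$1/cert.pem" -outform DER -out "$1/cert.der"
    openssl x509 -inform DER -in "$1/cert.der" -outform PEM -out "$1/cert.from_der.pem"
    openssl rsa -inform PEM -in "$1/key.pem" -outform DER -out "$1/key.der" 2>/dev/null
    openssl rsa -inform DER -in "$1/key.der" -outform PEM -out "$1/key.from_der.pem" 2>/dev/null
    [ "$(cert_fp "$1/cert.pem")" = "$(cert_fp "$1/cert.der" DER)" ] &&
    [ "$(cert_fp "$1/cert.pem")" = "$(cert_fp "$1/cert.from_der.pem")" ] &&
    [ "$(pubkey_hash "$1/key.pem")" = "$(pubkey_hash "$1/key.from_der.pem")" ]
}

# PEM -> PKCS12 -> PEM; $2 is the bundle password. 0 if the extracted cert and key equal the originals.
roundtrip_p12() {
    openssl pkcs12 -export -name "yourdomain-demo" -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/bundle.pfx" -passout "pass:$2"
    # -nodes writes the extracted key unencrypted: fine in a temp dir, not on a shared host.
    openssl pkcs12 -in "$1/bundle.pfx" -passin "pass:$2" -nocerts -nodes -out "$1/key.from_p12.pem"
    openssl pkcs12 -in "$1/bundle.pfx" -passin "pass:$2" -nokeys -clcerts -out "$1/cert.from_p12.pem"
    [ "$(cert_fp "$1/cert.pem")" = "$(cert_fp "$1/cert.from_p12.pem")" ] &&
    [ "$(pubkey_hash "$1/key.pem")" = "$(pubkey_hash "$1/key.from_p12.pem")" ]
}

# The bundle's MAC must reject a wrong password instead of yielding anything; 0 if it does.
p12_rejects_wrong_password() {
    ! openssl pkcs12 -in "$1/bundle.pfx" -passin "pass:not-$2" -nokeys -out /dev/null 2>/dev/null
}

WORK=$(mktemp -d)
make_fixtures "$WORK"
roundtrip_der "$WORK" && echo "PEM <-> DER round trip preserved cert and key"
roundtrip_p12 "$WORK" 'bundle-pw' && echo "PEM <-> PKCS12 round trip preserved cert and key"
p12_rejects_wrong_password "$WORK" 'bundle-pw' && echo "bundle.pfx rejects a wrong password"
```

Comparing fingerprints and public-key hashes rather than file bytes is deliberate: the PEM written back from a PKCS12 carries extra "Bag Attributes" text, and OpenSSL 3 writes keys in PKCS#8 where 1.1.1 wrote PKCS#1, so a byte comparison would report false mismatches.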