Certificate Commands
Convert a PuTTY ppk File to a Hash for Cracking with John The Ripper
putty2john private.ppk > private.hash
Convert a Password Protected SSH Key to a John The Ripper Hash for Cracking
/usr/share/john/ssh2john.py ~/.ssh/id_rsa > id_rsa.hash
Create a Signing Request Using a Domain's CA
1.) Create Key and Certificate Signing Request:
openssl req -newkey rsa:4096 -keyout <user key> -out <user csr> -nodes -days 365 -subj "/CN=<name>"
2.) Sign CSR With CA:
openssl x509 -req -in <user csr> -CA <ca cert> -CAkey <ca key> -out <signed user cert> -set_serial 01 -days 365
3.) Convert To PKCS12 For Use In Browsers As Client Certificate:
openssl pkcs12 -export -clcerts -in <signed user cert> -inkey <user key> -out <user>.p12
USEFUL COMMANDS
Generate Private Key
openssl genrsa -out yourdomain.key 2048
View Private Key Contents
openssl rsa -text -in yourdomain.key -noout
Extract Public Key
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
Create Signing Request
openssl req -new -key yourdomain.key -out yourdomain.csr
OR
openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
VERIFY CSR
openssl req -text -in yourdomain.csr -noout -verify
VIEW CONTENTS OF CERTIFICATE
openssl x509 -text -in yourdomain.crt -noout
VERIFY KEYS MATCH
openssl rsa -modulus -in yourdomain.key -noout | openssl sha256
AND
openssl req -modulus -in yourdomain.csr -noout | openssl sha256
AND
openssl x509 -modulus -in yourdomain.crt -noout | openssl sha256
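Added example, not part of the original page: the three modulus commands above wrapped in a function that compares the digests and reports an unreadable file as an error, because piping a failed openssl call into sha256 gives the same empty-input digest for every file. The a.key/a.csr/a.crt/b.key names and the example.test CN are constructed samples.

```shell
#!/bin/sh
# Added example: check that an RSA key, CSR and certificate share one modulus.

# Print the SHA-256 digest of the RSA modulus, or fail if openssl cannot parse the file.
# $1 = openssl subcommand (rsa | req | x509), $2 = file
modulus_digest() {
    mod=$(openssl "$1" -modulus -in "$2" -noout 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    # Same bytes as the piped commands above, so the digest is identical.
    printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# Return 0 if key, CSR and cert match, 1 on mismatch, 2 if a file is unreadable.
# $1 = private key, $2 = CSR, $3 = certificate
keys_match() {
    k=$(modulus_digest rsa  "$1") || { echo "cannot read key: $1"  >&2; return 2; }
    r=$(modulus_digest req  "$2") || { echo "cannot read CSR: $2"  >&2; return 2; }
    c=$(modulus_digest x509 "$3") || { echo "cannot read cert: $3" >&2; return 2; }
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Build constructed sample files in directory $1:
# a.key/a.csr/a.crt belong together, b.key is an unrelated key.
make_samples() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/a.key" \
        -out "$1/a.csr" -subj "/CN=example.test" >/dev/null 2>&1
    openssl req -x509 -new -key "$1/a.key" -out "$1/a.crt" \
        -days 1 -subj "/CN=example.test" >/dev/null 2>&1
    openssl genrsa -out "$1/b.key" 2048 >/dev/null 2>&1
}

# Demo run on throwaway files.
d=$(mktemp -d) && make_samples "$d"
keys_match "$d/a.key" "$d/a.csr" "$d/a.crt" && echo "a.key: key, CSR and cert match"
keys_match "$d/b.key" "$d/a.csr" "$d/a.crt" || echo "b.key: MISMATCH"
rm -rf "$d"
```

The modulus comparison only applies to RSA keys, and a password-protected key will prompt for its passphrase.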
GENERATE SELF SIGNED CERT
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
CREATE CSR FOR EXISTING PRIVATE KEY
openssl req -out CSR.csr -key privateKey.key -new
GENERATE SIGNING REQUEST ON EXISTING CERTIFICATE
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
REMOVE PASSWORD FROM PRIVATE KEY
openssl rsa -in privateKey.pem -out newPrivateKey.pem
USE OPENSSL TO CHECK CONNECTION
openssl s_client -connect roberthosborne.com:443
================================
CONVERSIONS
================================
PEM to PKCS12
openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \
-out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt
PKCS12 to PEM
openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes
Extract Certificate from PKCS12 and Convert It To PEM
openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt
PEM to DER
openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der
PEM Private to DER Private
openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der
DER to PEM
openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt
DER Private to PEM Private
openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key