BASH - OpenSSL X509, CSR, CRL, OCSP Commands



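### CSRs / CERTS ###

# generate CSR interactively (prompts for the DN fields)
# -nodes writes the private key unencrypted: keep private.key at mode 600
openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key

# generate CSR one-liner (DN supplied with -subj, so no prompts)
openssl req -new -newkey rsa:2048 -nodes -out c.csr -keyout c.key -subj "/C=US/ST=MT/L=Ulm/O=XYZ/CN=example.com"

# generate private key and self-signed cert one-liner
openssl req -nodes -new -days 365 -newkey rsa:2048 -x509 -keyout ss.key -out ss.pem -subj "/C=CA/CN=localhost"

# dump the raw ASN.1 structure of any PEM object (csr/cert/key)
openssl asn1parse -in file.pem

# parse csr (-in instead of cat|; -verify additionally checks the CSR's self-signature)
openssl req -noout -text -verify -in file.csr

# parse cert
openssl x509 -noout -text -in file.pem

# parse crl (DER-encoded here; use -inform PEM for a PEM file)
openssl crl -inform DER -text -noout -in mycrl.crl
openssl asn1parse -inform DER -in mycrl.crl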


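### ECC ###

# generate ECC key + CSR
# -noout (instead of -text) keeps the key file to the EC PRIVATE KEY block only: no
# human-readable dump of the private scalar and no redundant EC PARAMETERS block
openssl ecparam -genkey -noout -name prime256v1 -out example-ecc.key
openssl req -new -key example-ecc.key -sha384 -out example-ecc.csr -subj "/C=US/ST=MT/O=OrgName/CN=example.com"

# now that you have an ecc CSR, create a self-signed cert from it
openssl x509 -req -days 3650 -in example-ecc.csr -signkey example-ecc.key -out example-ecc.pem -sha384

# generate private key (pick one curve; RSA-equivalent strength noted per line)
openssl ecparam -genkey -noout -name prime256v1 -out example-ecc.key # equiv RSA 3072
openssl ecparam -genkey -noout -name secp384r1 -out example-ecc.key  # equiv RSA 7680
openssl ecparam -genkey -noout -name secp521r1 -out example-ecc.key  # equiv RSA 15360

# shows all ecc curves supported by openssl
openssl ecparam -list_curves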


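### CLIENT CERTS ###

# client cert csr
openssl req -new -newkey rsa:2048 -nodes -out client.csr -keyout client.key -subj "/emailAddress=b@x.co/CN=BobJo"

# generate (self-signed) client cert
# -addtrust clientAuth only records an OpenSSL-specific trust setting in a "TRUSTED CERTIFICATE"
# output; it does NOT add the extendedKeyUsage extension that TLS servers check on a client cert.
# Set the EKU through -extfile instead.
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt \
  -extfile <(printf 'extendedKeyUsage = clientAuth\n')

# confirm the EKU is present in the issued cert
openssl x509 -noout -text -in client.crt | grep -A1 'Extended Key Usage'

# view certs in the NSS db used by chrome/chromium ($HOME quoted: paths may contain spaces)
certutil -d "sql:$HOME/.pki/nssdb" -L -h "Builtin Object Token"

# view certs in the java truststore (path is installation-specific; JDK 9+ also accepts `keytool -list -cacerts`)
keytool -list -keystore /usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/security/cacerts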


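### OCSP ###

# check OCSP status of the intermediate/issuer (root.pem is the CA that signed issuer.pem)
# the responder URL lives in the AIA extension of the cert being checked (issuer.pem), not of the
# root, so read it from there instead of grepping root.pem
ocsp_url=$(openssl x509 -noout -ocsp_uri -in issuer.pem)
: "${ocsp_url:?issuer.pem carries no OCSP URI in its AIA extension}"
openssl ocsp -issuer root.pem -CAfile /etc/ssl/certs/ca-certificates.crt -VAfile /etc/ssl/certs/ca-certificates.crt \
  -cert issuer.pem -url "$ocsp_url" -resp_text -req_text

# check OCSP status of the end cert (issuer.pem signed cert.pem)
# the bundle must also contain issuer.pem so the response signer chain verifies
ocsp_url=$(openssl x509 -noout -ocsp_uri -in cert.pem)
: "${ocsp_url:?cert.pem carries no OCSP URI in its AIA extension}"
cat /etc/ssl/certs/ca-certificates.crt issuer.pem > b.crt
openssl ocsp -issuer issuer.pem -CAfile b.crt -VAfile b.crt -cert cert.pem -url "$ocsp_url" -resp_text -req_text

# in the output, require "Response verify OK" AND "<file>: good"; "revoked"/"unknown" or a
# verify failure means the cert must not be trusted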


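### CSR WITH SANS ###

# make a custom openssl.conf file (quoted delimiter: nothing inside is shell-expanded)
cat > my.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName_max = 64

[ server_cert ]
subjectAltName = DNS:test1.example.com,DNS:other1.example.com,DNS:www1.example.net
EOF

# -subj must start with "/" (openssl rejects a bare "CN=ex1"); -reqexts pulls the SAN section into the CSR
openssl req -new -newkey rsa:2048 -nodes -out csr -keyout key -subj "/CN=ex1" -config my.cnf -reqexts server_cert

# confirm the SANs made it into the CSR
openssl req -noout -text -in csr | grep -A1 'Subject Alternative Name'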


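### DIGITAL SIGNATURES ###
# sign message.txt with the private key; verify with the matching public key
openssl dgst -sha256 -sign private_key.pem -out signature.sig message.txt
openssl dgst -sha256 -verify public_key.pem -signature signature.sig message.txt

### REMOVE PASSPHRASE ###
# the output key is unencrypted: run under a restrictive umask (scoped to the subshell)
# so the file is not created world-readable
(umask 077; openssl rsa -in server.key -out server.key.out)

### BUILD PKCS7/P7B ###
openssl crl2pkcs7 -nocrl -certfile certificate.crt -certfile intermediate.crt -out certificate.p7b

### VIEW PKCS7 ###
# extracts the certs to certificate.crt; drop -out to print them to stdout instead
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

### BUILD PKCS12 / P12 ###
# prompts for an export password; prefer the prompt over -passout on argv (argv is visible in ps)
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile more.crt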