-
Notifications
You must be signed in to change notification settings - Fork 18
/
OpenSSL_Key_Format.txt
148 lines (88 loc) · 4.52 KB
/
OpenSSL_Key_Format.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
Generating Keys.
------------------
# Generating a PEM formatted RSA key.
openssl genrsa -out rsa.pem 2048
# Generating a PEM formatted ECDSA key.
openssl ecparam -genkey -name prime256v1 -noout -out ec.pem
# Generating a private key in traditional format. (-traditional is required for OpenSSL 3.0)
openssl genrsa -traditional -out rsa.pri 2048
Switching from PEM format to DER format and vice versa
-----------------------------------------------------------
>> RSA Keys
# Converting PEM to DER (RSA)
openssl rsa -in rsa.pem -out rsa.der -outform der
# Examining a DER formatted RSA key.
openssl rsa -in rsa.der -inform der -noout -text
# Converting DER formatted RSA key to PEM.
openssl rsa -in rsa.der -inform der -out rsa.pem -outform pem
# Encrypting RSA Private Keys.
openssl rsa -aes-256-cbc -in rsa.pri -out rsa.enc
# Using encryption for private keys in traditional format.
openssl rsa -aes-256-cbc -in rsa.pri -out rsa.enc -traditional
# Removing encryption from an RSA private key.
openssl rsa -in rsa.enc -out rsa.pri
>> ECDSA keys.
# Converting PEM to DER (ECDSA)
openssl ec -in ec.pem -out ec.der -outform der
# Examining a DER formatted ECDSA key.
openssl ec -in ec.der -noout -text
# Converting DER formatted ECDSA key to PEM.
openssl ec -in ec.der -out ec.pem -outform pem
# Encrypting ECDSA private keys.
openssl ec -in ec.pem -aes-256-cbc -out ec.enc
# Removing encryption from an ECDSA private key.
openssl ec -in ec.enc -out ec.dec
Switching from PKCS #1 (Traditional Format) to PKCS #8 format
---------------------------------------------------------------
>> RSA Keys.
# Converting PKCS#1 to PKCS#8 format key.
openssl pkcs8 -in rsa.pri -topk8 -out rsa.pk8
# Converting PKCS#1 to PKCS#8 format key with no encryption.
openssl pkcs8 -in rsa.pri -topk8 -out rsa.pk8 -nocrypt
# Converting PKCS#1 to PKCS#8 formatted key with no encryption in DER format.
openssl pkcs8 -in rsa.pri -topk8 -out rsa.pk8 -nocrypt -outform DER
# Examining a PKCS#8 DER formatted key.
openssl rsa -in rsa.pk8 -noout -text
>> ECDSA keys.
# Converting PKCS#1 to PKCS#8 format key.
openssl pkcs8 -in ec.pem -topk8 -out ec.pk8
# Converting PKCS#1 to PKCS#8 format key with no encryption.
openssl pkcs8 -in ec.pem -topk8 -nocrypt -out ec.pk8
Generating a PKCS #7 Bundle (P7B)
------------------------------------
# Generating a P7b file of a signed certificate with certificate chain.
openssl crl2pkcs7 -nocrl -certfile dev.cer -certfile myIssuing.cer -certfile root.cer -out dev.p7b
# Examining a P7B file
openssl pkcs7 -in dev.p7b -print_certs
# Examining a P7B file without outputting the certificates
openssl pkcs7 -in dev.p7b -print_certs -noout
Generating a PKCS #12 (PFX/P12) file.
---------------------------------------
# Generating a private key and a self-signed certificate
openssl genpkey -algorithm rsa -out rsa.pri -quiet
openssl req -x509 -new -key rsa.pri -subj '/CN=Test/' -days 365 -out test.cer
# Generating a PKCS#12 (PFX/P12) file.
openssl pkcs12 -export -inkey rsa.pri -in test.cer -out test.pfx
# Generate a PFX/P12 file for a signed certificate including its certificate chain.
cat root.cer myIssuing.cer > cacert.cer
openssl pkcs12 -export -inkey dev.key -in dev.cer -certfile cacert.cer -out dev.pfx
# Examining a PKCS#12 file without displaying any key.
openssl pkcs12 -in dev.pfx -info -nokeys
# Examining a PKCS#12 file without displaying any certificate
openssl pkcs12 -in dev.pfx -info -nocerts
# Examining a PKCS#12 file without displaying keys and certs (-nokeys + -nocerts)
openssl pkcs12 -in dev.pfx -info -nokeys -nocerts
openssl pkcs12 -in dev.pfx -info -noout
# Examining a PKCS#12 file to display only signed/client certificate
openssl pkcs12 -in dev.pfx -info -nokeys -clcerts
# Examining a PKCS#12 file to display only CA certificates
openssl pkcs12 -in dev.pfx -info -nokeys -cacerts
# Extract private key out of PKCS#12 file without encryption
openssl pkcs12 -in dev.pfx -nocerts -noenc | openssl rsa -out private.key
# Extract private key out of PKCS#12 file with encryption
openssl pkcs12 -in dev.pfx -nocerts | openssl rsa -aes-256-cbc -out private.key
# Extract private key out of PKCS#12 file with encryption with password as input from a file.
echo password@123 > passfile
openssl pkcs12 -in dev.pfx -passin file:passfile -nocerts -nodes | openssl rsa -aes-256-cbc -passout file:passfile -out private.key
# Examining ASN.1 Structure of a key.
openssl asn1parse -in rsa.pri