Handy Certificate Commands for Linux
How to view certificates in a Java Key Store (JKS)
keytool -list -v -keystore <keystorename>.jks
How to add a certificate to a key store (importing a PFX installs the certificate's chain of trust as well)
keytool -importkeystore -srckeystore /tmp/<pfxname>.pfx -srcstoretype pkcs12 -destkeystore <keystorename>.jks -deststoretype JKS
keytool -import -keystore <keystorename>.jks -file <certname>.cer
In the above, the pfx should contain the certificates up to the root. After entering the command you are prompted for the destination password (the key store password) and the source password (the pfx password).
Note: keep the pfx password and the keystore password the same. keytool gives the imported key entry the key password it had inside the pfx, and most servers (Tomcat, for example) assume the key password equals the store password; pass -destkeypass if you need them to differ.
How to delete certificate in key store.
keytool -delete -alias <aliasnameofcert> -keystore <keystorename>.jks
Change alias of the existing certificate:
keytool -changealias -alias <aliasname> -destalias <newalias> -keystore <keystorename>.jks
Always take a backup of the jks file before doing any changes.
keytool is the JDK's key and certificate management utility (the same tool on Linux, Windows and macOS). In SSL/TLS the key store provides this side's own credentials, while the trust store is used to verify the credentials presented by the peer.
Key store: holds private keys together with the certificates for their public keys.
Trust store: holds the CA certificates (and any other certificates) that this side trusts when it verifies the certificate chain presented by a peer.
Export the current keystore (jks) entry as .p12:
/usr/java/jdk1.6.0_26/bin/keytool -v -importkeystore -srckeystore xxx.jks -srcalias xxx-xxx.xxx.com -destkeystore myp12file.p12 -deststoretype PKCS12
Export the private key (-nocerts leaves the certificates out; without -nodes you are prompted for a passphrase to encrypt the key, and an unencrypted key file must be readable only by the account that needs it):
openssl pkcs12 -in myp12file.p12 -nocerts -nodes -out private.pem
Bundle the .cer public key certificate with the private key and the CA chain into a new .p12 (pkcs12 -export does not sign anything, it only packages; -certfile is read once, so concatenate the intermediate and root certificates into one file; -name is the friendly name, i.e. the alias, the entry will have):
cat intermediate.cer root.cer > chain.pem
openssl pkcs12 -export -in xxx-xxx.xxx.com.cer -inkey private.pem -out newcert.p12 -name xxx-xxx.xxx.com -certfile chain.pem
Import the new PKCS12 store into a jks store:
/usr/java/jdk1.6.0_26/bin/keytool -importkeystore -srckeystore newcert.p12 -destkeystore myotherstore.jks -srcstoretype PKCS12 -deststoretype jks -srcstorepass tcserver -deststorepass tcserver -srcalias xxx-xxx.xxx.com -destalias xxx-xxx.xxx.com -srckeypass tcserver -destkeypass tcserver
Generate a .pfx from an existing public key certificate (.cer) and private key (.pem). Pass the chain as one concatenated file: if -certfile is given twice, only the last one is used and the intermediate silently drops out of the bundle:
cat intermediate.cer root.cer > chain.pem
openssl pkcs12 -export -in xxx-xxx.xxx.com.cer -inkey private.pem -out certificate.pfx -certfile chain.pem
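The chain-bundling step above is where most broken PFX files come from, so here is an added, runnable example (not code from the original page) that builds a three-tier demo PKI, packages the leaf both the wrong way (repeated -certfile) and the right way (one concatenated chain file), and counts what actually ended up inside each bundle. Everything in it is constructed for the demo: the CA names, the file names (chosen to match the page's intermediate.cer / root.cer / private.pem), and the password changeit. It assumes a POSIX sh and OpenSSL 1.1.1 or 3.x.

```shell
#!/bin/sh
# Added example, not from the original page: build a .pfx that really carries
# the whole chain, and show how a repeated "-certfile" silently loses the
# intermediate. The PKI below is constructed for the demo; all names are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Root
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# root.cer -> intermediate.cer -> www.example.com.cer (its key in private.pem),
# i.e. the same file names the page uses.
gen_chain() {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
        -keyout root.key -out root.cer 2>/dev/null
    openssl req -new -config ca.cnf -subj "/CN=Demo Intermediate" -newkey rsa:2048 -nodes \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -days 2 -in inter.csr -CA root.cer -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_ca -out intermediate.cer 2>/dev/null
    openssl req -new -config ca.cnf -subj "/CN=www.example.com" -newkey rsa:2048 -nodes \
        -keyout private.pem -out leaf.csr 2>/dev/null
    openssl x509 -req -days 2 -in leaf.csr -CA intermediate.cer -CAkey inter.key -CAcreateserial \
        -out www.example.com.cer 2>/dev/null
}

# The page's original form: -certfile twice. openssl keeps only the last
# -certfile, so the intermediate is dropped and clients see a broken chain.
build_pfx_wrong() {
    openssl pkcs12 -export -in www.example.com.cer -inkey private.pem \
        -certfile intermediate.cer -certfile root.cer \
        -name www.example.com -passout pass:changeit -out wrong.pfx
}

# Correct form: concatenate the CA certificates and pass the file once.
build_pfx_right() {
    cat intermediate.cer root.cer > chain.pem
    openssl pkcs12 -export -in www.example.com.cer -inkey private.pem \
        -certfile chain.pem -name www.example.com -passout pass:changeit -out certificate.pfx
}

# count_certs <file.pfx>: number of certificates inside the bundle (leaf + chain).
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# verify_chain: does the leaf validate up to the root through the intermediate?
verify_chain() {
    if openssl verify -CAfile root.cer -untrusted intermediate.cer www.example.com.cer >/dev/null 2>&1
    then echo ok; else echo FAIL; fi
}

gen_chain
build_pfx_wrong
build_pfx_right
echo "wrong.pfx:       $(count_certs wrong.pfx) certificates"        # 2 (intermediate lost)
echo "certificate.pfx: $(count_certs certificate.pfx) certificates"  # 3
echo "chain check:     $(verify_chain)"                               # ok
```

Run the same count_certs check against any PFX you receive from a vendor or a Windows export before loading it into a keystore: a missing intermediate does not break the server, it breaks the clients, and only some of them, which makes it a slow-burning ticket.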
Create a self-signed cert (key, then CSR, then self-sign the CSR):
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Or in one step (-nodes leaves the key unencrypted on disk):
openssl req -nodes -newkey rsa:2048 -x509 -days 365 -keyout server.key -out server.crt
Generate a new CSR and key (-nodes: unencrypted key; -sha256: sign the request with SHA-256, which CAs require):
openssl req -nodes -new -newkey rsa:4096 -out www.example.com.csr -keyout www.example.com.key
openssl req -out myxxxinfinite.com-new.csr -new -newkey rsa:2048 -sha256 -nodes -keyout myxxxinfinite.com.key
Generate a new CSR from an existing key:
openssl req -nodes -new -key www.example.com.old.key -out www.example.com.new.csr
Generate a new CSR from an existing key and certificate (takes the subject from the old certificate; read the resulting CSR back, since extensions such as SANs may not be carried over):
openssl x509 -x509toreq -in www.example.com.old.crt -signkey www.example.com.key -out www.example.com.csr
Generate a CSR with SANs:
SANs (subject alternative names) let a single certificate cover multiple FQDNs. This differs from a wildcard certificate, which covers all sub-domains of one domain; SANs can name entirely different domains, such as www.example.com and www.example.net. Modern browsers ignore the Common Name and match only the SAN list, so the name in the CN must be listed as a SAN as well.
Generating a CSR with SANs requires a configuration file that lists them. The file below is the default openssl template (the [ req ] section header is required, otherwise openssl never reads distinguished_name and req_extensions) plus an alt_names section for the subjectAltName extension. OpenSSL 1.1.1 and later can also take the list directly on the command line with -addext, without a config file.
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.net
DNS.3 = www.example.org
openssl req -config openssl.conf -nodes -new -newkey rsa:4096 -out www.example.com.csr -keyout www.example.com.key
Read a CSR:
openssl req -text -noout -in www.example.com.csr
Read a CRT:
openssl x509 -text -noout -in www.example.com.crt
Verifying that a CRT matches a private key (the two moduli must be identical; for EC keys compare the public keys instead, since -modulus only applies to RSA):
openssl x509 -noout -modulus -in <filename for crt>
openssl rsa -noout -modulus -in <filename for key>
Verifying the fingerprint of a CRT (compare SHA-256; SHA-1 and MD5 are listed only because older tools still print them, and neither should be trusted to identify a certificate):
openssl x509 -fingerprint -noout -in <filename for crt> -sha256
openssl x509 -fingerprint -noout -in <filename for crt> -sha1
openssl x509 -fingerprint -noout -in <filename for crt> -md5
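As an added example (not code from the original page), the following script turns the modulus comparison and fingerprint commands above into something you can script: it generates a throwaway key/certificate pair plus one unrelated key, compares SHA-256 hashes of the public keys (which works for EC keys too, where the -modulus trick does not), and prints the SHA-256 fingerprint of the certificate. The file names and the CN www.example.com are constructed for the demo; it assumes a POSIX sh and OpenSSL 1.1.1 or 3.x.

```shell
#!/bin/sh
# Added example, not from the original page: prove a certificate and a private
# key belong together, and print the fingerprint you would hand to a peer.
# The key/certificate files are generated here for the demo; a second,
# unrelated key shows what a mismatch looks like.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed inputs (a tiny config keeps "openssl req" non-interactive).
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = www.example.com\n' > req.cnf
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 2 \
    -keyout www.example.com.key -out www.example.com.crt 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null

# Compare SHA-256 hashes of the SubjectPublicKeyInfo instead of raw moduli:
# short enough to eyeball, and it also works for EC keys where
# "openssl rsa -modulus" does not apply.
pubkey_hash_of_cert() { openssl x509 -noout -pubkey -in "$1" | openssl sha256 | awk '{print $NF}'; }
pubkey_hash_of_key()  { openssl pkey -pubout -in "$1" 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# key_matches_cert <cert> <key> -> prints "match" or "MISMATCH"
key_matches_cert() {
    if [ "$(pubkey_hash_of_cert "$1")" = "$(pubkey_hash_of_key "$2")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# cert_fingerprint_sha256 <cert> -> colon-separated SHA-256 fingerprint of the
# certificate itself (what browsers and pinning tools display). MD5 and SHA-1
# fingerprints are still printed by old tooling but must not be used to pin
# or compare certificates.
cert_fingerprint_sha256() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

echo "right key: $(key_matches_cert www.example.com.crt www.example.com.key)"  # match
echo "wrong key: $(key_matches_cert www.example.com.crt other.key)"            # MISMATCH
echo "sha256:    $(cert_fingerprint_sha256 www.example.com.crt)"
```

A "MISMATCH" after a renewal almost always means the CSR was generated from a fresh key while the old key was left in the keystore; the check takes a second and saves a restart with a server that refuses to start.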
Generate a CSR automatically without prompts:
openssl req -new -config openssl.conf -out www.example.com.csr
[ req ]
prompt = no
default_bits = 2048
default_keyfile = www.example.com.key
encrypt_key = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
O=Internet Widgits Pty Ltd
L=Grand Rapids
ST=Michigan
C=US
CN=www.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
List trusted CA certs (path for JDK 8 and earlier; on JDK 9 and later the file is $JAVA_HOME/lib/security/cacerts; the default password is changeit)
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Import a new CA into the trusted certs (everything in cacerts is trusted by every Java process using that JDK, so add only CAs you have verified out of band, and remember the file is replaced by a JDK upgrade)
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
Create Keystore, Keys and Certificate Requests (the commands below pass -storepass on the command line for scripting; that exposes the password in shell history and process listings, so in scripts prefer -storepass:env VARIABLE or -storepass:file /path, or let keytool prompt)
Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -storepass password
Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -storepass password -file mydomain.csr
Generate a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360
Import Certificates
Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks -storepass password
Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password
Export Certificates
Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password
Check/List/View Certificates
Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks -storepass password
Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -storepass password -alias mydomain
Delete Certificates
Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks -storepass password
Change Passwords
Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks -storepass password
Change a private key password
keytool -keypasswd -alias client -keypass old_password -new new_password -keystore client.jks -storepass password
OpenSSL Convert PEM
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
OpenSSL Convert DER
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
OpenSSL Convert P7B
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
OpenSSL Convert PFX
Convert PFX to PEM (the output file holds the private key and all certificates; -nodes leaves the key unencrypted, so protect the file; add -nocerts to get only the key or -nokeys to get only the certificates)
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
KDB keystore (IBM GSKit / IBM HTTP Server):
Create a kdb and its stash file (the stash file lets the server open the kdb without prompting; it holds the password only obfuscated, so it must be readable by the server's account alone):
/IPG/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db <kdbfile> -pw <password> -type cms -stash <stashfilename>
View certs:
/IPG/HTTPServer/java/jre/bin/ikeycmd -cert -list -expiry -db <kdb file> -pw <password>
/IPG/HTTPServer/java/jre/bin/ikeycmd -cert -details -label <certname> -db <kdb file> -pw <password>
/IPG/HTTPServer/bin/gsk7capicmd -cert -list -db /IPG/HTTPServer/ssl/key.kdb -pw mware4xxx
Delete certs:
/IPG/HTTPServer/bin/gsk7capicmd -cert -delete -db key.kdb -pw mware4xxx -label xxxmmg
/IPG/HTTPServer/bin/gsk7capicmd -cert -delete -db key.kdb -pw mware4xxx -label VerisignIntermediate
Add a cert with its private key (import from a pfx):
/IPG/HTTPServer/bin/gsk7cmd -cert -import -file /tmp/Certs/newstarxxxmmg.pfx -pw <pfx password> -type pkcs12 -target /IPG/HTTPServer/ssl/key.kdb -target_pw mware4xxx -target_type cms
Add a CA (intermediate) certificate:
/IPG/HTTPServer/bin/gsk7capicmd -cert -add -db /usr/IBMIHS/HTTPServer/ssl/key.kdb -pw mware4xxx -label VerisignInter -file Verisign_intermediate.cer
Make the cert the default for the store:
/IPG/HTTPServer/bin/gsk7capicmd -cert -setdefault -db /IPG/HTTPServer/ssl/key.kdb -label "le-72be4f54-558a-4eb8-8c3d-4f 6dd82bea4"
Check that IBM HTTP Server is running (sample listing; the root-owned httpd is the parent, the www-owned ones are the workers):
[root@xx bin]# ps -ef | grep httpd
root 34 0 Aug24 ? 00:00:0 /usr/IBMIHS/HTTPServer/bin/httpd -d /usr/IBMIHS/HTTPServer -f /usr/IBMIHS/conf/httpd.conf -k start
www 36 34 0 Aug24 ? 00:00:39 /usr/IBMIHS/HTTPServer/bin/httpd -d /usr/IBMIHS/HTTPServer -f /usr/IBMIHS/conf/httpd.conf -k start
www 362 34 0 Aug24 ? 00:00:40 /usr/IBMIHS/HTTPServer/bin/httpd -d /usr/IBMIHS/HTTPServer -f /usr/IBMIHS/conf/httpd.conf -k start
Start IBM HTTP Server (Apache):
./apachectl -f /usr/IBMIHS/conf/httpd.conf -k start
Recovering or resetting the passwords of .jks, .keystore and .kdb keystores:
For a Keystore/JKS file, run the ChangePassword utility. The JKS store password is only an integrity check over the file, not encryption, so the store can be rewritten under a new password without knowing the old one (private key entries stay encrypted under their own key password, which this does not recover):
java ChangePassword <keystorename> <keystorenametobechanged>
For a KDB, run the unstash.pl Perl script against the stash file. The .sth file stores the KDB password merely obfuscated (each byte XORed with 0xF5), so the script prints it back in plain text:
/usr/bin/perl unstash.pl <key.sth>
The practical point: file permissions on the .jks, the .kdb and above all the .sth are what protect these stores, not their passwords. Treat a world-readable .sth as a leaked credential and rotate the KDB password.
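To make the stash-file point concrete, here is an added example (not code from the original page, and not the unstash.pl script itself) that writes and reads a .sth in the format the script decodes: each password byte XORed with 0xF5, followed by bytes that decode to NUL. It also shows the only effective control, the file mode. The password Sup3r-S3cret! and the file name key.sth are made up for the demo; the padding length is chosen for the demo and is not a claim about the exact size GSKit writes. It assumes a POSIX sh with od.

```shell
#!/bin/sh
# Added example, not from the original page: what unstash.pl relies on.
# A GSKit/IHS stash file (.sth) is not encrypted: it is the KDB password with
# every byte XORed against 0xF5, followed by a terminator and padding that
# decode to NUL. Whoever can read key.sth has the key database password, so the
# mode bits on the .sth are the only real protection. Password and file names
# below are made up for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# stdin bytes -> one decimal value per line (od is POSIX; xxd often is not).
to_bytes() { od -An -v -tu1 | tr -s ' ' '\n' | sed '/^$/d'; }

# write_stash <password> <file.sth>: XOR each password byte with 0xF5 (245),
# then pad with 0xF5 bytes (which decode to NUL) up to a fixed demo size.
write_stash() {
    : > "$2"
    printf '%s' "$1" | to_bytes | while read -r b; do
        printf "\\$(printf '%03o' $((b ^ 245)))" >> "$2"
    done
    n=$(wc -c < "$2" | tr -d ' ')
    while [ "$n" -lt 128 ]; do
        printf '\365' >> "$2"
        n=$((n + 1))
    done
}

# read_stash <file.sth>: the decoder, i.e. what unstash.pl does. Stops at the
# first byte that decodes to NUL.
read_stash() {
    to_bytes < "$1" | while read -r b; do
        c=$((b ^ 245))
        if [ "$c" -eq 0 ]; then break; fi
        printf "\\$(printf '%03o' "$c")"
    done
}

# stash_is_exposed <file.sth>: "yes" if group or others have read access.
stash_is_exposed() {
    if ls -l "$1" | cut -c5-10 | grep -q r; then echo yes; else echo no; fi
}

write_stash 'Sup3r-S3cret!' key.sth
echo "recovered from key.sth: $(read_stash key.sth)"        # Sup3r-S3cret!
echo "readable by others before chmod: $(stash_is_exposed key.sth)"
chmod 600 key.sth
echo "readable by others after chmod:  $(stash_is_exposed key.sth)"   # no
```

The decoder is a dozen lines in any language, which is the whole lesson: never ship a .sth in a backup, a container image or a ticket attachment, and audit the mode bits on every key.sth with the same seriousness as the private key itself.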