Keys & certificates cheatsheet
Nov 25, 2019
List of usefull commands
Keys
generate private key
openssl genrsa -out private.pem 2048
check private key
openssl pkey -in private.pem -text
extract public key from private
openssl rsa -in private.pem -pubout -out pubkey.pem
extract public key from private for SSH
ssh-keygen -y -f private.pem > key.pub
check public key
openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout
change format of key to pkcs8
openssl pkcs8 -topk8 -nocrypt -in private.key -out private-pkcs8.key
Certificates
generate certificate authority from private key
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 4096 -out rootCA.crt
generate csr request using key
openssl req -sha512 -new -key xxx.key -out xxx.csr -conf config.conf
check csr request
openssl req -in mydomain.com.csr -noout -text
save serial to file
openssl x509 -in rootCA.crt -text -noout -serial
At the end is serial “serial=XXXX” take only XXXX part ad save it to file “serial”
generate server certificate
openssl x509 -days 365 -req -sha512 -in xxx.csr -CAserial serial -CA rootCA.crt -CAkey ca.key -out new.crt -extensions v3_req -extfile server.conf
generate client certificate
openssl x509 -days 365 -req -sha512 -in xxx.csr -CAserial serial -CA rootCA.crt -CAkey ca.key -out new.crt -extensions v3_req -extensions usr_cert -extfile client.conf
check certificate
openssl x509 -in certificate.crt -text -noout
get server certificate
openssl s_client -showcerts -connect www.example.com:443
Config files
server.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = XXXXXX
localityName = XXXXXX
postalCode = XXXXXX
organizationName = XXXXXX
organizationalUnitName = XXXXXX
commonName = XXXXXX
emailAddress = XXXXXX
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = DOMAIN NAME
IP.1 = IP ADDRESS
client.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = XXXXXX
localityName = XXXXXX
postalCode = XXXXXX
organizationName = XXXXXX
organizationalUnitName = XXXXXX
commonName = XXXXXX
emailAddress = XXXXXX
[ usr_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, server
nsComment = "Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
Links and tutorials
- list of commands
- how to generate certificate with SAN
- setting certificates for Filebeat and Logstash
- script for generation certs
- tutorial for secure Logstash&Filebeat + info about config files
- certificates detailed tutorial