Certificates (LINUX)

Most commonly used commands for exporting and generating certificates.

Generate CSR
openssl req -new -newkey rsa:2048 -nodes -keyout tudominio.key -out tudominio.csr

Renew
openssl req -new -key privkey.pem -out cert.csr

Export to PFX
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

PEM TO CRT
openssl x509 -outform der -in your-cert.pem -out your-cert.crt

PEM TO KEY

openssl rsa -outform der -in private.pem -out private.key

PEM TO CER

openssl x509 -inform PEM -in cacert.pem -outform DER -out certificate.cer

PEM TO DER

openssl x509 -outform der -in certificate.pem -out certificate.der

PEM TO P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

DER TO PEM (.crt .cer .der)

openssl x509 -inform der -outform PEM -in certificate.cer -out certificate.pem

CER TO CRT

openssl x509 -inform DER -in certificate.cer -out certificate.crt

KEY TO PEM

openssl rsa -in [claveprivada.key] -outform PEM -out [claveprivadaformatopem.key]

PFX TO PEM (COMBINED)

openssl pkcs12 -in filename.pfx -out cert.pem -nodes

PFX TO PEM (SEPARATE)

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

**If we need to remove the password:
openssl rsa -in key.pem -out server.key
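
The PFX export, separate extraction and password removal above, chained into one non-interactive round trip that then checks the extracted key really belongs to the extracted certificate. This is an added example, not part of the original page; the sample subject, the PFX_PW variable and the function names key_matches_cert and pfx_roundtrip are assumptions.

```shell
#!/bin/sh
# Added example; every file name, subject and password here is a constructed sample.

# Exit 0 when key and certificate carry the same public key, 1 when they differ,
# 2 when either file cannot be read. Compares SubjectPublicKeyInfo, so it also
# covers EC keys. $3 is an OpenSSL pass-phrase source (default: empty password).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

pfx_roundtrip() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        umask 077                      # extracted keys must not be readable by others
        PFX_PW='constructed-sample'; export PFX_PW   # env: keeps it out of argv
        # Throwaway key and self-signed certificate, only to have something to export.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout domain.name.key \
            -out domain.name.crt -subj "/CN=example.test" -days 1 2>/dev/null || exit 1
        openssl pkcs12 -export -out filename.pfx -inkey domain.name.key \
            -in domain.name.crt -passout env:PFX_PW || exit 1
        # PFX to PEM (separate): the key is written encrypted, the certificate in clear.
        openssl pkcs12 -in filename.pfx -nocerts -out key.pem \
            -passin env:PFX_PW -passout env:PFX_PW 2>/dev/null || exit 1
        openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem \
            -passin env:PFX_PW 2>/dev/null || exit 1
        # Remove the password from the extracted key.
        openssl rsa -in key.pem -out server.key -passin env:PFX_PW 2>/dev/null || exit 1
        grep -q ENCRYPTED key.pem || exit 1          # extracted key is protected
        ! grep -q ENCRYPTED server.key || exit 1     # stripped key is not
        key_matches_cert server.key cert.pem || exit 1
        key_matches_cert key.pem cert.pem env:PFX_PW || exit 1
        # Negative control: an unrelated key must be reported as a mismatch.
        openssl genrsa -out other.key 2048 2>/dev/null || exit 1
        ! key_matches_cert other.key cert.pem || exit 1
        echo ok
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

pfx_roundtrip
```

key_matches_cert can be run on its own against any key and certificate before building a PFX or loading them into a server.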

REMOVE PFX PASSWORD

openssl pkcs12 -export -nodes -out mycert.pfx -inkey mykey.key -in mycertificate.crt -certfile ca-cert.crt -passout pass:

REMOVE .KEY PASSWORD

openssl rsa -in [claveprivadapass.key] -out [claveprivadasinpass.key]

EXTRACT CRT AND KEY FROM PFX

·KEY

openssl pkcs12 -in [mifichero.pfx] -nocerts -out [claveprivada.key]

·CRT

openssl pkcs12 -in [mifichero.pfx] -clcerts -nokeys -out [clavepublica.crt]

KEYTOOL

Generate keystore and key

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore.jks -alias server -validity 3650

Generate keystore and import certificate

keytool -importcert -file server.crt -keystore truststore.jks -alias server

Generate Root CA with signing capability

keytool -v -genkeypair -dname "CN=Root-CA,OU=Certificate Authority,O=Thunderberry,C=NL" -keystore root-ca.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,keyCertSign -ext BasicConstraints=ca:true,PathLen:3

Generate a CSR for an existing keystore

keytool -certreq -keyalg rsa -keystore keystore.jks -alias server -file server.csr

Import a root or intermediate CA into a keystore

keytool -import -trustcacerts -file root-ca.crt -alias my-newly-trusted-ca -keystore keystore.jks

Import the contents of one keystore into another keystore

keytool -v -importkeystore -srckeystore source.p12 -srcstoretype PKCS12 -srcstorepass changeit -destkeystore target.p12 -deststoretype PKCS12 -deststorepass changeit

"Keystore" checks

Check a certificate
keytool -v -printcert -file server.crt

Check a certificate in PEM format
keytool -v -printcert -file server.crt -rfc

List the certificates inside a keystore
keytool -v -list -keystore keystore.jks

Check a specific keystore, indicating the alias
keytool -v -list -keystore keystore.jks -alias server

"Keystore" exports

Export a certificate to .crt in binary format
keytool -exportcert -keystore keystore.jks -alias server -file server.crt

Export a certificate to .crt in PEM format
keytool -exportcert -keystore keystore.jks -alias server -rfc -file server.crt

Export keystore to .p12 format
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12

Other "Keystore" odds and ends

Convert JKS to PKCS12

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -srcstorepass password -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass password

Convert PKCS12 to JKS

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass password -destkeystore keystore.jks -deststoretype JKS -deststorepass password

Change keystore password

keytool -storepasswd -keystore keystore.jks

Delete certificate from keystore

keytool -delete -alias server -keystore keystore.jks

Sign a certificate from a CSR

keytool -v -gencert -infile server.csr -outfile server-signed.cer -keystore root-ca.jks -storepass secret -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth
