Forked from rustymagnet3000/a_openssl_command_playground.md
Created November 20, 2020 14:48
Save BurgerZ/f176d2e057a7f20e3bb0720db52d81f0 to your computer and use it in GitHub Desktop.
Revisions
Rusty Robot revised this gist
Nov 18, 2020. 1 changed file with 32 additions and 39 deletions.
@@ -19,60 +19,53 @@ openssl x509 -in foobar.crt -subject -serial -noout | awk -F= '{print $NF}' foobar BigTime CA XXXXXXXXXXXXXXXXXXXXXXXXXXX ``` ## Verify Certificates ( by file ) ##### Help `man verify` ##### Set path to certs to trust `export CERTS=/Users/{path_to_your_certs}` ##### Verify leaf - OK `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem -untrusted ${CERTS}/local_intca_2023.pem ${CERTS}/local_leaf.pem ` ##### Verify leaf - failed, as wrong Int CA `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem -untrusted ${CERTS}/httpbin-org-IntCA.pem ${CERTS}/local_leaf.pem` ##### Verify Intermediate CA - OK `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem ${CERTS}/local_intca_2023.pem` ##### Verify Intermediate CA ( with -no-CApath ) - OK `openssl verify -no-CApath -CAfile ${CERTS}/local_rootca_2025.pem ${CERTS}/local_intca_2023.pem` ##### Verify Intermediate CA - failed, as Int CA not signed by Root CA `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem ${CERTS}/httpbin-org-IntCA.pem` ## Verify Certificates ( by folder ) ##### Set path to certs to folder of Certificates `export CERTS=/Users/{path_to_your_certs}` ##### c_rehash > rehash scans directories and calculates a hash value of each ".pem", ".crt", ".cer", or ".crl" file in the specified directory list and creates symbolic links > for each file ##### Use c_rehash before -CAPath `~/openssl/bin/c_rehash ${CERTS}` ##### Verify leaf_cert ( Root CA and IntCA inside ${CERTS} ) `openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem` ##### Verify multiple untrusted `openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem ${UNTRUSTED}/httpbin_org_leaf.pem ` ##### Verify failure ( missing Int CA, unable to get local issuer certificate, error 20 ) `openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem` ##### Verify failure ( missing Root CA, error 2 at 1 depth lookup: unable to get issuer certificat ) `openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem` ##### Partial Chain 
flag > -partial_chain > Allow verification to succeed even if a complete chain cannot be built to a > self-signed trust-anchor, provided it is possible to construct a chain to a > trusted certificate that might not be self-signed. ##### Verify OK with Int CA and missing Root CA, due to Partial flag `openssl verify -partial_chain -CApath ${CERTS} httpbin-org-leaf.pem` ##### Verify failed ( with Root CA but missing Int CA ) `openssl verify -partial_chain -CApath ${CERTS} httpbin-org-leaf.pem` ## Generate RSA Private Key and Certificate ##### Generate RSA Private Key and Certificate ( with Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` -
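Review bot: the two "Verify failure" commands under "Verify Certificates ( by folder )" and the two -partial_chain commands are identical to their successful counterparts (`openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem` and `openssl verify -partial_chain -CApath ${CERTS} httpbin-org-leaf.pem`), so the outcome depends entirely on what currently sits in ${CERTS}, which only the headings hint at; bring back the `// Only Root CA inside of directory ${CERTS}` style comments the Nov 6 revision had, or state the directory contents in each heading. Two smaller points: ${UNTRUSTED} is used throughout but never set (only `export CERTS=...` is shown), and "unable to get issuer certificat" is missing its final "e". One sentence worth adding next to the man-page quote: with -partial_chain every certificate in the -CApath directory, self-signed or not, becomes a trust anchor, so that folder has to be treated as a trust store rather than a scratch directory.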
Rusty Robot revised this gist
Nov 6, 2020. 1 changed file with 2 additions and 2 deletions.
@@ -47,8 +47,8 @@ error: verification failed ##### Use c_rehash before -CAPath ``` // Calls c_rehash. Auto deletes and re-adds the hash values. ${HOME}/openssl/bin/c_rehash ${CERTS} ``` ##### Verify leaf_cert ``` -
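Review bot: the comment `// Calls c_rehash. Auto deletes and re-adds the hash values.` uses C-style `//` inside a shell block, so pasting the block as-is makes the shell look for a command named `//`; use `#` for comments in these fenced commands. The command line itself now correctly reads `${HOME}/openssl/bin/c_rehash ${CERTS}`, but that is a non-standard install path; with a stock OpenSSL 1.1 or later, `openssl rehash ${CERTS}` does the same job without depending on a home-directory build.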
Rusty Robot revised this gist
Nov 6, 2020. 1 changed file with 32 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -40,7 +40,39 @@ error 20 at 0 depth lookup: unable to get local issuer certificate error: verification failed ``` ## Verify Certificates ( advanced ) ##### c_rehash > rehash scans directories and calculates a hash value of each ".pem", ".crt", ".cer", or ".crl" file in the specified directory list and creates symbolic links > for each file ##### Use c_rehash before -CAPath ``` // creates symbolic links for each cert file, where the name of the link is the hash value. ${CERTS}${HOME}/openssl/bin/c_rehash ${CERTS} ``` ##### Verify leaf_cert ``` // Root CA and IntCA inside of directory ${CERTS} openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem ``` ##### Verify multiple untrusted ``` openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem ${UNTRUSTED}/httpbin_org_leaf.pem local_leaf.pem: OK /httpbin_org_leaf.pem: OK ``` ##### Verify failure ( missing Int CA ) ``` // Only Root CA inside of directory ${CERTS} openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem error 20 at 0 depth lookup: unable to get local issuer certificate ``` ##### Verify failure ( missing Root CA ) ``` // Only Int CA inside of directory ${CERTS} ▶ openssl verify -CApath ${CERTS} ${UNTRUSTED}/local_leaf.pem error 2 at 1 depth lookup: unable to get issuer certificate ``` ## Generate RSA Private Key and Certificate ##### Generate RSA Private Key and Certificate ( with Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` -
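Review bot: the c_rehash line `${CERTS}${HOME}/openssl/bin/c_rehash ${CERTS}` has a stray `${CERTS}` glued to the front of the path, so it expands to a non-existent binary and the directory is never hashed; drop the prefix so it reads `${HOME}/openssl/bin/c_rehash ${CERTS}`. The blocks also mix transcript decoration into runnable text: the `▶` prompt on the last verify command and the `//` comments both fail if copied into a shell, and the multiple-untrusted output shows `local_leaf.pem: OK` next to `/httpbin_org_leaf.pem: OK`, a leading slash that suggests the second path was mangled when the output was pasted.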
Rusty Robot revised this gist
Nov 6, 2020. 1 changed file with 22 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -19,6 +19,28 @@ openssl x509 -in foobar.crt -subject -serial -noout | awk -F= '{print $NF}' foobar BigTime CA XXXXXXXXXXXXXXXXXXXXXXXXXXX ``` ## Verify Certificates ##### Help `man verify` ##### Set path to certs to trust `export CERTS=/Users/{path_to_your_certs}` ##### Verify leaf `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem -untrusted ${CERTS}/local_intca_2023.pem ${CERTS}/local_leaf.pem ` ##### Verify leaf ( failure, as wrong Int CA ) `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem -untrusted ${CERTS}/httpbin-org-IntCA.pem ${CERTS}/local_leaf.pem` ##### Verify Intermediate CA `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem ${CERTS}/local_intca_2023.pem` ##### Verify Intermediate CA ( with -no-CApath ) `openssl verify -no-CApath -CAfile ${CERTS}/local_rootca_2025.pem ${CERTS}/local_intca_2023.pem` ##### Verify Intermediate CA ( failure, as wrong Int CA ) ``` openssl verify -CAfile ${CERTS}/local_rootca_2025.pem ${CERTS}/httpbin-org-IntCA.pem error 20 at 0 depth lookup: unable to get local issuer certificate error: verification failed ``` ## Generate RSA Private Key and Certificate ##### Generate RSA Private Key and Certificate ( with Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` -
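Review bot: the heading `Verify Intermediate CA ( failure, as wrong Int CA )` misstates the cause; `openssl verify -CAfile ${CERTS}/local_rootca_2025.pem ${CERTS}/httpbin-org-IntCA.pem` fails with error 20 because httpbin's intermediate was not issued by the local root, which is what the Nov 18 wording "Int CA not signed by Root CA" says correctly. The `Verify leaf ( failure, as wrong Int CA )` entry would benefit from showing its error output the way the last block does, so the reader can see at which depth the chain breaks. `man verify` depends on how the OpenSSL man pages were installed; `openssl verify -help` works on every build.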
Rusty Robot revised this gist
Sep 23, 2020. 1 changed file with 5 additions and 6 deletions.
@@ -1,13 +1,12 @@ # OpenSSL Playground ## Certificates ##### Print Certificate ( crt file ) `openssl x509 -in stackexchangecom.crt -text -noout` ##### Print Certificate ( pem file ) `openssl x509 -in cert.pem -text -noout` ##### Print Certificate ( cer file ) `openssl x509 -inform der -in foobar.cer -noout -text` ##### Read part of Certificate ``` openssl x509 -in foobar.crt -subject -serial -noout -
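Review bot: `openssl x509 -inform der -in foobar.cer -noout -text` assumes the .cer file is DER-encoded, but the .cer extension is used for both DER and PEM exports; if the command fails with an ASN.1 decoding error the file is PEM and `-inform der` has to be dropped. Title the entry "Print Certificate ( DER-encoded cer file )" so the assumption is explicit. This revision also switches the crt and pem examples from fenced blocks to inline backticks while "Read part of Certificate" keeps a block; pick one style for single-line commands.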
Rusty Robot revised this gist
Sep 16, 2020. 1 changed file with 29 additions and 43 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,14 @@ # OpenSSL Playground ## Certificates ##### Print Certificate ( crt file ) ``` openssl x509 -in stackexchangecom.crt -text -noout ``` ##### Print Certificate ( pem file ) ``` openssl x509 -in cert.pem -text -noout ``` ##### Read part of Certificate ``` openssl x509 -in foobar.crt -subject -serial -noout subject=C = BM, O = foobar Limited, CN = foobar BigTime CA 
@@ -12,28 +20,34 @@ openssl x509 -in foobar.crt -subject -serial -noout | awk -F= '{print $NF}' foobar BigTime CA XXXXXXXXXXXXXXXXXXXXXXXXXXX ``` ## Generate RSA Private Key and Certificate ##### Generate RSA Private Key and Certificate ( with Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` ##### Generate RSA Private Key and Certificate ( without Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 365` ##### Create Certificate with existing Private Key `openssl req -key priv_1024.pem -new -x509 -days 365 -out domain.crt` ##### Extract Public Key from Cert as PEM file `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` ##### Strip the Generic Header and Footer ``` awk '{if (NR!=9 && NR!=1) {print}}' pubkey.pem MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0YDzscT5i6T2FaRsTGN CiLB8OtPXu8N9iAyuaROh/nS0kRRsN8wUMk1TmgZhPuYM6oFS377V8W2LqhLBMrP Xi7lnhvKt2DFWCyw38RrDbEsM5dzVGErmhux3F0QqcTI92zjVW61DmE7NSQLiR4y onVpTpdAaO4jSPJxn8d+4p1sIlU2JGSk8LZSWFqaROc7KtXtlWP4HahNRZtdwvL5 dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1CWFjKWJNMAI6ZBAt lbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8Gd3MeTWojBthM10S LwIDAQAB ``` ##### Extract Public Key from Cert in Hex format ``` openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus=// AF4603CEC713E62E93D85691B1318D0A22C1F0EB4F5EEF0DF62032B9A44E87F9D2D24451B0DF3050C9354E681984FB9833AA054B7EFB57C5B62EA84B04CACF5E2EE59E1BCAB760C5582CB0DFC46B0DB12C33977354612B9A1BB1DC5D10A9C4C8F76CE3556EB50E613B35240B891E32A275694E974068EE2348F2719FC77EE29D6C2255362464A4F0B652585A9A44E73B2AD5ED9563F81DA84D459B5DC2F2F974810618D5B1FBB07E5D501F635CA073F522B2576403E6B70F6FB7580B57805651659FF509616329624D30023A64102D95B812360458C5D71D95E2213CB0B39335B2B1F96D7E2066B26833E950A8151E0A809A3C19DDCC7935A88C1B61335D122F ``` ##### Print public key ``` openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout 
@@ -59,24 +73,6 @@ Modulus: 12:2f Exponent: 65537 (0x10001) ``` ## RSA ##### Encrypt ``` @@ -138,16 +134,6 @@ openssl ec -inform PEM -pubin -in pubkey.pem -text -noout openssl rsa -inform PEM -in private.pem -text -noout openssl rsa -in private.pem -pubout -out pubkey.pem ``` ## Helpers -
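Review bot: `awk '{if (NR!=9 && NR!=1) {print}}' pubkey.pem` strips the PEM header and footer by hard-coded line numbers, which only holds for a 2048-bit RSA public key that happens to span exactly nine lines; a 4096-bit or EC key silently leaves the footer in the output. `sed '1d;$d' pubkey.pem` or `grep -v -- '-----' pubkey.pem` does the same job for any key size. The heading "Extract Public Key from Cert in Hex format" also oversells `openssl x509 -modulus -noout ... | sed s/Modulus=//`: that prints only the modulus, not the exponent shown in the `-text` output (65537), so it is not the full public key and cannot be hashed to compare against an SPKI fingerprint or pin.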
Rusty Robot revised this gist
Sep 16, 2020. 1 changed file with 78 additions and 63 deletions.
@@ -1,4 +1,82 @@ # OpenSSL Playground ## Certificates ##### Read parts of Certificate ``` openssl x509 -in foobar.crt -subject -serial -noout subject=C = BM, O = foobar Limited, CN = foobar BigTime CA serial=XXXXXXXXXXXXXXXXXXXXXXXXXXX ``` ##### Print Common Name and Serial Number ``` openssl x509 -in foobar.crt -subject -serial -noout | awk -F= '{print $NF}' foobar BigTime CA XXXXXXXXXXXXXXXXXXXXXXXXXXX ``` ##### Print Certificate ( crt file ) ``` openssl x509 -in stackexchangecom.crt -text -noout ``` ##### Print Certificate ( pem file ) ``` openssl x509 -in cert.pem -text -noout ``` ##### Generate RSA Private Key and Certificate ( with Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` ##### Generate RSA Private Key and Certificate ( without Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 365` ##### Create Certificate with existing Private Key `openssl req -key priv_1024.pem -new -x509 -days 365 -out domain.crt` ##### Extract Public Key from Cert as PEM file `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` ##### Print public key only ``` openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout Public-Key: (2048 bit) Modulus: 00:af:46:03:ce:c7:13:e6:2e:93:d8:56:91:b1:31: 8d:0a:22:c1:f0:eb:4f:5e:ef:0d:f6:20:32:b9:a4: 4e:87:f9:d2:d2:44:51:b0:df:30:50:c9:35:4e:68: 19:84:fb:98:33:aa:05:4b:7e:fb:57:c5:b6:2e:a8: 4b:04:ca:cf:5e:2e:e5:9e:1b:ca:b7:60:c5:58:2c: b0:df:c4:6b:0d:b1:2c:33:97:73:54:61:2b:9a:1b: b1:dc:5d:10:a9:c4:c8:f7:6c:e3:55:6e:b5:0e:61: 3b:35:24:0b:89:1e:32:a2:75:69:4e:97:40:68:ee: 23:48:f2:71:9f:c7:7e:e2:9d:6c:22:55:36:24:64: a4:f0:b6:52:58:5a:9a:44:e7:3b:2a:d5:ed:95:63: f8:1d:a8:4d:45:9b:5d:c2:f2:f9:74:81:06:18:d5: b1:fb:b0:7e:5d:50:1f:63:5c:a0:73:f5:22:b2:57: 64:03:e6:b7:0f:6f:b7:58:0b:57:80:56:51:65:9f: f5:09:61:63:29:62:4d:30:02:3a:64:10:2d:95:b8: 12:36:04:58:c5:d7:1d:95:e2:21:3c:b0:b3:93:35: 
b2:b1:f9:6d:7e:20:66:b2:68:33:e9:50:a8:15:1e: 0a:80:9a:3c:19:dd:cc:79:35:a8:8c:1b:61:33:5d: 12:2f Exponent: 65537 (0x10001) ``` ##### Strip the Generic Header and Footer ``` awk '{if (NR!=9 && NR!=1) {print}}' pubkey.pem MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0YDzscT5i6T2FaRsTGN CiLB8OtPXu8N9iAyuaROh/nS0kRRsN8wUMk1TmgZhPuYM6oFS377V8W2LqhLBMrP Xi7lnhvKt2DFWCyw38RrDbEsM5dzVGErmhux3F0QqcTI92zjVW61DmE7NSQLiR4y onVpTpdAaO4jSPJxn8d+4p1sIlU2JGSk8LZSWFqaROc7KtXtlWP4HahNRZtdwvL5 dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1CWFjKWJNMAI6ZBAt lbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8Gd3MeTWojBthM10S LwIDAQAB ``` ##### Extract Public Key from Cert in Hex format ``` openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus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``` ## RSA ##### Encrypt ``` @@ -70,70 +148,7 @@ openssl x509 -in stackexchangecom.crt -text -noout ##### without Private Key encryption `openssl req -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 365` ## Helpers ##### Convert hex to binary -
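Review bot: `openssl x509 -in foobar.crt -subject -serial -noout | awk -F= '{print $NF}'` prints the Common Name only because CN happens to be the last RDN in `subject=C = BM, O = foobar Limited, CN = foobar BigTime CA`; a certificate whose subject ends in another attribute, or whose CN contains an `=`, prints the wrong value, and the same awk prints the serial correctly only because that line has a single `=`. A more robust form is `openssl x509 -noout -subject -nameopt multiline`, which puts each attribute on its own `commonName = ...` line that can be matched by name rather than by position.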
Rusty Robot revised this gist
Sep 8, 2020. 1 changed file with 53 additions and 29 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,41 +1,39 @@ # OpenSSL Playground ## RSA ##### Encrypt ``` echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem >message.bin // The standard defines random padding with each encrypt API call // https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding // It is always padded to 256 characters, with 2048 key ``` ##### Read ciphertext as Hex ``` xxd -ps -l 256 message.bin ``` ##### Decrypt from binary ciphertext ``` openssl rsautl -decrypt -in message.bin -inkey private_key.pem -oaep ``` ##### Decrypt and put plaintext in file ``` openssl rsautl -decrypt -in message.bin -inkey private.pem -oaep > plaintext.txt ``` ## AES ##### Encrypt ``` echo "foobar" | openssl enc -aes-256-cbc -base64 -pbkdf2 enter aes-256-cbc encryption password:alice Verifying - enter aes-256-cbc encryption password:alice U2FsdGVkX1/BRGpxGcBRBc/e9C6irJI53bh90HoLzP4= ``` ##### Decrypt (AES) ``` echo "U2FsdGVkX1/BRGpxGcBRBc/e9C6irJI53bh90HoLzP4=" | openssl enc -base64 -d | openssl enc -aes-256-cbc -d -pbkdf2 enter aes-256-cbc decryption password:alice // foobar ``` ## Key Pairs ``` 
@@ -66,22 +64,32 @@ openssl rsa -in private.pem -pubout -out pubkey.pem ``` openssl x509 -in stackexchangecom.crt -text -noout ``` ## Generate RSA Private Key and Cert ##### with Private Key encryption `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` ##### without Private Key encryption `openssl req -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 365` ## Certificates ##### Generate RSA Private Key and Certificate ( with Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` ##### Generate RSA Private Key and Certificate ( without Private Key encryption ) `openssl req -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 365` ##### Print Certificate ( crt file ) ``` openssl x509 -in stackexchangecom.crt -text -noout ``` ##### Print Certificate ( pem file ) ``` openssl x509 -in cert.pem -text -noout ``` ##### Create Certificate with existing Private Key `openssl req -key priv_1024.pem -new -x509 -days 365 -out domain.crt` ##### Extract Public Key from Cert as PEM file `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` ##### Print public key only ``` openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout 
@@ -126,6 +134,22 @@ openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus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``` ## Helpers ##### Convert hex to binary `xxd -r -p message.hex message.bin` ##### Convert hex -> base64 -> binary `cat enc_message.hex | base64 --decode > enc_message.bin` ##### Convert binary -> base64 encoded data `openssl base64 -in message.bin -out b64message.txt` ##### Verify downloaded file ``` ➜ openssl dgst -sha256 openssl-1.1.1.tar.gz SHA256(openssl-1.1.1.tar.gz)= 2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d ➜ cat openssl-1.1.1.tar.gz.sha256 2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d ``` ## Nginx Self-Signed Cert Nginx needed the `Leaf's Private Key` the `Leaf's Certificate` or a `certificate chain`. -
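Review bot: the RSA examples change key file names mid-flow: encryption uses public_key.pem, the first decrypt uses private_key.pem and the second uses private.pem, so a reader following the steps with the pair produced under "Key Pairs" (private.pem / public.pem) hits a missing-file error; settle on one pair of names. `openssl rsautl` is deprecated from OpenSSL 3.0 in favour of `openssl pkeyutl`, where the same OAEP encrypt is `openssl pkeyutl -encrypt -pubin -inkey public.pem -pkeyopt rsa_padding_mode:oaep`; a one-line note keeps the section usable on current builds. In the AES block the base64 line `U2FsdGVkX1/...` is a one-off: `openssl enc` picks a random salt each run, so the reader's output will differ and the block should say so rather than look like an expected value.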
Rusty Robot revised this gist
Mar 18, 2020. 1 changed file with 20 additions and 14 deletions.
@@ -127,30 +127,36 @@ openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus=// AF4603CEC713E62E93D85691B1318D0A22C1F0EB4F5EEF0DF62032B9A44E87F9D2D24451B0DF3050C9354E681984FB9833AA054B7EFB57C5B62EA84B04CACF5E2EE59E1BCAB760C5582CB0DFC46B0DB12C33977354612B9A1BB1DC5D10A9C4C8F76CE3556EB50E613B35240B891E32A275694E974068EE2348F2719FC77EE29D6C2255362464A4F0B652585A9A44E73B2AD5ED9563F81DA84D459B5DC2F2F974810618D5B1FBB07E5D501F635CA073F522B2576403E6B70F6FB7580B57805651659FF509616329624D30023A64102D95B812360458C5D71D95E2213CB0B39335B2B1F96D7E2066B26833E950A8151E0A809A3C19DDCC7935A88C1B61335D122F ``` ## Nginx Self-Signed Cert Nginx needed the `Leaf's Private Key` the `Leaf's Certificate` or a `certificate chain`. Whichever choice, I always found PEM files worked better with OpenSSL. ``` QUICK KeyChain on macOS Right-click on Leaf cert Export the Certificate as a PEM file Verify you can read it: openssl x509 -noout -text -in eafCert.pem SLOW Export all Certs. cat leaf_cert.pem > cert_chain.pem cat int_ca_cert.pem >> cert_chain.pem cat root_ca_cert.pem >> cert_chain.pem ``` If you hit `Expecting: TRUSTED CERTIFICATE error`, check you actually `chained the Certificates` and NOT the `Public Keys`. Apply the new `Leaf Private Key` and `Certificate Chain`: ``` sudo nginx -s stop sudo nginx ``` This all worked fine with `Firefox` and `Safari` on macOS. But `Chrome` gave: `Error: "Subject Alternative Name Missing"`. Despite having a `trusted` Cert Chain (`Root CA`, `Int CA`), Chrome stopped the page loading. To re-generate the files required by `Nginx`, I used the same `Root CA`, `Int CA` and focused on a new `leaf` that had a `Subject Alternative Name`. I used `Keychain`. See the picture below. ##### Reference https://rietta.com/blog/2012/01/27/openssl-generating-rsa-key-from-command/ -
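Review bot: `openssl x509 -noout -text -in eafCert.pem` in the QUICK block looks like a dropped letter (the surrounding text calls it the leaf cert), so the verification step as written fails with a no-such-file error. The SLOW chain built by `cat leaf_cert.pem > cert_chain.pem`, `cat int_ca_cert.pem >> cert_chain.pem`, `cat root_ca_cert.pem >> cert_chain.pem` has the right order (leaf first, then issuers), but the root does not belong in the served chain: a client must already hold it in its trust store to trust anything, so sending it only adds bytes to every handshake; end the chain at the intermediate. "See the picture below" points at an image that is not part of the gist file, so the one step that fixed the Chrome error is undocumented here; state in text what the new leaf needed (a Subject Alternative Name matching the hostname).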
Rusty Robot revised this gist
Jul 4, 2019. 2 changed files with 42 additions and 6 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,5 @@ # OpenSSL Playground ##### Verify downloaded file ``` ➜ openssl dgst -sha256 openssl-1.1.1.tar.gz SHA256(openssl-1.1.1.tar.gz)= 2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d @@ -21,7 +21,6 @@ xxd -ps -l 256 message.bin ##### Decrypt with RSA Private Key, from binary ciphertext ``` openssl rsautl -decrypt -in enc_message.bin -inkey private_key.pem -oaep openssl rsautl -decrypt -in enc_message.bin -inkey private.pem -oaep > plaintext.txt ``` ##### Decrypt with DES @@ -36,15 +35,29 @@ xxd -r -p hex.message.enc enc_message.bin ##### Base64 operations ``` cat enc_message.hex | base64 --decode > enc_message.bin openssl base64 -in key_pt.bin -out key_b64_pt.txt ``` ## Key Pairs ``` openssl genrsa -out private.pem 2048 // add the -des3 flag to encrypt Private Key openssl rsa -in private.pem -outform PEM -pubout -out public.pem // extract pub key ``` ##### Convert private key file to PEM file ``` openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem // you will be prompted for password ``` ##### Print EC private key & extract public key ``` openssl ec -inform PEM -in private.pem -text -noout openssl ec -in private.pem -pubout -out pubkey.pem ``` ##### Read EC public key ``` cat pubkey.pem openssl ec -inform PEM -pubin -in pubkey.pem -text -noout ``` ##### Print RSA private key & extract public key ``` openssl rsa -inform PEM -in private.pem -text -noout openssl rsa -in private.pem -pubout -out pubkey.pem 
@@ -53,7 +66,6 @@ openssl rsa -in private.pem -pubout -out pubkey.pem ``` openssl x509 -in stackexchangecom.crt -text -noout ``` ## Certificates Downloaded the leaf certificate from Stackoverflow.com. ##### Print the entire certificate @@ -114,7 +126,31 @@ openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus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``` ## Nginx Self-Signed Cert In my Nginx `reverse proxy` I had the following `Certificate Chain` setup and working. ``` server { listen 443 ssl; server_name rustymachine.local; ssl_certificate /rustymachine/Certificates/nginx/cert_chain.pem; ssl_certificate_key /rustymachine/Certificates/nginx/rustymachine.local.priv.pem; ``` It worked fine with `Firefox` and `Safari` on macOS. But `Chrome` gave: `Error: "Subject Alternative Name Missing"`. Despite having a `trusted` Cert Chain (`Root CA`, `Int CA`), Chrome stopped the page loading. To re-generate the files required by `Nginx`, I used the same `Root CA`, `Int CA` and focused on a new `leaf` that had a `Subject Alternative Name`. I used `Keychain`. See the picture below. Once you exported the Private Key, I then created a `certificate chain`. ``` cat leaf_cert.pem > cert_chain.pem cat int_ca_cert.pem >> cert_chain.pem cat root_ca_cert.pem >> cert_chain.pem ``` A quick stop and start of nginx would apply the new Private Key and Certificate Chain. ``` sudo nginx -s stop sudo nginx ``` ##### Reference https://rietta.com/blog/2012/01/27/openssl-generating-rsa-key-from-command/ LoadingSorry, something went wrong. Reload?Sorry, we cannot display this file.Sorry, this file is invalid so it cannot be displayed. -
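Review bot: `openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem` writes the private key to disk unencrypted (`-nodes`), so the comment should say that alongside the password prompt and the block should follow up with `chmod 600 mycaservercertkey.pem`; likewise `openssl genrsa -out private.pem 2048` produces a plaintext key, and the `-des3` suggested for encrypting it is a legacy cipher, `-aes256` is the current option. The trailing `// ...` comments on the same line as the commands are passed to openssl as extra arguments and make the line fail, so they need to move to their own `#` lines. The nginx snippet is cut off before the closing `}` of the `server` block; either close it or mark it as an excerpt.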
Rusty Robot renamed this gist
Jul 4, 2019. 1 changed file with 25 additions and 4 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,12 @@ # OpenSSL Playground ##### Verify download ``` ➜ openssl dgst -sha256 openssl-1.1.1.tar.gz SHA256(openssl-1.1.1.tar.gz)= 2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d ➜ cat openssl-1.1.1.tar.gz.sha256 2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d ``` ##### RSA Public Key pad and encrypt ``` echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem >message.bin @@ -14,20 +21,34 @@ xxd -ps -l 256 message.bin ##### Decrypt with RSA Private Key, from binary ciphertext ``` openssl rsautl -decrypt -in enc_message.bin -inkey private_key.pem -oaep openssl rsautl -decrypt -in enc_message.bin -inkey private.pem -oaep > plaintext.txt ``` ##### Decrypt with DES ``` echo U2FsdGVkX18ztmw81FTK/c+jAf8xtcZdIpesuV2PLDM= | openssl enc -base64 -d | openssl des -d // `pass` when prompted ``` ##### Convert from ciphertext from hex to ciphertext ``` xxd -r -p hex.message.enc enc_message.bin ``` ##### Base64 operations ``` cat enc_message.hex | base64 --decode > enc_message.bin openssl base64 -in key_pt.bin -out key_b64_pt.txt ``` ## Generating a Key Pair ``` openssl genrsa -out private.pem 2048 // add the -des3 flag to encrypt Private Key openssl rsa -in private.pem -outform PEM -pubout -out public.pem // extract pub key ``` ##### Print private key & extract public key ``` openssl rsa -inform PEM -in private.pem -text -noout openssl rsa -in private.pem -pubout -out pubkey.pem ``` ##### Print the entire certificate ``` openssl x509 -in stackexchangecom.crt -text -noout -
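Review bot: the "Decrypt with DES" entry `... | openssl enc -base64 -d | openssl des -d` is single DES with OpenSSL's legacy password-to-key derivation (no `-pbkdf2`); it is only useful for decoding data that was already produced that way and should be labelled legacy so nobody copies it for new data, where `openssl enc -aes-256-cbc -pbkdf2` is the right pattern. "Verify download" compares `openssl dgst -sha256 openssl-1.1.1.tar.gz` against `cat openssl-1.1.1.tar.gz.sha256` by eye; a string comparison such as `[ "$(openssl dgst -sha256 -r openssl-1.1.1.tar.gz | cut -d' ' -f1)" = "$(cat openssl-1.1.1.tar.gz.sha256)" ]` cannot let a transposed character slip past, and it is worth a sentence that a .sha256 fetched from the same place as the tarball detects corruption, not tampering; the release signature is what authenticates the download.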
9006113 revised this gist
Jan 31, 2019. 1 changed file with 18 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,5 @@ # OpenSSL RSA Key playground ## RSA Public Key pad and encrypt ``` echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem >message.bin @@ -23,8 +23,18 @@ xxd -r -p hex.message.enc enc_message.bin ``` cat enc_message.hex | base64 --decode > enc_message.bin ``` ## Generating a Key Pair ``` openssl genrsa -out private.pem 2048 // add the -des3 flag to encrypt Private Key openssl rsa -in private.pem -outform PEM -pubout -out public.pem // extract pub key ``` ##### Print the entire certificate ``` openssl x509 -in stackexchangecom.crt -text -noout ``` ## Certificates Downloaded the leaf certificate from Stackoverflow.com. ##### Print the entire certificate ``` openssl x509 -in stackexchangecom.crt -text -noout @@ -85,6 +95,11 @@ AF4603CEC713E62E93D85691B1318D0A22C1F0EB4F5EEF0DF62032B9A44E87F9D2D24451B0DF3050 ``` ##### Reference https://rietta.com/blog/2012/01/27/openssl-generating-rsa-key-from-command/ https://www.guyrutenberg.com/2009/01/01/extract-public-key-from-x509-certificate-as-hex/ https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs https://crypto.stackexchange.com/questions/42097/what-is-the-maximum-size-of-the-plaintext-message-for-rsa-oaep -
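Review bot: the hunk at @@ -23,8 +23,18 @@ adds a "Print the entire certificate" block under "Generating a Key Pair" and the identical block follows immediately under "## Certificates", so `openssl x509 -in stackexchangecom.crt -text -noout` now appears twice back to back; drop the first copy. In the key-pair block, `openssl rsa -in private.pem -outform PEM -pubout -out public.pem // extract pub key` passes `//`, `extract`, `pub` and `key` to openssl as arguments and the command errors out, so the comments have to go on their own lines with `#`.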
rusty_magneto revised this gist
Aug 28, 2018. 1 changed file with 6 additions and 2 deletions.
@@ -1,11 +1,15 @@ # OpenSSL RSA Key playground ##### Encrypt with RSA Public Key ``` echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem >message.bin // It is always padded to 256 characters, with an 2048 key // The standard defines random padding with each encrypt API call // https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding ``` ##### Read ciphertext as Hex chars ``` xxd -ps -l 256 message.bin ``` ##### Decrypt with RSA Private Key, from binary ciphertext ``` -
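Review bot: `// It is always padded to 256 characters, with an 2048 key` should read 256 bytes (and "a 2048-bit key"): a 2048-bit modulus yields a 256-byte ciphertext whatever the plaintext length, and the `xxd -ps -l 256 message.bin` that follows is counting bytes. The OAEP link is useful, but the fact a reader needs next to the encrypt command is the plaintext limit it implies: with a 2048-bit key and the SHA-1 OAEP that `rsautl -oaep` uses, the message can be at most 214 bytes (256 - 2*20 - 2), which is why `'Hi Alice!'` works and a whole file would not; the crypto.stackexchange reference already in the gist covers exactly this point.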
rusty_magneto revised this gist
Aug 28, 2018. 1 changed file with 8 additions and 8 deletions.
@@ -5,16 +5,19 @@ echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem >m ``` ##### Read ciphertext as Hex chars ``` xxd -ps -l 256 message.encrypted // this depends on your keylength. I was using 2048. ``` ##### Decrypt with RSA Private Key, from binary ciphertext ``` openssl rsautl -decrypt -in enc_message.bin -inkey private_key.pem -oaep ``` ##### Decrypt with RSA Private Key, from hex ciphertext ``` xxd -r -p hex.message.enc enc_message.bin ``` ##### Base64 Decode to binary encrypted message ``` cat enc_message.hex | base64 --decode > enc_message.bin ``` ##### Get certificate I downloaded the leaf certificate from Stackoverflow.com. @@ -25,10 +28,7 @@ openssl x509 -in stackexchangecom.crt -text -noout ##### Create own cert from Private key Use own private key to generate a self-signed certificate with it. This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key): ``` openssl req -key priv_1024.pem -new -x509 -days 365 -out domain.crt ``` ##### Extract Public Key from Cert as PEM file -
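Review bot: the block under "Decrypt with RSA Private Key, from hex ciphertext" now holds only `xxd -r -p hex.message.enc enc_message.bin`, which converts hex to binary and decrypts nothing; either keep the `openssl rsautl -decrypt ...` line the previous revision had there or rename the heading to "Convert hex ciphertext to binary". In "Create own cert from Private key" the prose still says the certificate is built "from an existing private key (domain.key)" while the command now reads `openssl req -key priv_1024.pem ...`; update the text, and treat the 1024 in the name as a flag in itself: 1024-bit RSA is below the accepted minimum, so the key should be generated at 2048 bits as the later `openssl genrsa -out private.pem 2048` line does.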
rusty_magneto revised this gist
Aug 24, 2018. 1 changed file with 23 additions and 18 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,36 +1,41 @@ # OpenSSL RSA Key playground ##### Encrypt with RSA Public Key ``` echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem >message.encrypted ``` ##### Read ciphertext as Hex chars ``` $ xxd -ps -l 256 message.encrypted // this depends on your keylength. I was using 2048. ``` ##### Decrypt with RSA Private Key, from binary ciphertext ``` openssl rsautl -decrypt -in message.encrypted -inkey private_key.pem -oaep ``` ##### Decrypt with RSA Private Key, from hex ciphertext ``` => xxd -r -p hex.message.enc bin.message.enc => openssl rsautl -decrypt -in bin.message.enc -inkey private_key.pem -oaep ``` ##### Get certificate I downloaded the leaf certificate from Stackoverflow.com. ##### Print the entire certificate ``` openssl x509 -in stackexchangecom.crt -text -noout ``` ##### Create own cert from Private key Use own private key to generate a self-signed certificate with it. This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key): ``` openssl req \ -key domain.key \ -new \ -x509 -days 365 -out domain.crt ``` ##### Extract Public Key from Cert as PEM file ``` openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem ``` ##### Print public key only ``` openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout @@ -56,7 +61,7 @@ Modulus: 12:2f Exponent: 65537 (0x10001) ``` ##### Strip the Generic Header and Footer ``` awk '{if (NR!=9 && NR!=1) {print}}' pubkey.pem 
@@ -68,14 +73,14 @@ dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1CWFjKWJNMAI6ZBAt lbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8Gd3MeTWojBthM10S LwIDAQAB ``` ##### Extract Public Key from Cert in Hex format ``` openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus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``` ##### Reference https://www.guyrutenberg.com/2009/01/01/extract-public-key-from-x509-certificate-as-hex/ https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs https://crypto.stackexchange.com/questions/42097/what-is-the-maximum-size-of-the-plaintext-message-for-rsa-oaep -
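Review bot: the "Decrypt with RSA Private Key, from hex ciphertext" block in the first hunk (@@ -1,36 +1,41 @@) still carries `=>` in front of both commands, and the xxd command two blocks above it carries a `$`, while every other fenced command on the page has no prompt; the prompts break copy-and-paste, and converting these blocks to fences in this revision was the moment to drop them. Suggested lines: `xxd -r -p hex.message.enc bin.message.enc` and `openssl rsautl -decrypt -in bin.message.enc -inkey private_key.pem -oaep`.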
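Review bot: the third hunk (@@ -68,14 +73,14 @@) adds a crypto.stackexchange link about the maximum RSA-OAEP plaintext size to a Reference list of bare URLs, but the body never mentions that limit even though the encrypt example only ever sends a short 'Hi Alice!'; a one-line note next to the encrypt command saying that OAEP with a 2048-bit key fits only a short message, with this link as the citation, would stop a reader from trying to push a whole file through rsautl. Giving each reference a short title would also help, since the three URLs say nothing about which section they support.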
rusty_magneto revised this gist
Aug 24, 2018 . 1 changed file with 32 additions and 15 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,22 +1,39 @@ # OpenSSL RSA Key playground #### Encrypt with RSA Public Key `echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem >message.encrypted` #### Read ciphertext as Hex chars ``` $ xxd -ps -l 256 message.encrypted // this depends on your keylength. I was using 2048. ``` #### Decrypt with RSA Private Key, from binary cipher `openssl rsautl -decrypt -in message.encrypted -inkey private_key.pem -oaep` #### Decrypt with RSA Private Key, from hex ciphertext ``` => xxd -r -p hex.message.enc bin.message.enc => openssl rsautl -decrypt -in bin.message.enc -inkey private_key.pem -oaep ``` #### Get certificate I downloaded the leaf certificate from Stackoverflow.com. #### Print the entire certificate `openssl x509 -in stackexchangecom.crt -text -noout` #### Create own cert from Private key Use own private key to generate a self-signed certificate with it. This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key): ``` openssl req \ -key domain.key \ -new \ -x509 -days 365 -out domain.crt ``` #### Extract Public Key from Cert as PEM file ``` openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem ``` #### Print public key only ``` openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout Public-Key: (2048 bit) Modulus: 00:af:46:03:ce:c7:13:e6:2e:93:d8:56:91:b1:31: @@ -39,9 +56,9 @@ Modulus: 12:2f Exponent: 65537 (0x10001) ``` #### Strip the Generic Header and Footer ``` awk '{if (NR!=9 && NR!=1) {print}}' pubkey.pem MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0YDzscT5i6T2FaRsTGN CiLB8OtPXu8N9iAyuaROh/nS0kRRsN8wUMk1TmgZhPuYM6oFS377V8W2LqhLBMrP 
@@ -51,14 +68,14 @@ dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1CWFjKWJNMAI6ZBAt lbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8Gd3MeTWojBthM10S LwIDAQAB ``` #### Extract Public Key from Cert in Hex format ``` openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus=// AF4603CEC713E62E93D85691B1318D0A22C1F0EB4F5EEF0DF62032B9A44E87F9D2D24451B0DF3050C9354E681984FB9833AA054B7EFB57C5B62EA84B04CACF5E2EE59E1BCAB760C5582CB0DFC46B0DB12C33977354612B9A1BB1DC5D10A9C4C8F76CE3556EB50E613B35240B891E32A275694E974068EE2348F2719FC77EE29D6C2255362464A4F0B652585A9A44E73B2AD5ED9563F81DA84D459B5DC2F2F974810618D5B1FBB07E5D501F635CA073F522B2576403E6B70F6FB7580B57805651659FF509616329624D30023A64102D95B812360458C5D71D95E2213CB0B39335B2B1F96D7E2066B26833E950A8151E0A809A3C19DDCC7935A88C1B61335D122F ``` ### Reference https://www.guyrutenberg.com/2009/01/01/extract-public-key-from-x509-certificate-as-hex/ https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs https://crypto.stackexchange.com/questions/42097/what-is-the-maximum-size-of-the-plaintext-message-for-rsa-oaep -
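Review bot: in the first hunk (@@ -1,22 +1,39 @@) the encrypt example `echo 'Hi Alice!' | openssl rsautl -encrypt -pubin -oaep -inkey public_key.pem` feeds echo's trailing newline into the ciphertext, so the decrypted output is "Hi Alice!" plus a newline rather than the nine bytes the text implies; use `printf 'Hi Alice!'` (or `echo -n`) when the exact plaintext bytes matter. The comment "this depends on your keylength. I was using 2048" on `xxd -ps -l 256 message.encrypted` should say outright that 256 is the ciphertext length in bytes for a 2048-bit key, which is the fact the reader needs to adjust it.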
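Review bot: the third hunk (@@ -51,14 +68,14 @@) leaves the heading levels inconsistent: every section in this revision is now `####`, but "### Reference" sits one level higher, so Reference renders as a parent of the material above it; make it `#### Reference` to match.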
rusty_magneto revised this gist
Aug 24, 2018 . 1 changed file with 22 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,6 +3,15 @@ I downloaded the leaf certificate from Stackoverflow.com. ##### Print the entire certificate `openssl x509 -in stackexchangecom.crt -text -noout` ##### Create own cert from Private key Use own private key to generate a self-signed certificate with it. This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key): ``` openssl req \ -key domain.key \ -new \ -x509 -days 365 -out domain.crt ``` ##### Extract Public Key from Cert as PEM file `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` ##### Print public key only @@ -30,6 +39,18 @@ Modulus: 12:2f Exponent: 65537 (0x10001) ``` ##### Strip the Generic Header and Footer ``` `awk '{if (NR!=9 && NR!=1) {print}}' pubkey.pem` MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0YDzscT5i6T2FaRsTGN CiLB8OtPXu8N9iAyuaROh/nS0kRRsN8wUMk1TmgZhPuYM6oFS377V8W2LqhLBMrP Xi7lnhvKt2DFWCyw38RrDbEsM5dzVGErmhux3F0QqcTI92zjVW61DmE7NSQLiR4y onVpTpdAaO4jSPJxn8d+4p1sIlU2JGSk8LZSWFqaROc7KtXtlWP4HahNRZtdwvL5 dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1CWFjKWJNMAI6ZBAt lbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8Gd3MeTWojBthM10S LwIDAQAB ``` ##### Extract Public Key from Cert in Hex format `openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus=//` ``` @@ -40,3 +61,4 @@ AF4603CEC713E62E93D85691B1318D0A22C1F0EB4F5EEF0DF62032B9A44E87F9D2D24451B0DF3050 ##### Reference https://www.guyrutenberg.com/2009/01/01/extract-public-key-from-x509-certificate-as-hex/ https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs -
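Review bot: the first hunk (@@ -3,6 +3,15 @@) introduces domain.key and domain.crt in the self-signed certificate command, but no step on the page creates domain.key, and `openssl req -key domain.key -new -x509 -days 365 -out domain.crt` as written prompts interactively for the subject fields; add the key-generation step (or point at a key the page already has) and pass a subject such as `-subj '/CN=example'` (placeholder, to be replaced) so the example runs unattended.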
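Review bot: the "Strip the Generic Header and Footer" block in the second hunk (@@ -30,6 +39,18 @@) has two problems: the command is wrapped in backticks inside a fenced block, so the backticks render literally, and `awk '{if (NR!=9 && NR!=1) {print}}' pubkey.pem` hard-codes line 9 as the footer, which only holds for this 2048-bit key's nine-line PEM (one BEGIN line, seven base64 lines, one END line); a key of another size puts the END line elsewhere and the footer survives. Drop the inner backticks and filter on content instead, e.g. `grep -v -e '-----BEGIN' -e '-----END' pubkey.pem`.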
rusty_magneto revised this gist
Jul 6, 2018 . 2 changed files with 0 additions and 0 deletions.
File renamed without changes.
rusty_magneto revised this gist
Jul 6, 2018 . 1 changed file with 7 additions and 8 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,12 +1,10 @@ ## OpenSSL Public Key fun ##### Get certificate I downloaded the leaf certificate from Stackoverflow.com. ##### Print the entire certificate `openssl x509 -in stackexchangecom.crt -text -noout` ##### Extract Public Key from Cert as PEM file `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` ##### Print public key only `openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout` ``` @@ -32,10 +30,11 @@ Modulus: 12:2f Exponent: 65537 (0x10001) ``` ##### Extract Public Key from Cert in Hex format `openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus=//` ```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``` -
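Review bot: the two hunks (@@ -1,12 +1,10 @@ and @@ -32,10 +30,11 @@) reorder the sections but keep two input conventions side by side: the PEM and text commands use `-in stackexchangecom.crt`, while the hex-modulus command reads the same file via a stdin redirect (`< stackexchangecom.crt`); use `-in` in all of them so the reader does not wonder whether the difference matters. Two smaller points in the same hunks: `-inform PEM` on the `openssl rsa -pubin` command is the default and can go, and the sed expression should be quoted, `sed 's/Modulus=//'`, so the shell never touches it.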
rusty_magneto revised this gist
Jul 6, 2018 . 3 changed files with 43 additions and 11 deletions.
@@ -0,0 +1,43 @@ ## OpenSSL Public Key fun ##### Get certificate I downloaded the leaf certificate from Stackoverflow.com. ##### Extract Public Key from Cert as PEM file `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` ##### Extract Public Key from Cert in Hex format `openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus=//` ##### Print entire Cert `openssl x509 -in stackexchangecom.crt -text -noout` ##### Print public key only `openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout` ``` Public-Key: (2048 bit) Modulus: 00:af:46:03:ce:c7:13:e6:2e:93:d8:56:91:b1:31: 8d:0a:22:c1:f0:eb:4f:5e:ef:0d:f6:20:32:b9:a4: 4e:87:f9:d2:d2:44:51:b0:df:30:50:c9:35:4e:68: 19:84:fb:98:33:aa:05:4b:7e:fb:57:c5:b6:2e:a8: 4b:04:ca:cf:5e:2e:e5:9e:1b:ca:b7:60:c5:58:2c: b0:df:c4:6b:0d:b1:2c:33:97:73:54:61:2b:9a:1b: b1:dc:5d:10:a9:c4:c8:f7:6c:e3:55:6e:b5:0e:61: 3b:35:24:0b:89:1e:32:a2:75:69:4e:97:40:68:ee: 23:48:f2:71:9f:c7:7e:e2:9d:6c:22:55:36:24:64: a4:f0:b6:52:58:5a:9a:44:e7:3b:2a:d5:ed:95:63: f8:1d:a8:4d:45:9b:5d:c2:f2:f9:74:81:06:18:d5: b1:fb:b0:7e:5d:50:1f:63:5c:a0:73:f5:22:b2:57: 64:03:e6:b7:0f:6f:b7:58:0b:57:80:56:51:65:9f: f5:09:61:63:29:62:4d:30:02:3a:64:10:2d:95:b8: 12:36:04:58:c5:d7:1d:95:e2:21:3c:b0:b3:93:35: b2:b1:f9:6d:7e:20:66:b2:68:33:e9:50:a8:15:1e: 0a:80:9a:3c:19:dd:cc:79:35:a8:8c:1b:61:33:5d: 12:2f Exponent: 65537 (0x10001) ``` ##### Compare keys match ##### Reference https://www.guyrutenberg.com/2009/01/01/extract-public-key-from-x509-certificate-as-hex/ This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,11 +0,0 @@ -
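Review bot: in the new-file hunk (@@ -0,0 +1,43 @@) the "##### Compare keys match" heading has no body at all, yet matching the certificate's modulus against the extracted key is what the original version of this page set out to do; fill it with the comparison or remove the heading until it has one. The "Extract Public Key from Cert in Hex format" heading also claims more than its command delivers: `openssl x509 -modulus -noout` prints only the modulus, not the public key, and the exponent (65537 here) is absent from that output, so "Extract Modulus from Cert in Hex format" is the accurate title.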
rustymagnet3000 revised this gist
Jul 4, 2018 . 1 changed file with 3 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,11 @@ ## OpenSSL Extract Public Key from Cert With the leaf certificate from Stackoverflow.com, you can extract the public key that is embedded inside of the cert with this command: `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` Print your cert information.. `openssl x509 -in stackexchangecom.crt -text -noout` Print your public key... `openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout` now you can compare the Modulus of the cert and public key to see they are the same. -
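Review bot: the hunk (@@ -1,8 +1,11 @@) still says the leaf certificate came from Stackoverflow.com while the file in every command is stackexchangecom.crt; pick one name so the reader knows which site's certificate the modulus dump belongs to. The two new labels, "Print your cert information.." and "Print your public key...", end in two and three dots respectively; end both with a colon and put each command on its own line (or in a fence) rather than inline after the label.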
rustymagnet3000 created this gist
Jul 4, 2018 .
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,8 @@ ## OpenSSL Extract Public Key from Cert With the leaf certificate from Stackoverflow.com, you can extract the public key that is embedded inside of the cert with this command: `openssl x509 -pubkey -noout -in stackexchangecom.crt > pubkey.pem` Print your cert information.. `openssl x509 -in stackexchangecom.crt -text -noout` Print your public key... `openssl rsa -inform PEM -pubin -in pubkey.pem -text -noout` now you can compare the Modulus of the cert and public key to see they are the same.
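Review bot: the last line of the hunk (@@ -0,0 +1,8 @@) tells the reader to "compare the Modulus of the cert and public key" but gives no command for it, and comparing the colon-separated multi-line dumps from `-text` by eye is error-prone; add a check whose two outputs must be byte-identical, `openssl x509 -noout -modulus -in stackexchangecom.crt` and `openssl rsa -pubin -noout -modulus -in pubkey.pem`, and hash each output if the hex modulus is too long to eyeball.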