Types of SSL Commands and Keytool

OpenSSL is an open-source implementation of the SSL/TLS protocols and is considered one of the most versatile SSL tools. It is a library written in the C programming language that implements the basic cryptographic functions, together with a command-line tool of the same name. OpenSSL has versions for most Unix-like operating systems, including Mac OS X, Linux, and also Microsoft Windows.

OpenSSL is normally used to generate a Certificate Signing Request (CSR) and private key for different platforms. However, it also has several other functions. It is used to:

• View details about a CSR or a certificate
• Compare the MD5 hash of a certificate and private key to ensure they match
• Verify proper installation of the certificate on a website
• Convert the certificate format

Most of the functions mentioned below can also be performed without involving OpenSSL by using these convenient SSL tools. Here, we have put together a few of the most common OpenSSL commands.

1. General OpenSSL Commands

These are the commands that allow users to generate CSRs, certificates and private keys, and to perform many other miscellaneous tasks. Here we have listed a few such commands:

Generate a Certificate Signing Request (CSR) and new private key

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

-nodes ("no DES") writes the private key unencrypted; OpenSSL 3 also accepts the clearer -noenc. Keep such a key readable only by the service that needs it.

Generate a self-signed certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Create CSR based on an existing private key

openssl req -out CSR.csr -key privateKey.key -new

Create CSR based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Remove the passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

OpenSSL prompts for the current passphrase and writes the key unencrypted, so restrict the new file's permissions (chmod 600) and treat it like any other plaintext secret.

2. SSL Check Commands

These commands are very helpful if you want to check the information within an SSL certificate, a private key or a CSR. A few online tools can also help you check CSRs and SSL certificates. The following commands help you check:

Certificate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

Private Key

openssl rsa -in privateKey.key -check

SSL Certificate

openssl x509 -in certificate.crt -text -noout

PKCS#12 File (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12

3. Convert Commands

As the title says, these commands convert certificates and keys between formats so that they work with a particular server type. For example, a PEM file used by an Apache server can be converted to PFX (PKCS#12), after which it can be used with Tomcat or IIS. You can also use the SSL Converter to change the format without involving OpenSSL.

Convert DER Files (.crt, .cer, .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 File (.pfx, .p12) Containing a Private Key and Certificate to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

-nodes writes the private key unencrypted. Add -nocerts to output only the private key, or -nokeys to output only the certificates.

Convert a PEM Certificate and Private Key to PKCS#12 (.pfx, .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

-certfile bundles the CA chain into the file. OpenSSL prompts for an export password; it protects the private key inside the .pfx, so do not leave it empty.
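The conversions above, run end to end with checks that nothing is lost on the way. This is an added example, not code from the original page: the file names, the CN values and the export password "demo-export-pw" are assumptions, and it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original page): PEM -> DER -> PEM, then
# PEM key + certificate + CA certificate -> PKCS#12 -> PEM again, checking
# that the certificate and key come back unchanged. Names, CN values and
# the export password are assumptions. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS="demo-export-pw"   # assumed; protects the private key inside the .pfx

# SHA-256 fingerprint of a PEM certificate, used to compare before/after.
cert_fpr() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# Hex SHA-256 of a private key's public half, so two key files can be compared.
key_pub_hash() { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }

# Self-signed key + certificate as input material (the Section 1 command).
make_pem_pair() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$1.demo.example" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  chmod 600 "$WORK/$1.key"
}

# PEM -> DER -> PEM; returns 0 if the certificate survives the round trip unchanged.
der_roundtrip() {
  openssl x509 -in "$1" -outform der -out "$WORK/rt.der"
  openssl x509 -inform der -in "$WORK/rt.der" -out "$WORK/rt.pem"
  if [ "$(cert_fpr "$1")" = "$(cert_fpr "$WORK/rt.pem")" ]; then return 0; else return 1; fi
}

# PEM key + certificate + CA certificate -> PKCS#12 (the Apache -> Tomcat/IIS direction).
to_pkcs12() {   # key cert cafile out.pfx
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name server \
      -out "$4" -passout "pass:$P12_PASS"
}
# Number of certificates inside the bundle (leaf plus chain).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# PKCS#12 -> PEM, split: -clcerts -nokeys gives only the leaf, -nocerts only the key.
from_pkcs12_cert() { openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$P12_PASS" -out "$2"; }
from_pkcs12_key() {
  # -nodes leaves the extracted key unencrypted, so lock the file down.
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" -out "$2"
  chmod 600 "$2"
}

main() {
  make_pem_pair server
  make_pem_pair ca
  der_roundtrip "$WORK/server.crt" && echo "DER round trip: identical certificate"
  to_pkcs12 "$WORK/server.key" "$WORK/server.crt" "$WORK/ca.crt" "$WORK/server.pfx"
  echo "certificates in bundle: $(p12_cert_count "$WORK/server.pfx")"
  from_pkcs12_cert "$WORK/server.pfx" "$WORK/out.crt"
  from_pkcs12_key  "$WORK/server.pfx" "$WORK/out.key"
  [ "$(cert_fpr "$WORK/server.crt")" = "$(cert_fpr "$WORK/out.crt")" ] && echo "leaf certificate intact"
  [ "$(key_pub_hash "$WORK/server.key")" = "$(key_pub_hash "$WORK/out.key")" ] && echo "private key intact"
}
main
```

The fingerprint comparison is the point: a conversion that "succeeds" but silently drops the chain or picks the wrong certificate shows up as a count of 1 or a changed fingerprint, which is exactly the class of mistake that produces the "certificate not trusted" errors discussed in the debugging section.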

4. Debugging Using OpenSSL Commands

If you see error messages saying that your private key does not match the certificate, or that the newly installed certificate is not trusted, you can rely on one of the commands below. You can also use the SSL certificate checker tool to verify the correct installation of an SSL certificate.

Check the SSL Connection (all certificates, including intermediates, should be displayed)

openssl s_client -connect www.paypal.com:443

The default output lists the chain the server sent (subject and issuer of each certificate) but prints only the leaf certificate in PEM form; add -showcerts to print every certificate in the chain. On OpenSSL versions older than 1.1.1, also add -servername www.paypal.com so that SNI is sent, otherwise a server hosting several names may return the wrong certificate.

Check the MD5 Hash of the Public Key

This confirms that the public key in the certificate matches the one in the CSR and the private key. All three hashes must be identical:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5

MD5 is acceptable here only because it compares two values you already hold; it is not protecting anything. The -modulus option works for RSA keys only. For ECDSA or other key types, extract the public key from each file instead (openssl pkey -pubout for the key, openssl x509 -pubkey -noout for the certificate, openssl req -pubkey -noout for the CSR) and compare those.
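The Section 1 generation commands and the matching check above, scripted so they run without prompts. This is an added example, not code from the original page: the file names and the CN "demo.example" are assumptions, and it goes one step beyond the text by adding an EC key pair, where the modulus trick cannot work, and a public-key comparison that works for any key type. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original page): generate key, CSR and
# self-signed certificate non-interactively, then verify that all three
# carry the same public key, for RSA (the page's -modulus method) and for
# EC (hash of the public key). File names and CNs are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hex SHA-256 of whatever arrives on stdin (a PEM public key or a modulus line).
hash_stdin() { openssl dgst -sha256 | awk '{print $NF}'; }

# The page's RSA-only check: hash of the RSA modulus from each artefact.
key_modulus()  { openssl rsa  -noout -modulus -in "$1" | hash_stdin; }
csr_modulus()  { openssl req  -noout -modulus -in "$1" | hash_stdin; }
cert_modulus() { openssl x509 -noout -modulus -in "$1" | hash_stdin; }

# Key-type-independent check: hash of the SubjectPublicKeyInfo in PEM form.
key_pubkey()  { openssl pkey -in "$1" -pubout        | hash_stdin; }
csr_pubkey()  { openssl req  -in "$1" -pubkey -noout | hash_stdin; }
cert_pubkey() { openssl x509 -in "$1" -pubkey -noout | hash_stdin; }

# Returns 0 when key, CSR and certificate all carry the same public key.
keys_match() {
  k=$(key_pubkey "$1"); c=$(csr_pubkey "$2"); x=$(cert_pubkey "$3")
  if [ "$k" = "$c" ] && [ "$k" = "$x" ]; then return 0; else return 1; fi
}

# Section 1, scripted: new RSA key + CSR, then a self-signed cert from that CSR.
# -subj answers the prompts; -nodes leaves the key unencrypted, hence chmod 600.
make_rsa_set() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.demo.example" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  chmod 600 "$WORK/$1.key"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
      -out "$WORK/$1.crt" 2>/dev/null
}

# Same flow with a P-256 EC key, where "-modulus" has nothing to print.
make_ec_set() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$WORK/$1.key" 2>/dev/null
  chmod 600 "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1.demo.example" \
      -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
      -out "$WORK/$1.crt" 2>/dev/null
}

main() {
  make_rsa_set rsa
  make_ec_set ec
  printf 'RSA modulus hashes: key=%s csr=%s crt=%s\n' \
      "$(key_modulus "$WORK/rsa.key")" "$(csr_modulus "$WORK/rsa.csr")" \
      "$(cert_modulus "$WORK/rsa.crt")"
  keys_match "$WORK/rsa.key" "$WORK/rsa.csr" "$WORK/rsa.crt" && echo "rsa: key, CSR and cert match"
  keys_match "$WORK/ec.key"  "$WORK/ec.csr"  "$WORK/ec.crt"  && echo "ec: key, CSR and cert match"
  # A key from one pair against another pair's CSR/cert: the mismatch the page's check is for.
  keys_match "$WORK/ec.key" "$WORK/rsa.csr" "$WORK/rsa.crt" || echo "ec key vs rsa cert: mismatch, as expected"
}
main
```

Hashing the PEM public key rather than the modulus is the same idea with one more step: both sides are reduced to a short string you can compare by eye, and it keeps working when the server key is ECDSA.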

SSL Keytool

• Java Keytool is a key and certificate management utility that allows users to cache certificates and manage their own private/public key pairs and certificates. Java Keytool stores all keys and certificates in a keystore, which is by default implemented as a file. It contains the private keys and certificates that are essential for establishing the trustworthiness of the primary certificate and completing a chain of trust.

• Every entry in a Java keystore has a unique alias. To create a Java keystore, you first create the .jks file containing only the key pair. After that, you generate a Certificate Signing Request (CSR) and have a certificate issued from it. Then you import the certificate into the keystore, together with any root and intermediate certificates.

• Java Keytool also contains several other functions that let users export a certificate, view certificate details, or list the certificates in a keystore.

1. For Creating and Importing

These Keytool commands allow users to create a new keystore file, generate a Certificate Signing Request (CSR) and import certificates. Before you import the primary certificate for your domain, you need to import any root or intermediate certificates first. Current JDKs name these operations -genkeypair, -importcert and -exportcert; the older -genkey, -import and -export spellings used below still work as aliases.

Import a root or intermediate CA certificate to an existing Java keystore

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

Import a signed primary certificate to an existing Java keystore

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Generate a keystore and self-signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Generate Key Pair & Java Keystore

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Generate CSR for existing Java Keystore

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
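The procedure this section describes, scripted from start to finish: key pair, CSR, a signed certificate, then the root imported before the leaf. This is an added example and not code from the original page. A throwaway CA built with openssl stands in for the real CA, the store is created in PKCS12 format (the default since Java 9; the .jks commands above still work), and the alias names, CN values and the password "changeit-demo" are assumptions. It needs a JDK on the PATH for keytool, plus the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original page): keystore -> CSR -> signed
# certificate -> import root, then leaf, as the section describes.
# openssl plays the CA. Aliases, CNs and the password are assumptions.
# Requires keytool (JDK) and the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KS="$WORK/keystore.p12"
PW="changeit-demo"   # assumed; for PKCS12 stores -keypass must equal -storepass

# Type of a keystore entry: PrivateKeyEntry or trustedCertEntry.
entry_type() {
  keytool -list -keystore "$KS" -storetype PKCS12 -storepass "$PW" -alias "$1" 2>/dev/null \
      | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}
# Length of the certificate chain stored under an alias (from "keytool -list -v").
chain_length() {
  keytool -list -v -keystore "$KS" -storetype PKCS12 -storepass "$PW" -alias "$1" 2>/dev/null \
      | sed -n 's/^Certificate chain length: //p'
}

build_keystore() {
  # Stand-in CA, so the CSR can actually be signed offline.
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=Demo Root CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # 1. Keystore holding only the new key pair (-genkeypair is the current name
  #    of -genkey; -dname replaces the interactive prompts).
  keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=mydomain.demo.example" -keystore "$KS" -storetype PKCS12 \
      -storepass "$PW" -keypass "$PW" 2>/dev/null

  # 2. CSR for that key pair.
  keytool -certreq -alias mydomain -keystore "$KS" -storetype PKCS12 -storepass "$PW" \
      -file "$WORK/mydomain.csr" 2>/dev/null

  # 3. The CA signs the CSR (here openssl; normally your CA does this step).
  openssl x509 -req -in "$WORK/mydomain.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -out "$WORK/mydomain.crt" 2>/dev/null

  # 4. Import the root first, then the signed certificate under the key's alias.
  #    keytool only installs the reply if it chains to a trusted entry, so order matters.
  keytool -importcert -trustcacerts -noprompt -alias root -file "$WORK/ca.crt" \
      -keystore "$KS" -storetype PKCS12 -storepass "$PW" 2>/dev/null
  keytool -importcert -trustcacerts -alias mydomain -file "$WORK/mydomain.crt" \
      -keystore "$KS" -storetype PKCS12 -storepass "$PW" 2>/dev/null
}

if command -v keytool >/dev/null 2>&1; then
  build_keystore
  echo "mydomain: $(entry_type mydomain), chain length $(chain_length mydomain)"
  echo "root: $(entry_type root)"
else
  echo "keytool not found; install a JDK to run this example" >&2
fi
```

After the import, the mydomain entry is still a PrivateKeyEntry, but its chain length has gone from 1 (the self-signed placeholder keytool created) to 2 (leaf plus root); the root itself sits beside it as a trustedCertEntry. Passing -storepass on the command line is convenient in a script but lands in shell history and process listings, so in production let keytool prompt or use -storepass:file.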

2. For Checking

Users can check the information within a certificate or a Java keystore with the following commands:

Check an individual certificate

keytool -printcert -v -file mydomain.crt

Check certificates in Java keystore

keytool -list -v -keystore keystore.jks

Check specific keystore entry using an alias

keytool -list -v -keystore keystore.jks -alias mydomain

3. Other Java Keytool Commands

Here are a few more Java Keytool commands that perform various functions:

Delete a certificate from a Java keystore

keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password

keytool -storepasswd -new new_storepass -keystore keystore.jks

Leaving out -new makes keytool prompt for the new password instead of exposing it in shell history and process listings. Note that -storepasswd changes the keystore password only; private keys inside a JKS store have their own password, changed with -keypasswd.

Export certificate from Java keystore

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

List the trusted CA certificates

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Import a new CA into the trusted certificates

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

The path above is for Java 8 and earlier; from Java 9 onwards the system trust store is $JAVA_HOME/lib/security/cacerts. Its default password is "changeit", and every CA you add there is trusted by every Java application using that JDK, so prefer a per-application truststore where you can.

Blog: cheapsslsecurity.com/blog
