# OpenSSL Cheatsheet


## Read X.509 Certificate

* A certificate can be read via
```sh
openssl x509 -in $CERT -text
```

## Generate CSR

* A Certificate Signing Request (CSR) needs a private key alongside the request for a cert.
Both are generated in the following way (`-nodes` leaves the private key unencrypted)
```sh
openssl req -new -nodes -newkey rsa:4096 -keyout $PRIVATE_KEY -out $CERT_CSR
```

## Create an X.509 Certificate

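* Create a self-signed X.509 certificate via
```sh
# New RSA-4096 key and self-signed certificate, written to separate files
openssl req -x509 -newkey rsa:4096 -nodes -keyout $PRIVATE_KEY -out $CERT -sha256 -days 365
# Same with the default key type; key and certificate both end up in cert.pem
openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
```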

## Extract Keys from PFX Cert

* Key and cert from PFX (`-nodes` writes the private key to `key.pem` unencrypted)
```sh
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
```

## Extract & Repack PFX Cert

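* Extract & repack with another password, e.g. changing it from `mimikatz` to `cqure`
```sh
# Prompts for the current password; -nodes writes the private key to temp.pem unencrypted
openssl pkcs12 -in *.pfx -out temp.pem -nodes
# Prompts for the new export password; remove temp.pem afterwards
openssl pkcs12 -export -out *.pfx -in temp.pem
```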

## RSA

### Read Parameters of an RSA Key

* Show parameters of the private key
```sh
openssl rsa -in $PRIVATE_KEY -text -noout
```

### Create RSA Key

* Generate an OpenSSL RSA key via
```sh
openssl genrsa -out $PRIVATE_KEY 4096
```

* Generate an OpenSSL RSA public key from a private key
```sh
openssl rsa -in $PRIVATE_KEY -pubout -out public-key.pem
```

### Encrypt RSA

* Encrypt with an RSA public key, current (`pkeyutl`) and deprecated (`rsautl`) variant
```sh
# Current
openssl pkeyutl -encrypt -in $CLEAR_TEXT -out $ENCRYPTED -pubin -inkey $PUBLIC_KEY
# Deprecated
openssl rsautl -encrypt -in $CLEAR_TEXT -out $ENCRYPTED -pubin -inkey $PUBLIC_KEY
```

### Decrypt RSA

* Decrypt an RSA ciphertext with the private key
```sh
openssl pkeyutl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
```

* The deprecated version of RSA decryption is the following
```sh
openssl rsautl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
```

## Diffie-Hellman

### Read Parameters of a DH Key

* `dhparam` works on DH parameters (prime and generator), not on a key pair. They are printed the following way
```sh
openssl dhparam -in $DH_PARAMS -text -noout
```

### Create DH Key

* Diffie-Hellman parameters with a 4096 bit prime can be created via
```sh
openssl dhparam -out $DH_PARAMS 4096
```

## AES

### Encrypt AES

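* Encrypt a file with AES-256-CBC. The passphrase is prompted for; without `-pbkdf2` the key is derived with OpenSSL's legacy key derivation, so prefer the PBKDF2 variant below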

```sh
openssl aes-256-cbc -e -in $PLAIN_TEXT -out $CIPHER
```

### Decrypt AES

* Decrypt AES
```sh
openssl aes-256-cbc -d -in $CIPHER -out $PLAIN_TEXT
```

## PBKDF2

### Encrypt PBKDF2

* Encrypt a file with AES-256-CBC, deriving the key from the passphrase via PBKDF2 with 128000 iterations
```sh
openssl aes-256-cbc -pbkdf2 -iter 128000 -e -in $PLAIN_TEXT -out $CIPHER
```

### Decrypt PBKDF2

* Decrypt the file, deriving the key via PBKDF2 with the same iteration count of 128000
```sh
openssl aes-256-cbc -pbkdf2 -iter 128000 -d -in $CIPHER -out $PLAIN_TEXT
```
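
* Added example (not part of the original cheatsheet): a round trip through the two PBKDF2 commands above, showing that the ciphertext stores only the salt and that decryption needs the same `-iter` value. The passphrase, file names and function names are constructed for this demo.

```shell
#!/bin/sh
# Added example; file names and passphrase are constructed for this demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEMO_PASS='constructed-demo-passphrase'
export DEMO_PASS
printf 'constructed sample plaintext\n' > "$WORK/plain.txt"

# encrypt_file ITER: the passphrase is read from the environment (-pass env:)
# so it does not appear in the process list.
encrypt_file() {
    openssl aes-256-cbc -pbkdf2 -iter "$1" -e \
        -in "$WORK/plain.txt" -out "$WORK/cipher.bin" -pass env:DEMO_PASS
}

# header_magic: first 8 bytes of the ciphertext. The file starts with the
# literal "Salted__" and an 8-byte salt; the iteration count is not stored.
header_magic() {
    dd if="$WORK/cipher.bin" bs=8 count=1 2>/dev/null
}

# roundtrip_ok ENC_ITER DEC_ITER: succeeds only if decrypting with DEC_ITER
# reproduces the plaintext. The output is compared byte for byte because a
# wrong key can occasionally still pass the CBC padding check.
roundtrip_ok() {
    encrypt_file "$1" || return 2
    rm -f "$WORK/out.txt"
    openssl aes-256-cbc -pbkdf2 -iter "$2" -d \
        -in "$WORK/cipher.bin" -out "$WORK/out.txt" \
        -pass env:DEMO_PASS 2>/dev/null
    cmp -s "$WORK/plain.txt" "$WORK/out.txt"
}

if roundtrip_ok 128000 128000; then echo "same -iter: plaintext recovered"; fi
if ! roundtrip_ok 128000 10000; then echo "different -iter: plaintext not recovered"; fi
```

Record the iteration count next to the ciphertext, since nothing in the file reveals it.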

## ECPoint (EC)

* RFC5480

### Read PEM Public Key

```sh
openssl ec -pubin -in publickey.pem -noout -text
```