132 lines
2.6 KiB
Markdown
132 lines
2.6 KiB
Markdown
# OpenSSL Cheatsheet
|
|
|
|
|
|
## Read X.509 Certificate
|
|
|
|
* A certificate can be read via
|
|
```sh
|
|
openssl x509 -in $CERT -text
|
|
```
|
|
|
|
## Generate CSR
|
|
|
|
* A Certificate Signing Request needs a private alongside the request for a cert.
|
|
This is done in the following way
|
|
```sh
|
|
openssl req -new -nodes -newkey rsa:4096 -keyout $PRIVATE_KEY -out $CERT_CSR
|
|
```
|
|
|
|
## Create an X.509 Certificate
|
|
|
|
* Create a X.509 certificate via
|
|
```sh
|
|
openssl x509 -newkey -nodes rsa:4096 -keyout $PRIVATE_KEY -out $CERT -sha256 -days 365
|
|
openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
|
|
```
|
|
|
|
## Extract Keys from PFX Cert
|
|
|
|
* Key and cert form PFX
|
|
```sh
|
|
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
|
|
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
|
|
```
|
|
|
|
## Extract & Repack PFX Cert
|
|
|
|
* Extract & Repack with another password, e.g. from `mimikatz` to `cqure`
|
|
```sh
|
|
openssl pkcs12 -in *.pfx -out temp.pem -nodes
|
|
openssl pkcs12 -export -out *.pfx -in temp.pem
|
|
```
|
|
|
|
## RSA
|
|
|
|
### Read Parameters of a RSA Key
|
|
|
|
* Show parameters of the private key
|
|
```sh
|
|
openssl rsa -in $PRIVATE_KEY -text -noout
|
|
```
|
|
|
|
### Create RSA Key
|
|
|
|
* Generate an OpenSSL RSA key via
|
|
```sh
|
|
openssl genrsa -out $PRIVATE_KEY 4096
|
|
```
|
|
|
|
* Generate an OpenSSl RSA public key from a private key
|
|
```sh
|
|
openssl rsa -in $PRIVATE_KEY -pubout -out public-key.pem
|
|
```
|
|
|
|
### Encrypt RSA
|
|
|
|
* Encrypt RSA current and deprecated
|
|
```sh
|
|
openssl pkeyutl -encrypt -in $CLEAR_TEXT -out $CLEAR_TEXT -pubin -inkey $PUBLIC_KEY
|
|
openssl rsautl -encrypt -in $CLEAR_TEXT -out $ENCRYPTED -pubin -inkey $PUBLIC_KEY
|
|
```
|
|
|
|
### Decrypt RSA
|
|
|
|
* Decrypt a RSA cipher with the private key
|
|
```sh
|
|
openssl pkeyutl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
|
|
```
|
|
|
|
* Deprecated version of RSA decryption is the following
|
|
```sh
|
|
openssl rsautl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
|
|
```
|
|
|
|
## Diffie-Hellman
|
|
|
|
### Read Parameters of a DH Keys
|
|
|
|
* Output of a DH key is done the following way
|
|
```sh
|
|
openssl dhparam -in $PRIVATE_KEY -text -noout
|
|
```
|
|
|
|
### Create DH Key
|
|
|
|
* A Diffie-Hellman key can be created via
|
|
```sh
|
|
openssl dhparam -out $PRIVATE_KEY 4096
|
|
```
|
|
|
|
## AES
|
|
|
|
### Encrypt AES
|
|
|
|
* Encrypt AES
|
|
|
|
```sh
|
|
openssl aes-256-cbc -e -in $PLAIN_TEXT -out $CIPHER
|
|
```
|
|
|
|
### Decrypt AES
|
|
|
|
* Decrypt AES
|
|
```sh
|
|
openssl aes-256-cbc -d -in $CIPHER -out $PLAIN_TEXT
|
|
```
|
|
|
|
## PBKDF2
|
|
|
|
### Encrypt PBKDF2
|
|
|
|
* Encrypt file via PBKDF2 with 128000 iterations
|
|
```sh
|
|
openssl aes-256-cbc -pbkdf2 -iter 128000 -e -in $PLAIN_TEXT -out $CIPHER
|
|
```
|
|
|
|
### Decrypt PBKDF2
|
|
|
|
* Decrypt file via PBKDF2 with an iteration of 128000
|
|
```sh
|
|
openssl aes-256-cbc -pbkdf2 -iter 128000 -d -in $CIPHER -out $PLAIN_TEXT
|
|
```
|