OpenSSL Cheatsheet
Read X.509 Certificate
- A certificate can be read via
openssl x509 -in $CERT -text
Generate CSR
- A Certificate Signing Request needs a private key alongside the request for a cert. Both are generated in the following way
openssl req -new -nodes -newkey rsa:4096 -keyout $PRIVATE_KEY -out $CERT_CSR
Create an X.509 Certificate
- Create a self-signed X.509 certificate via
openssl req -x509 -newkey rsa:4096 -nodes -keyout $PRIVATE_KEY -out $CERT -sha256 -days 365
openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
Extract Keys from PFX Cert
- Key and cert from PFX
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
Extract & Repack PFX Cert
- Extract & Repack with another password, e.g. from mimikatz to cqure
openssl pkcs12 -in *.pfx -out temp.pem -nodes
openssl pkcs12 -export -out *.pfx -in temp.pem
RSA
Read Parameters of an RSA Key
- Show parameters of the private key
openssl rsa -in $PRIVATE_KEY -text -noout
Create RSA Key
- Generate an OpenSSL RSA key via
openssl genrsa -out $PRIVATE_KEY 4096
- Generate an OpenSSL RSA public key from a private key
openssl rsa -in $PRIVATE_KEY -pubout -out public-key.pem
Encrypt RSA
- Encrypt with RSA; the first command (pkeyutl) is the current one, the second (rsautl) is deprecated
openssl pkeyutl -encrypt -in $CLEAR_TEXT -out $ENCRYPTED -pubin -inkey $PUBLIC_KEY
openssl rsautl -encrypt -in $CLEAR_TEXT -out $ENCRYPTED -pubin -inkey $PUBLIC_KEY
Decrypt RSA
- Decrypt an RSA ciphertext with the private key
openssl pkeyutl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
- Deprecated version of RSA decryption is the following
openssl rsautl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
Diffie-Hellman
Read Parameters of a DH Key
- The parameters in a file written by openssl dhparam are printed the following way
openssl dhparam -in $PRIVATE_KEY -text -noout
Create DH Key
- Diffie-Hellman parameters (what openssl dhparam writes) can be created via
openssl dhparam -out $PRIVATE_KEY 4096
AES
Encrypt AES
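- Encrypt a file with AES-256-CBC (password-based; without -pbkdf2 OpenSSL uses its legacy key derivation and prints a deprecation warning)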
openssl aes-256-cbc -e -in $PLAIN_TEXT -out $CIPHER
Decrypt AES
- Decrypt a file that was encrypted with AES-256-CBC
openssl aes-256-cbc -d -in $CIPHER -out $PLAIN_TEXT
PBKDF2
Encrypt PBKDF2
- Encrypt a file with AES-256-CBC, deriving the key from the password via PBKDF2 with 128000 iterations
openssl aes-256-cbc -pbkdf2 -iter 128000 -e -in $PLAIN_TEXT -out $CIPHER
Decrypt PBKDF2
- Decrypt the file with the key derived via PBKDF2, using the same iteration count of 128000
openssl aes-256-cbc -pbkdf2 -iter 128000 -d -in $CIPHER -out $PLAIN_TEXT
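The -iter value is not stored in the encrypted file, so the decrypting side has to supply the same number. The following script is an added example (not part of the original cheatsheet) that runs the two PBKDF2 commands above non-interactively and checks both cases. The passphrase, the plaintext and the function name pbkdf2_roundtrip are constructed for illustration, and OpenSSL 1.1.1 or newer is assumed.

```sh
#!/bin/sh
# Added example, not from the original cheatsheet.
# Assumes OpenSSL 1.1.1 or newer on PATH; passphrase and plaintext are constructed samples.

ITER=128000   # iteration count used on this page

# pbkdf2_roundtrip ENC_ITER DEC_ITER
# Encrypts a sample file with ENC_ITER iterations, decrypts it with DEC_ITER.
# Returns 0 only if the recovered plaintext is byte-identical, 1 if it is not,
# 2 if setup or encryption itself failed.
pbkdf2_roundtrip() {
    enc_iter=$1
    dec_iter=$2
    work=$(mktemp -d) || return 2          # mktemp -d creates a 0700 directory
    printf 'constructed sample passphrase\n' > "$work/pass"
    printf 'constructed sample plaintext\n'  > "$work/plain"

    # -pass file: reads the passphrase from the first line of the file, so
    # nothing is prompted for and the passphrase never appears on the command line.
    if ! openssl aes-256-cbc -pbkdf2 -iter "$enc_iter" -e \
            -pass "file:$work/pass" -in "$work/plain" -out "$work/cipher"; then
        rm -rf "$work"
        return 2
    fi

    # A wrong key usually fails the padding check ("bad decrypt"), but roughly
    # 1 in 256 times the padding looks valid and garbage is written, so the
    # exit status alone is not enough: compare the bytes as well.
    rc=1
    if openssl aes-256-cbc -pbkdf2 -iter "$dec_iter" -d \
            -pass "file:$work/pass" -in "$work/cipher" -out "$work/out" 2>/dev/null \
       && cmp -s "$work/plain" "$work/out"; then
        rc=0
    fi
    rm -rf "$work"
    return "$rc"
}

if pbkdf2_roundtrip "$ITER" "$ITER"; then
    echo "same -iter on both sides: plaintext recovered"
fi
if ! pbkdf2_roundtrip "$ITER" 10000; then
    echo "different -iter on decrypt: plaintext not recovered"
fi
```

Record the iteration count next to the ciphertext (file name, metadata, runbook); it is not a secret, but without it the file cannot be decrypted.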