# PKI Stuff
A collection of procedures for doing different things with certs and keys
# Update the Mono certificate store (cert-sync) from the Mozilla CA bundle
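# Refresh the Mono certificate store (cert-sync) from the Mozilla CA bundle published by the curl
# project. The bundle is downloaded to a private temp dir and checked against the published SHA-256
# before anything is imported — never pipe an unverified download straight into a trust store.
# NOTE: both files come from the same host over TLS, so the checksum mainly catches truncation or
# corruption; compare the hash against an out-of-band copy if you need stronger assurance.
# (curl.haxx.se now redirects to curl.se.)
update_mono_ca_bundle() {
  local bundle_url=https://curl.se/ca/cacert.pem
  local tmpdir rv=1
  tmpdir=$(mktemp -d) || return 1
  if wget -q -O "$tmpdir/cacert.pem" "$bundle_url" \
      && wget -q -O "$tmpdir/cacert.pem.sha256" "$bundle_url.sha256" \
      && (cd "$tmpdir" && sha256sum -c --status cacert.pem.sha256); then
    cert-sync "$tmpdir/cacert.pem"
    rv=$?
  else
    printf 'CA bundle download or checksum verification failed; nothing imported\n' >&2
  fi
  rm -rf -- "$tmpdir"
  return "$rv"
}
update_mono_ca_bundle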
# Regenerate CA trust files
Run (as root) after placing a CA certificate in /etc/pki/ca-trust/source/anchors on RHEL/Fedora-style systems. Anything in that directory becomes a trust anchor for every TLS client on the host, so verify the CA out of band before adding it.
# Regenerate the consolidated trust bundles from the files under /etc/pki/ca-trust/source.
# Every anchor found there is trusted by all clients on this host, so only add CAs you have
# verified out of band. Typically needs root.
update-ca-trust extract
# Check Expiry of a Cert
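# Print the notAfter date of a PEM certificate (no cat needed; read the file with -in).
# Add -inform DER if the certificate is DER-encoded.
openssl x509 -noout -enddate -in cert.crt
# Scriptable form for monitoring: exit status 1 if the cert expires within 30 days (2592000 s).
openssl x509 -noout -checkend 2592000 -in cert.crt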
# Match a Certificate to a Key
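# All three print the same digest when cert, key and CSR carry the same public key.
# Comparing the SubjectPublicKeyInfo works for any key type (RSA, EC, Ed25519); the older
# "-modulus | openssl md5" trick only works for RSA. The digest is just a convenience for
# eyeballing equality, not a security control, so the choice of hash does not matter.
openssl x509 -noout -pubkey -in certificate.crt | openssl sha256
openssl pkey -pubout -in privateKey.key | openssl sha256
openssl req -noout -pubkey -in CSR.csr | openssl sha256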
# Decrypt (remove the passphrase from) a Private Key
A passphrase-protected PKCS#8 private key (any algorithm, not just RSA) looks like this; legacy RSA keys instead use `BEGIN RSA PRIVATE KEY` with a `Proc-Type: 4,ENCRYPTED` header:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjB ...
-----END ENCRYPTED PRIVATE KEY-----
Use this command to remove the passphrase (you will be prompted for it). The output is an unencrypted private key, so treat the file as a secret: create it with restrictive permissions and delete it when it is no longer needed.
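# Strip the passphrase from a PKCS#8 key (you are prompted for it). "openssl pkey" handles keys of
# any algorithm, whereas "openssl rsa" is RSA-only. The output is a plaintext private key, so create
# it 0600 via umask in a subshell (the caller's umask is left untouched). Never supply the
# passphrase as -passin pass:... — it would end up in shell history and be visible in ps.
(umask 077; openssl pkey -in encrypted.key -out decrypted.key)
# If a consumer insists on the legacy PKCS#1 "BEGIN RSA PRIVATE KEY" header, add -traditional
# (OpenSSL 3) or use "openssl rsa" in place of "openssl pkey".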
# Combine Certificate and Key to a .pfx
- To include the chain, concatenate the PEM files into domain.name.crt with the server (leaf) certificate first, then the intermediate(s), then the root CA; alternatively keep domain.name.crt as the leaf only and pass the chain separately with `-certfile chain.crt`.
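# Bundle key + certificate (+ chain, if domain.name.crt holds it leaf-first, or via -certfile) into a
# PKCS#12 file. You are prompted for an export password; do not pass it as -passout pass:... (it
# would be visible in history and ps). The .pfx contains the private key, so create it 0600 via
# umask in a subshell. OpenSSL 3 encrypts with AES-256/PBKDF2 by default; very old consumers may
# need the file written with -legacy.
(umask 077; openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt)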
# Separate Certificate and Key from a .pfx
Extract the key and the certificate into separate files (with -nodes the key is written unencrypted):
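# -nodes (alias -noenc in OpenSSL 3) writes the private key unencrypted, so create key.key 0600 via
# umask in a subshell. You are prompted for the .pfx import password.
(umask 077; openssl pkcs12 -in cert.pfx -out key.key -nocerts -nodes)
# -clcerts keeps only the end-entity certificate; use -cacerts instead to pull out the chain.
openssl pkcs12 -in cert.pfx -out cert.crt -nokeys -clcerts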
Extract certificate(s) and key into one PEM file (without -nodes you are prompted for a passphrase that re-encrypts the key on output):
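# Key and all certificates into a single PEM file. Without -nodes you are prompted for a passphrase
# to re-encrypt the key on output, but the file still holds a private key, so create it 0600.
(umask 077; openssl pkcs12 -in cert.pfx -out combined.crt)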
# Convert a p7b (PKCS#7) bundle to PEM certificates
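# Unwrap a PKCS#7 bundle into plain PEM certificates (one BEGIN/END block per cert). Windows CAs
# usually export .p7b as DER, so fall back to -inform DER when the PEM parse fails.
openssl pkcs7 -print_certs -in combined.p7b -out combined.crt 2>/dev/null \
  || openssl pkcs7 -print_certs -inform DER -in combined.p7b -out combined.crt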
# Show Certificate Details of a Website
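# Dump the leaf certificate a TLS server presents for $SITE. -servername sets SNI so name-based
# virtual hosts answer with the right certificate. "openssl x509" parses only the first PEM block,
# so this shows the leaf even with -showcerts; drop the last pipe stage to see the whole chain and
# the "Verify return code" line that 2>/dev/null would otherwise hide.
SITE=google.com
openssl s_client -showcerts -servername "$SITE" -connect "$SITE:443" </dev/null 2>/dev/null | openssl x509 -noout -text
# Trust check only: chain validation result against the local CA store.
openssl s_client -servername "$SITE" -connect "$SITE:443" </dev/null 2>&1 | grep -E '^ *Verify return code|^depth='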
# OpenSSL CSR Generation
# CSR Config File
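# OpenSSL request config for a non-interactive CSR. Keys defined in this top (default) section
# can be referenced as $NAME further down. Set FQDN/ORGNAME/ALTNAMES for the host in question.
FQDN = servername.domain.tld
ORGNAME = MyCompany
# subjectAltName is what clients actually match on (modern browsers ignore CN), so the FQDN must
# appear here as well. Public CAs no longer issue for bare/internal names such as "servername";
# keep those only when the CSR goes to an internal CA.
ALTNAMES = DNS:$FQDN,DNS:servername,DNS:alternateName
[ req ]
# default_bits only applies when openssl req generates the key itself.
default_bits = 2048
default_md = sha256
# Take the subject from [ dn ] instead of prompting.
prompt = no
# Same effect as -nodes on the command line.
encrypt_key = no
distinguished_name = dn
# Without this line the SAN section below is silently left out of the CSR.
req_extensions = req_ext
[ dn ]
# ISO 3166-1 alpha-2 code. "UK" is not a valid country code and public CAs reject it; use GB.
C = GB
O = $ORGNAME
CN = $FQDN
[ req_ext ]
subjectAltName = $ALTNAMES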
# Creating CSR From Config File
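# Create the CSR for an existing private key (-nodes only matters when req generates a key; it is
# harmless here). Then confirm the SAN actually made it in: a missing req_extensions line in the
# config drops it silently and the CA would issue a CN-only certificate that modern clients reject.
openssl req -new -nodes -key myExistingPrivate.key -out myCSR.csr -config myCSRConfig.cnf
openssl req -noout -text -in myCSR.csr | grep -A1 'Subject Alternative Name'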