How to create a certificate

# see
# Create a certificate
del adr-*.pem
openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-pub.pem -keyout adr-key.pem
#bug: openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-bitvise-pub.pem -keyout adr-bitvise-key.pem
#bug: openssl req -new -x509 -days 3660 -out adr-bitvise.pem -keyout adr-bitvise.pem
openssl rsa -in adr-key.pem -out adr-key-no-pwd.pem -> stergere parola
#openssl rsa -des3 -in adr-key.pem -out adr-key-new-pwd.pem -> setare parola
openssl dhparam 2048 >> adr-pub.pem (dhparam -> versiunea noua pt. vechiul param gendh)
openssl dhparam 2048 >> adr-key-no-pwd.pem
openssl pkcs12 -export -in adr-pub.pem -inkey adr-key-no-pwd.pem -name "adr" -out adr-pwd.p12
#Pune adr-pub.pem in /home/root/.ssh/ (backup keys folder).
cat adr-pub.pem >> /home/root/.ssh/authorized_keys (ssh server)
#cat adr-pub.pem >> /ffp/var/lib/stunnel/authorized_keys.pem (stunnel)
#cat adr-pub.pem >> /etc/service_conf/authorized_keys.crt (NSA310 web console)

# Certificat pt. invitati:
openssl req -newkey rsa:2048 -x509 -days 3660 -out gigi-pub.pem -keyout gigi-key.pem
openssl rsa -in gigi-key.pem -out gigi-key-no-pwd.pem
openssl dhparam 2048 >> gigi-pub.pem
openssl dhparam 2048 >> gigi-key.pem
openssl dhparam 2048 >> gigi-key-no-pwd.pem
openssl pkcs12 -export -in gigi-pub.pem -inkey gigi-key-no-pwd.pem -name "gigi" -out gigi-pwd.p12
cat gigi-pub.pem >> /home/root/.ssh/authorized_keys

# Encrypt a private key using triple DES (from
# Key generation for bitvise:
openssl rsa -des3 -in adr-key.pem -out adr-key.pem.des3.bitvise -> requested by "User keypair manager"

# see
# Extract the public key to openssh format:
ssh-keygen -y -f adr-key.pem > adr-pub.openssh
cat adr-pub.openssh >> /home/root/.ssh/authorized_keys

# convert p12 to pem
openssl pkcs12 -in xxx.p12 -nocerts -out xxx_key.pem
openssl pkcs12 -in xxx.p12 -clcerts -nokeys -out xxx_pub.pem

# debug ssl connection
openssl s_client -cert xxx_pub.pem -key xxx_key.pem -connect -debug

# request protected https resource
wget --certificate=xxx_pub.pem --private-key=xxx_key.pem
	ERROR: certificate common name ‘svn-ubuntu’ doesn't match requested host name ‘’.
	To connect to insecurely, use `--no-check-certificate'.
	wget --no-hsts --certificate=xxx_pub.pem --private-key=xxx_key.pem
	     Wget supports HSTS (HTTP Strict Transport Security, RFC 6797) by default.  Use --no-hsts to make Wget act as a non-HSTS-compliant UA. As a
	     consequence, Wget would ignore all the "Strict-Transport-Security" headers, and would not enforce any existing HSTS policy.
	This might not work:
	wget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem
	This should work:
	Append svn-ubuntu to /etc/hosts.
	wget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem https://svn-ubuntu/zzz

# DER format
View the complete certificate information (private + public key also):
openssl x509 -inform der -in temp/jetty-certificate.der -text -noout
openssl x509 -in CA.cer -noout -text
openssl x509 -in adr-pub.pem -noout -text | grep -P "Issuer|Subject"
Saves the public key only:
openssl x509 -inform der -in temp/jetty-certificate.der -pubkey -noout > temp/
Converts the certificate to pem:
openssl x509 -inform der -outform PEM -in temp/jetty-certificate.der -out temp/jetty-certificate.pem
Displays the certificate in PEM format together with its alias:
openssl x509 -inform der -outform PEM -in temp/jetty-certificate.der -alias
Outputs the complete certificate information (works only for PEM input, i.e. a file with -----BEGIN CERTIFICATE----- content):
openssl x509 -inform PEM -in temp/jetty-certificate.pem -text -noout

# see jre\lib\security\ for keystore.type (default jks)
# jre\lib\security\cacerts -> JDK trusted certificates from a variety of Certificate Authorities (CA's)
# jre\lib\security\cacerts -> default password is changeit
# listing a keystore
keytool -v -list -storetype JKS -keystore jetty_keystore.jks
keytool -v -list -storetype JKS -keystore jetty_keystore.jks | grep "Alias name:"
keytool -v -list -storetype PKCS12 -keystore jetty.p12

ERROR failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
	This can happen when the p12 file was exported with an empty "Export Password" and you then try to import it into a JKS keystore.
	Import the p12 using the -srcstorepass "" option:
	keytool -importkeystore -srckeystore $PKCS12_FILE -destkeystore "$KEYSTORE_FILE_NAME" -srcstoretype PKCS12 -deststoretype JKS -srcstorepass ""

# show a certificate from url
openssl s_client -connect -showcerts </dev/null 2>/dev/null
openssl s_client -connect -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM

# see also
# key pair generation with multiple formats
openssl req -newkey rsa:2048 -x509 -days 3660 -out adr1-pub.pem -keyout adr1-key.pem
openssl rsa -des3 -in adr1-key.pem -out adr1-key.pem.des3.bitvise
ssh-keygen -y -f adr1-key.pem > adr1-pub.openssh
openssl rsa -in adr1-key.pem -out adr1-key-no-pwd.rsa.pem
openssl pkcs12 -info -nokeys -export -in adr1-pub.pem -name "adr1-pub" -out adr1-pub.p12
openssl pkcs12 -info -export -in adr1-pub.pem -inkey adr1-key.pem -name "adr1 private key and public key" -out adr1.p12
cat adr1-pub.openssh > /********/.ssh/authorized_keys
# putty-tools ubuntu package (command-line tools for SSH, SCP, and SFTP)
# To convert a key from another format (puttygen will automatically detect the input key type):
puttygen adr1-key.pem.des3.bitvise -C 'adr1-key.pem.des3.bitvise' -o adr1-key.putty.ppk
