# see https://www.openssl.org/docs/manmaster/apps/req.html # Create a certificate del adr-*.pem openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-pub.pem -keyout adr-key.pem #bug: openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-bitvise-pub.pem -keyout adr-bitvise-key.pem #bug: openssl req -new -x509 -days 3660 -out adr-bitvise.pem -keyout adr-bitvise.pem openssl rsa -in adr-key.pem -out adr-key-no-pwd.pem -> stergere parola #openssl rsa -des3 -in adr-key.pem -out adr-key-new-pwd.pem -> setare parola openssl dhparam 2048 >> adr-pub.pem (dhparam -> versiunea noua pt. vechiul param gendh) openssl dhparam 2048 >> adr-key-no-pwd.pem openssl pkcs12 -export -in adr-pub.pem -inkey adr-key-no-pwd.pem -name "adr" -out adr-pwd.p12 #Pune adr-pub.pem in /home/root/.ssh/ (backup keys folder). cat adr-pub.pem >> /home/root/.ssh/authorized_keys (ssh server) #cat adr-pub.pem >> /ffp/var/lib/stunnel/authorized_keys.pem (stunnel) #cat adr-pub.pem >> /etc/service_conf/authorized_keys.crt (NSA310 web console) # Certificat pt. invitati: openssl req -newkey rsa:2048 -x509 -days 3660 -out gigi-pub.pem -keyout gigi-key.pem openssl rsa -in gigi-key.pem -out gigi-key-no-pwd.pem openssl dhparam 2048 >> gigi-pub.pem openssl dhparam 2048 >> gigi-key.pem openssl dhparam 2048 >> gigi-key-no-pwd.pem openssl pkcs12 -export -in gigi-pub.pem -inkey gigi-key-no-pwd.pem -name "gigi" -out gigi-pwd.p12 cat gigi-pub.pem >> /home/root/.ssh/authorized_keys # Encrypt a private key using triple DES (from https://www.openssl.org/docs/manmaster/apps/rsa.html): # Key generation for bitvise: openssl rsa -des3 -in adr-key.pem -out adr-key.pem.des3.bitvise -> requested by "User keypair manager" # see http://sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL # Extract the public key to openssh format: ssh-keygen -y -f adr-key.pem > adr-pub.openssh cat adr-pub.openssh >> /home/root/.ssh/authorized_keys # convert p12 to pem openssl pkcs12 -in xxx.p12 -nocerts -out xxx_key.pem openssl pkcs12 -in xxx.p12 -clcerts -nokeys -out xxx_pub.pem # debug ssl connection openssl s_client -cert xxx_pub.pem -key xxx_key.pem -connect 192.168.1.10:443 -debug # request protected https resource wget --certificate=xxx_pub.pem --private-key=xxx_key.pem https://192.168.1.10/zzz ERROR ERROR: certificate common name ‘svn-ubuntu’ doesn't match requested host name ‘192.168.1.10’. To connect to 192.168.1.10 insecurely, use `--no-check-certificate'. HOW TO DETERMINE IT wget --no-hsts --certificate=xxx_pub.pem --private-key=xxx_key.pem https://192.168.1.10/zzz --no-hsts Wget supports HSTS (HTTP Strict Transport Security, RFC 6797) by default. Use --no-hsts to make Wget act as a non-HSTS-compliant UA. As a consequence, Wget would ignore all the "Strict-Transport-Security" headers, and would not enforce any existing HSTS policy. SOLUTION This might not work: wget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem https://192.168.1.10/zzz This should work: Append 192.168.1.10 svn-ubuntu to /etc/hosts. wget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem https://svn-ubuntu/zzz # DER format # https://www.openssl.org/docs/manmaster/man1/x509.html View the complete certificate information (private + public key also): openssl x509 -inform der -in temp/jetty-certificate.der -text -noout openssl x509 -in CA.cer -noout -text openssl x509 -in adr-pub.pem -noout -text | grep -P "Issuer|Subject" Saves the public key only: openssl x509 -inform der -in temp/jetty-certificate.der -pubkey -noout > temp/jetty-certificate.pub.pem Converts the certificate to pem: openssl x509 -inform der -outform PEM -in temp/jetty-certificate.der -out temp/jetty-certificate.pem Displays the certificate in PEM format and also it's alias: openssl x509 -inform der -outform PEM -in temp/jetty-certificate.der -alias Output the complete certificate information (valid only PEM with -----BEGIN CERTIFICATE----- content): openssl x509 -inform PEM -in temp/jetty-certificate.pem -text -noout # JAVA # see jre\lib\security\java.security for keystore.type (default jks) # jre\lib\security\cacerts -> JDK trusted certificates from a variety of Certificate Authorities (CA's) # jre\lib\security\cacerts -> default password is changeit # listing a keystore keytool -v -list -storetype JKS -keystore jetty_keystore.jks keytool -v -list -storetype JKS -keystore jetty_keystore.jks | grep "Alias name:" keytool -v -list -storetype PKCS12 -keystore jetty.p12 ERROR java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded SOLUTION It might be the case of a p12 file with the "Export Password" empty while you try to import it in a jks keystore. Import the p12 using -srcstorepass "" option: keytool -importkeystore -srckeystore $PKCS12_FILE -destkeystore "$KEYSTORE_FILE_NAME" -srcstoretype PKCS12 -deststoretype JKS -srcstorepass "" # show a certificate from url openssl s_client -connect adrhc.go.ro:443 -showcerts </dev/null 2>/dev/null openssl s_client -connect adrhc.go.ro:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM # see also https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them # key pair generation with multiple formats openssl req -newkey rsa:2048 -x509 -days 3660 -out adr1-pub.pem -keyout adr1-key.pem openssl rsa -des3 -in adr1-key.pem -out adr1-key.pem.des3.bitvise ssh-keygen -y -f adr1-key.pem > adr1-pub.openssh openssl rsa -in adr1-key.pem -out adr1-key-no-pwd.rsa.pem openssl pkcs12 -info -nokeys -export -in adr1-pub.pem -name "adr1-pub" -out adr1-pub.p12 openssl pkcs12 -info -export -in adr1-pub.pem -inkey adr1-key.pem -name "adr1 private key and public key" -out adr1.p12 cat adr1-pub.openssh > /********/.ssh/authorized_keys # putty-tools ubuntu package (command-line tools for SSH, SCP, and SFTP) # To convert a key from another format (puttygen will automatically detect the input key type): puttygen adr1-key.pem.des3.bitvise -C 'adr1-key.pem.des3.bitvise' -o adr1-key.putty.ppk