Monday, June 18, 2007
OpenSsl/Keytool Cheat Sheet
# Convert an RSA public key from PEM to DER
openssl rsa -inform PEM -in test-public-key.pem -outform DER -out test-public-key.der -pubin
# Convert an X509 certificate from PEM to DER
openssl x509 -in test-x509-cert.pem -inform PEM -out test-x509-cert.der -outform DER
# Print an X509 certificate
openssl x509 -text -in test-public-cert.pem
# Import a certificate to JKS
jdk1.6.0/bin/keytool -storepass changeit -keystore truststore.jks -importcert -alias mycert -file mycert.der -trustcacerts
# http://www.agentbob.info/agentbob/79.html
# Read the javadoc in ImportKey.java for details of converting it to a keystore
# Convert a private key from PEM to DER
openssl pkcs8 -topk8 -nocrypt -in private-key.pem -out private-key.der -outform der
# Convert cert from PEM to DER
openssl x509 -in cert.pem -out cert.der -outform der
# Convert private key and cert to keystore
java -cp . ImportKey private-key.der cert.der
# Change the storepass
keytool -keystore keystore.jks -storepass importkey -storepasswd -new changeit
# Change the alias
keytool -keystore keystore.jks -storepass changeit -changealias -alias importkey -keypass importkey -destalias myhost
# Change the keypass
keytool -keystore keystore.jks -storepass changeit -alias myhost -keypasswd -keypass importkey -new changeit
# List the keystore
keytool -keystore keystore.jks -storepass changeit -list -v
# Generate a self-signed key pair using keytool
keytool -genkeypair -dname "cn=myname,ou=myunit,o=myorg,c=AU" -alias myalias -keypass changeit -keystore ./my-keystore.jks -storepass changeit -validity 9999 -v
### Extracting the certificate (public key) ###
# Export the X509 certificate
keytool -export -alias myalias -keystore my-keystore.jks -storepass changeit -file mycert.der
# Display it
openssl x509 -noout -text -in mycert.der -inform der
# Convert to PEM
openssl x509 -out mycert.pem -outform pem -in mycert.der -inform der
### Extracting the private key ###
# Download, compile & run ExportPriv.
# Export private key into PKCS#8 format
javac ExportPriv.java
java ExportPriv my-keystore.jks myalias changeit > my-key.pkcs8
# Combine public and private key into PKCS#12 format
openssl pkcs12 -export -out my-key.p12 -inkey my-key.pkcs8 -in mycert.pem
# Convert PKCS#12 to PEM so it can be displayed
openssl pkcs12 -in pkcs-12-certificate(-and-key-file) -out pem-certificate(-and-key-file)
# Find out the MD5 of an X509 cert
openssl x509 -fingerprint -md5 -in cert.pem
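Added example, not part of the original post: POSIX shell helpers, assuming `openssl` is on the PATH, that check a private key belongs to a certificate before the two are combined into PKCS#12, and that a PEM certificate and its DER conversion are still the same certificate. The function names are made up for this example and the file names are whatever the caller passes in.

```shell
# Added example (not from the original post). Assumes openssl is on PATH.
# Function names are hypothetical; file names are supplied by the caller.

# Print the certificate's public key as PEM. $2 is the cert encoding: PEM or DER.
cert_pubkey() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -pubkey
}

# Print the public key derived from a PEM private key (PKCS#8 or traditional).
key_pubkey() {
  openssl pkey -in "$1" -pubout
}

# Exit 0 only if the private key belongs to the certificate, 1 if it does not.
# Exit 2 if either file cannot be parsed, so a parse error never reads as a match.
# usage: key_matches_cert <key.pem> <cert> [PEM|DER]
key_matches_cert() (
  k=$(key_pubkey "$1" 2>/dev/null) || exit 2
  c=$(cert_pubkey "$2" "${3:-PEM}" 2>/dev/null) || exit 2
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# Print the SHA-256 fingerprint of a certificate. The digest is taken over the
# DER bytes, so a PEM file and its DER conversion give the same value.
# usage: cert_fingerprint <cert> [PEM|DER]
cert_fingerprint() (
  out=$(openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256) || exit 2
  printf '%s\n' "${out#*=}"
)

# Exit 0 only if a PEM certificate and a DER certificate are the same certificate.
# usage: same_cert <cert.pem> <cert.der>
same_cert() (
  p=$(cert_fingerprint "$1" PEM 2>/dev/null) || exit 2
  d=$(cert_fingerprint "$2" DER 2>/dev/null) || exit 2
  [ "$p" = "$d" ]
)
```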
Comments:
Trying to follow the HowTo, I crash at the compile part:
ExportPriv.java:38: cannot find symbol
symbol : variable Base64Coder
location: class ExportPriv
char[] b64 = Base64Coder.encode(privKey.getEncoded());
^
Any suggestions?
TIA!
Which JDK are you using? I've been using jdk1.5/1.6, and have never had an issue with the compilation.
This is a great chunk of info which I think is about to save my life. I wish I knew more about SSL as the terms drive me nuts.
It seems I need the Base64coder too. Can someone explain what that is and how to obtain it?
Much appreciated!
Mark-
mchester (at) level-studios (dot) com
There is no Base64 encoder/decoder in the standard Java SDK class library. The undocumented classes sun.misc.BASE64Encoder and sun.misc.BASE64Decoder should not be used. Which Base64Decoder did you use? Google shows a bunch of them.
A Base64Encoder under GPL can be found at www.sourcecode.biz. This library/class has a static encode method that takes a String as an argument and may be a valid replacement for the one you used.
Well, I have no clue how to use that change alias command.
Maybe some variables with short explanations would help (like [[pwd]] for password, or something).
To add that would really help!
Found a workaround.
Use the keyclone option to copy the key with a new alias, then remove the other one:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#keycloneCmd