Commonly-used PKI functions

certificate.sh

# Check certificate expiration date
openssl x509 -in certificate.pem -noout -enddate

# Create new ECC key and CSR
openssl ecparam -out private.key -name prime256v1 -genkey
chmod 400 private.key
openssl req -new -key private.key -out csr.txt -subj '/CN=domain.tld'

# Create new RSA key and CSR
openssl req -out csr.txt -new -newkey rsa:4096 -sha256 -nodes -keyout private.key -subj '/CN=domain.tld' > /dev/null 2>&1

# Verify contents of CSR
openssl req -in csr.txt -noout -text

# Set correct permissions for private keys
chmod 400 private.key

# Print contents of certificate
openssl x509 -in certificate.pem -noout -text

# Convert between DER and PEM
openssl x509 -inform DER -in certificate.der -outform PEM -out certificate.pem
openssl x509 -inform PEM -in certificate.pem -outform DER -out certificate.der

# Get certificate portion of .p12 as .pem
openssl pkcs12 -in bundle.p12 -out certificate.pem -nodes -nokeys

# Get key portion of .p12 as .pem
openssl pkcs12 -in bundle.p12 -out private.key -nodes -nocerts

# Make .p12 using all individual components
openssl pkcs12 -export -certfile intermediate.pem -in certificate.pem -inkey private.key -out bundle.p12

# Sign .mobileconfig
openssl smime -sign -signer certificate.pem -inkey private.key -certfile intermediate.pem -nodetach -outform der -in config.mobileconfig -out signed.mobileconfig

# Verify SSL certificate installation
openssl s_client -connect example.com:443

ssh.sh

# Create 4096-bit RSA key
ssh-keygen -q -N '' -C '' -t rsa -b 4096 -f private.key

# Create Ed25519 key
ssh-keygen -q -N '' -C '' -t ed25519 -f private.key

# Get .pub of key
ssh-keygen -f private.key -y

# Links:
# http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html
# http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf

zmodification

very recent, such modification