@rbdiang
Last active January 19, 2018 11:41
Working with ssl files

p12 file from rsa.key and server.crt

verify file contents:

../private/imac.yantz5.key.pem

head -10 ../private/imac.yantz5.key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,25AD524E722FC26BF558B1717CDEE602


imac.yantz5.cert.pem

head -10 imac.yantz5.cert.pem 
-----BEGIN CERTIFICATE-----

use openssl

openssl pkcs12 -export -out imac.yantz5.p12 -inkey ../private/imac.yantz5.key.pem -in imac.yantz5.cert.pem 
Enter pass phrase for ../private/imac.yantz5.key.pem:
Enter Export Password:
Verifying - Enter Export Password:

ls -la imac.yantz5.p12 
-rw-r--r--  1 root  staff  3165 Jan 19 05:45 imac.yantz5.p12

jks file from p12 file

use keytool

keytool \
-importkeystore \
-srckeystore imac.yantz5.p12 \
-srcstoretype pkcs12 \
-srcalias 1 \
-destkeystore imac.yantz5.jks \
-deststoretype jks \
-destalias imac.yantz5
keystore password:  
Re-enter new password: 
Enter source keystore password:  

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore imac.yantz5.jks -destkeystore imac.yantz5.jks -deststoretype pkcs12".

ls -la imac.yantz5.jks 
-rw-r--r--  1 root  staff  2918 Jan 19 05:47 imac.yantz5.jks

jks to p12

use keytool

keytool \
-importkeystore \
-srckeystore imac.yantz5.jks \
-destkeystore imac.yantz5.jks.p12 \
-srcstoretype JKS \
-deststoretype PKCS12 \
-srcalias imac.yantz5

Importing keystore imac.yantz5.jks to imac.yantz5.jks.p12...
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:

ls -la imac.yantz5.jks.p12 
-rw-r--r--  1 root  staff  3273 Jan 19 05:55 imac.yantz5.jks.p12

p12 to key UNENCRYPTED

use openssl

openssl pkcs12  -in imac.yantz5.jks.p12 -out imac.yantz5.jks.p12.key -nodes -nocerts

Enter Import Password:
MAC verified OK

ls -la imac.yantz5.jks.p12.key 
-rw-r--r--  1 root  staff  1852 Jan 19 05:59 imac.yantz5.jks.p12.key
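
The listing above shows the key exported with -nodes as -rw-r--r--, so any local user can read an unencrypted private key. The check below is an added example, not part of the original gist: the function name key_file_status and the sample files are assumptions, and the sample bodies are constructed placeholders rather than real key material.

```sh
#!/bin/sh
# Added example, not from the original gist.
# key_file_status FILE prints "<encrypted|plaintext|no-key> <private|exposed>".
key_file_status() {
    f=$1
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" ||
       grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        enc=encrypted            # PKCS#8 encrypted, or legacy PEM encryption header
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        enc=plaintext            # what "openssl pkcs12 -nodes" writes
    else
        enc=no-key
    fi
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]; then
        mode=private
    else
        mode=exposed
    fi
    echo "$enc $mode"
}

# Constructed sample files (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
cat > "$demo_dir/encrypted.key.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

PLACEHOLDERBODY
-----END RSA PRIVATE KEY-----
EOF
chmod 600 "$demo_dir/encrypted.key.pem"

cat > "$demo_dir/nodes-export.key" <<'EOF'
Bag Attributes
-----BEGIN PRIVATE KEY-----
PLACEHOLDERBODY
-----END PRIVATE KEY-----
EOF
chmod 644 "$demo_dir/nodes-export.key"    # same mode as the listing above

status_encrypted=$(key_file_status "$demo_dir/encrypted.key.pem")
status_before=$(key_file_status "$demo_dir/nodes-export.key")
chmod 600 "$demo_dir/nodes-export.key"    # or run "umask 077" before exporting
status_after=$(key_file_status "$demo_dir/nodes-export.key")
echo "$status_encrypted | $status_before | $status_after"
```

Run key_file_status against imac.yantz5.jks.p12.key after the export; anything reported as "plaintext exposed" should be tightened with chmod 600 or removed once it is no longer needed.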

p12 to cert

use openssl

openssl pkcs12  -in imac.yantz5.jks.p12 -out imac.yantz5.jks.p12.crt  -nokeys 
Enter Import Password:
MAC verified OK

ls -la imac.yantz5.jks.p12.crt 
-rw-r--r--  1 root  staff  2510 Jan 19 06:04 imac.yantz5.jks.p12.crt

ca chain to jks truststore

verify file contents:

grep -A 2 BEGIN ca-chain.cert.pem 
-----BEGIN CERTIFICATE-----
MIIGQDCCBCigAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgbExCzAJBgNVBAYTAlVT
MRYwFAYDVQQIDA1Vbml0ZWQgU3RhdGVzMREwDwYDVQQHDAhNYXJ5bGFuZDEeMBwG
--
-----BEGIN CERTIFICATE-----
MIIGSjCCBDKgAwIBAgIJAIXS1q2WwR1hMA0GCSqGSIb3DQEBCwUAMIGxMQswCQYD
VQQGEwJVUzEWMBQGA1UECAwNVW5pdGVkIFN0YXRlczERMA8GA1UEBwwITWFyeWxh

break out into separate files (1 for each -BEGIN CERTIFICATE-)

ls -la
total 32
drwxr-xr-x   5 root  staff   170 Jan 19 06:24 .
drwxr-xr-x  12 root  staff   408 Jan 19 06:22 ..
-rw-r--r--   1 root  staff  2228 Jan 19 06:23 ca-chain-1.pem
-rw-r--r--   1 root  staff  2240 Jan 19 06:24 ca-chain-2.pem
-r--r--r--   1 root  staff  4468 Jan 19 06:22 ca-chain.cert.pem
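
The gist does not show how the bundle was broken out. One way to do it with awk, as an added example that is not part of the original gist: the function name split_pem_bundle is an assumption, and the sample bundle is constructed with placeholder bodies, not real certificates.

```sh
#!/bin/sh
# Added example, not from the original gist.
# split_pem_bundle BUNDLE PREFIX
#   Writes PREFIX-1.pem, PREFIX-2.pem, ... (one per certificate, in bundle
#   order) and prints how many certificates were written.
#   Text outside BEGIN/END markers (e.g. "subject=" lines) is dropped.
split_pem_bundle() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# Constructed sample bundle: placeholder bodies, not real certificates.
demo_split_dir=$(mktemp -d)
cat > "$demo_split_dir/ca-chain.cert.pem" <<'EOF'
subject=CN = constructed intermediate
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATEBODY
-----END CERTIFICATE-----
subject=CN = constructed root
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTBODY
-----END CERTIFICATE-----
EOF

split_count=$(split_pem_bundle "$demo_split_dir/ca-chain.cert.pem" "$demo_split_dir/ca-chain")
echo "wrote $split_count certificate files"
ls "$demo_split_dir"
```

Against the real ca-chain.cert.pem this produces ca-chain-1.pem and ca-chain-2.pem, which are the inputs to the openssl x509 commands that follow.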

use openssl to encode each part

openssl x509 -in ca-chain-1.pem -outform DER -out ca-chain-1.der
openssl x509 -in ca-chain-2.pem -outform DER -out ca-chain-2.der

use keytool to import 1st part

keytool -import \
-trustcacerts \
-file ca-chain-1.der \
-keystore ca-chain.jks \
-alias Intermediate

Enter keystore password:  
Re-enter new password:

Trust this certificate? [no]:  y
Certificate was added to keystore

use keytool to import 2nd part

keytool -import \
-trustcacerts \
-file ca-chain-2.der \
-keystore ca-chain.jks \
-alias Root

Enter keystore password:  
...
Trust this certificate? [no]:  yes
Certificate was added to keystore

use keytool to verify contents

keytool -keystore ca-chain.jks -list
Enter keystore password:  
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jan 19, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 68:B4:89:AF:23:FC:74:B2:32:D8:FD:1D:39:3A:E6:68:33:9D:4D:75
intermediate, Jan 19, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): C9:23:74:6C:EB:88:E8:6F:89:41:E6:4F:AF:65:40:C4:79:D4:AA:77