From 547954d5f065a3fde5c550dd1dd5429fc7d35ce4 Mon Sep 17 00:00:00 2001
From: spoki0
Date: Mon, 28 Oct 2019 20:56:36 +0100
Subject: [PATCH] Additional cheat files (#139)
* Most common openssl commands
* Most common java keytool commands
---
cheats/keytool.cheat | 58 +++++++++++++++++++++++++++++++
cheats/openssl.cheat | 81 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 139 insertions(+)
create mode 100644 cheats/keytool.cheat
create mode 100644 cheats/openssl.cheat
diff --git a/cheats/keytool.cheat b/cheats/keytool.cheat
new file mode 100644
index 0000000..7b067be
--- /dev/null
+++ b/cheats/keytool.cheat
@@ -0,0 +1,58 @@
+% java keytool, certificate, encryption
+
+## Creating
+# Generate a Java keystore and key pair
+keytool -genkey -alias -keyalg RSA -keystore -keysize
+
+# Generate a certificate signing request (CSR) for an existing Java keystore
+keytool -certreq -alias -keystore -file
+
+# Import a root or intermediate CA certificate to an existing Java keystore
+keytool -import -trustcacerts -alias root -file -keystore
+
+# Import a signed primary certificate to an existing Java keystore
+keytool -import -trustcacerts -alias -file -keystore
+
+# Generate a keystore and self-signed certificate
+keytool -genkey -keyalg RSA -alias -keystore -storepass -validity -keysize
+
+
+
+## Verifying
+# Check a stand-alone certificate
+keytool -printcert -v -file
+
+# Check which certificates are in a Java keystore
+keytool -list -v -keystore
+
+# Check a particular keystore entry using an alias
+keytool -list -v -keystore -alias
+
+
+
+## Other
+# Remove a certificate from a keystore
+keytool -delete -alias -keystore
+
+# Change the password of a keystore
+keytool -storepasswd -keystore -new
+
+# Export a certificate from a keystore
+keytool -export -alias -file -keystore
+
+# List the trusted CA Certs from the default Java Trusted Certs Keystore
+keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
+
+# Import New Certificate Authority into the default Java Trusted Certs Keystore
+keytool -import -trustcacerts -file -alias -keystore $JAVA_HOME/jre/lib/security/cacerts
+
+
+
+# Sensible/common default alternatives
+$ VALIDITY: printf "DAYS\tCOMMENT\n1\ta day\n30\ta month\n365\ta year\n730\ttwo years" --- --column 1 --headers 1
+$ RSA_LENGTH: printf "KEY LENGTH\tCOMMENT\n2048\t\tDefault\n4096\t\tBetter\n8192\t\tSlow?" --- --column 1 --headers 1
+
+# Attempt to find files with the appropriate endings, default to everything.
+$ INPUT_CRT: ls -a | grep -e "\(.crt\|.cer\|.der\)" || ls -a
+$ INPUT_PEM: ls -a | grep -e "\(.pem\)" || ls -a
+$ INPUT_JKS: ls -a | grep -e "\(.jks\)" || ls -a
diff --git a/cheats/openssl.cheat b/cheats/openssl.cheat
new file mode 100644
index 0000000..4c13337
--- /dev/null
+++ b/cheats/openssl.cheat
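Review bot: The `# Generate a keystore and self-signed certificate` entry passes the keystore password through `-storepass`, and `# Change the password of a keystore` passes the new one through `-new`, so the secret lands in shell history and is readable in the process list while keytool runs. keytool prompts for these values when the options are omitted and also accepts the `:env` and `:file` modifiers (for example `-storepass:env VARNAME`), so I would drop the options from both commands or add a comment such as `# Omit -storepass to be prompted; a password given on the command line is visible to other local users`. The two cacerts entries at the end of the file hard-code `$JAVA_HOME/jre/lib/security/cacerts`, which is the Java 8 layout; newer JDKs keep the file under `$JAVA_HOME/lib/security/`, so the comment should say which layout is assumed, and the expansion should be double-quoted.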
@@ -0,0 +1,81 @@
+% openssl, certificate, encryption
+
+## General OpenSSL Commands
+# Create a new signing request and key
+openssl req -new -newkey rsa: -nodes -out -keyout
+
+# Create a new self-signed certificate
+openssl req -x509 -sha256 -nodes -days -newkey rsa: -out -keyout
+
+# Create a signing request from existing key
+openssl req -out -key -new
+
+# Create a signing request from existing certificate and key
+openssl x509 -x509toreq -out -in -signkey
+
+# Remove a passphrase from a private key
+openssl rsa -in -out
+
+
+
+## Converting between the different encoding
+# Convert a DER encoded file to a PEM encoded file
+openssl x509 -inform der -in -out
+
+# Convert a PEM encoded file to a DER encoded file
+openssl x509 -outform der -in -out
+
+# Convert a PKCS12 encoded file containing a private key and certificates to PEM
+openssl pkcs12 -in -out -nodes
+
+# Extract the private key from a PKCS12 encoded file
+openssl pkcs12 -in -out -nodes -nocerts
+
+# Extract the certificate from a PKCS12 encoded file
+openssl pkcs12 -in -out -nodes -nokeys
+
+# Convert a PEM certificate file and a private key to PKCS12 encoded file
+openssl pkcs12 -export -out -inkey -in -certfile
+
+
+
+## Validating certificates and keys using OpenSSL
+# Validate a certificate signing request
+openssl req -text -noout -verify -in
+
+# Validate a private key
+openssl rsa -in -check
+
+# Validate a certificate
+openssl x509 -in -text -noout
+
+# Validate a PKCS12 file (.pfx or .p12)
+openssl pkcs12 -info -in
+
+
+
+## Debugging using OpenSSL
+# Compare the MD5 hash of a certificate
+openssl x509 -noout -modulus -in | openssl md5
+
+# Compare the MD5 hash of a private key
+openssl rsa -noout -modulus -in | openssl md5
+
+# Compare the MD5 hash of a certificate signing request
+openssl req -noout -modulus -in | openssl md5
+
+# Display the server certificate chain
+openssl s_client -connect :
+
+
+
+# Sensible/common default alternatives
+$ VALIDITY: printf "DAYS\tCOMMENT\n1\ta day\n30\ta month\n365\ta year\n730\ttwo years" --- --column 1 --headers 1
+$ RSA_LENGTH: printf "KEY LENGTH\tCOMMENT\n2048\t\tDefault\n4096\t\tBetter\n8192\t\tSlow?" --- --column 1 --headers 1
+
+# Attempt to find files with the appropriate endings, default to everything.
+$ INPUT_PKCS12: ls -a | grep -e "\(.pfx\|.p12\)" || ls -a
+$ INPUT_CSR: ls -a | grep -e "\(.csr\)" || ls -a
+$ INPUT_KEY: ls -a | grep -e "\(.key\|.pem\)" || ls -a
+$ INPUT_CRT: ls -a | grep -e "\(.crt\|.cer\|.der\)" || ls -a
+$ INPUT_PEM: ls -a | grep -e "\(.pem\)" || ls -a
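Review bot: `# Validate a certificate` is paired with the `openssl x509 ... -text -noout` command, which only decodes and prints the certificate and checks neither its signature, its chain nor its validity period, so clean output can be misread as the certificate being trusted. I would retitle it `# Display the contents of a certificate` and, if chain validation is wanted, add a separate entry built on `openssl verify -CAfile`. The entries that use `-nodes`, together with `# Remove a passphrase from a private key`, write the private key to disk unencrypted; a comment such as `# Writes an unencrypted private key; restrict the output file's permissions` above them would make that explicit.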