openssl

show details of certificate request ( .csr )

# -noout suppresses the encoded request so only the decoded text is printed;
# add -verify to also check the request's self-signature.
openssl req -noout -text -in server.csr

show details of certificate ( .pem )

# -text prints the decoded certificate; the PEM block follows it unless
# -noout is also given.
openssl x509 -text -in server.crt

show details of certificate ( .p12 )

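# The input is a PKCS#12 bundle, so it is named .p12 here to match the heading.
# Such bundles normally carry the private key as well; add -nokeys to list
# only the certificates.
openssl pkcs12 -info -in server.p12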

generate self-signed certificate

# -signkey signs the request with its own key, so the result is self-signed
# (valid for 60 days). Clients will not trust it unless it is installed as a
# trust anchor on their side.
openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt

remove password

# No cipher option is given, so cert_new.key is written WITHOUT a passphrase:
# it holds the private key in the clear. Restrict its file permissions and
# keep it out of backups and version control.
openssl rsa -in cert.key -out cert_new.key

Converting openssl Key Files to PEM-Format

# Despite its name, cert.pem receives the RSA private key here, not a
# certificate, and it is written unencrypted because no cipher option is given.
openssl rsa -in cert.key -outform PEM -out cert.pem

Converting CRT/DER to PEM

# Re-encodes the same certificate: binary DER in, base64 PEM out.
openssl x509 -in cert.crt -inform DER -outform PEM -out cert.pem

Converting PEM to DER

# Re-encodes the same certificate: base64 PEM in, binary DER out.
openssl x509 -in cert.pem -inform PEM -outform DER -out cert.der

Converting P7C to PEM (also removes the B64 encoding)
The script works well if you have a plain

  • .p7(c/b) or
  • .p7(b/c).b64 encoded
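#!/bin/bash
#
# Convert a DER-encoded PKCS#7 bundle found in the current directory into a
# PEM certificate file.
#
# Input is picked in this order: the first *.b64 file (base64-decoded first),
# else the first *.p7b file that parses, else the first *.p7c file that parses.
#
# Arguments: $2 - output PEM file (default: cert.pem); $1 is not used
# Exit:      42 when no usable PKCS#7 input is found, otherwise the status of
#            the final "openssl x509 -text" check
#
# NOTE(review): -print_certs only extracts the certificates. Nothing here
# checks them against a trust anchor, so verify the chain (openssl verify)
# before installing the result.

shopt -s nullglob

readonly PEM_FILE="${2:-cert.pem}"
# Number of trailing output lines that are moved to the top of the PEM file.
readonly TAIL_LINES=26

abort_no_cert() {
    echo "NO VALID CETIFICATE FOUND... ABORTING"
    exit 42
}

# Succeeds when $1 parses as a DER-encoded PKCS#7 structure.
is_pkcs7_der() {
    openssl pkcs7 -inform DER -in "$1" >/dev/null
}

# Scratch files live in a private directory instead of fixed names in the
# working directory, and are removed on every exit path.
WORK_DIR="$( mktemp -d )" || exit 1
trap 'rm -rf -- "${WORK_DIR}"' EXIT

# Globs instead of "ls | grep": the unquoted dot in ".b64" matched any
# character, and several matches ended up as extra openssl arguments.
B64_FILES=( *.b64 )
P7B_FILES=( *.p7b )
P7C_FILES=( *.p7c )

if (( ${#B64_FILES[@]} > 0 )); then
    ## BASE64 FILE FOUND - DECODE IT FIRST
    P7C_FILE="${WORK_DIR}/decoded.p7c"
    openssl enc -d -base64 -in "${B64_FILES[0]}" -out "${P7C_FILE}" || abort_no_cert
elif (( ${#P7B_FILES[@]} > 0 )) && is_pkcs7_der "${P7B_FILES[0]}"; then
    P7C_FILE="${P7B_FILES[0]}"
elif (( ${#P7C_FILES[@]} > 0 )) && is_pkcs7_der "${P7C_FILES[0]}"; then
    ## p7b MISSING OR NOT PARSABLE - USING p7c
    P7C_FILE="${P7C_FILES[0]}"
else
    abort_no_cert
fi

## CONVERTING P7C -> PEM
openssl pkcs7 -inform DER -in "${P7C_FILE}" -print_certs -out "${PEM_FILE}" || abort_no_cert

## MOVE THE LAST 26 LINES TO THE TOP
# NOTE(review): presumably this puts the last certificate of the bundle first
# so that the x509 check below reads it - confirm. The fixed line count only
# fits a certificate block of exactly that size; with any other size the
# rotation cuts through a block and the PEM file is damaged.
MAX_LINES=$( wc -l < "${PEM_FILE}" )
if (( MAX_LINES > TAIL_LINES )); then
    ROTATED="${WORK_DIR}/rotated.pem"
    {
        tail -n "${TAIL_LINES}" -- "${PEM_FILE}"
        head -n "$(( MAX_LINES - TAIL_LINES ))" -- "${PEM_FILE}"
    } > "${ROTATED}" && mv -- "${ROTATED}" "${PEM_FILE}"
fi

## CHECK CERTIFICATE
# Only the first certificate in the file is parsed here; later blocks are not
# checked by this command.
openssl x509 -text -in "${PEM_FILE}"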

Test connectivity

# -cert/-key present a client certificate; -CAfile supplies the trust anchors
# used to verify the server. s_client reports a failed chain verification in
# "Verify return code" but by default still completes the handshake; add
# -verify_return_error to abort instead. -state prints the handshake states.
openssl s_client -connect IP-TARGET:443 -cert cert.pem  -key key.pem -CAfile ca.pem  -state

Base 64 decode

# This only reverses the base64 encoding. No key is involved, so despite the
# ".decrypt" name the input was never protected by encryption.
openssl enc -d -base64 -in myfile.b64 -out myfile.decrypt

compare cert with keyfile

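#!/bin/bash
#
# Check that an RSA private key belongs to a certificate by comparing the
# modulus openssl reports for each. Both files must be in PEM format.
#
# Arguments: $1 - certificate file, $2 - key file
# Exit:      0 on match, 1 on mismatch or unreadable input, 42 on usage error
#
# NOTE(review): the modulus comparison only covers RSA keys.

CERT_FILE="$1"
KEY_FILE="$2"

if [ -z "${KEY_FILE}" ]; then
    echo
    echo "################################"
    echo "## FILES MUST BE IN .PEM FORMAT"
    echo "################################"
    echo "USAGE: $0 <certifikat_file> <key_file>"
    echo
    exit 42
fi

# The modulus text is compared directly rather than through an MD5 digest.
# With the digest, two failing openssl calls both hashed empty input and the
# script reported a match for files it could not even read.
CERT=$( openssl x509 -noout -modulus -in "${CERT_FILE}" )
KEY=$( openssl rsa -noout -modulus -in "${KEY_FILE}" 2>/dev/null )

# An empty modulus means openssl could not parse the file; never a match.
if [ -n "${CERT}" ] && [ "${KEY}" = "${CERT}" ]; then
    echo "OK :: CERT MATCHES KEY [ $KEY_FILE ]"
else
    echo "FAILED :: CERT NOT MATCHING KEY [ $KEY_FILE ]"
    # Non-zero status so callers can act on the result without parsing output.
    exit 1
fi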

Webseite testen:

# Plain TLS connection test. Check "Verify return code" in the output: by
# default s_client completes the handshake even when chain verification fails.
openssl s_client -connect www.redhat.com:443
# -state prints the handshake states, -nbio turns on non-blocking I/O.
openssl s_client -connect www.redhat.com:443 -state -nbio