openssl recipes

These last days I had to tinker with openssl a lot and this is a short memory reminder of the params.

PKCS#7 manipulation

Verify pkcs#7 signature

#the -noverify means do not verify the certificate chain, this will only verify the signature not the originating certificate
openssl smime -inform DER -verify -noverify -in signature.p7s

Show the structure of the file (applies to all DER files)

#for debuging
openssl asn1parse -inform DER -i -in signature.p7s

Extract certificate and public key

openssl pkcs7 -inform DER -in signature.p7s -print_certs > certificate.crt
openssl x509 -in certificate.crt -noout -pubkey > pubKey.key

JKS certificate import

Export private key from jks keystore

#convert jks to pkcs#12 format
keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.p12
-deststoretype PKCS12 -srcalias myAlias
#export private key (WARNING, manipulate with care)
openssl pkcs12 -in myKeystore.p12  -nodes -nocerts -out myKey.pem

Check .csr or .crt public key against a private key

This will generate the sha256 hash for the public key, compare manualy. Very useful if you lost your key or are getting “No certificate matches private key”.

#generate hash for pubKey generated from privateKey
openssl pkey -in myPrivateKey.key -pubout -outform pem | sha256sum 
#generate hash for pubKey from cert
openssl x509 -in myCertificate.crt -pubkey -noout -outform pem | sha256sum 
#generate hash for pubKey from csr
openssl req -in myCSR.csr -pubkey -noout -outform pem | sha256sum

Convert p7b signed certificate response to jks keystore

This is very useful if you lost your jks keystore containing the original .csr

#export certs from signed certificate response to .pem
openssl pkcs7 -print_certs -in myStore.p7b -out certs.pem
#combine certs and key in pkcs#12 format
openssl pkcs12 -export -name server -in certs.pem -out myKeystore.p12 -inkey myPrivateKey.key
#convert pkcs#12 to jks
keytool -importkeystore -srcstoretype pkcs12 -srckeystore myKeystore.p12 -destkeystore myKeystore.jks

Leave a Reply

*