
OpenSSL

October 20, 2023
September 29, 2015

OpenSSL is a toolkit for TLS and SSL.
The Most Common OpenSSL Commands
A list of openssl commands to check and verify your keys
OpenSSL command cheatsheet

jbp.io :: TLS performance: rustls versus OpenSSL

key/cert types

X.509 - Wikiwand
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

.pem, .key, .csr are file extensions used for keys (and certificate requests)
.crt == X.509 certificate, usually PEM-encoded (-----BEGIN CERTIFICATE-----)
.csr is turned into a .crt by signing it with a private key
.pfx/.p12 == PKCS#12
SPKI, PKCS (#1, #8): key encoding formats

key: no metadata, just the key material (for RSA: the primes and the modulus)
cert: the public key plus metadata, signed

cert generation

๐Ÿ” HTTPS certificate generation explained! Now setup HTTPS for local development environment (without sudo) | Blog
How to create a .pfx/.p12 certificate file using OpenSSL โ€“ SSL Information and FAQ
HOWTO: Generate a CSR for OpenSSL โ€“ (see tools.ssl.com) โ€“ SSL Information and FAQ
ssl - How to create a self-signed certificate with openssl? - Stack Overflow
OpenSSL CSR Tool - Create Your CSR Faster | DigiCert.com

How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 16.04 | DigitalOcean

Manage sensitive data with Docker secrets | Docker Documentation

Five Tips for Using Self Signed SSL Certificates with iOS | HttpWatch Blog (also on own CA)

auth.cert

# private key and cert (CSR in the pipeline)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt

openssl genrsa -out privatekey.pem 2048 # key only
openssl req -new -key privatekey.pem -out CSR.csr # CSR only
# private key and CSR
openssl req -nodes -new -newkey rsa:2048 -keyout privatekey.key -out CSR.csr
# then sign the CSR with the private key to produce the X.509 certificate (.crt); self-signed here
openssl x509 -req -days 365 -in CSR.csr -signkey privatekey.key -out selfsigned.crt

openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:2048 # private key only
openssl rsa -pubout -in privatekey.pem -out publickey.pem

openssl genrsa -out rsa_1024_priv.pem 1024 # 1024-bit RSA is too short for real use, kept here for the format only
openssl rsa -pubout -in rsa_1024_priv.pem -out rsa_1024_pub.pem

query cert

How to examine the metadata of an SSL (HTTPS/TLS) cert
SSL Certificate Tools

# X.509
openssl x509 -text -noout -in certificate.pem
openssl x509 -text -noout -in certificate.cert

# CSR (PKCS#10)
openssl req -text -noout -in certificate.csr

# PKCS#12 (.pfx or .p12)
openssl pkcs12 -info -in key.p12

# read RSA key
openssl rsa -in private.key -text -noout
# -RSAPublicKey_in expects a PKCS#1 RSAPublicKey; for a SubjectPublicKeyInfo key (what 'rsa -pubout' writes) use -pubin instead
openssl rsa -RSAPublicKey_in -in public.key -text -noout

conversion

SSL Converter - Convert SSL Certificates to different formats
Converting OpenSSH public keys - Odd Bits

# DER (.crt .cer .der) -> PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
# PEM -> DER
openssl x509 -outform der -in certificate.pem -out certificate.der
# PKCS#12 -> PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
#  You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
# PEM -> PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
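Added example (not from this page or from OpenSSL): a stdlib-only Python check for the PEM-versus-DER distinction that the key/cert types notes and the conversion commands above describe. It tells you which encoding a file holds (the .crt/.cer extension cannot) and whether the outer DER SEQUENCE is complete; the regex, the length check and the sample bytes are constructed here, and it does not parse certificate fields.

```python
import base64
import re

# RFC 7468 PEM armor: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----"
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_outer_length(data):
    """Return (header_len, content_len) of the outer DER SEQUENCE, else None.
    Certs, CSRs, PKCS#1/PKCS#8 keys and PKCS#12 bundles all start with a SEQUENCE
    (tag 0x30); a declared length that disagrees with the file size means truncation."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                  # short form: one length byte
        return 2, first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")

def der_is_complete(data):
    """True if the declared SEQUENCE length matches the bytes actually present."""
    hdr = der_outer_length(data)
    return hdr is not None and hdr[0] + hdr[1] == len(data)

def pem_to_der(pem):
    """Decode each PEM block to (label, der): the 'openssl x509 -outform der' direction."""
    return [(lbl.decode(), base64.b64decode(body)) for lbl, body in PEM_BLOCK.findall(pem)]

def der_to_pem(der, label):
    """Wrap DER in PEM armor with 64-column base64 lines: the '-inform der' direction."""
    b64 = base64.b64encode(der)
    body = b"".join(b64[i:i + 64] + b"\n" for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n".encode() + body + f"-----END {label}-----\n".encode()

def classify(data):
    """Report PEM (with block labels) or DER, plus whether the DER payload is complete."""
    blocks = pem_to_der(data)
    if blocks:
        return {"encoding": "PEM", "labels": [l for l, _ in blocks],
                "valid": all(der_is_complete(d) for _, d in blocks)}
    if der_outer_length(data) is not None:
        return {"encoding": "DER", "labels": [], "valid": der_is_complete(data)}
    return {"encoding": "unknown", "labels": [], "valid": False}

if __name__ == "__main__":
    sample = b"\x30\x03\x02\x01\x05"  # constructed: SEQUENCE { INTEGER 5 }, not a real certificate
    print(classify(der_to_pem(sample, "CERTIFICATE")), classify(sample[:-1]))
```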

troubleshooting

sudo su
sudo tcpdump -vvv -s 0 -nni <interface> -w <file> host <host> and port <port> &
openssl s_client -connect <host>:<port> -state -msg

# e.g.
sudo su
sudo tcpdump -vvv -s 0 -nni eno1 -w internal.cap host 10.6.64.170 and port 443 &
openssl s_client -connect 10.6.64.170:443 -state -msg

SOL15475 - Troubleshooting SSL/TLS renegotiation
SOL15292 - Troubleshooting SSL/TLS handshake failures
SOL10209 - Overview of packet tracing with the ssldump utility


CFSSL

#cfssl #cloudflare

Introducing CFSSL - CloudFlare's PKI toolkit

cloudflare/cfssl: CFSSL: Cloudflare's PKI and TLS toolkit
kubernetes-the-hard-way/02-client-tools.md at master · kelseyhightower/kubernetes-the-hard-way

myca.json:

{
  "CN": "k3s",
  "hosts": ["k3s"],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "SG",
      "ST": "SG",
      "L": "Singapore"
    }
  ]
}
cfssl gencert -initca myca.json | cfssljson -bare myca

serverRequest.json:

{
   "CN": "registry",
   "hosts": [ "ubuntu" ],
   "key": {
      "algo": "rsa",
      "size": 2048
   }
}
cfssl gencert -ca=myca.pem -ca-key=myca-key.pem -config=ca-config.json -profile=server -hostname=ubuntu serverRequest.json | cfssljson -bare registry