Private key -> csr -> certificate -> public key -> CA-Signed Certificate -> pkcs12
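# OpenSSL walk-through: private key -> CSR -> self-signed certificate -> public key
# -> CA-signed certificate -> PKCS#12 keystore.
# Commands that are commented out are alternatives to the step above them.

# Encrypted 4096-bit RSA private key.
# -aes256 replaces -des3: 3DES is a legacy cipher for protecting a key at rest.
# No -passout is given, so openssl asks for the passphrase instead of taking it
# from the command line.
openssl genrsa -aes256 -out foo.key 4096

# How to decrypt an RSA private key using OpenSSL.
# The output file holds the key in the clear; keep it readable by its owner only.
# openssl rsa -in .excluded/rsa/foo.key.encrypted -out .excluded/rsa/foo.key.decrypted

# Certificate Signing Request by private key
openssl req -key foo.key -new -out foo.csr

# We can also create both the private key and CSR with a single command
# openssl req -newkey rsa:4096 -keyout foo.key -out foo.csr

# A certificate that's signed with its own private key (self-signed).
# -sha256 pins the signature digest instead of relying on the build's default.
# No -extfile/-extensions is given, so basicConstraints CA:TRUE is not set here;
# strict verifiers may refuse foo.crt as an issuer when it signs bar.crt below
# (the commented "-extensions v3_ca" variant further down addresses that).
openssl x509 -req -signkey foo.key -in foo.csr -days 3650 -sha256 -out foo.crt

# Check certificate purposes
openssl x509 -in foo.crt -noout -purpose

# Check whether the certificate has already expired
# (-checkend 0 exits non-zero if it has).
openssl x509 -in foo.crt -checkend 0

# We can even create a private key and a self-signed certificate with just a single command:
# openssl req -newkey rsa:4096 -keyout foo.key -x509 -days 3650 -out foo.crt

# Private key + CA self-signed certificate.
# KEY_PASS is an example variable name: env: keeps the passphrase out of argv,
# where a pass:... argument would show up in the process list and shell history.
# openssl req -newkey rsa:4096 -passout env:KEY_PASS -keyout CA.key -x509 -days 3560 -extensions v3_ca -out CA.crt

# A public key by a certificate
openssl x509 -pubkey -in foo.crt -noout -out foo.public
# or public key by a private key
# openssl rsa -in foo.key -passin env:KEY_PASS -pubout -out foo.public

# Encrypt with the public key, decrypt with the private key (round trip).
# pkeyutl replaces rsautl, which is deprecated since OpenSSL 3.0, and OAEP
# replaces rsautl's default PKCS#1 v1.5 encryption padding. Both sides must
# name the same padding mode.
date +%s \
  | openssl pkeyutl -encrypt -pubin -inkey foo.public -pkeyopt rsa_padding_mode:oaep \
  | openssl pkeyutl -decrypt -inkey foo.key -pkeyopt rsa_padding_mode:oaep

# Signature: sign the base64 of the concatenated inputs, then verify it with
# the public key.
cat foo.1 foo.2 foo.3 | base64 > foo.b64
openssl dgst -sha256 -sign foo.key -out foo.sig foo.b64
openssl dgst -sha256 -verify foo.public -signature foo.sig foo.b64

# Second key pair and CSR; its certificate is issued by foo below.
openssl genrsa -aes256 -out bar.key 4096
openssl req -key bar.key -new -out bar.csr

# CA-Signed Certificate.
# No -extfile is passed, so this command adds no subjectAltName to bar.crt;
# supply one via -extfile if clients have to match the certificate to a host name.
openssl x509 -req -CA foo.crt -CAkey foo.key -in bar.csr -out bar.crt -days 3650 -sha256 -CAcreateserial

# The PKCS#12 password is read from the environment (P12_PASS) rather than
# written on the command line as pass:..., so it stays out of `ps` output and
# shell history. The environment is still visible to this process and its
# children; use file:<path> with owner-only permissions, or let openssl prompt,
# where that matters.
: "${P12_PASS:?set P12_PASS to the PKCS#12 password}"
export P12_PASS

# Convert PEM to PKCS12. foo.pkcs12 contains the private key; protect the file
# accordingly.
openssl pkcs12 -inkey foo.key -in foo.crt -export -passout env:P12_PASS -out foo.pkcs12 -name cauthority

# Get an encrypted private key from pkcs12 keystore
openssl pkcs12 -in foo.pkcs12 -nocerts -passin env:P12_PASS -passout env:P12_PASS -out foo.private.encrypted

# Show a certificate from pkcs12 keystore
openssl pkcs12 -in foo.pkcs12 -nokeys -passin env:P12_PASS | openssl x509

# Show a public key from pkcs12 keystore
openssl pkcs12 -in foo.pkcs12 -nokeys -passin env:P12_PASS | openssl x509 -pubkey -noout
# or
openssl pkcs12 -in foo.pkcs12 -nocerts -passin env:P12_PASS -passout env:P12_PASS | openssl rsa -passin env:P12_PASS -pubout

# PKCS12 -> Base64.
# Base64 is an encoding, not protection: the output still carries the private
# key and is guarded only by the PKCS#12 password.
base64 foo.pkcs12 > foo.pkcs12.base64

# Base64 -> PKCS12 -> X509 certificate
base64 -d foo.pkcs12.base64 | openssl pkcs12 -nokeys -passin env:P12_PASS | openssl x509

# Get certificate from PKCS12.
# -storepass:env makes keytool read the password from the named environment variable.
keytool -keystore foo.pkcs12 -storepass:env P12_PASS -export -alias cauthority | openssl x509 -inform DER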