ORACLE-JRE
# to create a keystore.jks file (pair of keys)$ keytool -genkey -keyalg RSA -alias benefits -keystore keystore.jks \-storepass 123456 -keysize 2048 # to export/store a certificate in a file $ keytool -export -alias benefits -file root.cer -keystore identity.jks -storepass mypass# to import a certificate into keystore$ keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"# to create a csr request in form of myapp.csr file $ keytool -certreq -alias benefits -keystore keystore.jks -file myapp.csr # to generate the certificate as myapp.crt $ keytool -exportcert -alias benefits -keystore keystore.jks -v -file myapp.crt# command to convert .pfx to .jks$ keytool -importkeystore -srckeystore abc.com.pfx \-destkeystore servercertstore.jks -srcstoretype PKCS12 \-deststoretype JKS -srcstorepass w3bl0g1c -deststorepass pa55w0rd -noprompt# command to change alias name$ keytool -changealias -alias "oldAlias" -destalias "newAlias" -keypass w3bl0g1c \-keystore servercertstore.jks -storepass pa55word# command to delete a certificate from Keystore$ keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass}
IBM-JRE
# to create jks type DB$ ikeycmd -keydb -create -db keystore.jks -pw password -type jks -expire 365 # request for CSR $ ikeycmd -certreq -create -db keystore.jks -label mylabel \
-dn "CN=mysite.com,O=cloudnetes,OU=IT,C=IN" -size 2048 -sig_alg SHA256_WITH_RSA -file mysite.com.csr # import certficates into DB $ ikeycmd -cert -add -db keystore.jks -label ca_intermediate -file ca-inter.crt $ ikeycmd -cert -add -db keystore.jks -label ca_root -file ca-root.crt # validate personal/end-entity cert $ ikeycmd -cert -receive -file mysite-identity.crt -db keystore.jks
IBM-MQ
# add a cert in cert-key DB$ runmqakm -cert -add -db keystore.kdb -stashed -label ca_root -file ca_root.crt # check all certs $ runmqakm -cert -list -db keystore.kdb -stashed # delete a cert $ runmqakm -cert -delete -label mylabel -db keystore.kdb -stashed # check cert expiry $ runmqakm -cert -details -db keystore.kdb -stashed -label mylabel | grep -i "Not After"
CERTUTIL
# to view certificate installed on sunone instance$ certutil -d -P https-pricer-pfix-wxvrw99a0016- -L -n Server-Cert# to list certificate installed on sunone instance with alias name $ certutil -d /opt/sunone617/suitespot/alias \-P https-saXXXit2.abc.com-wsszw2057- -L -n Server-Cert# listing the details of Server-Cert $ certutil -L -n Server-Cert -d /instance-name/ -P instance-name # Generating a CSR & output it to the file serverCert.req $ certutil -R -s "CN=abc.com,OU=IT, O=CTS, l=Bangalore, st=karnataka, c=IN" -o serverCert.req -a -d /instance_path/P instance -g 2048 # Deleting the existing cert with name Server-Cert $ certutil -D -n Server-Cert -d /Instance-Name/ -P instance-name- # Import the cert $ certutil -A -n Server-Cert -t "u,u,u" -i /instance-path/instance.pem -d /instance-name -P https-instance
OPENSSL
# Decode a CSR$ openssl req -in mycsr.csr -noout -text# Decode a certificate$ openssl x509 -in certificate.crt -text -noout# Generate a key pair: (.key) $ openssl genrsa -des3 -out |.key file name| 2048# Generate self-signed certificate$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt# Generate CSR to request CA-signed certificate$ openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr# Create certificates: (.pem)$ openssl x509 -in name.crt -noout -text $ openssl x509 -subject -dates -issuer -noout -in name.crt # To open key file and check modules $ openssl rsa -noout -text -in application.key -modulus
CERTIFICATE CHECK/DETAILS
$ openssl x509 -in certName.crt -noout -text$ openssl x509 -subject -dates -issuer -noout -in file$ keytool -list -v -keystore keystoreName.jks$ certutil -L -d certDbName-cert8.db# Print available ciphers in any Linux host$ openssl ciphers -v | awk '{print $2}' | sort | uniq
CURL WITH JAVA KEYSTORE
Curl doesn't support Java Keystore file, so the file should be converted to a PEM format(PKCS12).
It consists of the following 3/4 steps:
It consists of the following 3/4 steps:
STEP1 - Convert keystore to p12 file
STEP2 - Convert p12 file to pem file
STEP3 - Export Private key (valid for 2 way mTLS)
STEP3 - Export Private key (valid for 2 way mTLS)
STEP4 - Run curl command with pem files
1way TLS/Authentication
STEP1 - Convert keystore to p12 file
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pk12 -srcstoretype JKS -deststoretype PKCS12
STEP2 - Convert P12 to pem file
openssl pkcs12 -in truststore.pk12 -out trusted-certs.pem
STEP3 - Run curl command with pem files ****************
curl secret --cacert trusted-certs.pem https://localhost:8443/api/hello
STEP1 - Convert keystore to p12 file
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12
STEP2 - Convert p12 file to pem file
openssl pkcs12 -in identity.p12 -nokeys -out client-cert.pem
openssl pkcs12 -in identity.p12 -nocerts -out client-key.pem
STEP3 - Export Private key
openssl pkcs12 -in truststore.pk12 -nodes -nocerts -out client-key.pem
STEP4 - Run curl command with pem files
curl --key client-key.pem --cert client-cert.pem --cacert trusted-certs.pem https://localhost:8443/api/hello