-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathssl_aliases
90 lines (77 loc) · 3.1 KB
/
ssl_aliases
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# Some useful functions for bash, sed, openssl and awk to manage certs and a small CA
alias sslx='openssl x509'
alias sslr='openssl req'
alias sslp='openssl pkcs12'
# print out specific pem encoded certificate information
#
# -i prints the certificate issuer
# -s mycert.pem prints the certificate subject
# -d mycert.pem prints the validity dates
# -e mycert.pem prints the x509v3 extensions (e.g. subjectAltName)
#
# noargument simply prints the text version of the cert
sslcat() {
local arg=$1
if [ $# -gt 1 ]; then shift; fi
if [[ '-d' == $arg ]]; then
openssl x509 -in "$1" -noout -dates
elif [[ '-e' == $arg ]]; then
openssl x509 -in "$1" -noout -text | awk '/X509v3 extensions:/,/Signature Algorithm/' | sed -e 's| ||'
elif [[ '-s' == $arg ]]; then
openssl x509 -in "$1" -noout -subject
elif [[ '-i' == $arg ]]; then
openssl x509 -in "$1" -noout -issuer
else
openssl x509 -in "$1" -noout -text
fi
}
# Generate a new RSA key with 4096 bits and corresponding certificate request
# Will also generate a private key (REMEMBER THE PASSPHRASE OR WRITE IT DOWN)
newrsareq() {
openssl req -new -newkey rsa:4096 -out "${1}.csr" -keyout "${1}.key.pem" -sha256
}
# Generate a 1024 bit DSA key and corresponding certificate request
newdsareq() {
openssl dsaparam -noout -out "${1}.key.pem" -genkey 1024
openssl req -new -key "${1}.key.pem" -out "${1}.csr" -sha256
}
# Generate a 256 bit elliptic curve key and corresponding certificate request
# You might want to switch the curve depending on your security needs (e.g. distrust the NSA)
newecreq() {
openssl ecparam -out "${1}.key.pem" -name 'prime256v1' -genkey
openssl req -new -key "${1}.key.pem" -out "${1}.csr" -sha256
}
# Print the text version of a pem encoded certificate signing request
reqtxt() {
openssl req -in "$1" -noout -text
}
# Print the subject of a pem encoded certificate signing request
reqsub() {
openssl req -in "$1" -noout --subject
}
# Create a new pem encoded certificate signing request from a pem encoded certificate
# Requires the private key as second argument to sign the request
reqre() {
openssl x509 -x509toreq -in "$1" -signkey "$2" -out "${1%.*}.csr"
}
# Convert a pem encoded certificate and key to pkcs12 format
# Requires the private key as second argument to aggregate into the new format
pem2pkcs() {
openssl pkcs12 -export -out "${1%.*}.pfx" -inkey "$2" -in "$1" -certfile "$3"
}
# Convert a pkcs12 encoded certificate to pem encoded key and certificate
# Both key and cert will be in the same file
pkcs2pem() {
openssl pkcs12 -in "$1" -out "${1%.*}.pem" -nodes
}
# Create a selfsigned ssl certificate with a 4096 bit RSA key
sslselfsign() {
openssl req -x509 -nodes -days 730 -sha256 -newkey rsa:4096 -keyout "${1}.key.pem" -out "${1}.crt.pem"
}
# Compare if a private key and certificate belong to each other
# This only compare moduluses which should suffice but remember md5sums can collide
sslmodcompare() {
local certmd5=$(openssl x509 -in "$1" -noout -modulus | md5sum)
local keymd5=$(openssl rsa -in "$2" -noout -modulus | md5sum)
[[ $certmd5 == $keymd5 ]] && echo "$?"
}