Is there any way we can convert RSA private key to x509 format? - rsa

I have created a private key and a public key using the commands below:
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
It seems like the two are in different formats.
I need to convert the RSA privatekey.pem to x509 format.
Is there any way I can do that?

You probably meant converting the RSA private key to the PKCS8 format.
That is, from a key starting with:
-----BEGIN RSA PRIVATE KEY-----
To:
-----BEGIN PRIVATE KEY-----
If so, use the following command:
openssl pkcs8 -topk8 -in rsa.private.key -out pkcs8.private.key -nocrypt

Related

No certificate matches private key

I am trying to convert a .crt file to a .pfx file.
openssl pkcs12 -export -inkey privkey.pem -out my.pfx -in my.crt
The privkey.pem file is what I got when I created the .csr file.
When I execute the above openssl command I get that error:
No certificate matches private key
The interesting thing is that for another CSR, for which I requested a certificate, I could export the .pfx.
But for this 2nd certificate it's not possible.
Of course I created both CSRs in separate folders...
my.crt:
-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----
privkey.pem:
-----BEGIN PRIVATE KEY-----
stuff
-----END PRIVATE KEY-----
What is wrong?
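A check that ties the formats from the first question to the mismatch error above, as an added example that is not from the original posts: it builds a PKCS#1 key, its PKCS#8 form and a self-signed X.509 certificate, then compares public-key fingerprints to decide whether a certificate belongs to a key. The helper names, `gen.pem`, `pkcs8.pem`, `other.pem`, the subject, the temporary directory and the 2048-bit key size are assumptions of this example.

```shell
# Added example (not from the original posts). Helper names, the subject and
# the throwaway keys in a temp dir are constructed for illustration.

# SHA-256 over the PEM SubjectPublicKeyInfo of a private key / a certificate.
pub_fp_key() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}
pub_fp_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True only when the certificate carries the public half of the private key.
cert_matches_key() {
    c=$(pub_fp_cert "$1") && k=$(pub_fp_key "$2") && [ "$c" = "$k" ]
}

format_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" && umask 077 &&
        openssl genrsa -out gen.pem 2048 2>/dev/null &&
        openssl pkey -in gen.pem -traditional -out privatekey.pem &&        # PKCS#1
        openssl pkcs8 -topk8 -in privatekey.pem -out pkcs8.pem -nocrypt &&  # PKCS#8
        openssl req -new -x509 -key privatekey.pem -days 1825 \
            -subj "/CN=constructed.example" -out publickey.cer &&           # X.509
        openssl genrsa -out other.pem 2048 2>/dev/null &&
        # Same key in both encodings matches the certificate; another key does not.
        cert_matches_key publickey.cer privatekey.pem &&
        cert_matches_key publickey.cer pkcs8.pem &&
        ! cert_matches_key publickey.cer other.pem &&
        for f in privatekey.pem pkcs8.pem publickey.cer; do sed -n 1p "$f"; done
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

`cert_matches_key my.crt privkey.pem` returns non-zero when the certificate was issued for a different key, which is the condition behind "No certificate matches private key".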

Converting binary private key into pem format

I'm trying to import a certificate into AWS; the problem is my private key is not in pem format. I'd rather not have to create a new certificate as I've already had a CA sign mine. I've generated the key using the following command:
keytool -genkey -alias info -keyalg RSA -keysize 2048 -keystore info
Which leaves me with a private key in binary format named info. I'm able to use this command to convert the private key into base64 I believe.
openssl rsa -inform DER -outform PEM -in info -out info.pem
The header and footer are missing
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Which I append to their appropriate locations. Now when I attempt to upload my cert, it fails because the private key is not in pem format. As per other questions regarding binary to pem format, I've tried this command.
openssl rsa -inform der -in info -outform pem -out info.pem
which results in this error "unable to load Private Key
140594255303104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:"
How should I go about converting a binary key generated from keytool into pem format?
I was able to convert it from jks to pem using the following commands.
keytool -importkeystore -srckeystore info -destkeystore info.p12 -srcalias info -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in info.p12 -out info.pem

How to specify CA private key password for client certificate creation using OpenSSL

I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.
I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?
So far, I have ...
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-CAkeypassin pass:client-caPK <-- does not work
-CAcreateserial
-out client.crt
-days 365
See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.
Corrected
Just for the record: the -signkey parameter is used for self-signed certificates. CAs don't have access to the client's private key and so will not use this. Instead the -passin parameter refers to the CA's private key.
openssl x509 \
  -req \
  -in client.csr \
  -CA client-ca.crt \
  -CAkey client-ca.key \
  -passin pass:CAPKPassword \
  -CAcreateserial \
  -out client.crt \
  -days 365
Use -passin pass as shown below.
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:secret <-- try this
-CAcreateserial
-out client.crt
-days 365
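The corrected flow above run end to end, as an added example that is not from the original posts: a CA key encrypted with a passphrase signs a client CSR, a wrong passphrase is rejected, and the result is checked with `openssl verify`. It reads the passphrase with `-passin file:` rather than `pass:`, because a `pass:` argument is visible in the process list and shell history; the subject names, passphrases, `ca.pass`, `bad.pass` and the temporary directory are constructed for this example.

```shell
# Added example (not from the original posts). File names follow the question;
# subjects, passphrases and the temp dir are constructed.
sign_client_cert() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" && umask 077 &&
        # Passphrase files are created 0600 because of the umask above.
        printf '%s\n' 'constructed-CA-passphrase' > ca.pass &&
        printf '%s\n' 'not-the-passphrase' > bad.pass &&
        # CA side: encrypted private key and self-signed CA certificate.
        openssl genrsa -aes256 -passout file:ca.pass -out client-ca.key 2048 2>/dev/null &&
        openssl req -new -x509 -key client-ca.key -passin file:ca.pass \
            -subj "/CN=Constructed Client CA" -days 365 -out client-ca.crt &&
        # Client side: own key and CSR. The CA never sees client.key,
        # so -signkey plays no part in the signing step.
        openssl genrsa -out client.key 2048 2>/dev/null &&
        openssl req -new -key client.key -subj "/CN=constructed-client" -out client.csr &&
        # -passin unlocks the CA key: the wrong passphrase must fail.
        ! openssl x509 -req -in client.csr -CA client-ca.crt -CAkey client-ca.key \
            -passin file:bad.pass -CAcreateserial -out bad.crt -days 365 2>/dev/null &&
        # Signing with the right passphrase.
        openssl x509 -req -in client.csr -CA client-ca.crt -CAkey client-ca.key \
            -passin file:ca.pass -CAcreateserial -out client.crt -days 365 2>/dev/null &&
        # Prints "client.crt: OK" when the chain validates against the CA.
        openssl verify -CAfile client-ca.crt client.crt
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```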

How to convert a .csr to .crt using openssl?

Well, I have tried the below:
openssl x509 -req -in <cert_name>.csr -signkey <key_name>.key -out output.crt
but it seems to throw an error:
140735226307408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
Any solutions?
The source of the problem is the form of your CSR: when working with X509, your data can be stored in 2 forms, DER and PEM.
By default openssl assumes you are using PEM.
In your case, you should first convert the CSR to PEM format:
openssl req -inform DER -in <cert_name>.csr -out <cert_name>.pem
And then
openssl x509 -req -in <cert_name>.pem -signkey <key_name>.key -out output.crt

How to verify a ECC signature with OpenSSL command?

I have a public key, a 192 bit hash, and a 384 bit signature, all as .txt hex files, and the curve is prime192v1.
What command lines can I use to verify the message with OpenSSL?
For reference, the EC key can be created with the following command:
Create the EC key:
$ openssl ecparam -genkey -name prime192v1 > key.pem
Extract the public key:
$ openssl ec -in key.pem -pubout > pub.pem
Signing the hash of a message and verifying the signature with an EC key can be done the same way as with other key types:
Calculate the hash (use a hash function of your choice):
$ openssl dgst -sha256 -binary message.txt > hash.txt
Sign the hash with the private key:
$ openssl pkeyutl -sign -inkey key.pem -in hash.txt > sig.txt
Verify the signature with the public key:
$ openssl pkeyutl -verify -in hash.txt -sigfile sig.txt -inkey key.pem
Signature Verified Successfully
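Getting from the question's hex files to the inputs `openssl pkeyutl -verify` accepts, as an added example that is not from the original posts: a 384-bit signature on a 192-bit curve is the raw pair r||s, while OpenSSL expects the DER ECDSA-Sig-Value, and verification needs only the public key (`-pubin`). It assumes the .txt files hold plain hex digits and that the public key is already available as `pub.pem`; all function names are constructed for this example.

```shell
# Added example (not from the original posts). Assumes the .txt files hold
# plain hex and the 384-bit signature is raw r||s, 192 bits each.

is_hex() { case $1 in ''|*[!0-9a-fA-F]*) return 1 ;; esac; [ "$(( ${#1} % 2 ))" -eq 0 ]; }

# Hex of an unsigned big-endian value -> hex of a DER INTEGER.
der_int_hex() {
    h=$(printf '%s' "$1" | sed 's/^\(00\)*//')      # drop leading zero bytes
    [ -n "$h" ] || h=00
    case $h in [89a-fA-F]*) h=00$h ;; esac          # top bit set: keep it positive
    printf '02%02x%s' "$(( ${#h} / 2 ))" "$h"
}

# Raw r||s hex -> DER ECDSA-Sig-Value hex: SEQUENCE { INTEGER r, INTEGER s }.
raw_sig_to_der_hex() {
    is_hex "$1" && [ "$(( ${#1} % 4 ))" -eq 0 ] || return 1
    half=$(( ${#1} / 2 ))
    body=$(der_int_hex "$(printf '%s' "$1" | cut -c1-"$half")")
    body=$body$(der_int_hex "$(printf '%s' "$1" | cut -c"$(( half + 1 ))"-)")
    [ "$(( ${#body} / 2 ))" -lt 128 ] || return 1   # short-form DER length only
    printf '30%02x%s' "$(( ${#body} / 2 ))" "$body"
}

# Hex string -> raw bytes on stdout, via octal escapes (no xxd needed).
hex_to_bin() {
    is_hex "$1" || return 1
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}
        byte=${h%"$rest"}
        printf "\\$(printf '%03o' "$(( 0x$byte ))")"
        h=$rest
    done
}

# Verify using only the public key: pub.pem, hash hex, raw signature hex.
verify_raw_sig() {
    tmp=$(mktemp -d) || return 1
    der=$(raw_sig_to_der_hex "$3") &&
        hex_to_bin "$2" > "$tmp/hash.bin" &&
        hex_to_bin "$der" > "$tmp/sig.der" &&
        openssl pkeyutl -verify -pubin -inkey "$1" -in "$tmp/hash.bin" -sigfile "$tmp/sig.der"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```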