keys


Last updated 4 days ago

Root CA

Criteria:

  1. Subject == Issuer
  2. Basic Constraints == CA:TRUE
  3. Key Usage == Certificate Sign, CRL Sign
  4. No AKI ( Authority Key Identifier ) or AKI == SKI ( Subject Key Identifier )

$ key='Company Root CA.crt'

# subject == issuer
$ openssl x509 -in "${key}" -issuer -subject -noout
issuer=CN=Company Root CA V1
subject=CN=Company Root CA V1

$ while read -r ext; do
    openssl x509 -in "${key}" -noout -ext "${ext}";
  done < <( xargs -n1 <<< "subjectKeyIdentifier authorityKeyIdentifier keyUsage basicConstraints")
X509v3 Subject Key Identifier:
    D4:1B:61:8A:74:67:B9:DC:B4:42:B9:72:AD:49:73:BD:CC:51:C7:08
No extensions in certificate                    # no AKI
X509v3 Key Usage:
    Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:TRUE

Intermediate CA

$ key='Company SC Issuing CA.crt'               # intermediate CA

$ openssl x509 -in "${key}" -issuer -subject -noout
issuer=CN=Company Root CA V1
subject=DC=com, DC=Company, CN=Company SC Issuing CA V1

$ while read -r ext; do
    openssl x509 -in "${key}" -noout -ext "${ext}";
  done < <( xargs -n1 <<< "subjectKeyIdentifier authorityKeyIdentifier keyUsage basicConstraints")
X509v3 Subject Key Identifier:
    61:D4:DF:60:66:86:3C:06:05:3D:29:BF:F9:60:9E:89:9C:9B:8A:43
X509v3 Authority Key Identifier:                # AKI == `Company Root CA`'s SKI
    D4:1B:61:8A:74:67:B9:DC:B4:42:B9:72:AD:49:73:BD:CC:51:C7:08
X509v3 Key Usage:
    Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:TRUE
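The four criteria above, applied as one check that tells a root CA, an intermediate CA and an end-entity certificate apart. This is an added example, not code from the cheatsheet; it assumes openssl 1.1.1 or newer on PATH, and the demo chain it builds (names `Demo Root CA`, `Demo Issuing CA`, `demo.example`) is constructed here for illustration.

```shell
# Added example, not from the cheatsheet: classify a PEM certificate as root CA,
# intermediate CA or end entity ("leaf") by the four criteria above.
# Assumes openssl >= 1.1.1 (for -ext) on PATH; the demo chain is constructed here.
set -eu

ext_value() {            # $1 = cert, $2 = extension; prints its value line only
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null |
    awk 'NR == 2 { sub(/^[ \t]+/, ""); sub(/^keyid:/, ""); print }'
}

cert_role() {            # $1 = PEM certificate; prints root | intermediate | leaf
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  ski=$(ext_value "$1" subjectKeyIdentifier)
  aki=$(ext_value "$1" authorityKeyIdentifier)
  # Criteria 2 and 3: CA:TRUE plus the Certificate Sign key usage, else a leaf.
  case "$(ext_value "$1" basicConstraints)@$(ext_value "$1" keyUsage)" in
    *CA:TRUE*@*"Certificate Sign"*) ;;
    *) echo leaf; return 0 ;;
  esac
  # Criteria 1 and 4: self-issued, and AKI absent or equal to its own SKI.
  if [ "${subject#subject=}" = "${issuer#issuer=}" ] &&
     { [ -z "$aki" ] || [ "$aki" = "$ski" ]; }; then echo root; else echo intermediate; fi
}

# Constructed demo chain (root -> issuing CA -> leaf) for trying cert_role out.
demo_req()  { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
                -nodes -config "$cnf" "$@" 2>/dev/null; }
demo_sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
                -days 1 -extfile "$cnf" -extensions "$3" -out "$1.crt" 2>/dev/null; }
make_demo_chain() {      # $1 = output directory; writes root.crt, int.crt, leaf.crt
  cnf="$1/ext.cnf"
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  demo_req -x509 -days 1 -extensions ca_ext -subj '/CN=Demo Root CA' -keyout "$1/root.key" -out "$1/root.crt"
  demo_req -subj '/CN=Demo Issuing CA' -keyout "$1/int.key" -out "$1/int.csr"
  demo_sign "$1/int" "$1/root" ca_ext
  demo_req -subj '/CN=demo.example' -keyout "$1/leaf.key" -out "$1/leaf.csr"
  demo_sign "$1/leaf" "$1/int" leaf_ext
}
```

Run `make_demo_chain /tmp/demo` and then `cert_role /tmp/demo/root.crt` (or `int.crt`, `leaf.crt`); pointed at `Company Root CA.crt` and `Company SC Issuing CA.crt` from the sections above, it reports `root` and `intermediate`.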

check certificate chain

$ openssl s_client -showcerts -connect proxy.business.githubcopilot.com:443 </dev/null 2>/dev/null |
    sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' |
    awk -v cmd='openssl x509 -noout -subject -issuer; echo ""' '/BEGIN/{close(cmd)}; {print | cmd}'
subject=CN=*.business.githubcopilot.com
issuer=CN=Company_decrypt_trust

subject=CN=Company_decrypt_trust
issuer=DC=com, DC=Company, CN=Company SC Issuing CA V1

subject=DC=com, DC=Company, CN=Company SC Issuing CA V1
issuer=CN=Company Root CA V1

subject=CN=Company Root CA V1
issuer=CN=Company Root CA V1

# or
$ echo -n | openssl s_client -connect proxy.business.githubcopilot.com:443 -servername proxy.business.githubcopilot.com

fetch cert file from chain

# get full certificate file - combined cert chain file
$ openssl s_client -showcerts -connect proxy.business.githubcopilot.com:443 </dev/null 2>/dev/null |
    sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > cert-chain.pem
# or
$ openssl s_client -showcerts -connect proxy.business.githubcopilot.com:443 </dev/null 2>/dev/null |
    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > cert-chain.pem

# get single certificate file one by one
$ openssl s_client -showcerts -connect proxy.business.githubcopilot.com:443 </dev/null 2>/dev/null |
    awk '
      /BEGIN CERTIFICATE/ { n++ }
      /BEGIN CERTIFICATE/,/END CERTIFICATE/ { print > ("cert-" n ".pem") }
    '
$ ls
cert-1.pem  cert-2.pem  cert-3.pem  cert-4.pem

# or ( cert-0.pem collects the s_client output printed before the first certificate )
$ openssl s_client -showcerts -connect proxy.business.githubcopilot.com:443 </dev/null 2>/dev/null |
    awk 'BEGIN{n=0}/BEGIN CERTIFICATE/{n++}{print > ("cert-" n ".pem")}'
$ ls
cert-0.pem  cert-1.pem  cert-2.pem  cert-3.pem  cert-4.pem

fetch the last certificate from chain ( root CA )

$ openssl s_client -showcerts -connect proxy.business.githubcopilot.com:443 </dev/null 2>/dev/null |
  awk '
    /BEGIN CERTIFICATE/,/END CERTIFICATE/ {
      temp = temp $0 ORS
      if (/END CERTIFICATE/) {
        cert = temp
        temp = ""
      }
    }
    END { printf "%s", cert }
  '

transform

| TO  | FROM                                                               | COMMAND                                                                     |
|-----|--------------------------------------------------------------------|-----------------------------------------------------------------------------|
| PEM | DER encoded binary X.509 (.CER)                                    | `$ openssl x509 -outform PEM -in <NAME>.cer -out <NAME>.pem -inform DER`    |
| PEM | Base-64 encoded X.509 (.CER)                                       | `$ openssl x509 -outform PEM -in <NAME>.cer -out <NAME>.pem -inform PEM`    |
| PEM | Cryptographic Message Syntax Standard PKCS #7 Certificates (.P7B)  | `$ openssl pkcs7 -outform PEM -in <NAME>.p7b -out <NAME>.pem -inform DER`   |

| TO  | FROM                                                               | COMMAND                                                                     |
|-----|--------------------------------------------------------------------|-----------------------------------------------------------------------------|
| CRT | DER encoded binary X.509 (.CER)                                    | `$ openssl x509 -in <NAME>.cer -out <NAME>.crt -inform DER`                 |
| CRT | Base-64 encoded X.509 (.CER)                                       | `$ openssl x509 -in <NAME>.cer -out <NAME>.crt -inform PEM`                 |
| CRT | Cryptographic Message Syntax Standard PKCS #7 Certificates (.P7B)  | `$ openssl pkcs7 -in <NAME>.p7b -out <NAME>.crt -inform DER`                |

| TO  | FROM                                                               | COMMAND                                                                     |
|-----|--------------------------------------------------------------------|-----------------------------------------------------------------------------|
| PEM | DER encoded binary X.509 (.CER)                                    | `$ openssl x509 -in <NAME>.crt -out <NAME>.pem -outform PEM -inform DER`    |
| PEM | Base-64 encoded X.509 (.CER)                                       | `$ openssl x509 -in <NAME>.crt -out <NAME>.pem -outform PEM -inform PEM`    |
| PEM | Cryptographic Message Syntax Standard PKCS #7 Certificates (.P7B)  | `$ openssl pkcs7 -in <NAME>.p7b -out <NAME>.pem -outform PEM -inform DER`   |

tips

  • using base64 to convert DER to PEM format:

    $ file <NAME>.crt
    <NAME>.crt: Certificate, Version=3
    
    $ {
        echo "-----BEGIN CERTIFICATE-----";
        base64 -w 64 <NAME>.crt;
        echo "-----END CERTIFICATE-----"
      } > <NAME>.pem
    # or
    $ {
        echo "-----BEGIN CERTIFICATE-----";
        base64 -w0 <NAME>.crt | fold -w 64;
        echo "-----END CERTIFICATE-----"
      } > <NAME>.pem
    
    # verify
    $ diff <( { echo "-----BEGIN CERTIFICATE-----"; base64 -w 64 <NAME>.crt; echo "-----END CERTIFICATE-----"; } ) \
           <( openssl x509 -in <NAME>.crt -inform der -outform pem )
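The transform tables and the base64 tip above pick the conversion by file extension, which is unreliable because a `.crt` or `.cer` may be either DER or PEM. The following added example (not code from the cheatsheet; assumes openssl on PATH) sniffs the encoding from the file's bytes and emits PEM certificates for all of the table's inputs; note that `openssl pkcs7` without `-print_certs` only re-encodes the PKCS #7 wrapper, so the P7B cases here add it.

```shell
# Added example, not from the cheatsheet: detect a certificate file's encoding
# from its bytes rather than its extension and emit PEM, covering DER (.cer/.crt),
# PEM, and PKCS #7 (.p7b as DER or Base-64). Assumes openssl on PATH.
set -eu

cert_encoding() {        # $1 = file; prints pem, der, p7b-pem or p7b-der, fails otherwise
  if head -c 20 "$1" | grep -q '^-----BEGIN PKCS7'; then echo p7b-pem
  elif head -c 20 "$1" | grep -q '^-----BEGIN'; then echo pem
  elif openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null; then echo p7b-der
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then echo der
  else echo "unrecognised certificate encoding: $1" >&2; return 1; fi
}

# -print_certs writes the certificates carried inside a PKCS #7 bundle; without it
# openssl pkcs7 only re-encodes the wrapper (BEGIN PKCS7), which most tools reject.
to_pem() {               # $1 = input file; writes the PEM certificate(s) to stdout
  case "$(cert_encoding "$1")" in
    pem)     sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" ;;
    der)     openssl x509 -in "$1" -inform DER -outform PEM ;;
    p7b-pem) openssl pkcs7 -in "$1" -print_certs | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' ;;
    p7b-der) openssl pkcs7 -in "$1" -inform DER -print_certs | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' ;;
  esac
}
```

Usage: `to_pem <NAME>.cer > <NAME>.pem`, whatever the actual encoding behind the extension.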

keys

| KEYS | FORMAT              |
|------|---------------------|
| CRT  | binary file, or PEM |

key type

| KEY FORMAT | KEY TYPE | DETAILS                                                                                                                                                      |
|------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CRT        | DER      | `$ file <NAME>.crt` prints `<NAME>.crt: Certificate, Version=3`                                                                                              |
| CRT        | PEM      | `-----BEGIN CERTIFICATE-----`, Base-64 lines of 64 characters, `-----END CERTIFICATE-----`; `$ file <NAME>.crt` prints `<NAME>.crt: PEM certificate`       |
| P7B        | DER      | `$ file <NAME>.p7b` prints `<NAME>.p7b: DER Encoded PKCS#7 Signed Data`                                                                                      |