Summary
Question
OpenSSL is an open-source toolkit that implements the SSL/TLS protocols and the general-purpose cryptography beneath them (key generation, X.509 certificates, digests and ciphers).
keytool is the Java key and certificate management tool. It manages a keystore (a database file) of cryptographic keys, X.509 certificate chains and trusted certificates.
This document lists the command help of both tools and gives sample commands that build a private root CA with OpenSSL, issue a host certificate from it, and load the result into Java keystores and truststores with keytool.
Answer
1. openssl command help
- openssl - command help.zip
- Standard commands
asn1parse    ca           ciphers      cms
crl          crl2pkcs7    dgst         dh
dhparam      dsa          dsaparam **  ec
ecparam      enc          engine       errstr
gendh        gendsa **    genpkey      genrsa **
nseq         ocsp         passwd       pkcs12
pkcs7        pkcs8        pkey         pkeyparam
pkeyutl      prime        rand         req
rsa **       rsautl       s_client     s_server
s_time       sess_id      smime        speed
spkac        ts           verify       version
x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160
sha sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb zlib
Several entries in these two lists are kept for compatibility only and should not be used for new work: md2, md4 and md5 are broken for collision resistance, sha is the original SHA-0, rc4 and the 40-bit and 64-bit rc2 variants are too weak for any use, single des is brute-forceable, and the -ecb modes of every block cipher leak plaintext structure. Prefer the aes-*-cbc commands for bulk encryption and dgst -sha256 (or stronger) for digests.
2. keytool command help
- keytool - command help.zip
- Standard commands
-certreq Generates a certificate request
-changealias Changes an entry's alias
-delete Deletes an entry
-exportcert Exports certificate
-genkeypair Generates a key pair
-genseckey Generates a secret key
-gencert Generates certificate from a certificate request
-importcert Imports a certificate or a certificate chain
-importkeystore Imports one or all entries from another keystore
-keypasswd Changes the key password of an entry
-list Lists entries in a keystore
-printcert Prints the content of a certificate
-printcertreq Prints the content of a certificate request
-printcrl Prints the content of a CRL file
-storepasswd Changes the store password of a keystore
3. sample commands
1) Environment variables under Windows (cmd.exe)
rem Do not quote the value in "set": cmd stores the quotes as part of the value, so
rem %JAVA_HOME%\bin\keytool would expand to "C:\...\jre"\bin\keytool and fail.
rem Quote at the point of use instead.
set OPENSSL=openssl
set JAVA_HOME=C:\Program Files\Java\jdk1.7.0_40\jre
set KEYTOOL="%JAVA_HOME%\bin\keytool"
rem JAVA_HOME points at the JRE inside the JDK, which is where lib\security\cacerts lives.
rem changeit is the well-known default password of every JDK's cacerts file. Replace all
rem of the passwords below before use, and remember that pass:... on a command line is
rem visible to anyone who can list processes on the machine.
set CAROOT_ALIAS=ca
set CAROOT_PASSWD=changeit
set CACERT_PASSWD=changeit
set TRUSTEDCLIENTS_KEYSTORE_PASSWD=changeit
set HOST_FQDN=hostA.domain1.com
set HOST_ALIAS=hostA.domain1.com
set HOST_PASSWD=changeit
2) Create the private key for the CA (2048-bit RSA, encrypted with the passphrase above)
rem -des3 encrypts the key file with triple DES; -aes256 is the better choice on any
rem OpenSSL that offers it.
mkdir root
%OPENSSL% genrsa -des3 -passout pass:%CAROOT_PASSWD% -out root/private.key 2048
3) Create the self-signed CA certificate (valid 1095 days, i.e. 3 years)
rem -config is required on Windows, where openssl has no default openssl.cnf location.
rem The [req] section of that file selects the extensions of the self-signed certificate;
rem they must yield basicConstraints CA:TRUE, as the stock openssl.cnf does through its
rem v3_ca section, or validators will refuse to treat the certificate as an issuer.
rem The subject below is the author's lab host name; a CA should carry a descriptive CA name.
rem -sha256 avoids the SHA-1 signature default of older OpenSSL releases.
%OPENSSL% req -new -key root/private.key ^
-x509 -sha256 -days 1095 ^
-out root/rootcert.pem ^
-subj /CN=eric130.eric130d.com ^
-config ./openssl.conf ^
-passin pass:%CAROOT_PASSWD%
4) Import the CA certificate into a copy of the system-wide truststore, cacerts
rem Keep a backup of the JRE's cacerts, then work on a copy.
copy "%JAVA_HOME%\lib\security\cacerts" "%JAVA_HOME%\lib\security\cacerts.orig"
copy "%JAVA_HOME%\lib\security\cacerts" root\cacerts
rem Without the copy above keytool would create root\cacerts as a new keystore holding
rem only our CA, and the last copy below would then overwrite the JRE's cacerts and drop
rem trust in every public CA for every Java program on this machine.
%KEYTOOL% -importcert -trustcacerts -alias %CAROOT_ALIAS% -noprompt ^
-file root/rootcert.pem ^
-storepass %CACERT_PASSWD% ^
-keystore root/cacerts
copy root\cacerts root\trustedclients.keystore
rem Replacing the JRE's cacerts affects all Java programs on the machine. Pointing one
rem program at root\cacerts with -Djavax.net.ssl.trustStore is the narrower alternative.
copy root\cacerts "%JAVA_HOME%\lib\security"
5) Create the private key and certificate signing request (CSR) for a host
mkdir %HOST_FQDN%
%OPENSSL% genrsa -des3 -passout pass:%HOST_PASSWD% ^
-out %HOST_FQDN%/private.key 2048
rem Generate the CSR from that key. The CSR carries the subject and the public key;
rem the private key never leaves the host directory.
%OPENSSL% req -new -sha256 -config openssl.conf ^
-passin pass:%HOST_PASSWD% ^
-key %HOST_FQDN%/private.key ^
-subj /CN=%HOST_FQDN% ^
-out %HOST_FQDN%/%HOST_FQDN%.csr
6) Sign the CSR with the CA
rem x509 -req copies no extensions from the CSR and adds none on its own, so the
rem certificate produced here has neither a subjectAltName nor a key usage. Java's
rem built-in hostname checker still falls back to the CN when a certificate has no DNS
rem SAN; browsers and most other TLS clients do not, so for anything but a Java-to-Java
rem setup add an extension file, e.g. -extfile san.cnf containing
rem subjectAltName = DNS:%HOST_FQDN%.
rem -CAcreateserial creates root/rootcert.srl and increments it on later runs; keep the
rem file so that two certificates never share a serial number.
%OPENSSL% x509 -req -sha256 -days 1095 ^
-passin pass:%CAROOT_PASSWD% ^
-in %HOST_FQDN%/%HOST_FQDN%.csr ^
-CA root/rootcert.pem ^
-CAkey root/private.key ^
-CAcreateserial ^
-out %HOST_FQDN%/%HOST_FQDN%.pem
7) Import the private key into a Java keystore (via a PKCS#12 bundle)
rem keytool cannot import a bare private key, so the key and certificate are first
rem wrapped in PKCS#12. -name sets the bundle's friendly name, which keytool turns into
rem the entry alias; -certfile adds the CA certificate so that the entry carries the
rem full chain a server should send to its clients.
%OPENSSL% pkcs12 -export -passin pass:%HOST_PASSWD% -passout pass:%HOST_PASSWD% ^
-name %HOST_ALIAS% ^
-inkey %HOST_FQDN%/private.key ^
-in %HOST_FQDN%/%HOST_FQDN%.pem ^
-certfile root/rootcert.pem ^
-out %HOST_FQDN%/%HOST_FQDN%.p12
%KEYTOOL% -importkeystore ^
-srcstorepass %HOST_PASSWD% -deststorepass %HOST_PASSWD% -srcstoretype PKCS12 ^
-srckeystore %HOST_FQDN%/%HOST_FQDN%.p12 ^
-destkeystore %HOST_FQDN%/%HOST_FQDN%.keystore
8) Export the host certificate from the keystore
rem -exportcert writes the DER-encoded certificate, which contains the public key; it is
rem not a bare key, whatever the .pubkey file name suggests. The private key stays in the keystore.
%KEYTOOL% -exportcert -storepass %HOST_PASSWD% -alias %HOST_ALIAS% ^
-keystore %HOST_FQDN%/%HOST_FQDN%.keystore ^
-file %HOST_FQDN%/%HOST_FQDN%.pubkey
9) Import the host certificate into the truststore of trusted clients
rem The -delete makes the step repeatable: when the alias does not exist yet keytool only
rem reports "Alias does not exist" and the import below still runs.
rem trustedclients.keystore already holds the CA from step 4, so every certificate that CA
rem issues is trusted through the chain. Importing the leaf as well only matters if the CA
rem entry is removed later and the file is meant to be an explicit allow-list of clients.
%KEYTOOL% -delete -alias %HOST_ALIAS% ^
-storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% -keystore root/trustedclients.keystore
%KEYTOOL% -importcert -alias %HOST_ALIAS% -noprompt ^
-file %HOST_FQDN%/%HOST_FQDN%.pubkey ^
-storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% -keystore root/trustedclients.keystore
10) Derive the Propel truststore and change its password
set PROPEL_FQDN=propelA.domain1.com
set PROPEL_ALIAS=propelA.domain1.com
set PROPEL_PASSWD=propel2014
mkdir %PROPEL_FQDN%
copy root\trustedclients.keystore %PROPEL_FQDN%\propel.truststore
rem -storepasswd changes only the store password. Key entries keep their own key
rem passwords; this file has none, it holds trusted certificates only.
%KEYTOOL% -storepasswd -new %PROPEL_PASSWD% ^
-storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% ^
-keystore %PROPEL_FQDN%\propel.truststore
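The whole procedure above, from the CA key to the Java keystore, as one POSIX shell script followed by the checks worth running before the material is deployed. This is an added example and not part of the original page: the openssl and keytool flags are the same as in the batch commands, but the script is written for sh/bash, encrypts the key files with AES-256 instead of 3DES, signs with SHA-256, and carries its own minimal OpenSSL config and extension sections (so the root gets basicConstraints CA:TRUE and the host certificate gets a subjectAltName) instead of the page's openssl.conf. The host name, CA subject and passphrases are constructed sample values; the keytool part is skipped when no JDK is on the PATH.

```shell
#!/bin/sh
# Added example (not from the page): the page's CA -> host cert -> PKCS#12 ->
# Java keystore procedure as one script, plus the checks to run before use.
# Host name, CA subject and passphrases are constructed sample values.
set -eu

HOST_FQDN=hostA.domain1.com
CA_CN="Example Root CA"
CA_PASSWD=ca-passphrase-change-me
HOST_PASSWD=host-passphrase-change-me

# write_configs DIR: minimal req config (openssl req insists on a
# distinguished_name section even with -subj) plus the two extension sections
# that make the root a real CA and give the leaf a subjectAltName.
write_configs() {
  cat >"$1/ca.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat >"$1/host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = DNS:$HOST_FQDN
EOF
}

# build_pki DIR: the page's steps 2, 3, 5 and 6 (AES-256 key files, SHA-256 signatures).
build_pki() {
  d=$1; h=$d/$HOST_FQDN/$HOST_FQDN
  mkdir -p "$d/root" "$d/$HOST_FQDN" || return 1
  write_configs "$d" || return 1
  openssl genrsa -aes256 -passout "pass:$CA_PASSWD" -out "$d/root/private.key" 2048 2>/dev/null || return 1
  openssl req -new -x509 -sha256 -days 1095 -config "$d/ca.cnf" -extensions v3_ca \
    -key "$d/root/private.key" -passin "pass:$CA_PASSWD" -subj "/CN=$CA_CN" \
    -out "$d/root/rootcert.pem" || return 1
  openssl genrsa -aes256 -passout "pass:$HOST_PASSWD" -out "$d/$HOST_FQDN/private.key" 2048 2>/dev/null || return 1
  openssl req -new -sha256 -config "$d/ca.cnf" -key "$d/$HOST_FQDN/private.key" \
    -passin "pass:$HOST_PASSWD" -subj "/CN=$HOST_FQDN" -out "$h.csr" || return 1
  # x509 -req adds no extensions by itself; -extfile is what puts the SAN into the leaf
  openssl x509 -req -sha256 -days 825 -in "$h.csr" -CA "$d/root/rootcert.pem" \
    -CAkey "$d/root/private.key" -passin "pass:$CA_PASSWD" -CAcreateserial \
    -extfile "$d/host.ext" -out "$h.pem" 2>/dev/null || return 1
}

# verify_pki DIR: the chain builds to this root, the CA bit is set only on the
# root, the leaf names the host in a SAN, and the private key matches the leaf.
verify_pki() {
  d=$1; ca=$d/root/rootcert.pem; leaf=$d/$HOST_FQDN/$HOST_FQDN.pem
  openssl verify -CAfile "$ca" "$leaf" >/dev/null || return 1
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$leaf" -noout -text | grep -q 'CA:FALSE' || return 1
  openssl x509 -in "$leaf" -noout -text | grep -q "DNS:$HOST_FQDN" || return 1
  # compare the SubjectPublicKeyInfo derived from the key with the one in the certificate
  kdig=$(openssl pkey -in "$d/$HOST_FQDN/private.key" -passin "pass:$HOST_PASSWD" -pubout | openssl sha256)
  cdig=$(openssl x509 -in "$leaf" -pubkey -noout | openssl sha256)
  [ "$kdig" = "$cdig" ] || return 1
}

# to_java_keystore DIR: the page's step 7. The bundle holds leaf + CA under the
# FQDN alias; the keytool import is skipped when no JDK is on the PATH.
to_java_keystore() {
  d=$1; h=$d/$HOST_FQDN/$HOST_FQDN
  openssl pkcs12 -export -name "$HOST_FQDN" -inkey "$d/$HOST_FQDN/private.key" \
    -passin "pass:$HOST_PASSWD" -in "$h.pem" -certfile "$d/root/rootcert.pem" \
    -passout "pass:$HOST_PASSWD" -out "$h.p12" || return 1
  n=$(openssl pkcs12 -in "$h.p12" -passin "pass:$HOST_PASSWD" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ] || return 1
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importkeystore -noprompt -srcstoretype PKCS12 -srckeystore "$h.p12" \
    -srcstorepass "$HOST_PASSWD" -destkeystore "$h.keystore" \
    -deststorepass "$HOST_PASSWD" >/dev/null 2>&1 || return 1
  # keytool lower-cases aliases, hence the case-insensitive match
  keytool -list -keystore "$h.keystore" -storepass "$HOST_PASSWD" 2>/dev/null \
    | grep -qi "^$HOST_FQDN," || return 1
}

# run_demo: build, verify and convert in a scratch directory; prints that directory.
run_demo() {
  w=$(mktemp -d) || return 1
  build_pki "$w" || return 1
  verify_pki "$w" || return 1
  to_java_keystore "$w" || return 1
  printf '%s\n' "$w"
}

run_demo
```

Run it as sh pki-demo.sh; it prints a scratch directory holding root/, the host directory with key, CSR, certificate and .p12 bundle, and, when keytool was found, the .keystore. The four checks in verify_pki are the ones worth keeping in any certificate pipeline, whether the material comes from this script or from the batch commands above. One compatibility caveat: OpenSSL 3 writes PKCS#12 bundles with AES-256 and PBKDF2 by default, which older JREs cannot read; if the target JRE rejects the bundle, add -legacy to the pkcs12 -export call.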