Randomness

Generate 33 random bytes (wrapped in 44 characters)

openssl rand -base64 33 -out pass.txt

Output random bytes in hex format

openssl rand -hex 33

Certificate Authority

Create a CA certificate (refer to openssl-ca.cnf file)

openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -days 3000 -out cacert.pem -keyout cakey.pem -passout file:pass.txt

Inspect the certificate

openssl x509 -in cacert.pem -noout -text
openssl x509 -in cacert.pem -noout -purpose

Create a new (RSA) private key and a corresponding CSR (refer to openssl-server.cnf file)

openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -out servercert.csr -keyout serverkey.pem -nodes

Create a CSR for an existing private key

openssl req -new -config openssl-server.cnf -key serverkey.pem -sha256 -out servercert.csr -nodes
openssl req -verify -in servercert.csr -text -noout

Initiate the database for signing certs

touch index.txt
echo '01' > serial.txt
mkdir newcerts

Sign the CSR by the CA certificate

openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -passin file:pass.txt -infiles servercert.csr

PKCS #12 (RFC7292)

Package a PKCS8 private key into PKCS12 keystore

openssl pkcs12 -export -in private.pem -out private.p12 -name mykey -nocerts

Package a private key with a certificate chain into PKCS12 keystore

openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out keystore.p12 -name server -CAfile cacert.pem -caname root -chain

Generate a (symmetric AES) secret key and package it into the keystore

keytool -genseckey -alias symkey -keyalg AES -keysize 256 -storetype PKCS12 -keystore symkeystore.p12

Import a secret (password) into the existing keystore

keytool -importpass -alias mypass -keystore keystore.p12

Import a (trusted) certificate into the keystore

keytool -importcert -file cert.cer -keystore keystore.p12 -alias name

Merge multiple PKCS12 keystores

keytool -importkeystore -srckeystore keystore2.p12 -srcstoretype PKCS12 -destkeystore keystore.p12 -deststoretype PKCS12

List the keystore content

keytool -list -keystore keystore.p12

Print keys and certificates from the keystore (openssl does not support secrets)

openssl pkcs12 -in keystore.p12
openssl pkcs12 -in keystore.p12 -out keystore.pem

Elliptic Curves (RFC5915)

Generate elliptic curve private key

openssl ecparam -genkey -name prime256v1 -noout -out private.key

Convert elliptic curve private key to PKCS8 PEM format

openssl pkcs8 -topk8 -in private.key -out private.pem -nocrypt

Extract elliptic curve public key from the private key

openssl ec -in private.pem -pubout -out public.pem

PKCS #7 (RFC2315) and CMS (RFC5652)

Encrypt the file for the recipient in CMS format

openssl cms -encrypt -recip servercert.pem -binary -in file -outform der -out file.p7
openssl cms -encrypt -recip servercert.pem -binary -in file -outform pem -out file.pem

Encrypt the file for the recipient in PKCS7 format

openssl smime -encrypt -binary -in file -outform pem -out file.pem servercert.pem

Decrypt the CMS message with the private key

openssl cms -decrypt -inkey serverkey.pem -in file.p7  -inform der -out file
openssl cms -decrypt -inkey serverkey.pem -in file.pem -inform pem -out file