od

(octal debugger) dumps files in octal and other formats.

od [options] [file] ...

If the file arg is '-', or missing, od reads stdin.

od -A d -N 512 -h logo.gif

output the first 512 bytes of logo.gif file in hexadecimal format using decimal offset;

od -A d -N 512 --width=1 -h logo.gif

like previous, but output one byte per line;

Options

--help    --version

-A r, --address-radix=r

specify how the file offsets are printed; r can be d (decimal), o (octal), x (hexadecimal), n (none);

-j n, --skip-bytes=n

skip n input bytes;

-N n, --read-bytes=n

limit dump to n input bytes;

-s n, --strings=n

output strings of at least n graphic chars (default is 3);

-v, --output-duplicates

do not use * to mark line suppression;

-w n, --width=n

output n bytes per line (default is 32);

Format options
-a named characters (-t a);
-b octal bytes (-t oC);
-c ASCII chars or backslash escapes (-t c);
-d unsigned decimal shorts (-t u2);
-f floats (-t fF);
-h hexadecimal shorts (-t x2);
-i decimal shorts (-t d2);
-l decimal longs (-t d4);
-o octal shorts (-t o2);
-x hexadecimal shorts (-t x2);

openssl

Some relevant abbreviations:

OpenSSL is a cryptography toolkit implementing SSL v2/v3 and TLS v1 net protocols and related cryptography standards.

The openssl (cmdline app) provides various cryptography functions of OpenSSL's crypto library:

Some certificate-related file formats and standards

PKCS (Public-Key Cryptography Standards) are a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s.

PEM (Privacy Enhanced Mail) is a Base64-encoded DER certificate and the most common format used for certificates. File extensions used for PEM certificates are .cer, .crt, .pem. Technically they are Base64-encoded ASCII files.

DER (Distinguished Encoding Rules) is the binary form of the certificate. DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" stmts. DER formatted certificates usually have .der ext.

PKCS#7 or P7B is used by Cryptographic Message Syntax Standard (CMS) - a standard for cryptographically protected messages. It can be used to digitally sign, digest, authenticate or encrypt any form of digital data. File extensions are .p7b or .p7c.

PKCS#8 (Private-Key Information Syntax Standard) is used to carry private certificate keypairs (encrypted or unencrypted).

PKCS#12 (successor to Microsoft's PFX) defines an archive file format for storing many cryptography objects as a single file. It's commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. File extensions are .pfx or .p12. A PKCS#12 file may be encrypted and signed.

CRL (Certificate Revocation List) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted.
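Because extensions such as .cer are used for both encodings, it helps to check a file's content before converting it. The following is an added example, not part of the original page: the function names and the two sample files are constructed. It tells PEM from DER with od and flags PEM private keys stored without a passphrase.

```shell
# pem_labels FILE: print the label of every "-----BEGIN <label>-----" line.
# The whole file is scanned, because "openssl pkcs12" output puts
# "Bag Attributes" text in front of each PEM block.
pem_labels() {
    tr -d '\000\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# cert_encoding FILE: print PEM, DER or unknown.
cert_encoding() {
    if [ -n "$(pem_labels "$1")" ]; then
        echo PEM
        return
    fi
    # DER is binary ASN.1; X.509, PKCS#7, PKCS#8 and PKCS#12 structures all
    # begin with a SEQUENCE tag (byte 0x30). od options:
    # -A n = no offsets, -N 1 = read one byte, -t x1 = one-byte hex units.
    first=$(od -A n -N 1 -t x1 "$1" | tr -d ' \n')
    if [ "$first" = 30 ]; then echo DER; else echo unknown; fi
}

# has_plain_key FILE: succeed if FILE holds a PEM private key that is not
# passphrase-protected (what -nodes and -nocrypt produce).
has_plain_key() {
    tr -d '\000\r' < "$1" | awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/ { next }  # PKCS#8, encrypted
        /^-----BEGIN .*PRIVATE KEY-----$/ { pending = 1; next }
        pending { if ($0 !~ /^Proc-Type: 4,ENCRYPTED/) plain = 1; pending = 0 }
        END { exit !plain }'
}

# Constructed samples: a PEM-style key block with a dummy body, and the
# first two bytes of a typical DER file (0x30 0x82, written in octal).
demo=$(mktemp -d)
printf 'Bag Attributes\n-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n' > "$demo/bundle.pem"
printf '\060\202' > "$demo/certname.cer"

cert_encoding "$demo/bundle.pem"      # PEM
cert_encoding "$demo/certname.cer"    # DER
has_plain_key "$demo/bundle.pem" && echo "unencrypted private key in bundle.pem"
```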

Examples

openssl s_client -connect google.com:443 </dev/null | openssl x509 -text

requests info about google.com certificate; port 443 is default for HTTPS; cmd sends the output of openssl s_client to openssl x509, which formats cert info according to the X.509 standard; </dev/null closes stdin, so s_client exits after the handshake instead of waiting for input;

openssl s_client -connect wikipedia.org:443 </dev/null | openssl x509 -noout -subject -issuer

requests Wikipedia's server certificate info; in particular, cmd asks for the subject, which contains the server name info, and the issuer, which identifies the CA; </dev/null closes stdin, so s_client exits after the handshake instead of waiting for input;

Conversions

X509 to PEM:

openssl x509 -in certname.cer -outform PEM -out certname.pem

PEM to DER:

openssl x509 -outform der -in certname.pem -out certname.der

DER to PEM:

openssl x509 -inform der -in certname.der -out certname.pem

PEM to P7B:

openssl crl2pkcs7 -nocrl -certfile certname.pem -out certname.p7b -certfile CACert.cer

PKCS#7 to PEM:

openssl pkcs7 -print_certs -in certname.p7b -out certname.pem

PFX to PEM:

openssl pkcs12 -in filename.pfx -out certname.pem

PKCS#12 to PEM.
(similar to prev; note that if your PKCS#12 file contains several items, like cert and key, the PEM file will contain those items too; with -nodes the private key is written without passphrase protection):

openssl pkcs12 -in filename.p12 -nodes -out certname.pem

PKCS#12 to PEM.
(the following two cmds extract cert and private key and put them into separate files):

openssl pkcs12 -in filename.p12 -out cert.pem -clcerts -nokeys

openssl pkcs12 -in filename.p12 -out key.pem -nocerts -nodes

PFX to PKCS#8.
(first, convert PFX to PEM, then convert PEM to PKCS#8):

openssl pkcs12 -in certname.pfx -nocerts -nodes -out certname.pem

openssl pkcs8 -in certname.pem -topk8 -nocrypt -out certname.pk8

P7B to PFX.
(first, convert P7B to CER, then convert CER and Private Key to PFX):

openssl pkcs7 -print_certs -in certname.p7b -out certname.cer

openssl pkcs12 -export -in certname.cer -inkey privateKey.key -out certname.pfx -certfile cacert.cer

Creating a self-signed certificate

(Simple case, no CA)

Before you start, define CN (Common Name) for your future cert. The CN is the fully qualified name of the system that's going to use the certificate. In case of Dynamic DNS, your CN should have a wild-card, e.g. *.api.com. You can also use the hostname (even localhost, but it's not good) or IP address.

Besides that, prepare a password for the keystore (optional) and answers for the standard CSR (certificate signing request) questions, because whenever you try to generate a CSR, you will face a dialog like this:

Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (e.g. city) []:
Organization Name (e.g. company) []:
Organizational Unit Name (e.g. section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

You can bypass those questions by adding the -subj option to the certificate generation cmd, but you still have to provide some info. If you don't want to protect your private key with a passphrase, add the -nodes option. The simple cert/key generation cmd can be like this:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem

More complicated cmd (some names are not real and should not be used):

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem -subj "/C=US/ST=California/L=LA/O=Acme Company/CN=example.com"

To review the created certificate:

openssl x509 -text -noout -in cert.pem

Put your key and cert into a PKCS#12 bundle:

openssl pkcs12 -inkey key.pem -in cert.pem -export -out cert.p12

Validate PKCS#12 file:

openssl pkcs12 -in cert.p12 -noout -info
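The procedure above can be wrapped with the checks a deployment relies on. This is an added example, not part of the original page: the function names, the directory layout and the 30-day threshold are assumptions, and -addext requires OpenSSL 1.1.1 or later.

```shell
# make_selfsigned DIR NAME: the req command above, plus two hardening steps.
make_selfsigned() {
    (
        umask 077   # -nodes leaves key.pem unencrypted, so create it owner-only
        # -addext adds a subjectAltName; current TLS clients match host names
        # against it rather than against the CN.
        openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
            -x509 -days 365 -out "$1/cert.pem" \
            -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
    )
}

# SHA-256 of the public key carried by a certificate / derived from a key.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_pair CERT KEY: print "ok" and succeed only if the key belongs to the
# certificate, the certificate stays valid for 30 more days (2592000 s), and
# the key file is not accessible to group or others.
check_pair() {
    if [ "$(cert_pubkey_hash "$1")" != "$(key_pubkey_hash "$2")" ]; then
        echo "key does not match certificate"; return 1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null; then
        echo "certificate expires within 30 days"; return 1
    fi
    case $(ls -l "$2") in
        -??-------*) ;;
        *) echo "key file is group/world accessible"; return 1 ;;
    esac
    echo ok
}

# Usage (example.test is a placeholder name):
#   d=$(mktemp -d); make_selfsigned "$d" example.test
#   check_pair "$d/cert.pem" "$d/key.pem"
```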