Showing posts with label Certificate tools. Show all posts

Saturday, September 7, 2024

OpenSSL commands for certificates and key generation

1) To connect to a secure port over SSL/TLS, use the command below

openssl s_client -connect hostname/localhostip:portnumber

Example: openssl s_client -connect 127.0.0.1:443


2) To show the certificates presented by a website, use the command below

openssl s_client -showcerts -connect 127.0.0.1:443


3) To print a certificate in text form we can use OpenSSL

echo | openssl s_client -servername www.google.com -connect www.google.com:443 2>/dev/null | openssl x509 -text


4) To convert PKCS12 to PEM format we can use OpenSSL. The -nodes option writes the private key to the output file unencrypted.

openssl pkcs12 -in "certificate in pkcs12 format" -nodes -out "new_cert.pem"


5) To convert the certificate from crt to pem format

openssl x509 -in "cert.crt" -out "cert.pem"

6) To convert the certificate from cer to pem format

openssl x509 -in "cert.cer" -out "cert.pem"

7) To convert the certificate from pem to der format

openssl x509 -outform der -in "cert.pem" -out "cert.der"


8) OpenSSL can be used to generate a public/private key pair. The commands below write the private key in PKCS8 format and then extract the public key.

openssl genrsa 4096 | openssl pkcs8 -topk8 -inform PEM -out rsa_key_4096.p8 -nocrypt

openssl rsa -in rsa_key_4096.p8 -pubout -out rsa_key_4096.pub
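
The conversions in items 4, 7 and 8 can be checked end to end. The script below is an added example, not part of the original post: it pushes a throwaway key and self-signed certificate through the PKCS8, DER and PKCS12 steps and confirms that the certificate fingerprint and public key stay the same. The file names, the CN example.test, the 2048-bit key size and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example on constructed data: a throwaway key and self-signed
# certificate (CN=example.test) go through the conversions listed above.
PASS='constructed-test-password'   # placeholder, not a real secret

cert_fp() {    # SHA-256 fingerprint of a certificate: $1=file, $2=PEM|DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}
key_pub() {    # digest of the public key derived from a private key file
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}
cert_pub() {   # digest of the public key embedded in a certificate
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256
}

roundtrip_check() (
    umask 077                      # new key files readable by owner only
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    cd "$d" || exit 1
    # Item 8: PKCS#8 private key (2048 bits only to keep the run short)
    openssl genrsa 2048 2>/dev/null |
        openssl pkcs8 -topk8 -inform PEM -out key.p8 -nocrypt || exit 1
    openssl req -new -x509 -key key.p8 -subj '/CN=example.test' \
        -days 1 -out cert.pem 2>/dev/null || exit 1
    # Item 7 and back again: PEM -> DER -> PEM
    openssl x509 -outform der -in cert.pem -out cert.der || exit 1
    openssl x509 -inform der -in cert.der -out back.pem || exit 1
    # Item 4: bundle into PKCS#12, then unpack with -nodes
    openssl pkcs12 -export -inkey key.p8 -in cert.pem -out bundle.p12 \
        -passout "pass:$PASS" || exit 1
    openssl pkcs12 -in bundle.p12 -nodes -passin "pass:$PASS" \
        -out bundle.pem 2>/dev/null || exit 1
    fp=$(cert_fp cert.pem PEM); [ -n "$fp" ] || exit 1
    for f in back.pem bundle.pem; do
        [ "$fp" = "$(cert_fp "$f" PEM)" ] || { echo "$f differs"; exit 1; }
    done
    [ "$fp" = "$(cert_fp cert.der DER)" ] || { echo "DER differs"; exit 1; }
    kp=$(key_pub key.p8)
    [ "$kp" = "$(cert_pub cert.pem)" ] || { echo "key/cert mismatch"; exit 1; }
    [ "$kp" = "$(key_pub bundle.pem)" ] || { echo "p12 key differs"; exit 1; }
    # -nodes left the private key unencrypted inside bundle.pem
    grep -Eq 'BEGIN (RSA )?PRIVATE KEY' bundle.pem || exit 1
    echo "match"
)

roundtrip_check
```

The same fingerprint and public-key comparisons work on real files after a conversion, before the old copy is deleted.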







Tuesday, May 7, 2024

orapki utility commands

1) Create a wallet using the command below


orapki wallet create -wallet client_wallet -auto_login -pwd "wallet password"


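2) Change permissions on the wallet files. Mode 664 leaves both files readable by every local user, and cwallet.sso (the auto-login wallet) opens without a password, so keep the wallet directory restricted to the account that needs it.


chmod 664 ewallet.p12

chmod 664 cwallet.sso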


3) Convert a JKS file into a wallet


orapki wallet jks_to_pkcs12 -wallet client_wallet -pwd "wallet password" -keystore key.jks -jkspwd "jks keystore password"


4) Add a trusted certificate to an existing wallet


orapki wallet add -wallet "walletlocation"  -pwd "wallet password" -trusted_cert -cert "certificatename.crt"


5) To display the certificates in the wallet. The -summary option displays only the certificate details.


orapki wallet display -wallet "walletlocation"  -pwd "wallet password"  -summary


6) To display the certificates in the wallet. The -complete option displays the complete certificate details.

orapki wallet display -wallet "walletlocation"  -pwd "wallet password"  -complete


7) To remove the certificate from wallet





ikeycmd commands for kdb database files

 1) Below command will display certificate details like expiry date in the kdb file keystore.kdb

ikeycmd -cert -details -label "Certificate name in KDB" -db keystore.kdb -pw "password of kdb file"

2) Below command will display list of certificates in kdb file

ikeycmd -cert  -list  -db keystore.kdb -pw "password of kdb file"

3) Below command will display ca certificates in kdb file

ikeycmd -cert  -list ca -db keystore.kdb -pw "password of kdb file"

4) Below command will display personal certificates in kdb file

ikeycmd -cert  -list personal -db keystore.kdb -pw "password of kdb file"

5) Below command will validate given certificate in kdb file

ikeycmd -cert  -validate -label  "Certificate name we need  to validate in KDB file" -db keystore.kdb -pw "password of kdb file"

6) Below command will display the default certificate in kdb file

ikeycmd -cert  -getdefault  -db keystore.kdb -pw "password of kdb file"

7) Below command will set the default certificate in kdb file. This will help to set default personal certificate if there are multiple certificates

ikeycmd -cert  -setdefault  -db keystore.kdb  -label "personal certificate name in KDB file"  -pw "password of kdb file"

8) Below command will import certificate into kdb file. 

ikeycmd -cert -import -file "Certificate file" -pw "password of the certificate file" -type pkcs12 -label "personal certificate name to be in KDB file" -target keystore.kdb -target_pw "password of kdb file" -target_type CMS

9) Below command will help to delete certificate from kdb file. 

ikeycmd -cert  -delete -label  "Certificate name we need  to delete from KDB file" -db keystore.kdb -pw "password of kdb file" 

10) Below command will display expiry of ca certificate from kdb file

ikeycmd -cert  -list ca -db keystore.kdb -pw "password of kdb file" -expiry

11) Below command will add the certificate to the existing kdb file

ikeycmd -cert -add -file "Filename.crt" -db keystore.kdb -pw "password of kdb file" 

Monday, April 29, 2024

Keytool Commands

which keytool
This will display the default keytool path.

1) keytool -list -cacerts
This will list the certificates in the cacerts truststore on the server.

2) keytool -list -keystore cacerts

This will list the contents of the keystore file. It will prompt for the keystore password, which you need to provide.

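3) keytool -list -v -keystore cacerts -storepass "password"

This will show the certificates in verbose mode. Omit -storepass to be prompted instead, which keeps the password out of the shell history and the process list.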


4) keytool -importcert -trustcacerts -noprompt -file "certificatename.cer" -cacerts -alias "certificatelabelname" -storepass "password of the file"
This will import the certificate into cacerts.

5) keytool -importkeystore -srckeystore "file.pfx" -srcstoretype pkcs12 -destkeystore "file.jks" -deststoretype JKS -srcstorepass "source keystore password" -deststorepass "destination key store password"
This will import a PKCS12 keystore that contains the root and intermediate certificates into JKS format.

6) keytool -importcert -alias "certificatename in targetfile" -file "file.crt" -keystore "file.jks" -storepass "keystore password"
This will import a new CA certificate into the JKS file.


7) keytool -printcert -file certificate.crt

This will print the certificate in the file with its certificate name, validity and fingerprint.

8) keytool -showinfo -tls

This will show the TLS versions of the environment and the ciphers available in it.

9) keytool -v -list -cacerts -alias "certificatename"

This will show the details of the certificate stored under the given alias.

10) keytool -list -keystore "keystore file" -storetype pkcs12 -storepass "keystore password"

This will list the contents of a PKCS12 keystore on the server.

11) keytool -import -trustcacerts -alias "certificate alias name" -file C:\temp\mdeCert.cer -keystore cacerts

This will import the certificate into the keystore.

12) keytool -v -list -keystore wallet.p12

This command will show the certificates in a PKCS12 file.

13) keytool -changealias -keystore keystore.jks -alias 'old name' -destalias 'new aliasname'

This command will change the alias of a certificate entry.