comandos_openssl_utiles_para_certificados

Differences

This shows you the differences between two versions of the page.

comandos_openssl_utiles_para_certificados [2021/08/04 22:45] busindre
comandos_openssl_utiles_para_certificados [2023/07/12 15:38] (current) busindre
Line 53: Line 53:
  
 Generar una solicitud de certificado csr (Certificate Signing Request) a partir de un certificado existente. Generar una solicitud de certificado csr (Certificate Signing Request) a partir de un certificado existente.
-<code bash>openssl x509 -sha512 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key</code>+<code bash>openssl x509 -sha512 -x509toreq -x509toreq -copy_extensions -in certificate.crt -out CSR.csr -signkey privateKey.key</code>
  
 Generar certificado autofirmado con SAN. (SHA-512 / RSA 4096 o EC). Generar certificado autofirmado con SAN. (SHA-512 / RSA 4096 o EC).
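Review bot: The new command on the + line repeats `-x509toreq` and passes `-copy_extensions` with no value. In OpenSSL 3.0 and later `-copy_extensions` takes an argument (`none`, `copy` or `copyall`), so as written the next token, `-in`, is taken as that value and the command is rejected. Suggest `openssl x509 -sha512 -x509toreq -copy_extensions copyall -in certificate.crt -out CSR.csr -signkey privateKey.key`, plus a comment that the option does not exist before OpenSSL 3.0.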
Line 86: Line 86:
 # RSA # RSA
 openssl req -x509 -nodes -sha512 -days 365 -newkey rsa:4096 -keyout privateKey.key -out certificate.crt -config req.cnf -extensions 'v3_req' openssl req -x509 -nodes -sha512 -days 365 -newkey rsa:4096 -keyout privateKey.key -out certificate.crt -config req.cnf -extensions 'v3_req'
-# EC +# EC (Depende del cliente / navegador que conecte con el certificado, la curva debe elegirse acorde a la compatibilidad, actualmente 2021 muy pocas están soportadas por los navegadores)
 openssl req -x509 -nodes -sha512 -days 365 -newkey ec -pkeyopt ec_paramgen_curve:sect571r1 -keyout privateKey.key -out certificate.crt -config req.cnf -extensions 'v3_req' openssl req -x509 -nodes -sha512 -days 365 -newkey ec -pkeyopt ec_paramgen_curve:sect571r1 -keyout privateKey.key -out certificate.crt -config req.cnf -extensions 'v3_req'
 +
 +# Mensaje de Curl al acceder a un certificado https que usa EC.
 +# curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
 </code> </code>
  
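Review bot: The added `# EC` comment warns that few curves are supported by browsers, yet the command under it still uses `ec_paramgen_curve:sect571r1`, a binary-field curve that mainstream browsers and many TLS clients do not accept, which is consistent with the handshake failure quoted from curl. Suggest switching the example to `prime256v1` (or `secp384r1`) and rewording the curl comment so it attributes the error to the unsupported curve rather than to EC certificates in general. The "actualmente 2021" in the comment also no longer matches the 2023 revision date.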
Line 259: Line 262:
  
 Convertir llaves DER (.crt .cer .der) al estandar PEM y viceversa. Convertir llaves DER (.crt .cer .der) al estandar PEM y viceversa.
-<code bash>openssl rsa -inform der -in certificate.cer -out certificate.pem +<code bash># RSA 
-openssl rsa -outform der -in certificate.pem -out certificate.der</code>+openssl rsa -inform der -in certificate.cer -out certificate.pem 
 +openssl rsa -outform der -in certificate.pem -out certificate.der 
 + 
 +# EC PEM to DER 
 +openssl ec -in certificate.der -inform DER -outform PEM -out certificate.pem 
 +openssl ec -in certificate.pem -inform PEM -outform DER -out certificate.der 
 +</code>
  
 Convertir ficheros PKCS#12 (.pfx .p12) con llave privada y certificado a PEM. Convertir ficheros PKCS#12 (.pfx .p12) con llave privada y certificado a PEM.
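Review bot: The `# EC PEM to DER` comment heads two commands, and the first of them converts DER to PEM (`-inform DER -outform PEM`); label it as covering both directions, as the section title does. `openssl rsa` and `openssl ec` read private keys, so the `certificate.*` file names are misleading in all four lines: name the files `privateKey.*`, or use `openssl x509 -inform der` / `-outform der` if certificates are what is being converted.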
Line 308: Line 317:
  
 Obtener el "SPKI fingerprint" (Base64) a partir de una clave privada. Obtener el "SPKI fingerprint" (Base64) a partir de una clave privada.
-<code>openssl rsa -in file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64</code>+<code># RSA 
 +openssl rsa -in file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 
 +# EC 
 +openssl ec -in file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 
 +</code>
  
 Obtener el "SPKI fingerprint" (Base64) a partir de un csr (certificate signing request). Obtener el "SPKI fingerprint" (Base64) a partir de un csr (certificate signing request).
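Review bot: Splitting the command into `# RSA` and `# EC` variants means the reader has to know the key type first, and any other key type is left uncovered. `openssl pkey -in file.key -pubout -outform der` emits the same DER SubjectPublicKeyInfo for either key type, so a single line piped into `openssl dgst -sha256 -binary | openssl enc -base64` would replace both.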
Line 314: Line 327:
  
 Obtener el "SPKI fingerprint" (Base64) a partir de un certificado. Obtener el "SPKI fingerprint" (Base64) a partir de un certificado.
-<code>openssl x509 -in file.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64</code>+<code># RSA 
 +openssl x509 -in file.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 
 +# EC 
 +openssl x509 -in file.crt -pubkey -noout | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 
 +</code>
  
 Obtener el "SPKI fingerprint" (Base64) de un servidor HTTPS. Obtener el "SPKI fingerprint" (Base64) de un servidor HTTPS.
-<code>openssl s_client -servername www.busindre.com -connect www.busindre.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64</code>+<code># RSA 
 +openssl s_client -servername www.busindre.com -connect www.busindre.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 
 +# EC 
 +openssl s_client -servername www.busindre.com -connect www.busindre.com:443 | openssl x509 -pubkey -noout | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 
 +</code>
  
 **Crear CSR / Firmar CSR multidominio** (SAN): [[crear_y_firmar_csrs_multidominio_san]] **Crear CSR / Firmar CSR multidominio** (SAN): [[crear_y_firmar_csrs_multidominio_san]]
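Review bot: In the `s_client` pair the key type of a remote server is not known in advance, so choosing between the `# RSA` and `# EC` line is trial and error; `openssl pkey -pubin -outform der` in place of `openssl rsa -pubin` / `openssl ec -pubin` handles both, here and in the certificate block above it. The `s_client` lines also keep the connection open until stdin closes, so adding `< /dev/null` after the `-connect` argument lets the pipeline finish on its own.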
comandos_openssl_utiles_para_certificados.1628109948.txt.gz · Last modified: 2021/08/04 22:45 by busindre