Key Points

Java supports full security management - stores, certificates, keys in different key stores ( see m Java Security Certificate Mgt )
Openssl provides CLI interface to fully manage certificates, stores, signing requests, key management etc

References

Reference_description_with_linked_URLs_______________________	Notes______________________________________________________________

https://www.openssl.org/
https://www.openssl.org/docs/ https://www.openssl.org/docs/man1.1.1/
https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html
Openssl Cookbook - 2016 - gdrive openssl-cookbook.pdf	Openssl Cookbook - reasonably thorough
https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/ openssl-common-rsa-commands-zmq_bi_2014_Magic Quadrant for Business Intelligence and Analytics Platforms.pdf	Common Openssl commands from freecodecamp
https://slproweb.com/products/Win32OpenSSL.html	Openssl Windows binaries
	Linux includes openssl ... openssl version -a ( shows details )
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs	Tutorial creating ssl certificates with openssl

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview	Java Keystore types
https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549	Java keytool for CA administration

https://www.geotrust.com/resources/csr/apache_mod_ssl.htm openssl-create-server-cert-process-geotrust.com-Generate a Certificate Signing Request CSR.pdf	common openssl process to create a server certificate for ssl - geotrust

https://www.thewindowsclub.com/manage-trusted-root-certificates-windows windows10-certificate-trust-mgt-mmc-thewindowsclub.com-How to manage Trusted Root Certificates in Windows 10.pdf	Using Windows 10 Trust store with MMC
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt	Mozilla keeps the trust store in the source code repository: This file contains the object definitions for the certs and other # information "built into" NSS.
https://support.google.com/a/answer/6342198?hl=en	Generate Keys and Certificates for SSO for a GSuite account how to create keys, certificates and link them to a GSuite account

https://letsencrypt.org/ https://letsencrypt.org/docs/ https://letsencrypt.org/how-it-works/	Let's encrypt or other root CAs - provides certs, CAAS - certificate admin as a service using a client agent on your server Let's Encrypt has short key rotation ( 90 days or less to expiration )
https://caddyserver.com/docs/automatic-https#overview	Caddy serves IP addresses and local/internal hostnames over HTTPS using self-signed certificates – Examples: `localhost`, `127.0.0.1` Caddy serves public DNS names over HTTPS using certificates from a public ACME CA such as Let's Encrypt or ZeroSSL.: `sub.example.com`, `*.example.com` Caddy keeps all managed certificates renewed and redirects HTTP

https://upcloud.com/community/tutorials/use-ssh-keys-authentication/	Using ssh with Openssl or Puttygen **

https://security.stackexchange.com/questions/146360/ssh-keypair-works-in-putty-but-not-in-openssh-inside-the-puttys-session	Puttygen keys are not compatible with OpenSSH or OpenSSL Puttygen's private key format (PPK) can by converted OpenSSL format

https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file	Common certificate and key file formats
https://www.https.in/ssl-security/renew-ssl-certificate-steps/ ssl-How to Renew SSL Certificate for my Website.pdf	Renew SSL certificates **
https://docs.aws.amazon.com/acm/index.html	AWS ACM certificate management **
https://awsbytes.com/certificate-manager-cli-commands/	AWS ACM CLI commands *

Simple ssh - Using ssh with Openssl or Puttygen on Linux or Windows

https://upcloud.com/community/tutorials/use-ssh-keys-authentication/

_ssh-keys-How to use SSH keys for authentication.pdf

Use SSH on Mac Terminal vs Putty Option

On a Macbook, using the built-in "SSH" functionality within the Terminal app is generally considered easier than using PuTTY because it's already installed and seamlessly integrated with the Mac operating system, while PuTTY requires additional installation and may not offer the same level of user experience on a Mac environment; making "SSH" the more convenient choice.

https://www.ssh.com/academy/ssh/putty/mac

Key points:

Native integration:
Mac's Terminal app has built-in SSH functionality, so you don't need to install any extra software to use it.
User experience:
Many users find the Terminal interface on Mac more intuitive and user-friendly compared to PuTTY, especially when managing multiple SSH sessions.
Potential downsides of PuTTY on Mac:
Extra installation: Requires downloading and installing PuTTY separately.
May lack features: PuTTY might not fully utilize advanced features available on Mac's Terminal, like tabbed sessions or better integration with other system tools.

Login to server w private key

after public key stored on server,

then

run ssh with the private key for the user at the server address

ssh -i id_rsa jimmason@jim-macbook.local

https://docs.rackspace.com/support/how-to/logging-in-with-an-ssh-private-key-on-linuxmac

Key Concepts

Certificate Use Cases

Manage Client and Server SSL certificates for SSL encryption of messages

Client and server each have their own private key and matching public key pairs
Client and server can self-sign their private keys or create a CSR ( certificate signing request ) to have a root CA sign them for higher trust level
Client and server exchange public keys as certificates
For each message sent, the source system encrypts the message with the private key
For each message received, the receiver uses the public key to decrypt the message

Can use a variety of tools to generate an RSA 2048 key pair for SSL: Openssl, Java keytool, Puttygen

After generating the key pair file, copy the pair to the secure local key store ( PKCS12 format or ? )

Send the public key to the other end of the SSL connection to use to decrypt messages

Gopher blog on Key management for SSL setup

SSL notes from Gopher blog

You do not need to share secrets. You just need to exchange public keys securely between two parties.You stated that we can make an assumption: "secrets can be pre-shared". Given this problem, generate a certificate for each node and securely exchange their public keys.Now every node has a way to authenticate every other node with mutual TLS.To clarify, you do not need a certificate authority. This is out of scope for the problem. The certificate authority solves the problem of key distribution by delegating trust. You don't need to do that, because of your assumption that secrets (in this case, non-secrets) can be exchanged securely.To summarize, as long as each node has every other nodes public key, you have trust between them. Certificate authority, lets encrypt, etc are solutions for a problem that you don't actually need to solve.

Maria Gonzales  4 days ago
Thanks for your inputs. I started reading about TLS, but I was getting lost on the CAs part. So, if I understand correctly (and to get it right in my head), do I just need to generate 2 pairs of keys, exchange the public keys (out of band, preferentially) and there is no need to sign the certificates at all? (edited) 

Maria Gonzales  4 days ago
The part of signing the certificates (whether self-signed or not), was confusing me

Full CA keystore setup, generate of RSA certificates and management for SSL server

Typically a server is setup by a Certificate Authority administrator in a very secure environment.
The CA is often an intermediate CA with a trust chain back to a root CA ( Verisign, Thawte or other root CA )
Certificate files will often use a user, domain name or server name depending on planned usage
Private keys are generated and usually well protected in a secure key store.
A CSR ( Certificate Signing Request ) is generated for root CA authentication ( vs self signed certs )
the server CA reviews and approves the CSR providing a complete trust chain to a root CA
The public key is generated from the private key as a certificate PEM file normally. ( validate )
If needed, a PKCS12 file can be generated from the private key as a format to send the certificate to the client

Client setup for PKI certificates

Key management and distribution concepts

private keys can have a pass phrase to protect access

better use an encrypted wrapper with a password for key distribution via sftp or secure email

store in a secure location documented for trusted users only

send keys as encrypted messages ( PGP, zip or ? )

Document signing with the Private key

Create personal certificate for shared SSL

use a personal name or identity or a proxy name

Setup a Web Server with SSL

to configure and run a web server that supports SSL. That process consists of three steps:

(1) generate a strong private key,

(2) create a Certificate Signing Request (CSR) and send it to a CA, and

(3) install the CA-provided certificate in your web server.

Common certificate and key file formats

https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

SSL has been around for long enough you'd think that there would be agreed upon container formats. And you're right, there are. Too many standards as it happens. So this is what I know, and I'm sure others will chime in.

    .csr - This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.
    .pem - Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.
    .key - This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.
    .pkcs12 .pfx .p12 - Originally defined by RSA in the Public-Key Cryptography Standards (abbreviated PKCS), the "12" variant was originally enhanced by Microsoft, and later submitted as RFC 7292. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys: openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes

A few other formats that show up from time to time:

    .der - A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like...
    .cert .cer .crt - A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
    .p7b .keystore - Defined in RFC 2315 as PKCS number 7, this is a format used by Windows for certificate interchange. Java understands these natively, and often uses .keystore as an extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.
    .crl - A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.

In summary, there are four different ways to present certificates and their components:

    PEM - Governed by RFCs, its used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
    PKCS7 - An open standard used by Java and supported by Windows. Does not contain private key material.
    PKCS12 - A Microsoft private standard that was later defined in an RFC that provides enhanced security versus the plain-text PEM format. This can contain private key material. Its used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.
    DER - The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used very much outside of Windows.

Java Certificate Administration

Java Keystore Types

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview

Keystore is a storage facility to store cryptographic keys and certificates. They are most frequently used in SSL communications to prove the identity of servers and clients. A keystore can be a file or a hardware device. Three are three kinds of entries can be stored in a keystore depending on the types of keystores.

The three types of entries are:

PrivateKey : This is a type of keys which are used in asymmetric cryptography. It is usually protected with password because of its sensitivity. It can also be used to sign a digital signature.

Certificate : A certificate contains a public key which can identify the subject claimed in the certificate. It is usually used to verify the identity of a server. Sometimes it is also used to identify a client when requested.

SecretKey : A key entry which is sued in symmetric cryptography.

Depending on what entries the keystore can store and how the keystore can store the entries, there are a few different types of keystores in Java: JKS, JCEKS, PKCS12, PKCS11 and DKS. You can find the introduction of these keystore on Oracle's Java Cryptography Architecture description.

Next, we will have an overview of these keystore types.

JKS, Java Key Store. You can find this file at sun.security.provider.JavaKeyStore. This keystore is Java specific, it usually has an extension of jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys. Since it's a Java specific keystore, so it cannot be used in other programming languages. The private keys stored in JKS cannot be extracted in Java.

JCEKS, JCE key store(Java Cryptography Extension KeyStore). It is a super set of JKS with more algorithms supported. It is an enhanced standard added later by Sun. You can find this file at com.sun.crypto.provider.JceKeyStore. This keystore has an extension of jceks. The entries which can be put in the JCEKS keystore are private keys, secret keys and certificates. This keystore provides much stronger protection for stored private keys by using Triple DES encryption.

The provider of JCEKS is SunJCE, it was introduced in Java 1.4. Hence prior to Java 1.4, only JKS can be used.

PKCS12, this is a standard keystore type which can be used in Java and other languages. You can find this keystore implementation at sun.security.pkcs12.PKCS12KeyStore. It usually has an extension of p12 or pfx. You can store private keys, secret keys and certificates on this type. Unlike JKS, the private keys on PKCS12 keystore can be extracted in Java. This type is portable and can be operated with other libraries written in other languages such as C, C++ or C#.

The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.

Currently the default keystore type in Java is JKS, i.e the keystore format will be JKS if you don't specify the -storetype while creating keystore with keytool. However, the default keystore type will be changed to PKCS12 in Java 9 because its enhanced compatibility compared to JKS. You can check the default keystore type at $JRE/lib/security/java.security file:

PKCS11, this is a hardware keystore type. It provides an interface for the Java library to connect with hardware keystore devices such as SafeNet's Luna, nCipher or Smart cards. You can find this implementation at sun.security.pkcs11.P11KeyStore. When you load the keystore, you no need to create a specific provider with specific configuration. This keystore can store private keys, secret keys and certificates. When loading the keystore, the entries will be retrieved from the keystore and then converted into software entries.

DKS, Domain KeyStore is a keystore of keystore. It abstracts a collection of keystores that are presented as a single logical keystore. Itself is actually not a keystore. This new keystore type is introduced in Java 8. There is a new class DomainLoadStoreParameter which closely relates to DKS.

This keystore is located at sun.security.provider.DomainKeyStore.java.

Windows-MY, this is a type of keystore on Windows which is managed by the Windows operating system. It stores the user private keys and certificates which can be used to perform cryptographic operations such as signature verification, data encryption etc. Since it's a kind of native keystore, Java doesn't have a general API to access it. Oracle provides a separate API to access the Windows-MY keystore -- SunMSCAPI. The provider class for this API is sun.security.mscapi.SunMSCAPI.

BKS, BoucyCastle keystore, is a keystore format provided the popular third party Java cryptographic library provider -- BouncyCastle. It is a keystore similar to the JKS provided by Oracle JDK. But it supports storing secret key, private key and certificate. It is frequently used in mobile application developments.

In Java, there are a few choices on how a keystore can be processed. Writing the Java code is apparently a choice. Apart from this, a tool comes along with the JDK can also be used, it is called keytool.

keytool is a command line tool. It can be used to create keystore, generate keys, import and export certificates etc. For a full list of commands keytool supports, you can refer to Oracle keytool guideline.

If you are using IBM JDK, there is one more tool which can be used, it is ikeyman. ikeyman is a GUI tool which can provide a straightforward view of the keystore. The entries in the keystore. Keys and certificates can be created using ikeyman as well. It is a tool used frequently by system administrators.

Below are the details of each keystore supported in Java.

Certificate administration options

Java keytool

https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549

Openssl command line on any platform

Free CA admin tools including Fabric

Openssl certficate adminisration

Use Linux default openssl if possible

includes default trust store for certificates

To create CA, keystore and manage certificates see these detail use cases then read the references below

Use case - Manage Client and Server SSL certificates for SSL encryption of messages

Use case - Full CA keystore setup, generate of RSA certificates and management for SSL server

see References :

openssl-cookbook.pdf

openssl-common-rsa-commands

Sample Openssl CA certificate management commands

use openssl to create pub key and PEM cert from private key

-----------
check the private rsa key 
>openssl rsa -check -inform PEM -in jmason-prv.key -noout -text

<
    ed:cd:05:4d:f9:25:f2:5a
RSA key ok



-----------
view the public key for a private key

openssl rsa -in jmason-prv.key -pubout



-----------
write out the public key from the private key 

openssl rsa -in jmason-prv.key -pubout  -outform PEM -out jmason-pub.PEM -RSAPublicKey_out

Openssl on Windows

install a valid Openssl binary from

Compile Openssl for Windows or get a binary package

only if needed ( usually on Windows if a binary not available )

add a trust store

Use or Create a Trust Store

either use system trust store or get Mozilla trust store

Windows Certificates Trust Store via mmc

Mozilla Root Certificate trust store text file

https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Unfortunately, their certificate collection is in a proprietary format, which is not of much

use to others as is. If you don’t mind getting the collection via a third party, the Curl project

provides a regularly-updated conversion in Privacy-Enhanced Mail (PEM) format, which you

can use directly:

http://curl.haxx.se/docs/caextract.html

But you don’t have to write a conversion script if you’d rather download directly from Mozilla.

Conversion scripts are available in Perl or Go. I describe both in the following sections.

Download & Install Windows Openssl binary

https://slproweb.com/products/Win32OpenSSL.html

For Windows, create openssl_start.bat

sets up openssl environment in Windows

openssl_start.bat.txt

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

This can be solved as following:

Close OpenSSL.
Open a Command Prompt (CMD) as Administrator
Run the following command: SET OPENSSL_CONF=<<my openssl bin path>>\openssl.cnf

Create Keystore, Admin key, User key & cert

use pkcs12 keystore

all key types and portable to any language

Generate a private key for the admin

if using a protected passfile, store in protected zip w option name + dddd

D:\dsfw\files\keyhome>

openssl genrsa -aes256 -passout file:passfile.txt -out jemason1.key 2048

Generating RSA private key, 2048 bit long modulus

..............+++++

.........................................................................................................+++++

e is 65537 (0x010001)

The password file ideally is in UTF-8 encoding for openssl

type or cat the key file to see the encrypted text for the private key generated

type jemason1-pub.pem | more

-----BEGIN PUBLIC KEY-----
.... << more >> ...
-----END PUBLIC KEY-----

create the public key from the private key file

openssl rsa -in jemason1.key -out jemason1-pub.key -pubout

key files output:

jemason1-pub.key jemason1.key passfile.txt

OpenSSL on Linux

error - unknown option on openssl command - can't copy dashes

Search Results
Web results

openssl keeps giving me "unknown option" errors - Server Fault
https://serverfault.com › questions › openssl-keeps-giving-me-unknown-o...
2 answers
Aug 13, 2011 - Delete all of your dashes and re-type them on the command line. when you wish to copy and paste! the - in the out so use arrows to get there and remove - and then type - and press enter, the - near the out is the only - you need to delete and type then it works :D.

CSR - Certificate Signing Request

http://pdfviewer.softgateon.net/?state=%7B%22ids%22:%5B%2211xXUkWZp59faRNh_jjCvXjM1XvQ7R4e9%22%5D,%22action%22:%22open%22,%22userId%22:%22106992337469837643773%22%7D

Once you have a private key, you can proceed to create a Certificate Signing Request

(CSR).

This is a formal request asking a CA to sign a certificate, and it contains the public key of the

entity requesting the certificate and some information about the entity. This data will all be

part of the certificate. A CSR is always signed with the private key corresponding to the public

key it carries.

CSR creation is usually an interactive process during which you’ll be providing the elements

of the certificate distinguished name. Read the instructions given by the openssl tool careful-

ly; if you want a field to be empty, you must enter a single dot (.)

Get details from the site admin for OU, Cname, email, challenge password etc first

 openssl req -new -key fd.key -out fd.cs

Create a pkcs12 file store for certificates

PKCS 12. In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. ... The filename extension for PKCS #12 files is .p12 or .pfx .

The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys

https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs12.html

For PKCS#12 file parsing only -in and -out need to be used for PKCS#12 file creation -export and -name are also used.

Controlling order of keys in pkcs12 file

If none of the -clcerts, -cacerts or -nocerts options are present then all certificates will be output in the order they appear in the input PKCS#12 files. There is no guarantee that the first certificate present is the one corresponding to the private key. Certain software which requires a private key and certificate and assumes the first certificate in the file is the one corresponding to the private key: this may not always be the case. Using the -clcerts option will solve this problem by only outputting the certificate corresponding to the private key. If the CA certificates are required then they can be output to a separate file using the -nokeys -cacerts options to just output CA certificates.

creates a pkcs12 file from a public key

 openssl pkcs12 -export -in jemason1-pub.key -out jemason1.p12 -name "jmason Certificate"

jemfebapr

Tutorial - Create SSL certificates with OpenSSL

https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs

On Ubuntu

ssl folder /usr/lib/ssl is a link to

/etc/ssl

which contains /certs openssl.cnf /private

openssl.cnf has default values for a CSR otherwise they must be entered on CLI

openssl req –out certificatesigningrequest.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

create the new key and csr request

openssl req –out jmason1.csr -new -newkey rsa:2048 -nodes -keyout jmason1.key

read the key

openssl req -in jmason1.csr -noout -text

Create a public key as a PEM file from private key

openssl rsa -in jmason1.key -outform PEM -pubout -out jmason1-pub.PEM

Create a PKCS12 format file that can be imported into a Windows keystore

Create self-signed certificate with openssl req

openssl-req, req - PKCS#10 certificate request and certificate generating utility

The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.

openssl-x509, x509 - Certificate display and signing utility

https://www.openssl.org/docs/man1.1.1/

example 1 - create new self-signed root CA certificate, private and public key files and a password file

openssl req -x509 -sha256 -outform PEM -days 1000 -out jmason2-crt.pem -new -newkey rsa:2048 -nodes 
-keyout jmason2-key.pem -passin file:passfile.txt

Generating a RSA private key
...........................................................+++++
.....................................................................................+++++
writing new private key to 'jmason2-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [MA]:MA
Locality Name (eg, city) []:North Attleboro
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paramount Software Solutions
Organizational Unit Name (eg, section) []:software
Common Name (e.g. server FQDN or YOUR name) []:Jim Mason
Email Address []:.

openssl req options

-outform DER|PEM

This specifies the output format, the options have the same meaning and default as the -inform option.

-in filename

This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (-new and -newkey) are not specified.

-x509

This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.

If existing request is specified with the -in option, it is converted to the self signed certificate otherwise new request is created.

Openssl simple CA app to sign requests

https://www.openssl.org/docs/man1.1.0/man1/ca.html

openssl.org-ca.pdf

Potential Value Opportunities

Potential Challenges

Puttygen key formats not compatible with OpenSSH and OpenSSL

https://security.stackexchange.com/questions/146360/ssh-keypair-works-in-putty-but-not-in-openssh-inside-the-puttys-session

Puttygen uses a new proprietary key format that OpenSSH and OpenSSL do not.

Puttygen has a conversion tool that can convert the Puttygen key format back to the older OpenSSL format

testing a converted Puttygen to OpenSSL format worked:

openssl rsa -in jmason-prv-ssh3b.key -noout -text

Enter pass phrase for jmason-prv-ssh3b.key:
Private-Key: (2048 bit)
modulus:
00:92:db:ff:65:08:32:42:c8:04:3d:43:65:52:23:
65:2a:a5:d8:18:55:20:47:ef:61:a2:e9:c4:77:84:

Tip to convert OpenSSL key format to new Puttygen format

https://gist.github.com/twelve17/0449491d86158960fdb630160799ff23

It looks like as of this writing, the PuTTY Gen conversion code only accepts keys that use the AES-128-CBC or DES-EDE3-CBC ciphers. Otherwise, it will complain with a "unsupported cipher" error. (The latest release version at the moment is beta 0.67.)

For example, one of my private keys was using AES-256-CBC:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,xxxxxxx

Note that if your key is encrypted with a passphrase or has a MAC(?), you might only see a header like:

-----BEGIN RSA PRIVATE KEY-----
xx252xljbl.....

The "openssl" tool can be used to convert an existing private key to one of the acceptable formats above. Which of the two is another discussion, but hey, here is some insight.

openssl.exe rsa -in /path/to/your/private_key -out /path/to/your/new_private_key -outform PEM -des-ede3-cbc

openssl supported cipher formats include:

Cipher commands (see the `enc' command for more details)

openssl help

aes-128-cbc	aes-128-ecb	aes-192-cbc	aes-192-ecb
aes-256-cbc	aes-256-ecb	base64	bf
bf-cbc	bf-cfb	bf-ecb	bf-ofb
camellia-128-cbc	camellia-128-ecb	camellia-192-cbc	camellia-192-ecb
camellia-256-cbc	camellia-256-ecb	cast	cast-cbc
cast5-cbc	cast5-cfb	cast5-ecb	cast5-ofb
des	des-cbc	des-cfb	des-ecb
des-ede	des-ede-cbc	des-ede-cfb	des-ede-ofb
des-ede3	des-ede3-cbc	des-ede3-cfb	des-ede3-ofb
des-ofb	des3	desx	idea
idea-cbc	idea-cfb	idea-ecb	idea-ofb
rc2	rc2-40-cbc	rc2-64-cbc	rc2-cbc
rc2-cfb	rc2-ecb	rc2-ofb	rc4
rc4-40	seed	seed-cbc	seed-cfb
seed-ecb	seed-ofb

des-ede3-cbc is the Puttygen format for keys

Candidate Solutions

Step-by-step guide for Example

sample code block

sample code block

Recommended Next Steps

Related articles