Mastering Openssl Command and NSS Database Management

Published On: April 5, 2024

Greetings to all you geeks out there!

It’s a pleasure to have you here at geekcoding101.com!

With almost 20 years immersed in the vibrant world of Linux and the security domain, I’ve encountered a myriad of tools and technologies that have shaped my journey. Today, I’m excited to introduce you to OpenSSL and Certutil—two indispensable utilities that play pivotal roles in managing digital certificates and encryption. Whether you’re safeguarding your web servers or securing communications, understanding these tools is crucial. I’ve distilled my insights and tips into this post, aiming to arm you with the knowledge to leverage these powerful utilities effectively.

Enjoy!

Openssl

OpenSSL is an open-source software library that provides a robust, commercial-grade, and full-featured toolkit for SSL and TLS protocols, as well as a general-purpose cryptography library. It is widely used by internet servers, including the majority that implement secure web (HTTPS) connections, as well as in countless other security-sensitive applications. Here are some key aspects of OpenSSL:

Core Features

  • Encryption: Offers cryptographic algorithms for encrypting data, ensuring that information can be transmitted or stored securely. This includes algorithms like AES, DES, RC4, and more.
  • SSL/TLS Protocols: Facilitates secure communications over computer networks against eavesdropping, tampering, and message forgery. OpenSSL includes implementations of the SSL and TLS protocols to secure network communications.
  • Cryptographic Hash Functions: Supports hash functions like SHA-1, SHA-256, and MD5, used for creating message digests that ensure the integrity of data.
  • Digital Certificates: Manages X.509 certificates which are essential for establishing SSL/TLS connections. OpenSSL can generate certificate signing requests (CSRs), create certificates, and manage certificate chains.
  • Public Key Infrastructure (PKI): Supports PKI essentials for managing public and private keys, including generating key pairs, signing certificates, and more.

Query Information

Query on Private Key:

openssl rsa -in privatekey.pem -check

Query All Information:

openssl x509 -in certificate.pem -text -noout

Query Subject:

openssl x509 -in certificate.pem -subject -noout

Query Validity:

openssl x509 -in certificate.pem -dates -noout

Query Purpose:

openssl x509 -in certificate.pem -purpose -noout

Example:

Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : No
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

Download Cert from Remote Server:

openssl s_client -showcerts -debug -connect ldap.XXXX.com:636 < /dev/null > /tmp/ldap.out 2>&1
sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' /tmp/ldap.out > /tmp/ldap.pem

Leave out -ssl3: it forces SSLv3, which current OpenSSL builds no longer include and which no correctly configured server offers. Because of -showcerts, /tmp/ldap.pem holds every certificate the server sent, the server's own certificate first and any intermediates after it.

PKCS#12 (PFX) File Management

Convert PFX to PEM:

openssl pkcs12 -in filename.pfx -out certificate.pem -nodes

Print Some Info About a PKCS#12 File:

openssl pkcs12 -info -in filename.pfx

Print Some Info About a PKCS#12 File in Legacy Mode:

openssl pkcs12 -info -in filename.pfx -legacy

Extract Only Client Certificates + Key:

openssl pkcs12 -in filename.pfx -clcerts -out clientcert.pem

Extract Only Client Cert:

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out clientcert.pem

Extract Unencrypted Key File from PFX:

openssl pkcs12 -in filename.pfx -nocerts -nodes -out privatekey.pem

Extract CA Cert from PFX:

openssl pkcs12 -in filename.pfx -cacerts -nokeys -out cacert.pem
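As an added example (not from the original post), the following script ties the query and PKCS#12 commands above together: it builds a throwaway self-signed certificate and key, exports them as a PFX, extracts the certificate and the key separately, and then checks that the key really belongs to the certificate and that the certificate is not close to expiry. The file names and the password "secret" are assumed test values.

```shell
#!/bin/sh
# Added example (not from the original post): make a throwaway cert + key, bundle
# them as PKCS#12, run the post's extraction commands, then do the two checks worth
# making before deploying a PFX: the key really belongs to the cert, and the cert
# is not about to expire. File names and the password "secret" are constructed.
set -eu
WORK=$(mktemp -d)

make_pfx() {
  # Self-signed 2048-bit RSA cert valid for one day (constructed test material)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example.test" \
    -keyout "$WORK/demo.key" -out "$WORK/demo.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/demo.key" -in "$WORK/demo.pem" \
    -passout pass:secret -out "$WORK/demo.pfx"
}

extract_from_pfx() {
  # Client cert only (no key), then the unencrypted key only, as in the post
  openssl pkcs12 -in "$WORK/demo.pfx" -clcerts -nokeys -passin pass:secret \
    -out "$WORK/clientcert.pem"
  openssl pkcs12 -in "$WORK/demo.pfx" -nocerts -nodes -passin pass:secret \
    -out "$WORK/privatekey.pem"
}

# 0 when the public half of private key $2 equals the public key inside cert $1
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 0 when cert $1 is still valid $2 seconds from now (-checkend exits 1 if not)
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

main() {
  make_pfx
  extract_from_pfx
  key_matches_cert "$WORK/clientcert.pem" "$WORK/privatekey.pem" \
    || { echo "private key does not match certificate" >&2; return 1; }
  not_expiring_within "$WORK/clientcert.pem" 43200 \
    || { echo "certificate expires within 12 hours" >&2; return 1; }
  # Structural check of the key itself (the post's "Query on Private Key")
  openssl rsa -in "$WORK/privatekey.pem" -check -noout
  echo "PFX checks passed: key matches cert; cert valid for at least 12h"
}
main
```

The same two checks apply unchanged to a PFX received from a vendor or exported from a Windows certificate store; a mismatch usually means the wrong key was bundled.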

NSS Database Management

NSS (Network Security Services) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications can use NSS for SSL/TLS, PKI (Public Key Infrastructure) certificate management, cryptographic operations, and other security standards. The NSS database, specifically, is the component in which NSS stores certificates, keys, and other security assets.

Key Features of the NSS Database

  • Certificate and Key Storage: It stores and manages SSL/TLS certificates, private keys, and trust settings in a secure, encrypted database format. This storage is essential for applications needing to establish secure connections, authenticate themselves or their users, and ensure data integrity and confidentiality.
  • Cross-Platform Support: NSS provides a platform-independent way to manage security assets, making it suitable for a wide range of operating systems and environments.
  • Security: The database is designed with a strong focus on security, including support for various encryption algorithms and mechanisms to protect sensitive information.
  • PKI Support: It supports a comprehensive range of PKI standards, allowing applications to perform tasks such as certificate signing, issuance, and revocation checking.

Components of the NSS Database

  • CertDB: A database for storing certificates, including user, server, and CA (Certificate Authority) certificates.
  • KeyDB: A database for storing private keys associated with the certificates.
  • SecmodDB: A database for managing PKCS#11 module configurations. PKCS#11 modules are used to interface with cryptographic tokens like smart cards or hardware security modules (HSMs).

Management Tools

NSS comes with several command-line tools for managing the NSS Database, including:

  • certutil: For managing certificates and keys within the database.
  • pk12util: For importing and exporting certificates and keys in PKCS#12 format.
  • modutil: For managing PKCS#11 modules.

Usage

NSS Databases are often used in web browsers (like Mozilla Firefox), email clients, and other networked applications requiring secure communication. By managing cryptographic keys and certificates, the NSS Database plays a crucial role in enabling secure internet communications and data protection efforts across various applications.

Import Cert/Key (PEM) into NSS:

certutil -A -n "certificate name" -t "TCu,Cu,Tu" -i certificate.pem -d sql:/path/to/nssdb

-t trustargs
Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all of the attribute codes:

  • p – Valid peer
  • P – Trusted peer (implies p)
  • c – Valid CA
  • C – Trusted CA (implies c)
  • T – trusted CA for client authentication (ssl server only)

The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:

-t "TC,C,T"

Use the -L option to see a list of the current certificates and trust attributes in a certificate database.

Note that the output of the -L option may include a "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil.

certutil doesn't have an option to add private keys. You need to use pk12util for that.
You can refer to https://serverfault.com/questions/647658/how-to-add-an-existing-key-to-the-certutil-key-database

Import PFX into NSS DB:

pk12util -i filename.pfx -d sql:/path/to/nssdb

Export PEM from NSS DB:

certutil -L -n "certificate name" -d sql:/path/to/nssdb -a > certificate.pem

List Keys from NSS DB:

certutil -K -d sql:/path/to/nssdb

Remove Cert from NSS DB:

certutil -D -n "certificate name" -d sql:/path/to/nssdb

Note that -D removes only the certificate entry; a private key that was imported with pk12util stays in the key database until it is deleted with the -F option.
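The NSS workflow above, as an added example that is not part of the original post: it creates a fresh NSS database, imports a constructed CA with explicit trust flags, imports a client certificate and key through pk12util, then lists, exports and validates the result. The nicknames, the password "secret" and the certificates are assumed test material; it needs certutil and pk12util (nss-tools) plus openssl.

```shell
#!/bin/sh
# Added example (not from the original post): build an NSS database from scratch,
# import a CA with explicit trust flags, bring a client cert + key in via pk12util,
# then list, export and validate. Needs certutil, pk12util (nss-tools) and openssl.
# Names, the password "secret" and all certificates below are constructed for the demo.
set -eu
for tool in certutil pk12util openssl; do
  command -v "$tool" >/dev/null 2>&1 || { echo "skipping: $tool not installed" >&2; exit 0; }
done
WORK=$(mktemp -d)
DB="sql:$WORK/nssdb"

make_material() {
  # Constructed CA, plus a client cert it signs; both valid for one day
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
  # -name is the PKCS#12 friendly name; pk12util uses it as the NSS nickname
  openssl pkcs12 -export -name demo-client -inkey "$WORK/leaf.key" \
    -in "$WORK/leaf.pem" -passout pass:secret -out "$WORK/leaf.pfx"
}

setup_nssdb() {
  mkdir -p "$WORK/nssdb"
  certutil -N -d "$DB" --empty-password   # new DB without a master password (demo only)
  # CA trusted for SSL and client auth (CT), S/MIME (C) and object signing (C)
  certutil -A -n "Demo CA" -t "CT,C,C" -a -i "$WORK/ca.pem" -d "$DB"
  # The cert + private key must come in through pk12util; certutil -A cannot add keys
  pk12util -i "$WORK/leaf.pfx" -d "$DB" -W secret -K ""
}

# Prints the trust flags recorded for a nickname: "CT,C,C" for the CA, "u,u,u" for own cert+key
trust_flags_of() {
  certutil -L -d "$DB" | awk -v n="$1" '$0 ~ ("^" n " ") { print $NF }'
}

main() {
  make_material
  setup_nssdb
  # Export the client cert back out as PEM (the post's "Export PEM from NSS DB")
  certutil -L -n demo-client -d "$DB" -a > "$WORK/exported.pem"
  # Validate the client cert for SSL client use (-u C) against the DB's trust settings
  certutil -V -n demo-client -u C -e -d "$DB"
  echo "CA trust: $(trust_flags_of 'Demo CA')  client trust: $(trust_flags_of demo-client)"
}
main
```

Running certutil -V before deploying a database is the quickest way to confirm that the trust flags you set actually let the application build the chain it needs.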

Cool! I believe that’s a lot for today’s topic!
Let’s wrap up and see you next time!
