Certificates Archives - TEKSpace Blog
https://blog.tekspace.io/tag/certificates/
Tech tutorials for Linux, Kubernetes, PowerShell, and Azure
Wed, 30 Aug 2023 14:56:34 +0000

How to encrypt and decrypt files using openssl
https://blog.tekspace.io/how-to-encrypt-and-decrypt-files-using-openssl/
Wed, 30 Sep 2020 22:09:57 +0000

In this tutorial we will go over how to encrypt a text file that we can store in public storage without any security concerns. Suppose you are running an application on a cloud platform and taking daily backups of SQL files that you want to store securely in block storage somewhere in the cloud environment. In that case, using certificates to encrypt the files is very useful and worry-free.

To get started, I am using a Linux operating system with OpenSSL.

Generating private and public certificate files

The command below creates two files on your Linux file system:
example.priv.pem – This is your private key. You must store it somewhere secure.
example.pub.pem – This is your public certificate, which contains the public key. We will use it to encrypt files.

NOTE: The command below will create a private key with a password. I highly encourage using a password to keep your private key secure. If you do not wish to use a password, add -nodes to the command below, and it will create a private key without a password.

openssl req -x509 -newkey rsa:4096 -keyout example.priv.pem -out example.pub.pem

Interactive view

Generating a 4096 bit RSA private key
.......................................................................................................................................................................................++
.......................................................................................++
writing new private key to 'example.priv.pem'
Enter PEM pass phrase: <YOUR SECRET PASSWORD>
Verifying - Enter PEM pass phrase: <YOUR SECRET PASSWORD>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Houston
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:example
Email Address []:JohnSmith@example.com

Encrypt file

In the below example, I will encrypt a database.sql file. You can encrypt any file you desire. It can be text, pdf, logs, etc.

openssl smime -encrypt -binary -text -aes256 -in database.sql -out database.sql.enc -outform DER example.pub.pem

Now when you open your database.sql.enc file, it should look something like the output shown below:

0<82>^C ^F      *<86>H<86>÷^M^A^G^C <82>^Bú0<82>^Bö^B^A^@1<82>^B±0<82>^B­^B^A^@0<81><94>0<81><86>1^K0   ^F^CU^D^F^S^BUS1^N0^L^F^CU^D^H^L^ETexas1^P0^N^F^CU^D^G^L^GHouston1^P0^N^F^CU^D
^L^GExample1^K0 ^F^CU^D^K^L^BIT1^P0^N^F^CU^D^C^L^Gexample1$0"^F *<86>H<86>÷^M^A ^A^V^UJohnSmith@example.com^B   ^@ñ<99>%<93>dÑñ40^M^F   *<86>H<86>÷^M^A^A^A^E^@^D<82>^B^@^]<90>^\c1TÊUí»?<8b>b½Ü|P^X^F<87>nñfÅ" á^Mîma<9d>ô<94>½>³/Æ<82> >/s,[¸<8d>J<95>^Q<8b>[¯J^@WÜË{ü^Nú@½<99>5XJ^YA æË³Æ ÝN:÷ïìÒúÇe µ¹<99>^R^L^DX´<8a>^H2 Ùñ}Ú^E¥ç´Gë²Ô=JþÁ¾V^Q1Óq+Z£ñÔe´ä<95>^D|.¯Vq<93>Ó¸|û)i3<"^[Q¤\¿><98>ú<95>ö^\W^\^\í~)&<92>¡ÎrÈ<82>Æ·^?XäHs;'ý]<9b>Ü ¥¤<92>>\=¡5     <8a>ß9ßl<92>^T<8a>f"^A}=¸V^S^Qø=^YG÷WM@YØ|yxºÄ<95>\¢°Pbsn,nùãf¾>×Ó®¨ü4:RÁq<97>ÏKïÇ^X.]1^Z<8a>^R^KÜi<96><82>­î^HòË%æ¸[eò7<89>,vùÎ8Áb'YõòÔCÝå<9e>hA7èn;ÑÚCê^@ìE÷<9a>¨8<81>Tn«4Ñ^\ª#^?ÁÍ^V^Bcj"£±tÙ<99>^Q^T<87>³§^V °¿z^V^Z^E<9d>%x|K<90>ël¼Á<8b>·»<96><9c>s¢<85>ÙvÚß<92>üs^G^XÚR«REÌ[3³û<9c>®9²´Zr¼^B<93>^P>(^Zü?^O<91>;RKÚ;«¡`,$+^C.C^NÇV1@^?¾^¡<87>^?   IZè6MûyõÉð^B­¦×{ó<9d>^Nb^^D^\¤¹Õý^LÒ^[^B9<96>á^^ÜæÍ<95>µb¿HỸC^D[<8b>^Q<9a>;6˹Ãä<8d>º<81>p-<9d>îÄIq^Y£^YÌÑ¿<99>^_'*3ìòèÿ0<^F  *<86>H<86>÷^M^A^G^A0^]^F        `<86>H^Ae^C^D^A*^D^P<9a><84>¥^Qn<84>Á<90><95>Ûjá^A÷íT<80>^P^GA^@4¤^Q#jÉO^X<94>ñõ<9d>§

Decrypt file

The command below decrypts the previously encrypted file. In this example, we will decrypt database.sql.enc. The -inform value must match the -outform DER used when encrypting.

openssl smime -decrypt -in database.sql.enc -binary -inform DER -inkey example.priv.pem -out database-unencrypted.sql

You will be prompted for the password after you execute the above command.

Enter pass phrase for example.priv.pem:

Once you enter the right password, you should be able to read the database-unencrypted.sql file.
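
The generate, encrypt and decrypt steps above as one non-interactive script, added here as an example (it is not code from the original post). It assumes a throwaway key created with -nodes and -subj so that nothing prompts, a constructed two-line database.sql, and hypothetical function names; it confirms that the ciphertext hides the plaintext and that the decrypted file is byte-for-byte identical to the original.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the -subj value
# and the sample SQL are constructed for illustration.

# make_keypair DIR [BITS]: unencrypted throwaway key + self-signed cert, no prompts.
make_keypair() {
    (
        umask 077   # the private key must not be readable by group or others
        openssl req -x509 -newkey "rsa:${2:-4096}" -sha256 -days 3650 -nodes \
            -subj "/CN=backup-example" \
            -keyout "$1/example.priv.pem" -out "$1/example.pub.pem" 2>/dev/null
    )
}

# encrypt_file IN OUT CERT: only the certificate (public key) is needed here,
# so the private key never has to live on the machine that makes the backup.
encrypt_file() {
    openssl smime -encrypt -binary -aes256 -in "$1" -out "$2" -outform DER "$3"
}

# decrypt_file IN OUT KEY: -inform must match the -outform used when encrypting.
decrypt_file() {
    openssl smime -decrypt -binary -in "$1" -inform DER -inkey "$3" -out "$2"
}

# roundtrip_ok DIR [BITS]: returns 0 only if the ciphertext does not contain
# the plaintext and the decrypted file equals the original byte for byte.
roundtrip_ok() {
    dir=$1
    printf 'CREATE TABLE users (id INT);\nINSERT INTO users VALUES (1);\n' \
        > "$dir/database.sql"              # constructed sample backup
    make_keypair "$dir" "${2:-4096}" || return 1
    encrypt_file "$dir/database.sql" "$dir/database.sql.enc" \
        "$dir/example.pub.pem" || return 1
    if grep -q 'CREATE TABLE' "$dir/database.sql.enc"; then return 1; fi
    decrypt_file "$dir/database.sql.enc" "$dir/database-unencrypted.sql" \
        "$dir/example.priv.pem" || return 1
    cmp -s "$dir/database.sql" "$dir/database-unencrypted.sql"
}

# Usage: d=$(mktemp -d) && roundtrip_ok "$d" && echo "round trip OK"
```

For a passphrase-protected key, drop -nodes; decrypt_file will then prompt for the pass phrase exactly as shown above.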

Using key and crt files to encrypt and decrypt files

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key

The above command generates new .crt and .key files. Now we can reference these files to encrypt and decrypt files.

Encrypting file

openssl smime -encrypt -binary -text -aes256 -in database.sql -out database.sql.enc -outform DER example.crt

Decrypting file

openssl smime -decrypt -in database.sql.enc -binary -inform DER -inkey example.key -out database-unencrypted.sql

How to generate self-signed certificate in Linux
https://blog.tekspace.io/how-to-generate-self-signed-certificate-in-linux/
Wed, 30 Sep 2020 20:22:25 +0000

In this tutorial, I will be using CentOS 7 to generate self-signed certificates. You can use any Linux operating system as long as it has OpenSSL installed. To install OpenSSL, follow the guide below:

OpenSSL installation

CentOS, Redhat, Fedora:

sudo yum install openssl

Ubuntu, Debian:

sudo apt install openssl

Generating certificate with password

Command:

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key

Interactive view:

Generating a 4096 bit RSA private key
...............++
................................................................................                                                                                        ....................................................++
writing new private key to 'example.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Houston
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:JohnSmith@example.com

Verify output

$ ls -l example.*
-rw-rw-r-- 1 test test 2110 Sep 30 20:14 example.crt
-rw-rw-r-- 1 test test 3406 Sep 30 20:14 example.key

Generating certificate without password

Command:

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example1.crt -keyout example1.key -nodes

Interactive view:

Generating a 4096 bit RSA private key
......................................................................................................++
................................................................................................................++
writing new private key to 'example1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Houston
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:example1.com
Email Address []:JohnSmith@example.com

Verify output

$ ls -l example1.*
-rw-rw-r-- 1 test test 2110 Sep 30 20:40 example1.crt
-rw-rw-r-- 1 test test 3406 Sep 30 20:40 example1.key
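
The listing above only shows that the files exist. The checks below are an added example (not from the original post, with hypothetical function names) that go further: they confirm the certificate belongs to the key, that subject and issuer are the same name, how long the certificate stays valid, and that the key file is not accessible to group or others, which the -rw-rw-r-- mode in the listing is.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# cert_matches_key CRT KEY: 0 if the certificate carries this key's public key.
# Both commands print the same PEM "PUBLIC KEY" block when the pair matches.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # For a passphrase-protected key, openssl prompts here (or add -passin).
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# is_self_signed CRT: subject and issuer are the same name (a name check only,
# the signature itself is not verified here).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# valid_for_days CRT N: 0 if the certificate is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# key_is_private KEY: 0 if group and others have no permissions (e.g. mode 600).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Usage, with the files generated above:
#   cert_matches_key example1.crt example1.key && echo "pair matches"
#   key_is_private example1.key || chmod 600 example1.key
```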

Generate Self-Signed certificate in Windows 7
https://blog.tekspace.io/generate-self-signed-certificate-in-windows-7/
Tue, 20 Feb 2018 20:13:48 +0000

To generate self-signed certificates we will use makecert.exe. You will need to first download Windows SDK for Windows 7 or later.

Download and install Windows SDK.

Once you have downloaded and installed the Windows SDK, go to the SDK folder by executing the command below.

cd "C:\Program Files (x86)\Windows Kits\10\bin\x64"

Generate Root CA

Now, we will generate a root certificate. We will use the root CA certificate to sign the client certificate later in this article.

makecert -sky exchange -r -n "CN=MyRootCert" -pe -a sha256 -len 2048 -ss Root

The above command generates the root CA and loads it into the Trusted Root Certificate -> Certificates folder.

Create client certificate

makecert.exe -n "CN=client.example.com" -pe -sky exchange -m 96 -ss My -in "MyRootCert" -is root -a sha256

The above command creates a client certificate called client.example.com, issued by MyRootCert, and loads it into the Personal -> Certificates folder under your user profile.

NOTE: If you have Windows 10 or Windows Server 2016, you can use native PowerShell cmdlets to generate self-signed certificates.

Convert certificate from pfx to base64 with PowerShell
https://blog.tekspace.io/convert-certificate-from-pfx-to-base64-with-powershell/
Thu, 15 Feb 2018 19:44:25 +0000

To convert a certificate from .pfx to base64 format in PowerShell, you can use the .NET namespace available in PowerShell. I had a scenario where I was required to use base64 encoding to upload a certificate to Azure to secure communication to a backend instance. Since Microsoft Azure provides a rich API to work with, I was able to make a patch request and push a certificate to Azure.

In this tutorial, I will show you how to convert a certificate from .pfx to base64.

Open PowerShell as an administrator.

Now that we have a PowerShell console open, let’s first load the content into a variable.

$pfx_cert = get-content 'c:\certificate.pfx' -Encoding Byte

The above command loads the file content as bytes. If you print $pfx_cert in the PowerShell console, you will see a list of numbers, one per byte. In PowerShell 6 and later, -Encoding Byte is no longer accepted and -AsByteStream is used instead. To convert to base64 format, we will use the System namespace from .NET.

To convert the certificate to base64, execute the command below.

$base64 = [System.Convert]::ToBase64String($pfx_cert)

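The above command saves the result in the $base64 variable, and now you can use this variable or output it to a file depending on your scenario. Base64 is an encoding, not encryption: the string carries everything in the .pfx, including the private key, so handle it like the .pfx file itself.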
