Notes for openssl
Private key:
# Add a password to a PEM private key file (the key is re-written encrypted with AES-256)
openssl rsa -aes256 -in unprotected.pem -out protected.pem -passout "pass:toto"
# Read a password-protected PEM private key file; the password can come from the
# command line (visible to other users in the process list) or from a file
openssl rsa -in password.pem -passin "pass:toto"
openssl rsa -in password.pem -passin "file:password.txt"
Certificate:
# Read a certificate PEM file (without -noout -text, x509 only re-emits the PEM block)
openssl x509 -in certificate.pem -noout -text
# SHA-256 fingerprint of the certificate (of its DER encoding, so it does not depend on the PEM wrapping)
openssl x509 -noout -in certificate.pem -sha256 -fingerprint
# Subject and issuer: who the certificate is for, and which CA signed it (one link of the chain)
openssl x509 -noout -subject -issuer -in certificate.pem
Sign a file and verify the signature
# sign a file with the private key (SHA-256 digest, then the signature over the digest)
openssl dgst -sha256 -sign tstpri.pem -out tst.sig file
# verify the signature with the matching public key; prints "Verified OK" or "Verification Failure"
openssl dgst -sha256 -verify tstpub.pem -signature tst.sig file
File extensions can be (very) loosely seen as a type system.
.pem
a base64 encoding with header and footer lines;
the type of the contents is named in the header and footer lines
[Examples](https://stackoverflow.com/questions/5215771/how-can-i-check-if-the-certificate-file-i-have-is-in-pem-format)
CRT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PEM
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
.der
unlike PEM, this is the binary (ASN.1 DER) encoding of the same structure; conversion from PEM:
openssl x509 -in example.pem -out example.der -outform DER
.key
can be any kind of key, but usually it is the private key.
OpenSSL can wrap private keys for all algorithms (RSA, DSA, EC) in a generic and standard PKCS#8 structure;
the encoding can be PEM or DER, and both can protect the key with password-based encryption.
.crt or .cer
stands simply for certificate, usually an X509v3 certificate,
the encoding could be PEM or DER
a certificate contains the public key, but it contains much more information (most importantly the signature by the Certificate Authority over the data and public key, of course).
.csr or .req or sometimes .p10
stands for Certificate Signing Request as defined in PKCS#10;
the encoding could be PEM or DER
it contains information such as the public key and common name required by a Certificate Authority to create and sign a certificate for the requester.
.p12 or .pfx
is a PKCS#12 defined key store, commonly password protected.
It can contain trusted certificates, private key(s) and their certificate chain(s), but also other information such as secret keys and (
p12 is usually binary / DER encoded.
.crl
is a Certificate Revocation List which is defined within the X.509v3 certificate specifications, and this is usually DER encoded as well.
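Because the extension is only a hint, it pays to look at the bytes rather than the name. The following is an added example (not from the page or the Stack Overflow answer it quotes): a small stdlib-only Python identifier that recognises the PEM labels listed above, checks that each PEM body really is base64 of a DER SEQUENCE, flags legacy OpenSSL encrypted keys by their Proc-Type header, and otherwise checks whether the file is a single DER SEQUENCE (the outer shape of a certificate, PKCS#8 key, CSR, CRL or PKCS#12). The sample inputs at the top are constructed for the demonstration and are not real keys or certificates.

```python
"""Identify what a key/certificate file actually contains, ignoring its extension."""
import base64
import re

# PEM labels (RFC 7468 plus the OpenSSL legacy ones) and what they wrap.
PEM_LABELS = {
    b"CERTIFICATE": "X.509 certificate",
    b"CERTIFICATE REQUEST": "PKCS#10 certificate signing request",
    b"NEW CERTIFICATE REQUEST": "PKCS#10 certificate signing request (legacy label)",
    b"X509 CRL": "X.509 certificate revocation list",
    b"PUBLIC KEY": "SubjectPublicKeyInfo public key",
    b"PRIVATE KEY": "PKCS#8 private key, unencrypted",
    b"ENCRYPTED PRIVATE KEY": "PKCS#8 private key, password protected",
    b"RSA PRIVATE KEY": "PKCS#1 RSA private key (OpenSSL legacy format)",
    b"EC PRIVATE KEY": "SEC1 EC private key (OpenSSL legacy format)",
    b"DSA PRIVATE KEY": "DSA private key (OpenSSL legacy format)",
}

# One PEM block: label in the BEGIN line must be repeated in the END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples: SEQUENCE { INTEGER 5 } wrapped in different ways.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
BAD_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nnot base64!!\n-----END RSA PRIVATE KEY-----\n"
ENC_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
           + base64.encodebytes(b"\x00" * 16) + b"-----END RSA PRIVATE KEY-----\n")


def der_sequence_length(data: bytes):
    """If data starts with an ASN.1 SEQUENCE (tag 0x30), return the total
    encoded length (tag + length bytes + content) per DER rules, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def sniff(data: bytes) -> dict:
    """Classify a blob as PEM or DER and describe each object it holds."""
    result = {"encoding": "unknown", "objects": []}
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        result["encoding"] = "PEM"
        for label, body in blocks:
            entry = {"label": label.decode(),
                     "meaning": PEM_LABELS.get(label, "unrecognised label"),
                     "der_ok": None}
            if b"Proc-Type:" in body:
                # Legacy OpenSSL encryption: RFC 1421 headers, a blank line,
                # then base64 of ciphertext, so no DER structure to check.
                entry["meaning"] += ", password protected"
            else:
                try:
                    der = base64.b64decode(b"".join(body.split()), validate=True)
                except ValueError:
                    der = b""
                # A healthy PEM body decodes to exactly one DER SEQUENCE.
                entry["der_ok"] = der_sequence_length(der) == len(der)
            result["objects"].append(entry)
        return result
    total = der_sequence_length(data)
    if total is not None and total == len(data):
        result["encoding"] = "DER"
        result["objects"].append({"label": None, "der_ok": True,
                                  "meaning": "single ASN.1 SEQUENCE (certificate, key, CSR, CRL or PKCS#12)"})
    return result


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, sniff(f.read()))
```

Run it as `python sniff.py *.pem *.crt *.key *.p12`; a file whose label does not match its extension, or whose PEM body does not decode to a single SEQUENCE, is the one to look at with `openssl asn1parse` next.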
To avoid the Java exception "No subject alternative names present" when connecting by IP address:
Java matches the host or IP it dialled against the certificate's subjectAltName only (the CN is not used), so the IP address has to be in the certificate as a subjectAltName. Config for openssl req (pass it with -config; for the self-signed step, pass it to openssl x509 with -extfile and -extensions v3_req):
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = MyCertificate
commonName = 10.0.10.2:MyCertificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.0.10.2
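To see why the SAN entry matters and the CN does not, here is an added example (not code from the page or from Java): a Python re-implementation of the endpoint check that Java's HostnameChecker and other RFC 6125 clients perform, run over constructed certificates written in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. An IP target must match an "IP Address" SAN exactly, a DNS target matches a "DNS" SAN case-insensitively with a wildcard allowed only as the whole leftmost label, and a certificate with no SAN at all fails with the message quoted above. The certificates are constructed for the demonstration; CERT_MIXED_SAN mirrors the SAN of the keytool example further down.

```python
"""Endpoint identity check the way RFC 6125 clients (and Java) do it:
only subjectAltName is consulted; the subject commonName is ignored."""
import ipaddress

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# What the openssl config above produces: IP in the SAN, the odd CN is irrelevant.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "10.0.10.2:MyCertificate"),),),
    "subjectAltName": (("IP Address", "10.0.10.2"),),
}
# Only a CN, no SAN: this is the certificate that triggers the Java exception.
CERT_CN_ONLY = {
    "subject": ((("commonName", "10.0.10.2"),),),
}
# IP plus DNS names (like the keytool -ext SAN=IP:...,DNS:... example),
# with a wildcard entry to show the one-label rule.
CERT_MIXED_SAN = {
    "subject": ((("commonName", "mytest"),),),
    "subjectAltName": (
        ("IP Address", "10.0.0.1"),
        ("DNS", "mytest.domain.com"),
        ("DNS", "*.example.net"),
    ),
}


def dns_id_match(pattern: str, hostname: str) -> bool:
    """DNS-ID match: case-insensitive, same number of labels, and '*' only
    as the entire leftmost label of a name with at least two more labels."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _same_ip(san_value: str, target_ip) -> bool:
    """Compare an iPAddress SAN with the dialled IP after normalisation
    (so '::1' and '0:0:0:0:0:0:0:1' compare equal); bad SAN values never match."""
    try:
        return ipaddress.ip_address(san_value) == target_ip
    except ValueError:
        return False


def check_endpoint(cert: dict, target: str):
    """Return (ok, reason) for the host string the client dialled."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        # Java's wording for this case; the CN is not a fallback.
        return False, "No subject alternative names present"
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # IP-ID: exact match against an iPAddress SAN; DNS entries never match an IP.
        for kind, value in sans:
            if kind == "IP Address" and _same_ip(value, target_ip):
                return True, f"IP SAN {value} matches {target}"
        return False, f"No subject alternative IP address matching {target} found"
    for kind, value in sans:
        if kind == "DNS" and dns_id_match(value, target):
            return True, f"DNS SAN {value} matches {target}"
    return False, f"No subject alternative DNS name matching {target} found"


if __name__ == "__main__":
    for cert, target in ((CERT_WITH_IP_SAN, "10.0.10.2"), (CERT_CN_ONLY, "10.0.10.2"),
                         (CERT_MIXED_SAN, "www.example.net"), (CERT_MIXED_SAN, "a.b.example.net")):
        print(target, check_endpoint(cert, target))
```

The same logic explains the keytool example further down: `-ext SAN=IP:10.0.0.1,DNS:mytest.domain.com` is what makes both the IP and the hostname acceptable, whatever `-dname` says.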
Private key:
# Private key: KEY
# Certificate Signing Request: CSR (used to produce the CRT)
# -nodes ("no DES") writes the private key unencrypted; drop it to get a passphrase prompt
openssl req -nodes -newkey rsa:2048 -keyout certifssl.key -out certifssl.csr
Public key:
# Public certificate: CRT (self-signed with the same key, valid 999 days)
openssl x509 -req -in certifssl.csr -signkey certifssl.key -out certifssl.crt -days 999
Using keytool
keytool -genkey -alias myAlias
-keystore myStore.p12
-storepass myPassword
-storetype PKCS12
-dname cn=mytest,dc=domain,dc=com
-keyalg RSA
-validity 730 -keysize 2048
-ext SAN=IP:10.0.0.1,DNS:mytest.domain.com
Import an SSL certificate into Java (fetch the server's leaf certificate first; s_client reads stdin, so close it with echo -n | or < /dev/null):
echo -n | openssl s_client -connect www.example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
Show all certificates of the chain in PEM format, one file per certificate (cert1.pem, cert2.pem, ...):
openssl s_client -showcerts -verify 5 -connect google.fr:443 < /dev/null |
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
# rename each file after the lower-cased CN of its subject (two certificates with the same CN would overwrite each other)
for cert in *.pem; do
newname=$(openssl x509 -noout -subject -in "$cert" | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
echo "${newname}"; mv "${cert}" "${newname}"
done
(http://hoab.fr/shaarli/?Ve3UZg)
# import into the JRE trust store (changeit is the default cacerts password); the path depends on the JDK install
keytool -import -trustcacerts -keystore /usr/local/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
see also :
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jnffe22999=2
$JAVA_HOME/bin/keytool -list -v -keystore ${JAVA_HOME}/lib/security/cacerts
Export public certificate (-rfc writes PEM; without it keytool writes DER, whatever the file is named):
keytool -export -rfc -alias certalias -keystore newkeystore.jks -file <public key name>.pem
Debug SSL (JVM option; logs the handshake, including the certificate chain presented and the hostname check):
-Djavax.net.debug=ssl,handshake
Get the SSL certificate chain from the command line:
openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
check also : http://shaarli.hoab.fr/?4rTEfA (openssl s_client using a proxy - Stack Overflow)