Windows, OpenSSL generate a new .pem from key.pem and cert.pem - windows

I have the following files Cert.pem, Key.pem, CACert.pem
I have been told that I need to decrypt the key.pem.
1) What is the windows OpenSSL command to do this?
I need to combine the decrypted key.pem file with the cert.pem file to produce a new cert.pem file.
2) What is the windows OpenSSL command to do this?
Thanks

Unix installations of OpenSSL should include man pages, but Windows versions often do not because Windows doesn't usually have any way of finding and displaying them. man pages for the currently supported releases, plus 'master' which is the development head, are available on the OpenSSL website at https://www.openssl.org/docs/manpages.html . All OpenSSL 'commands' are actually run by the (single) program openssl, thus you execute pkey some args by running
openssl pkey some args
rem if openssl.exe is on your PATH or in the current directory, otherwise
x:\path\to\openssl pkey some args
You don't mention having the password for the encrypted key file; I hope you do because you can't decrypt (or do anything else) without it.
For 1.0.0 and up, pkey is the preferred way to convert private keys, including encrypting and decrypting; see its man page. In brief you simply tell pkey to read from the input file and write to the output file, and omit any specification of a cipher; that omission will cause it to write an unencrypted key. Note pkey will write the output in PKCS8 format, which is preferred for most purposes, but if you actually need a 'legacy' or 'traditional' format for some reason -- ask whoever 'told' you what software this file will be used with -- 1.1.0 pkey can do this but earlier cannot.
If you are stuck with a 0.9.x release, usually only on obsolete systems, use pkcs8 -topk8 -nocrypt for PKCS8 output; see that.
If you need legacy/traditional format (on a release below 1.1.0) you must use the 'legacy' per-algorithm commands, so you need to know what algorithm your key(file) is. Look at the first line where it says -----BEGIN something PRIVATE KEY----- . If something is RSA, use rsa; for DSA dsa; for EC ec; see the respective pages. If something is ENCRYPTED you must decrypt it to PKCS8 as above first, then look at it with asn1parse to determine which algorithm it is, but I expect it's not very likely someone who wants a legacy unencrypted key will start with a PKCS8 encrypted one.
OpenSSL does not provide any special operation to combine PEM files, since concatenating files of many types is a common operation. On Unix this is canonically done with the cat program; on Windows it can be done by using the (builtin) copy command with plus-sign(s) in the source; on both Unix and Windows it can be done by creating a file and then appending to it like:
copy decryptedkey.pem combined.pem
type certificate.pem >> combined.pem
rem >> means redirect the output from that command ('type')
rem normally on the console to _the end of_ the named file.
In this case you want to modify cert.pem by adding the contents of decryptedkey.pem, so just do
type decryptedkey.pem >> cert.pem
Alternatively you can use a plaintext editor like notepad. Open both files; select all the text in the second file and copy (or cut) and paste it at the end of the first file; save the modified first file.
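The two steps above carried through as one Windows batch script, with a check the answer does not mention: after decrypting, confirm that the private key really belongs to cert.pem before shipping the combined file. This is an added example, not the answerer's code; it assumes openssl.exe is on PATH, an OpenSSL 1.0.0 or later release, and that KEYPASS holds the passphrase (placeholder value here).

```batch
@echo off
setlocal
rem Placeholder passphrase; replace it, or use -passin file:pass.txt to keep it
rem off the command line and out of the console history.
set "KEYPASS=changeit"

rem 1) Decrypt: giving pkey no cipher option makes it write an unencrypted PKCS#8 key.
openssl pkey -in key.pem -passin pass:%KEYPASS% -out decryptedkey.pem
if errorlevel 1 (
    echo decrypting key.pem failed
    exit /b 1
)

rem 2) Combine: write a new file (cert.pem stays untouched) with the certificate
rem    first and the decrypted key after it, using copy with + as the answer describes.
copy /b cert.pem + decryptedkey.pem combined.pem >nul

rem 3) Check: the public key derived from the private key must be byte-for-byte
rem    identical to the public key carried inside the certificate.
openssl pkey -in decryptedkey.pem -pubout > key.pub
openssl x509 -in cert.pem -pubkey -noout > cert.pub
fc /b key.pub cert.pub >nul
if errorlevel 1 (
    echo key.pem does NOT match cert.pem; do not use combined.pem
    del key.pub cert.pub
    exit /b 1
)
echo key matches certificate; combined.pem holds cert + unencrypted key
del key.pub cert.pub
endlocal
```

Remember that combined.pem now contains the private key in the clear, so restrict its file permissions and remove decryptedkey.pem once it is no longer needed.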

Related

How to convert a GPG key into a .asc file without knowing the passcode

I have lost the passcode to a GPG keypair, and need to recover it. In the process of doing so I need to convert into a .asc file for gpg2john. However the GPG cli asks for a password to convert it into the ascii-armored version... which I do not have. Is there any way for me to get the .asc file from just the keys?
I can not use the below command as it requires a password.
gpg --export-secret-key --armor
Note: recover lost gpg password doesn't seem to have any real answers.
Apparently (see recover lost gpg password), gnupg added code to require a passphrase for export in newer versions. If you install an old, old version, like
brew install gnupg#1.4
you can then call
gpg1 -a --export-secret-keys ID >exportedPrivateKey.asc
without having to enter a passphrase.
Needless to say, only use gpg1 for that one task, not for ongoing encryption ;)

Script for decrypting/encrypting a file in Windows with gpg

I use gpg for encrypting a file storing my passwords in Windows. This file is an MS Excel file, which I use for convenience. Every time I want to check or update my passwords (> once per day on average), I execute the following batch script, which decodes the encrypted file and encodes the updated xlsx file again when I close the application.
call gpg --output pass.xlsx --decrypt pass.xlsx.gpg
call "%ProgramFiles%\Microsoft Office\Office14\excel.exe" pass.xlsx
call gpg --batch --yes --recipient myName --encrypt pass.xlsx
del pass.xlsx
Obviously, this is a suboptimal solution as it creates a decrypted file which, in case of an interruption (e.g. accidentally closing the command line window or a system crash), remains unencrypted. Anyone with something better, e.g. using in-memory pipes or the like (in Windows)?

PGP TarBall File Signature Keys Verification fails with no valid OpenPGP data found

This is the first time I figured I had better check the keys of the bind software I want to install. So I downloaded what I think is an OpenPGP key ...
$ wget ftp://ftp.isc.org/isc/bind9/9.9.4/bind-9.9.4.tar.gz.sha1.asc
... then I tried to "import" this key like this ...
$ gpg --import bind-9.9.4.tar.gz.sha1.asc
... but I get this error message:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
What am I doing wrong?
Thanks!
The command syntax is gpg bind-9.9.4.tar.gz.sha1.asc. Of course, this gives an error that no public key is found. You can download public keys from pgpkeys.mit.edu.
This article explains the process step-by-step.
Sometimes, you read words like these: “It is essential that you verify the integrity of the downloaded files using the PGP or MD5 signatures […] using the following commands […]”.
gpg --import KEYS
gpg --verify <software-bundle>.asc
You know you should do. And without reading all of it, you may think: Two commands, one to attach the signature file and one to verify the downloaded software. It is not.
KEYS does not refer to the downloaded asc file, but to a special file named KEYS that you need to download separately. See the step “Download KEYS”. The link is not pointing to the asc file as you might think. It points to something else. These KEYS are needed to check the integrity of the asc file itself. The second command seems to perform both checks then. It verifies the asc file given as parameter (using the imported keys), but if you try to run it on the standalone asc file, it says:
gpg: no signed data
gpg: can't hash datafile: No data
So I think it also verifies the integrity of the software, too, which is expected to be a file with the same name except the trailing .asc in the same directory. (But I haven't found proof of this being true so far.)

Linux / Windows Shell Scripting to Unlock PGP File

I have a sequence of scripts which downloads PGP files from a FTP server. I then unzip these files with a private key using PGPKeys. The unzipped files are then picked up by a SQL Server job which appends the data onto our database. I'd like to automate the entire process. Is there any way to unzip a PGP locked file using shell scripting (either Linux or Windows)?
That's a perfect task to automate, I can help you in Linux.
First you can use wget to download a file
wget ftp://website.com/yourpgparchive.zip
If your ftp website requires authenticated access use
wget --ftp-user=USER --ftp-password=PASSWORD ftp://ftp.site/archive.zip.pgp
Then you need gpg (the open source PGP implementation) to decrypt the file
gpg -o file.zip -d file.zip.gpg
(If you need some suggestion on how to import keys and get started with gpg check here)
Then you can just unzip the file with
unzip file.zip
You may need to install gnupg and unzip from your package manager.
Yes, GPG. In your case, it's just gpg -d filename (or just gpg -d to read from stdin).
And, what you probably wanted to say is decrypt instead of unzip and encrypted instead of locked.

Use terminal in Mac for file transfer

I am using terminal in Mac for SSH access and it is great. But is there any way for me to do file transfer with the remote server that I SSH into in Mac?
Thanks
scp is your friend, enough said :)
(I realize this is a late reply, but I just stumbled upon this question and thought I'd contribute a tip...)
A quick & dirty way of transferring files over Terminal is:
On the remote side:
cat $file | openssl enc -base64
This will output a bunch of uppercase/lowercase/digits which represent Base64-encoded binary data. Select & copy this block text.
Then, in a separate Terminal window on your local machine:
pbpaste | openssl enc -base64 -d > $file
This will pipe the contents of the clipboard (the Base64-encoded data) to the openssl program (which is set to decode via the -d flag), and save the results in $file.
This works best for small files, and isn't terribly fast. I use it when I'm too lazy to construct a command line for scp or sftp. For larger/multiple files, you'll definitely want to use the latter two.