Creating Selfsigned Certificate with an Existing Key

Most OpenSSL documentation out there only shows you how to create a new key and signs it with in single command.  I wanted to use a self-signed in the interm while waiting for my third-party CA approve my certificate. I already had an existing key.   Here is the command to create a self-signed certificate from an existing RSA key.

#> openssl req -x509 -new -key {KEYFILE} -out {SELFSIGNEDCERT}


Batch dump SSL certificate bundles to single files


This perl script makes the process of unbundling certificates into single files an easy task. Just run the and it will dump the generated files to the current directory.


  • Perl
  • openssl
  • certificate bundle (PEM format)


Syntax: ./ <cert_bundle.crt>

Allow UID 0 accounts to login but not root over SSH


More than once, I've needed root access to a server over SCP.  As we all know, allowing SSH access with the root user is a blaring security hole because the user is a well-known userid with superuser access. This makes it the first thing that a hacker or script-kiddie will check.  If you create another user with userid number 0 and set PermitRootLogin to 'no' in the sshd_config file, you will still not be able to login.  The PermitRootLogin option actually blocks ANY user if their user id number equals 0.

Convert JKS and PKCS12 back and forth with keytool


Here are a few CLI commands to convert a java key store file to a PKCS12 encoded cert chain and back. This requires the java development kit (Sun/Oracle JDK) 6 or newer.  


JKS → P12

$> keytool -importkeystore \
-srckeystore keystore.jks \
-srcstoretype JKS \
-deststoretype PKCS12 \
-destkeystore keystore.p12

P12 → JKS

Importing an OpenSSL CSR into Windows CA server

To import a CSR in to a Windows Certificate Authority Server, you must define a certificate template.  OpenSSL does not do this because this is a Microsoft only concept.  With the use of the 'certreq' command, you can apply a template type during the request import process.  This command should be available on your Microsoft CA server. 

certreq -submit -attrib "CertificateTemplate:WebServer" request.csr



Gibson Research Corporation

Home of SpinRight and SheildsUp software.

Off-the-Record Messaging

Off-the-record IM encryption.  OTR supports multiple IM clients.
Syndicate content