How can I mask the middle lines of a PEM key in a bash script


I need to echo my PEM key with the middle lines masked (*) through a bash script,
for example:

-----BEGIN CERTIFICATE-----
MIICyjCCAbICCQDrpZYh8et7yTANBgkqhkiG9w0BAQsFADAnMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNGMB4XDTE4MTExMjIwNDEwNVoXDTE4
MTIxMjIwNDEwNVowJzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH
DAJTRjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJnIdgpml8+xk+Oj
1RGMCyJ1P15RiM6rdtszT+DFBg893Lqsjoyd5YgwELLz0Ux8nviG4L5OXOujEpAP
2cQBxTSLQjBELBZY9q0Qky3+2ewqV6lSfcXrcf/JuDJGR5K8HSqwNG35R3WGnZ+O
JhY0Dmx06IAs/FF8gP88zTQ8M7zuaThkF8MaF4sWPf6+texQwjzk4rewknGBFzar
9wFxVwNCyDD6ewIYPtgDxdJ1bwBVoX3KKKXm8GStl/Zva0aEtbSq/161J4VbTro2
dxArMPKzxjD6NLyF59UNs7vbzyfiw/Wq7BJzU7Kued5KdGt0bEiyWZYO+EvvxGmE
1pHfqysCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAavj4CA+7XFVHbwYMbK3c9tN/
73hkMvkAZWix5bfmOo0cNRuCeJnRIX+o6DmusIc8eXJJJV/20+zoSvUwlsLDPXoN
+c41GfIiEUSaSdSBtETMy8oPga718nIwAvNgYiUHXnV3B0nLYBUpYSnsD00/6VXG
xZUIEVBd7Ib5aRwmK8U5drxoWaBoG5qdvH9iapwTrCcPsRjsLBq7Iza2oBORGlfF
CjqiW2+KJzwRiTQj70yceniGVHM+VSpFYCLJ0mXeyLfITy7joqxr4AGYz+EhpLuf
iDpYDNYlr0JDVQqogskWjrnWOh0YcIJKgVtiTh2HDM5TdQgeXg4wv5IqLok0Tw==
-----END CERTIFICATE-----

as

-----BEGIN CERTIFICATE-----
MIICyjCCAbICCQDrpZYh8et7yTANBgkqhkiG9w0BAQsFADAnMQswCQYDVQQGEwJV
****************************************************************
iDpYDNYlr0JDVQqogskWjrnWOh0YcIJKgVtiTh2HDM5TdQgeXg4wv5IqLok0Tw==
-----END CERTIFICATE-----

I tried with awk but it failed:

awk 'BEGIN{FS=OFS=""} {for(i=2;i<='15';i++) $i="*"}1'

This might work for you (GNU sed):

sed -n '1p;1n;2p;2s/./*/gp;$!N;$!D;p' file

Turn off implicit printing by using the -n option.

Print the first and second lines, then replace every character of the second line by *'s and print that too.

Make a window of two lines throughout the remainder of the file and print it on the last line.

On reflection, a shorter solution:

sed 'N;2p;4s/\S/*/g;4P;$!D' file

does the same as the first solution but perhaps more cryptically.


I highly suggest using @WiktorStribizew's answer if the file is actually a fixed 16 lines long.

If it can vary (keys might have more or less bits), the simple way is to combine head and tail:

head -n2 key.pem ; echo 'XXXXXXX' ; tail -n2 key.pem

But if you're looking for a single command, take a look at this answer from a different question: https://stackoverflow.com/a/48002163/2284641


Here is what I found works on our PEM files:

awk '/-----BEGIN/ {f=2} f-->0; /-----END/' etc/auth/server.pem
-----BEGIN CERTIFICATE-----
MIID8jCCAhoCCQDGQsEmfeBvJTANBgkqhkiG6w0BAQsFADB/MQswCQYDVQQGEwJV
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF8jBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG6w0BBQwwDgQIpS+A9Ql+5uUCAggA
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII8ejCCAmICCQCNHBN8tj/FwzANBgkqhkiG6w0BAQsFADB/MQswCQYDVQQGEwJV
-----END CERTIFICATE-----

It prints the header and footer of every cert plus the first line of each cert.

Not exactly what's requested, but it should be OK for the purpose of hiding the cert, and it works with multiple certs in the same PEM file and certs of varying length.

Or, more correctly (no line counting, only awk):

awk '/-----BEGIN/ {f=2} f-->0; /-----END/ {print "****************************************************************\n" p "\n" $0}  {p=$0}' etc/auth/server.pem
-----BEGIN CERTIFICATE-----
MII8MjCCAhoCCQDGQsEmfeBvJTANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
****************************************************************
WW/14Mz4
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF8jBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIpS+A9Ql+5uUCAggA
****************************************************************
d9k=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII8ejCCAmICCQCNHBN8tj/FwzANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
****************************************************************
ZZc1oaC0PKSzBmq+TpbR27B8Zra3gpoA+gavdRZj
-----END CERTIFICATE-----

awk '
  /-----BEGIN/ {f=2}
  f-->0; 
  /-----END/ {print "****************************************************************\n" p "\n" $0}
  {p=$0}
  ' etc/auth/server.pem
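The sed answer above relies on line numbers and the awk answer prints a fixed mask line; what follows is an added example, not code from the original question or any answer, covering both cases in one function: any number of BEGIN/END blocks per file, any body length, and the edge case of a body too short to show "first and last line" without revealing all of it. It assumes POSIX sh and awk; the name mask_pem and the sample input in the comments are chosen here.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# mask_pem prints, for every BEGIN/END block in its input: the BEGIN line,
# the first body line, one line of '*' standing in for the middle, the last
# body line, and the END line. No line numbers are hard-coded, so it copes
# with any number of blocks and any body length. A body of fewer than three
# lines is masked completely, because "first and last line" would otherwise
# reveal all of it. Text outside a block is passed through unchanged.
# Assumes POSIX sh and awk; reads the files named as arguments, else stdin.
mask_pem() {
    awk '
    function masked(s) { gsub(/[^ \t]/, "*", s); return s }
    /^-----BEGIN / { inblk = 1; n = 0; print; next }
    /^-----END / {
        if (n >= 3) {
            print body[1]
            print masked(body[2])      # one masked line stands in for the middle
            print body[n]
        } else {
            for (i = 1; i <= n; i++) print masked(body[i])
        }
        inblk = 0; n = 0; print; next
    }
    inblk { body[++n] = $0; next }
    { print }
    END {
        # unterminated block at end of input: never let its body through
        for (i = 1; i <= n; i++) print masked(body[i])
    }
    ' "$@"
}
```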


Comments
  • What have you searched for, and what did you find? What have you tried, and how did it fail?
  • Tried with awk but it failed: awk 'BEGIN{FS=OFS=""} {for(i=2;i<='15';i++) $i="*"}1'
  • You can't use single quotes inside single quotes. The number should not be quoted at all anyway.
  • But perhaps a better fix would be 'NR>2 && NR < 16 { gsub(/./, "*") } 1' if you know the exact number of lines. To only print the first masked line, replace 1 with NR<=3 || NR >= 15 for example. To cope with a variable number of lines, keep the last few lines in memory and print in the END block.
  • @PradeepChandran, how many lines do you want to mask? All apart from the 1st and last? Can you please confirm?
  • It works with most of the PEM keys but not with single-line PEM keys like ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhs3/WTw+nYEXM9daoBUA9Z76tjJ1qXRVUEyc/XjxY7A4xnSd+IQeU9PItu2pu/jIeXUM1ksLdCoTPdqDTgrojQqjRNMjKrjDgp4BHSR5t0z2IYFbnkOmlp4t6CJ2XjfMMeBKnGa+tHpcZ+THJIVOK+KjdBEcwgoU3D7V++XDRrb9GvTMQTnwM0WPkHFqPyJfRaEyl89RVRhlQtseI08uCRRwZnxIzWeghoGGc0vfjvyFJud4YfEjP0wvd07XGPBg/ubJNdoPNS/73XdrS935vsBGZy20AjsHOjs7ZErqA46Ija2TWQXS7UUOLaSukYRNqFzh5A40ePuVAkuflnS+XAgtw== test
  • Fixed that issue: I split the single line into multiple lines with the fold command. Thanks for the help!!!!
  • Great solution. Actually, you could combine this into one sed statement, correct?
  • @Jotne yes if they have the same key size. No if key size varies.
  • @JohannesH. I just checked my work PEM files on Ubuntu; the certs are of different sizes and there are also multiple certs in one PEM file.
  • @PradeepChandran The second solution does not have any hardcoded line numbers; it is based on the assumption that there are always two or more lines between the START CERTIFICATE and END CERTIFICATE lines.
  • @PradeepChandran Then what are the requirements?