The Most Useful OpenSSL Commands

Saturday, March 21, 2020 • 7 minutes to read

OpenSSL is one of the most useful applications available on all major platforms. It is an open-source implementation of SSL and TLS protocols and cryptography algorithms. As useful on enterprise-level like for your personal needs. And this is my list of the most useful OpenSSL commands.

What are those all abbreviations?

This article is just a cheat sheet, a brief list of commands, not an introduction to cryptography. However, just for the sake of being clear what those commands do, I need to introduce some abbreviations.

Private key operations

Create a 2048-bits RSA private key and encrypt it with a 3DES algorithm.

$ openssl genrsa -des3 -out example.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
.........................+++
e is 65537 (0x10001)
Enter pass phrase for example.key:
Verifying - Enter pass phrase for example.key:

Decrypt an encrypted RSA private key.

You need to know the key’s passphrase to run this command.

$ openssl rsa -in example.key -out decrypted.key
Enter pass phrase for example.key:
writing RSA key

Encrypt a decrypted RSA private key with a 3DES algorithm.

$ openssl rsa -des3 -in decrypted.key -out encrypted.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Verify an RSA private key.

This command writes to the standard output your key in PEM encoding. You need to know the key’s passphrase to run this command if your private key is encrypted.

$ openssl rsa -check -in example.key
Enter pass phrase for example.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Certificate Signing Request operations

Create an RSA private key and a CSR.

The following command creates a new 2048-bits RSA private key without encryption and signs CSR with SHA-2.

$ openssl req -newkey rsa:2048 -nodes -keyout example.key -sha256 -out example.csr
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Create a CSR from an existing RSA private key.

You need to fill out similar data like in the previous command - that part was not included in the listing below. It also signs CSR with SHA-2.

$ openssl req -key example.key -new -sha256 -out example.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.

Create a CSR from an existing certificate and RSA private key.

In case you already have a certificate and want to create a CSR from it, the following command is enough.

$ openssl x509 -in example.crt -signkey example.key -x509toreq -out example.csr
Getting request Private Key
Generating certificate request

Verify a CSR.

$ openssl req -verify -text -noout -in example.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, L=City, O=Example Ltd., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption

SSL/TLS certificate operations

In most cases, you will receive a certificate from a Certificate Authority. However, you can still self-sign the certificate.

Create a certificate from an existing RSA private key and CSR.

Adding -days 365 makes the certificate valid for 365 days counting from today.

$ openssl x509 -signkey example.key -in example.csr -req -days 365 -out example.crt
Signature ok
subject=/C=US/L=City/O=Example Ltd./CN=example.com
Getting Private key

Create a certificate from an existing RSA private key, without CSR.

You need to include similar information like when creating a CSR.

$ openssl req -key example.key -new -sha256 -x509 -days 365 -out example.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.

Create a certificate without a private key or CSR.

This command creates a 2048-bits RSA private key without encryption and a certificate valid for 365 days.

$ openssl req -newkey rsa:2048 -nodes -keyout example.key -x509 -sha256 -days 365 -out example.crt
Generating a 2048 bit RSA private key
................+++
..........................................................................+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

View X.509 certificate entries.

This command prints on standard output information about certificate, including validity dates, subject, and signatures.

$ openssl x509 -text -noout -in example.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a4:48:e5:90:4a:3e:17:c1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=City, O=Example Ltd., CN=example.com
        Validity
            Not Before: Mar 21 21:15:04 2020 GMT
            Not After : Mar 21 21:15:04 2021 GMT
        Subject: C=US, L=City, O=Example Ltd., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                32:C1:57:AD:3F:11:6D:1D:C8:8A:E8:F4:1D:9C:4B:3D:5B:DB:24:2F
            X509v3 Authority Key Identifier:
                keyid:32:C1:57:AD:3F:11:6D:1D:C8:8A:E8:F4:1D:9C:4B:3D:5B:DB:24:2F

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

View PKCS#12 certificate entries.

$ openssl pkcs12 -info -in example.pfx
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: A0 42 7B 57 A5 04 28 16 A1 82 3C 76 E1 E3 D4 2A 68 AD D6 58
subject=/C=US/L=City/O=Example Ltd./CN=example.com
issuer=/C=US/L=City/O=Example Ltd./CN=example.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: A0 42 7B 57 A5 04 28 16 A1 82 3C 76 E1 E3 D4 2A 68 AD D6 58
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

Verify a certificate.

$ openssl verify -verbose example.crt
example.crt: C = US, L = City, O = Example Ltd., CN = example.com
error 18 at 0 depth lookup:self signed certificate
OK

Convert between certificate formats

IIS or Tomcat use PKCS formats, Apache or NGINX use PEM encoded X.509 formats.

Convert from DER to PEM.

$ openssl x509 -inform der -in example.cer -out example.pem

Convert from PEM o DER.

$ openssl x509 -outform der -in example.crt -out example.cer

Convert PKCS#12 file containing a certificate and private file to PEM encoded X.509 format.

$ openssl pkcs12 -nodes -in example.pfx -out example.pem
Enter Import Password:
MAC verified OK

Convert a PEM encoded certificate file and a private key to PKCS#12.

$ openssl pkcs12 -export -inkey example.key -in example.crt -out example.pfx
Enter Export Password:
Verifying - Enter Export Password:
devopscheat sheetopensslcertificateencryption

Altered Carbon Season 2 - Review

Sex Education - Season 2