The Most Useful OpenSSL Commands
Saturday, March 21, 2020 • edited Monday, February 22, 2021 • 7 minutes to read
OpenSSL is one of the most useful applications available on all major platforms. It is an open-source implementation of the SSL and TLS protocols and of the cryptographic algorithms behind them, useful at enterprise scale and for personal needs alike. This is my list of the most useful OpenSSL commands.
What are all those abbreviations?
This article is just a cheat sheet, a brief list of commands, not an introduction to cryptography. However, to make clear what the commands do, I first need to introduce some abbreviations.
- 3DES - Triple DES, an encryption algorithm that applies DES three times; DES (Data Encryption Standard) is a symmetric-key encryption algorithm with a 56-bit key
- RSA - Rivest–Shamir–Adleman algorithm - an asymmetric encryption and signature algorithm with keys of 1024 to 4096 bits
- PEM - Privacy-Enhanced Mail - a text format holding base64-encoded keys and certificates between BEGIN/END markers
- CSR - Certificate Signing Request - the data a CA signs to issue a certificate
- SHA-2 - a family of cryptographic hash functions (SHA-256, used below, is one member)
- SSL - Secure Sockets Layer - a secured transport protocol, the predecessor of TLS
- TLS - Transport Layer Security - a secured transport protocol
- X.509 - the standardized format of public-key certificates
- DER - Distinguished Encoding Rules - a binary encoding of certificates and keys
- PKCS - Public-Key Cryptography Standards - a family of related standards; PKCS#12, used below, is a container format that bundles a certificate with its private key
The private key operations.
How to create a 2048-bit RSA private key and encrypt it with 3DES?
$ openssl genrsa -des3 -out example.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
.........................+++
e is 65537 (0x10001)
Enter pass phrase for example.key:
Verifying - Enter pass phrase for example.key:
How to decrypt an encrypted RSA private key?
You need to know the key’s passphrase to run this command.
$ openssl rsa -in example.key -out decrypted.key
Enter pass phrase for example.key:
writing RSA key
How to encrypt a decrypted RSA private key with 3DES?
$ openssl rsa -des3 -in decrypted.key -out encrypted.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
How to verify an RSA private key?
This command checks the consistency of the key and then writes the key itself to standard output in PEM encoding. You need to know the key's passphrase to run it if the private key is encrypted.
$ openssl rsa -check -in example.key
Enter pass phrase for example.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
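The same private-key round trip, scripted: an added example (not from the original post) that drives the commands above with -passout/-passin instead of the prompts and checks that the key pair survives the encrypt, decrypt, re-encrypt cycle unchanged. Passphrases and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: the private-key commands of
# this section run non-interactively. "-passout"/"-passin" with a "pass:"
# source stand in for the prompts shown above (fine for a demo; in real
# scripts prefer "file:" or "env:" so the passphrase stays out of the process
# list). Passphrases and file names are constructed for the demo.
set -eu

# Generate a 2048-bit RSA key encrypted with 3DES (as in the post; -aes256 is
# the stronger choice today), decrypt it, re-encrypt it under a new passphrase,
# run "rsa -check", and confirm that the modulus never changed, i.e. that it
# is still the same key pair. Prints "same" on success.
# Arguments: working directory, passphrase.
rsa_key_roundtrip() {
    dir=$1; pass=$2
    # 1. encrypted key: "genrsa -des3" minus the prompt
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/example.key" 2048 2>/dev/null
    # 2. strip the encryption; needs the passphrase
    openssl rsa -in "$dir/example.key" -passin "pass:$pass" \
        -out "$dir/decrypted.key" 2>/dev/null
    # 3. put 3DES encryption back on, under a new passphrase
    openssl rsa -des3 -in "$dir/decrypted.key" -passout "pass:$pass-new" \
        -out "$dir/encrypted.key" 2>/dev/null
    # 4. consistency check of the key material; the exit status is what
    #    matters, and -noout keeps the key itself off the terminal
    openssl rsa -check -noout -in "$dir/encrypted.key" \
        -passin "pass:$pass-new" >/dev/null 2>&1
    # 5. the modulus identifies the key pair, so it must match across copies
    m1=$(openssl rsa -noout -modulus -in "$dir/decrypted.key")
    m2=$(openssl rsa -noout -modulus -in "$dir/encrypted.key" -passin "pass:$pass-new")
    [ -n "$m1" ] && [ "$m1" = "$m2" ] && echo same
}

# "encrypted" or "plain": whether a PEM private key file is passphrase-protected
# (both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "ENCRYPTED PRIVATE KEY" block contain the word)
key_protection() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}
```

The decrypted copy is plaintext key material on disk; keep it only as long as the tool that needs it requires.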
The Certificate Signing Request operations.
How to create an RSA private key and a CSR?
The following command creates a new 2048-bit RSA private key without encryption (-nodes) and signs the CSR with SHA-256.
$ openssl req -newkey rsa:2048 -nodes -keyout example.key -sha256 -out example.csr
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
How to create a CSR from an existing RSA private key?
You are prompted for the same Distinguished Name fields as in the previous command; I left that part out of the listing below. The CSR is again signed with SHA-256.
$ openssl req -key example.key -new -sha256 -out example.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
How to create a CSR from an existing certificate and RSA private key?
If you already have a certificate and its private key and want to create a CSR from them, the following command is enough.
$ openssl x509 -in example.crt -signkey example.key -x509toreq -out example.csr
Getting request Private Key
Generating certificate request
How to verify a CSR?
$ openssl req -verify -text -noout -in example.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, L=City, O=Example Ltd., CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
The SSL/TLS certificate operations.
In most cases you will obtain a certificate from a Certificate Authority (CA). However, you can also self-sign one, for example for testing.
How to create a certificate from an existing RSA private key and CSR?
Adding -days 365 makes the certificate valid for 365 days counting from today.
$ openssl x509 -signkey example.key -in example.csr -req -days 365 -out example.crt
Signature ok
subject=/C=US/L=City/O=Example Ltd./CN=example.com
Getting Private key
How to create a certificate from an existing RSA private key without a CSR?
You are prompted for the same Distinguished Name fields as when creating a CSR.
$ openssl req -key example.key -new -sha256 -x509 -days 365 -out example.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
How to create a certificate without an existing private key or CSR?
This command creates a 2048-bit RSA private key without encryption and a self-signed certificate valid for 365 days.
$ openssl req -newkey rsa:2048 -nodes -keyout example.key -x509 -sha256 -days 365 -out example.crt
Generating a 2048 bit RSA private key
................+++
..........................................................................+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:
How to view X.509 certificate entries?
This command prints information about the certificate to standard output, including its validity dates, subject, extensions, and signature algorithm.
$ openssl x509 -text -noout -in example.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a4:48:e5:90:4a:3e:17:c1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, L=City, O=Example Ltd., CN=example.com
Validity
Not Before: Mar 21 21:15:04 2020 GMT
Not After : Mar 21 21:15:04 2021 GMT
Subject: C=US, L=City, O=Example Ltd., CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
32:C1:57:AD:3F:11:6D:1D:C8:8A:E8:F4:1D:9C:4B:3D:5B:DB:24:2F
X509v3 Authority Key Identifier:
keyid:32:C1:57:AD:3F:11:6D:1D:C8:8A:E8:F4:1D:9C:4B:3D:5B:DB:24:2F
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
How to view PKCS#12 certificate entries?
$ openssl pkcs12 -info -in example.pfx
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: A0 42 7B 57 A5 04 28 16 A1 82 3C 76 E1 E3 D4 2A 68 AD D6 58
subject=/C=US/L=City/O=Example Ltd./CN=example.com
issuer=/C=US/L=City/O=Example Ltd./CN=example.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: A0 42 7B 57 A5 04 28 16 A1 82 3C 76 E1 E3 D4 2A 68 AD D6 58
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
How to verify a certificate?
$ openssl verify -verbose example.crt
example.crt: C = US, L = City, O = Example Ltd., CN = example.com
error 18 at 0 depth lookup:self signed certificate
OK
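An added example, not the post's own code, that chains the CSR and certificate commands from the two sections above into one script: the Distinguished Name is passed with -subj, a throw-away CA (the constructed name "Example Test CA") signs the CSR instead of self-signing, and openssl verify is shown succeeding with the CA as trust anchor and failing without one, which is what the error line in the listing above is about. It also adds a subjectAltName through -extfile, since modern clients ignore the CN.

```shell
#!/bin/sh
# Added example, not code from the original post: the CSR and certificate
# commands chained into a script, with the Distinguished Name passed through
# "-subj" instead of the prompts. A throw-away CA ("Example Test CA", a
# constructed name) signs the CSR instead of self-signing, so "openssl verify"
# can be shown succeeding with a trust anchor and failing without one.
set -eu

# Create ca.crt, example.key, example.csr and example.crt under directory $1.
make_chain() {
    dir=$1
    # the CA: "req -x509" with a fresh key, like the post's self-signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=US/O=Example Ltd./CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # the server key and CSR ("req -newkey rsa:2048 -nodes")
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/L=City/O=Example Ltd./CN=example.com" \
        -keyout "$dir/example.key" -out "$dir/example.csr" 2>/dev/null
    # the CSR's self-signature must check out before anything is issued
    openssl req -verify -noout -in "$dir/example.csr" >/dev/null 2>&1
    # modern clients ignore the CN: the host name has to be a subjectAltName,
    # and "x509 -req" only adds extensions handed to it through -extfile
    printf 'subjectAltName=DNS:example.com\n' > "$dir/ext.cnf"
    # the CA signs the request: "x509 -req" with -CA/-CAkey instead of -signkey
    openssl x509 -req -in "$dir/example.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/ext.cnf" \
        -out "$dir/example.crt" 2>/dev/null
}

# CN of a certificate's subject or issuer: cert_cn subject|issuer FILE
cert_cn() {
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# "yes" if the certificate lists the DNS name as a subjectAltName, else "no"
has_san() {
    if openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; then echo yes; else echo no; fi
}

# "openssl verify" reduced to "OK" or to the lookup error text; extra arguments
# such as "-CAfile ca.crt" are passed through unchanged
verify_outcome() {
    openssl verify "$@" 2>&1 \
        | sed -n 's/^.*: OK$/OK/p; s/^error [0-9]* at [0-9]* depth lookup: *//p'
}
```

Without -CAfile the verification fails with "unable to get local issuer certificate", because the CA is not in the default trust store; the post's "self signed certificate" error is the same check failing for a certificate that is its own issuer.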
Conversions between certificate formats.
IIS and Tomcat use PKCS#12 bundles, while Apache and NGINX use PEM-encoded X.509 certificates and keys.
How to convert from DER to PEM?
$ openssl x509 -inform der -in example.cer -out example.pem
How to convert from PEM to DER?
$ openssl x509 -outform der -in example.crt -out example.cer
How to convert a PKCS#12 file containing a certificate and its private key to PEM-encoded X.509 format?
$ openssl pkcs12 -nodes -in example.pfx -out example.pem
Enter Import Password:
MAC verified OK
How to convert a PEM-encoded certificate and its private key to PKCS#12?
$ openssl pkcs12 -export -inkey example.key -in example.crt -out example.pfx
Enter Export Password:
Verifying - Enter Export Password:
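The four conversions above run end to end as an added example (not from the original post): a fresh self-signed certificate goes PEM to DER to PEM and PEM to PKCS#12 to PEM, and its SHA-256 fingerprint confirms the certificate is unchanged at every step. The export password and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: the conversion commands of
# this section with a fingerprint check after each round trip. The PKCS#12
# password goes through -passout/-passin so nothing prompts; password and
# file names are constructed for the demo.
set -eu

# SHA-256 fingerprint of the first certificate found in a PEM file
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Make example.key and example.crt in $1, run PEM -> DER -> PEM and
# PEM -> PKCS#12 -> PEM, and print "identical" if all three certificates match.
# Arguments: working directory, PKCS#12 export password.
convert_roundtrip() {
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=example.com" -keyout "$dir/example.key" \
        -out "$dir/example.crt" 2>/dev/null
    # PEM -> DER (binary, no BEGIN/END markers) -> PEM again
    openssl x509 -outform der -in "$dir/example.crt" -out "$dir/example.cer"
    openssl x509 -inform der -in "$dir/example.cer" -out "$dir/from_der.pem"
    # PEM key + certificate -> PKCS#12 bundle -> unencrypted PEM bundle
    openssl pkcs12 -export -inkey "$dir/example.key" -in "$dir/example.crt" \
        -passout "pass:$pw" -out "$dir/example.pfx"
    openssl pkcs12 -nodes -in "$dir/example.pfx" -passin "pass:$pw" \
        -out "$dir/from_pfx.pem" 2>/dev/null
    a=$(fingerprint "$dir/example.crt")
    b=$(fingerprint "$dir/from_der.pem")
    c=$(fingerprint "$dir/from_pfx.pem")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" = "$c" ] && echo identical
}

# "yes" if the PKCS#12 file's MAC verifies under the given password, else "no";
# the bundle holds the private key, so the password is the only thing
# protecting it once the file leaves the machine
pfx_opens_with() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -noout 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}
```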