How to Manage Public Key Infrastructure with OpenSSL

OpenSSL is an open source cryptographic toolkit focused on Secure Sockets Layer/Transport Layer Security (SSL/TLS). Widely deployed on GNU/Linux systems, it plays a key part in our daily experience on the Internet. Today I will point out some commands to help you manage an X.509 Public Key Infrastructure (PKI) and also use this toolkit to encrypt and decrypt files and other data.


This document is mostly based on examples; refer to them as needed. In some cases you will see more than one way to perform an operation, and in others there are passwords that you should change before using the commands in your environment.

OpenSSL Key Management

Most of the operations are based on keys and here are some commands to deal with private and public keys.


RSA is one of the most widely deployed public-key cryptography algorithms, and here are some basic operations.

Generate a 2048-bit RSA private key, protected with Triple DES using the passphrase nonsense123.

openssl genrsa -passout pass:nonsense123 -des3 -out rsa-2048-priv-key.pem 2048

You can write the corresponding public key to a file as you wish.

openssl rsa -in rsa-2048-priv-key.pem -pubout -out rsa-2048-public-key.pem

You can remove the passphrase from a protected key and write the key to a new file.

openssl rsa -in priv-key.pem -out priv-key-no-pass.pem

The following command lets you verify your key.

openssl rsa -check -in server-key.pem


The Digital Signature Algorithm is an alternative to RSA.

Generate DSA parameters.

openssl dsaparam -out dsa.param 2048

Generate DSA key using the existing parameters.

openssl gendsa -des3 -out ca.key dsa.param

X.509 Certificates

Now we are going to show some commands to manage certificates, signing requests and revocation lists.

Generating certificate

Generating certificate signing request using an existing private key.

openssl req -new -key server-key.pem -out server-csr.csr

Creating a new certificate signing request and a new RSA private key 2048 bits long.

openssl req -out service-csr.pem -new -newkey rsa:2048 -nodes -keyout service-key.pem

Verify the certificate signing request.

openssl req -in server-csr.pem -noout -verify -key server-key.pem

Signing a certificate request with its own key (-signkey produces a self-signed certificate).

openssl x509 -req -days 3650 -signkey ca.key -in ca.csr -out ca.crt

Generating a self-signed certificate with key in batch mode.

openssl req -subj "/C=BR/L=Rio de Janeiro/O=My Company/" -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
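
Before deploying the files produced by the commands above, it is worth confirming that the private key, the CSR and the certificate all carry the same public key. The script below is an added example, not part of the original article; the function names and the a.key, a.csr, a.crt and b.key files are constructed for the demo, and it expects an unencrypted private key.

```shell
#!/bin/sh
# Added example, not from the original article. File names are constructed.

# pubkey_fp <key|csr|crt> <file>
# Print the SHA-256 of the DER-encoded public key held in the object.
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    # An unreadable or malformed input must fail, not hash as empty data.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair <key> <csr> <crt>
# Succeed only if all three objects share one public key.
same_keypair() {
    k=$(pubkey_fp key "$1") || return 1
    r=$(pubkey_fp csr "$2") || return 1
    c=$(pubkey_fp crt "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# make_demo_pki <dir>
# Build a matching key/CSR/certificate set plus an unrelated key (b.key).
make_demo_pki() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=BR/L=Rio de Janeiro/O=My Company/CN=demo.example" \
        -keyout "$1/a.key" -out "$1/a.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -signkey "$1/a.key" \
        -in "$1/a.csr" -out "$1/a.crt" 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}
```

Run make_demo_pki on an empty directory, then same_keypair on the three files; swapping in b.key makes the check fail.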

Dump certificate dates and info.

openssl x509 -noout -in apache.crt -text -purpose -dates -hash -ocspid
OpenSSL Certificate text info

Revoke a certificate.

openssl ca -revoke mycert.pem

Generating a CRL.

openssl ca -gencrl -config openssl.cnf -crldays 7 -crlexts crl_ext -out $crl_dir/file.crl

Parse the ASN.1 structure of an object and print it to standard output.

openssl asn1parse -in ca.crt
ASN1 Parse certificate

Converting Encoding formats

There will be times when you need to convert a certificate from one encoding to another. You may face this, for instance, if you work in a mixed environment with Unices, Windows and Java.

Converting DER, PEM and NET
Base64 encoded PEM on top, followed by the two binaries: the obsolete NET in the center and DER below it.

Convert a PEM encoded certificate to DER.

openssl x509 -inform PEM -outform DER -in ca.crt -out ca.der

The opposite also works, converting DER to PEM.

openssl x509 -inform DER -outform PEM -in ca.der -out ca.pem

Testing with s_client and s_server subcommands

You can test keys, certificates and services with the s_client and s_server subcommands.

Test your certificate and key starting s_server.

openssl s_server -key ca.key -cert ca.crt

Connecting to the test server using s_client.

openssl s_client -host localhost -port 4433 -CApath /etc/ssl/certs/

Another s_client connection, presenting a certificate and key, showing the server certificates, and running in debug mode.

openssl s_client -connect localhost:4433 -key ca.key -cert ca.crt -debug -showcerts

Start a TLS-secured connection to a mail server using STARTTLS (mail.example.com:25 is a placeholder for your own server and port).

openssl s_client -connect mail.example.com:25 -starttls smtp -showcerts

File and Streams Encryption with OpenSSL

You can also use OpenSSL to encrypt data on your computer directly.

Encrypting files

Encrypt a file using AES-256-CBC, with SHA1 as the message digest used to derive the key from the passphrase.

openssl enc -aes-256-cbc -md sha1 -e -in arquivo -out arquivo.crypt

Decrypting the AES-256-CBC file should be as follows.

openssl enc -aes-256-cbc -md sha1 -d -in arquivo.crypt -out arquivo

Encrypting a file with Triple DES.

openssl enc -des3 -e -in arquivo -out arquivo.crypt

Decrypt the Triple DES encrypted file.

openssl enc -des3 -d -in arquivo.crypt -out arquivo.decrypted
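
The enc commands above give confidentiality only: without -pbkdf2 the key is derived from the passphrase with a single digest pass, and CBC output carries no integrity check. The script below is an added example, not part of the original article, that goes a step further: it derives the key with -pbkdf2 (OpenSSL 1.1.1 or later), signs the ciphertext with an RSA key, and verifies before decrypting. The function names, file names and iteration count are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. File names are constructed.
ITER=200000   # PBKDF2 iteration count (an assumption; tune for your hardware)

# seal <plain> <out> <passfile> <signing-key.pem>: encrypt, then sign ciphertext.
seal() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass "file:$3" -in "$1" -out "$2" &&
    openssl dgst -sha256 -sign "$4" -out "$2.sig" "$2"
}

# unseal <cipher> <out> <passfile> <public-key.pem>: verify first, then decrypt.
unseal() {
    openssl dgst -sha256 -verify "$4" -signature "$1.sig" "$1" \
        >/dev/null 2>&1 || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2"
}

# flip_byte <file> <offset>: alter one byte in place (simulated corruption).
flip_byte() {
    v=$(od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' ')
    printf '%b' "\\0$(printf '%03o' $(( (v + 1) % 256 )))" |
        dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# demo: returns 0 when an intact file round-trips and a modified one is refused.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/sign.key" 2048 2>/dev/null
    openssl rsa -in "$d/sign.key" -pubout -out "$d/sign.pub" 2>/dev/null
    printf 'constructed-demo-passphrase\n' > "$d/pass"
    printf 'constructed sample line %s\n' 1 2 3 4 5 6 7 8 > "$d/plain"
    seal "$d/plain" "$d/c" "$d/pass" "$d/sign.key" || return 1
    unseal "$d/c" "$d/out" "$d/pass" "$d/sign.pub" || return 1
    cmp -s "$d/plain" "$d/out" || return 1
    flip_byte "$d/c" 16            # first ciphertext byte after the salt header
    # Bare CBC decryption still exits 0 here and returns damaged plaintext...
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -pass "file:$d/pass" \
        -in "$d/c" -out "$d/bad" 2>/dev/null || return 1
    cmp -s "$d/plain" "$d/bad" && return 1
    # ...while the verify-then-decrypt path refuses the file.
    unseal "$d/c" "$d/out2" "$d/pass" "$d/sign.pub" && return 1
    rm -rf "$d"
    return 0
}
```

Reading the passphrase with -pass file: keeps it out of the process list, unlike a pass: argument on the command line.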

Encrypting streams

Along with files, you can also encrypt streams such as network sockets, pipes and other *nix I/O. In the following example we use OpenSSL to safely send the passwd file through an insecure network link.


First we set up a Netcat server that will be waiting for a connection. You can download Netcat here.

nc -l -p 99 | xz -d | openssl enc -aes-256-cbc -d > /client/bkp/etc/passwd


You can now use Netcat as a client to connect and send your file.

cat /etc/passwd | openssl enc -e -aes-256-cbc | xz -z | nc servidor 99


These are some of the most commonly used commands; you can use them to manage your keys, certificates and sensitive data. For more information, please take a look at the official documentation, where you will find details of these and other commands and everything else to fit your needs.

Thanks for reading!
