OpenSSL is an open source cryptographic toolkit focused on Secure Sockets Layer/Transport Layer Security (SSL/TLS). It is widely deployed on GNU/Linux systems and plays a key part in our daily experience on the Internet. Today I will point out some commands that help you manage an X.509 Public Key Infrastructure (PKI) and encrypt/decrypt files and other data with this toolkit.
This document is mostly based on examples that you can refer to as needed. In some cases you will see more than one way to perform an operation; in others there will be passwords that you should change before using the commands in your environment.
OpenSSL Key Management
Most of the operations are based on keys and here are some commands to deal with private and public keys.
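RSA is one of the most widely deployed public-key cryptography algorithms, and here are some basic operations.
Generating a 2048-bit RSA private key, encrypted with Triple DES and protected by the passphrase nonsense123. A passphrase passed as pass:... on the command line ends up in shell history and is visible in the process list while the command runs.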
openssl genrsa -passout pass:nonsense123 -des3 -out rsa-2048-priv-key.pem 2048
You can write the corresponding public key to a file as you wish.
openssl rsa -in rsa-2048-priv-key.pem -pubout -out rsa-2048-public-key.pem
You can remove the password from a protected key and write the unprotected key to a new file.
openssl rsa -in priv-key.pem -out priv-key-no-pass.pem
The following command lets you verify your key.
openssl rsa -check -in server-key.pem
The Digital Signature Algorithm is an alternative to RSA.
Generate DSA parameters.
openssl dsaparam -out dsa.param 2048
Generate DSA key using the existing parameters.
openssl gendsa -des3 -out ca.key dsa.param
Now we are going to show some commands to manage certificates, signing requests and revocation lists.
Generating certificate signing request using an existing private key.
openssl req -new -key server-key.pem -out server-csr.csr
Creating a new certificate signing request and a new RSA private key 2048 bits long.
openssl req -out service-csr.pem -new -newkey rsa:2048 -nodes -keyout service-key.pem
Verify the certificate signing request.
openssl req -in server-csr.csr -noout -verify -key server-key.pem
Signing a certificate request with its own private key (-signkey), which produces a self-signed certificate.
openssl x509 -req -days 3650 -signkey ca.key -in ca.csr -out ca.crt
Generating a self-signed certificate with key in batch mode.
openssl req -subj "/C=BR/L=Rio de Janeiro/O=My Company/CN=www.mycomp.com" -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
Dump certificate dates and info.
openssl x509 -noout -in apache.crt -text -purpose -dates -hash -ocspid
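A check the commands above leave out is confirming that a private key, a CSR and a certificate all carry the same public key before they are deployed. The following is an added example, not part of the original article; the function names, file names and the CN=demo.example subject are assumptions, and the keys are unencrypted throwaways generated on the spot.

```shell
#!/bin/sh
# Added example, not from the original article. File names and the
# CN=demo.example subject are constructed; keys are unencrypted throwaways.

# pubkey_fp <key|csr|cert> <file>: print SHA-256 of the DER public key.
pubkey_fp() {
    der=$(mktemp) || return 1
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER -out "$der" ;;
        csr)  openssl req  -in "$2" -noout -pubkey |
                  openssl pkey -pubin -outform DER -out "$der" ;;
        cert) openssl x509 -in "$2" -noout -pubkey |
                  openssl pkey -pubin -outform DER -out "$der" ;;
    esac 2>/dev/null || :
    rc=1            # an unreadable file must not hash as "empty input"
    if [ -s "$der" ]; then
        openssl dgst -sha256 <"$der" | awk '{print $NF}'
        rc=0
    fi
    rm -f "$der"
    return $rc
}

# same_keypair <key> <csr> <cert>: succeed only if all three share one key.
same_keypair() {
    k=$(pubkey_fp key "$1")  || return 1
    r=$(pubkey_fp csr "$2")  || return 1
    c=$(pubkey_fp cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# make_demo_pki <dir>: throwaway key, CSR, self-signed cert, unrelated key.
make_demo_pki() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$1/server-key.pem" -out "$1/server-csr.pem" 2>/dev/null &&
    openssl x509 -req -days 1 -signkey "$1/server-key.pem" \
        -in "$1/server-csr.pem" -out "$1/server.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other-key.pem" 2048 2>/dev/null
}

dir=$(mktemp -d) && make_demo_pki "$dir"
same_keypair "$dir/server-key.pem" "$dir/server-csr.pem" "$dir/server.crt" &&
    echo "key, CSR and certificate match"
same_keypair "$dir/other-key.pem" "$dir/server-csr.pem" "$dir/server.crt" ||
    echo "other-key.pem does not belong to this certificate"
```

A passphrase-protected key makes the key branch prompt for the passphrase, so run the check interactively in that case.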
Revoke a certificate.
openssl ca -revoke mycert.pem
Generating a CRL.
openssl ca -gencrl -config openssl.cnf -crldays 7 -crlexts crl_ext -out $crl_dir/file.crl
Parsing objects with ASN1 to standard output.
openssl asn1parse -in ca.crt
Converting Encoding formats
There will be times when you need to convert a certificate from one encoding to another, for instance if you work in a mixed environment with Unices, Windows and Java.
Convert a PEM encoded certificate to DER.
openssl x509 -inform PEM -outform DER -in ca.crt -out ca.der
The opposite, converting DER to PEM, works the same way.
openssl x509 -inform DER -outform PEM -in ca.der -out ca.pem
Testing with s_client and s_server subcommands
You can test keys, certificates and services with the s_client and s_server subcommands.
Test your certificate and key by starting s_server.
openssl s_server -key ca.key -cert ca.crt
Connecting to the test server using s_client.
openssl s_client -host localhost -port 4433 -CApath /etc/ssl/certs/
Another s_client connection, this time presenting a certificate and key, showing the server certificates, and running in debug mode.
openssl s_client -connect localhost:4433 -key ca.key -cert ca.crt -debug -showcerts
Start a TLS-secured connection to a mail server using STARTTLS.
openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts
File and Streams Encryption with OpenSSL
You can also use OpenSSL to encrypt data on your computer directly.
Encrypt a file using AES-256-CBC, with SHA1 as the message digest used to derive the key from the passphrase.
openssl enc -aes-256-cbc -md sha1 -e -in arquivo -out arquivo.crypt
Decrypting the AES-256-CBC file goes as follows.
openssl enc -aes-256-cbc -md sha1 -d -in arquivo.crypt -out arquivo
Encrypting a file with Triple DES.
openssl enc -des3 -e -in arquivo -out arquivo.crypt
Decrypt the Triple DES encrypted file.
openssl enc -des3 -d -in arquivo.crypt -out arquivo.decrypted
Along with files, you can also encrypt streams such as network sockets, pipes and other *nix I/O. In the following example we use OpenSSL to safely send the passwd file through an insecure network link.
First we set up a Netcat server that will be waiting for a connection. You can download Netcat here.
nc -l -p 99 | xz -d | openssl enc -aes-256-cbc -d > /client/bkp/etc/passwd
You can now use netcat as a client to connect and send your file.
cat /etc/passwd | openssl enc -e -aes-256-cbc | xz -z | nc servidor 99
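The file and stream encryption commands above, reworked as an added example (not from the original article) that derives the key with PBKDF2, reads the passphrase from an environment variable and verifies the round trip by comparing against the original. ENC_PASS, its values, the function names and the sample data are assumptions; -pbkdf2 and -iter need OpenSSL 1.1.1 or later, and the netcat hop is replaced by a local pipe.

```shell
#!/bin/sh
# Added example, not from the original article. ENC_PASS, its values and
# the temporary file names are constructed for this demo.

# Derive the AES key with PBKDF2-HMAC-SHA256 instead of the one-iteration
# digest derivation used when -pbkdf2 is absent. The passphrase comes from
# the ENC_PASS environment variable, so it is not typed on the command line.
KDF="-pbkdf2 -iter 200000 -md sha256"

enc_file() {    # enc_file <plain> <cipher>
    openssl enc -aes-256-cbc $KDF -pass env:ENC_PASS -e -in "$1" -out "$2"
}

dec_file() {    # dec_file <cipher> <plain>
    openssl enc -aes-256-cbc $KDF -pass env:ENC_PASS -d -in "$1" -out "$2" \
        2>/dev/null
}

# roundtrip_ok <plain> <cipher>: decrypt and compare against the original.
# CBC carries no integrity tag, so a zero exit status alone proves little.
roundtrip_ok() {
    out=$(mktemp) || return 1
    if dec_file "$2" "$out" && cmp -s "$1" "$out"; then rc=0; else rc=1; fi
    rm -f "$out"
    return $rc
}

# stream_ok <plain>: the same settings on stdin/stdout, as in the netcat
# example, with the network hop replaced by a local pipe.
stream_ok() {
    out=$(mktemp) || return 1
    if openssl enc -aes-256-cbc $KDF -pass env:ENC_PASS -e <"$1" |
       openssl enc -aes-256-cbc $KDF -pass env:ENC_PASS -d >"$out" 2>/dev/null &&
       cmp -s "$1" "$out"; then rc=0; else rc=1; fi
    rm -f "$out"
    return $rc
}

ENC_PASS='demo passphrase, constructed'; export ENC_PASS
work=$(mktemp -d)
printf 'root:x:0:0:constructed sample line\n' >"$work/arquivo"
enc_file "$work/arquivo" "$work/arquivo.crypt"
roundtrip_ok "$work/arquivo" "$work/arquivo.crypt" && echo "file round trip ok"
stream_ok "$work/arquivo" && echo "stream round trip ok"
ENC_PASS='wrong passphrase'
roundtrip_ok "$work/arquivo" "$work/arquivo.crypt" || echo "wrong passphrase rejected"
```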
These are some of the most commonly used commands; you can use them to manage your keys, certificates and sensitive data. For more information, please take a look at the official documentation, where you will find details of these and other commands and everything else to fit your needs.
Thanks for reading!