Learn How to Use the Common OpenSSL Commands
The most common OpenSSL commands are essential tools for anyone working with the OpenSSL cryptographic toolkit. OpenSSL provides a range of commands that let you generate keys and certificates, convert certificate formats, calculate message digests, encrypt and decrypt data, and more.
This article gives an overview of some of the most commonly used OpenSSL commands, including req, x509, rsa, enc, s_client, and s_server. Whether you are a Linux administrator securing web servers or a developer implementing SSL/TLS connectivity in an application, a solid grasp of the most common OpenSSL commands is crucial. With its wide-ranging cryptographic capabilities, OpenSSL is at the heart of many vital security systems and protocols.
By learning the most common OpenSSL commands, you will gain the ability to fully utilize this powerful open-source toolkit for your encryption, certification, and SSL/TLS needs.
OpenSSL Quick Reference Guide
- Key and Certificate Management OpenSSL Commands
- Convert Certificate Formats with OpenSSL Commands
- OpenSSL Commands for Certificate Info
- OpenSSL Commands for Message Digests
- OpenSSL Commands for Encryption and Decryption
Key and Certificate Management OpenSSL Commands
Generate Private Key
The openssl genrsa command is used to generate an RSA private key.
openssl genrsa -out private.key 2048
This generates a 2048-bit RSA private key and saves it to the private.key file. The key size can be adjusted as needed; larger keys are more secure but slower to generate and use. 2048 bits is a reasonable minimum size for many applications.
Generate Public Key from Private Key
Once you have a private key, the openssl rsa command can be used to generate the corresponding public key.
openssl rsa -in private.key -pubout -out public.key
This reads the private key from private.key and outputs the public key to public.key.
Generate CSR
A certificate signing request (CSR) is required when applying for a digital certificate from a certificate authority (CA). The openssl req command generates a CSR.
openssl req -new -key private.key -out csr.pem
This creates a new CSR using the private key private.key and outputs the CSR to csr.pem. You will be prompted to enter details about your organization and domain.
Generate Self-Signed Certificate
Self-signed certificates can be used for testing or internal systems. They are not trusted by browsers by default since they are not signed by a trusted CA. To generate a self-signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
This creates a new 2048-bit RSA private key, does not encrypt (-nodes) the private key, generates a self-signed certificate valid for 365 days, and outputs the key and certificate to key.pem and certificate.pem respectively.
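The four steps above run end to end as one script, followed by a check that the certificate really carries the public key derived from the private key and that the CSR's self-signature verifies. This is an added example, not code from the original article: it assumes OpenSSL 1.1.1 or newer (for -addext) on PATH, and the directory name, subject and hostname example.test are constructed for the demo. -subj replaces the interactive prompts, and a subjectAltName is added because browsers match the hostname against that extension rather than the CN.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSL >= 1.1.1;
# the directory name, subject and hostname are constructed for the demo.
set -eu

# Runs the key -> public key -> CSR -> self-signed certificate sequence in $1.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. 2048-bit RSA private key, as in the article
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  # 2. Public key derived from the private key
  openssl rsa -in "$dir/private.key" -pubout -out "$dir/public.key" 2>/dev/null
  # 3. CSR, non-interactive: -subj replaces the prompts
  openssl req -new -key "$dir/private.key" -out "$dir/csr.pem" \
    -subj "/C=US/O=Example Corp/CN=example.test"
  # 4. Self-signed certificate from the same key, valid 365 days.
  #    Browsers match the hostname against subjectAltName, not the CN.
  openssl req -new -x509 -key "$dir/private.key" -out "$dir/certificate.pem" \
    -days 365 -subj "/C=US/O=Example Corp/CN=example.test" \
    -addext "subjectAltName=DNS:example.test"
}

# Returns 0 when the public key inside the certificate is the one derived
# from the private key (a mismatched pair is a common deployment error).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1/certificate.pem" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$1/private.key" -pubout -outform DER \
    | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the CSR's self-signature verifies under its embedded key.
csr_verifies() {
  openssl req -in "$1/csr.pem" -noout -verify >/dev/null 2>&1
}

# Usage: make_test_pki ./pki && cert_matches_key ./pki && csr_verifies ./pki \
#        && echo "key, CSR and certificate are consistent"
```

The key/certificate comparison hashes the DER SubjectPublicKeyInfo from both sides, which works for any key type, not just RSA, so the same check can be used on a certificate that arrived from a CA before it is installed.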
Convert Certificate Formats with OpenSSL Commands
OpenSSL can convert certificate formats between PEM, DER, and P7B.
To Convert a PEM file (.pem extension) to DER (.der)
openssl x509 -in certificate.pem -out certificate.der -outform DER
To Convert DER to PEM
openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
To Convert PEM to P7B (.p7b)
openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b
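A conversion must not change the certificate itself, and the SHA-256 fingerprint is computed over the DER encoding whatever the container, so comparing fingerprints before and after is the natural check. The following is an added example, not code from the original article: it wraps the three conversions above in shell functions, adds the reverse P7B to PEM step (openssl pkcs7 -print_certs), and returns success only when every copy has the same fingerprint. It assumes an openssl binary on PATH; file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes an openssl binary
# on PATH; file names are constructed for the demo.
set -eu

# Prints only the SHA-256 fingerprint hex of a certificate; $2 is the input
# encoding (PEM by default, or DER).
fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 \
    | sed 's/^.*=//'
}

pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }
# P7B (PKCS#7) bundle with no CRL; repeat -certfile to include a chain.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
# Extracts the certificates from a P7B back to PEM (subject/issuer lines
# precede each block; x509 skips them when reading).
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# Converts $2 (PEM) through every format into directory $1 and returns 0 only
# when all copies carry the same fingerprint, i.e. no conversion altered it.
roundtrip_ok() {
  dir="$1"; pem="$2"
  pem_to_der "$pem" "$dir/cert.der"
  der_to_pem "$dir/cert.der" "$dir/cert.from_der.pem"
  pem_to_p7b "$pem" "$dir/cert.p7b"
  p7b_to_pem "$dir/cert.p7b" "$dir/cert.from_p7b.pem"
  want=$(fingerprint "$pem")
  [ "$want" = "$(fingerprint "$dir/cert.der" DER)" ] &&
  [ "$want" = "$(fingerprint "$dir/cert.from_der.pem")" ] &&
  [ "$want" = "$(fingerprint "$dir/cert.from_p7b.pem")" ]
}

# Usage: roundtrip_ok ./out certificate.pem && echo "all formats match"
```

Note that DER is binary and PEM is base64 text with BEGIN/END markers; a file whose extension says .der but which contains the text markers will fail to load with -inform DER, which is the most common cause of "unable to load certificate" errors.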
OpenSSL Commands for Certificate Info
To view a certificate in a human-readable format:
openssl x509 -in certificate.pem -noout -text
This prints details including validity dates, issuer, subject, public key details, signature algorithm, and more.
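The full -text dump is long; in practice you usually want a few specific fields, the subjectAltName entries, and a yes/no answer to "will this expire soon". The following is an added example, not code from the original article: it uses the x509 field selectors (-subject, -issuer, -dates, -serial, -fingerprint), -ext for the SAN extension, and -checkend for an expiry check that can be dropped into a monitoring job. It assumes OpenSSL 1.1.1 or newer (for -ext); file names and the 30-day threshold are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSL >= 1.1.1
# (for -ext); file names and threshold values are constructed.
set -eu

# The fields a reviewer usually needs, without paging through -text output.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -serial -fingerprint -sha256
}

# Prints the subjectAltName entries (the names a browser actually matches),
# comma-separated with no whitespace, e.g. "DNS:a.test,DNS:www.a.test".
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p' | tr -d ' '
}

# Returns 0 when the certificate is still valid $2 seconds from now
# (default 30 days), 1 if it will have expired by then.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Usage: cert_summary certificate.pem
#        cert_valid_for certificate.pem || echo "renew within 30 days"
```

-checkend exits non-zero when the notAfter date falls inside the window, so the exit status alone drives the alert; no date parsing is needed.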
OpenSSL Commands for Message Digests
OpenSSL can be used to generate digests or hashes of messages. These are often used to verify the integrity of files.
To Generate an MD5 Digest
openssl dgst -md5 filename
For SHA1
openssl dgst -sha1 filename
Other algorithms like SHA256 and SHA512 are also available.
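MD5 and SHA-1 are no longer collision-resistant, so for new integrity checks prefer SHA-256 or SHA-512; a plain hash also only detects accidental corruption, since anyone who can alter the file can recompute it, whereas a keyed digest (HMAC) cannot be recomputed without the key. The following is an added example, not code from the original article: it strips the label openssl dgst prints, builds and verifies a digest manifest, and computes an HMAC with the -hmac option. It assumes an openssl binary on PATH; the manifest format and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes an openssl binary
# on PATH; the manifest format and file names are constructed for the demo.
set -eu

# Prints only the hex digest of $1 using algorithm $2 (sha256 by default),
# stripping the "SHA256(file)= " label that openssl dgst prefixes.
digest_of() {
  openssl dgst "-${2:-sha256}" "$1" | sed 's/^.*= //'
}

# Writes one "algo hex path" line per file into manifest $1.
make_manifest() {
  manifest="$1"; shift
  : > "$manifest"
  for f in "$@"; do
    printf 'sha256 %s %s\n' "$(digest_of "$f" sha256)" "$f" >> "$manifest"
  done
}

# Re-hashes every file listed in $1; returns 1 and names each mismatch.
verify_manifest() {
  status=0
  while read -r algo hex path; do
    actual=$(digest_of "$path" "$algo")
    if [ "$actual" != "$hex" ]; then
      echo "MISMATCH: $path"
      status=1
    fi
  done < "$1"
  return "$status"
}

# Keyed digest (HMAC-SHA256) of file $1 under key $2: unlike a plain hash,
# someone who can modify the file cannot recompute it without the key.
hmac_of() {
  openssl dgst -sha256 -hmac "$2" "$1" | sed 's/^.*= //'
}

# Usage: make_manifest SHA256SUMS file1 file2 && verify_manifest SHA256SUMS
```

The manifest verifier is the same idea as sha256sum -c, expressed with openssl dgst so it works wherever OpenSSL is installed; storing the algorithm name per line lets older md5/sha1 manifests still be checked while new ones are written with SHA-256.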
OpenSSL Commands for Encryption and Decryption
OpenSSL can encrypt and decrypt files using symmetric encryption algorithms like AES and DES.
To Encrypt a File
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc
This encrypts file.txt with 256-bit AES in CBC mode, using a key derived from the password you are prompted for together with a random salt, and writes the result to file.txt.enc.
To Decrypt a File
openssl enc -d -aes-256-cbc -in file.txt.enc -out file.txt
The decryption cipher matches the encryption cipher and uses the same password.
OpenSSL also supports public key encryption, in which data encrypted with a public key can only be decrypted with the corresponding private key.
To Encrypt a File Using a Public Key
openssl rsautl -encrypt -pubin -inkey public.key -in file.txt -out file.txt.enc
To Decrypt a File Using the Private Key
openssl rsautl -decrypt -inkey private.key -in file.txt.enc -out file.txt
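Two practical points the commands above leave implicit: openssl enc without -pbkdf2 uses a weak legacy key derivation (newer versions print a warning), and RSA can only encrypt a message shorter than the modulus, so files are normally encrypted with a random symmetric key and only that key is RSA-encrypted (hybrid encryption). The following is an added example, not code from the original article: it shows the password-based case with -pbkdf2 and the passphrase passed via the environment, and a hybrid scheme using pkeyutl, the non-deprecated successor of rsautl, with OAEP padding. It assumes OpenSSL 1.1.0 or newer; passphrases, key and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSL >= 1.1.0
# (for -pbkdf2 and pkeyutl OAEP); passphrases and file names are constructed.
set -eu

# Password-based AES-256-CBC. -pbkdf2 replaces the weak legacy key
# derivation, and the passphrase is passed through the environment rather
# than as a command-line argument visible in the process list.
encrypt_file() {
  FILE_PASSPHRASE="$3" openssl enc -aes-256-cbc -salt -pbkdf2 \
    -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}
decrypt_file() {
  FILE_PASSPHRASE="$3" openssl enc -d -aes-256-cbc -pbkdf2 \
    -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}

# Hybrid encryption: RSA can only encrypt a message shorter than the modulus
# (a few hundred bytes for 2048-bit keys), so file $1 is encrypted with a
# random AES key and only that key is wrapped with public key $2. Writes
# payload.enc and session.key.enc into directory $3. pkeyutl replaces the
# deprecated rsautl; OAEP padding is chosen over the PKCS#1 v1.5 default.
hybrid_encrypt() {
  openssl rand -hex 32 > "$3/session.key"
  openssl enc -aes-256-cbc -salt -pbkdf2 -in "$1" -out "$3/payload.enc" \
    -pass "file:$3/session.key"
  openssl pkeyutl -encrypt -pubin -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$3/session.key" -out "$3/session.key.enc"
  rm "$3/session.key"   # only the wrapped copy leaves this function
}

# Reverse: unwrap the session key with private key $1, then decrypt the
# payload found in directory $2 into file $3.
hybrid_decrypt() {
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$2/session.key.enc" -out "$2/session.key"
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$2/payload.enc" -out "$3" \
    -pass "file:$2/session.key"
  rm "$2/session.key"
}

# Usage: hybrid_encrypt secret.txt public.key ./out
#        hybrid_decrypt private.key ./out secret.decrypted
```

CBC mode provides confidentiality but no integrity: a wrong passphrase or a tampered ciphertext is only reported when the resulting padding happens to be invalid, so pair the ciphertext with a digest or HMAC (see the message digest section) if you need to detect modification.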
Secure Communication with OpenSSL
OpenSSL is commonly used to secure communications between web servers and clients. Some of the relevant OpenSSL capabilities include:
- TLS/SSL Enabled Servers: OpenSSL can enable TLS/SSL on web servers like Apache and Nginx to allow encrypted HTTPS connections.
- Mutual Authentication: Server and client certificates can be used for mutual authentication between both parties.
- Perfect Forward Secrecy: OpenSSL supports ephemeral Diffie-Hellman (DHE and ECDHE) key exchange, which provides Perfect Forward Secrecy so that recorded sessions stay confidential even if the server's long-term private key is later compromised.
- OCSP Stapling: For certificate validity checking, OpenSSL supports OCSP Stapling which improves efficiency.
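The s_server and s_client commands mentioned in the introduction let you exercise these capabilities on a single machine: s_server serves a test certificate and s_client reports how the connection was negotiated and whether the certificate verified. The following is an added example, not code from the original article: it starts a loopback TLS server with a self-signed certificate, waits for it, and reads the "Verify return code" line from s_client, once trusting the certificate (with hostname verification) and once trusting nothing, which is what a browser sees when a self-signed certificate is deployed. It assumes OpenSSL 1.1.1 or newer and that the constructed local port 4433 is free.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSL >= 1.1.1
# and that local port $PORT (constructed default 4433) is free.
set -eu

PORT="${PORT:-4433}"

# Self-signed server certificate for the loopback address, written to $1.
make_server_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/server.key" -out "$1/server.crt" \
    -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null
}

# Starts a test TLS server in the background and prints its PID.
# -www makes it answer any request with a status page over HTTPS.
start_server() {
  openssl s_server -accept "$PORT" -cert "$1/server.crt" -key "$1/server.key" \
    -www >/dev/null 2>&1 &
  echo $!
}

# Polls until the server accepts a TLS connection (up to ~10 s).
wait_for_server() {
  n=0
  while [ "$n" -lt 10 ]; do
    if openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; then
      return 0
    fi
    n=$((n + 1)); sleep 1
  done
  return 1
}

# Prints the client's certificate verification result, e.g. "0 (ok)".
# $1 is a CA file to trust (hostname checked against "localhost"); pass an
# empty string to trust nothing, i.e. the view of a client that has not
# installed the self-signed certificate.
verify_result() {
  if [ -n "$1" ]; then
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$1" \
      -verify_hostname localhost </dev/null 2>/dev/null)
  else
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -no-CAfile -no-CApath \
      </dev/null 2>/dev/null)
  fi
  printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1
}

# Usage: d=./tls; make_server_cert "$d"; pid=$(start_server "$d"); wait_for_server
#        verify_result "$d/server.crt"; verify_result ""; kill "$pid"
```

The untrusted case returns code 18 (self-signed certificate), which is exactly the error the article's self-signed section warns about; for mutual authentication, add -Verify with a client CA file on the s_server side and -cert/-key on the s_client side, and the same "Verify return code" line then reports the client-side view.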
Final Thoughts
OpenSSL is an open-source cryptographic toolkit that implements critical protocols and algorithms to secure communications and transactions. Learning core OpenSSL commands allows developers and administrators to fully leverage its encryption, certificates, hashes, and SSL/TLS capabilities. This protects sensitive data as it moves across networks. With robust cryptography and an active open-source community, OpenSSL powers internet security.
Mastering frequently used OpenSSL commands for certificates, keys, encryption, and digests enables users to deploy solutions that take advantage of industry-standard security protocols and functions. OpenSSL is a must-know tool for anyone working on secure systems and applications.
FAQs on OpenSSL Commands
Here are some frequently asked questions about OpenSSL:
Is OpenSSL free to use?
Yes, OpenSSL is open source software that is free to use under the terms of the Apache License 2.0.
What languages is OpenSSL written in?
OpenSSL is written mainly in the C programming language and is built with the platform's C compiler.
Where are OpenSSL keys and certificates stored on Linux?
Keys are stored under /etc/ssl/private. Certificates are under /etc/ssl/certs. CSRs also go under /etc/ssl/csr.
What is the relationship between OpenSSL and LibreSSL?
LibreSSL is a fork of OpenSSL created in 2014 with the goal of modernizing the codebase. It is maintained by OpenBSD. OpenSSL remains the dominant implementation.