Reference Of Most Commonly Used OpenSSL Commands

From evermeet.cx Wiki
Jump to navigation Jump to search

Creating Certificates

Private key

openssl genrsa -out private.key 4096

Generates a private 4096 bit RSA key.

Certificate Signing Request (CSR) for an existing private key

openssl req -new -key private.key -days 1825 -sha256 -out file.csr

Generates a signing request with an sha256 signature. It also indicates to the signing authority that the issued certificate should be valid for 5 years.

Checking & Verifying

Certificate

openssl x509 -text -noout -in file.crt

Certificate Signing Request (CSR)

openssl req -verify -text -noout -in file.csr

Private Key

openssl rsa -check -text -noout -in file.key

Certificate Revocation List (CRL)

openssl crl -text -noout -in file.pem

Hashing

OpenSSL can be used to generate a hash from standard input or create a hash for a file.

Standard Input (stdin)

echo -n "text to hash" | openssl ALGORITHM


The -n option makes sure that no trailing newline character is added to the text.

File

openssl ALGORITHM FILE

Hash Algorithms

Possible values for ALGORITHM
md4
md5
mdc2
ripemd160
sha
sha1
ssh224
sha256
sha384
sha512
whirlpool

Please note that some of above hash algorithms are no longer safe for use.

Encrypting & Decrypting

Option Description
aes-256-cbc the cipher used for encryption. To get a list of available ciphers: openssl list-cipher-commands
-d option to tell openssl to decrypt
-a generate base64 encoded output
-in the input file
-out the output file
-pass KEY VALUE
pass your password
file the filename that contains the password

Attention:

  • If a password is specified on the command line, it will show up in the process list.
  • The option -salt is used by default, thus there's no need to specify it explicitly.

Encrypting

openssl aes-256-cbc [-a] -in INPUT_FILE -out ENCRYPTED_FILE [-pass KEY:VALUE]


Please note that aes-256-cbc is a short form of enc -aes-256-cbc. This means one can either use the cipher name as an option or write it as enc -CIPHER.

Examples:

Encrypt a file (the password is read from standard input):

openssl aes-256-cbc -in unencrypted.txt -out file.enc

Encrypt a file with the password specified in a file named mypassword.txt:

openssl aes-256-cbc -in unencrypted.txt -out file.enc -pass file:mypassword.txt

Decrypting

openssl aes-256-cbc -d [-a] -in ENCRYPTED_FILE -out OUTPUT_FILE [-pass KEY:VALUE] [-md md5]


Attention: One might receive an error with OpenSSL 1.1.0 when trying to decrypt data that was encrypted with OpenSSL 1.0.2. To solve this problem, use the -md md5 flag to decrypt the data.

Examples:

Decrypt a file with the password specified on the command line:

openssl aes-256-cbc -d -in file.enc -out unencrypted.txt -pass pass:mySuperSecretPassword

Decrypt a base64 encoded file:

openssl aes-256-cbc -d -a -in file.enc -out unencrypted.txt

Debugging

Fingerprint

If you want to retrieve the fingerprint of a certificate, use the following command:

openssl x509 -noout -in file.crt -fingerprint -ALGORITHM

Connection Information

To verify the connection, the certificate chain, and the protocol and cipher negotiated, use the following:

openssl s_client -connect HOSTNAME:PORT

The above command will stay in interactive mode until Ctrl+C is pressed. If you want to return to the prompt right away (useful for scripting purposes) do this:

echo "Q" |openssl s_client -connect HOSTNAME:PORT