Reference Of Most Commonly Used OpenSSL Commands
openssl genrsa -out private.key 4096
Generates a private 4096 bit RSA key.
Certificate Signing Request (CSR) for an existing private key
openssl req -new -key private.key -days 1825 -sha256 -out file.csr
Generates a signing request with an sha256 signature. It also indicates to the signing authority that the issued certificate should be valid for 5 years.
Checking & Verifying
openssl x509 -text -noout -in file.crt
Certificate Signing Request (CSR)
openssl req -verify -text -noout -in file.csr
openssl rsa -check -text -noout -in file.key
Certificate Revocation List (CRL)
openssl crl -text -noout -in file.pem
OpenSSL can be used to generate a hash from standard input or create a hash for a file.
Standard Input (stdin)
echo -n "text to hash" | openssl ALGORITHM
-n option makes sure that no trailing newline character is added to the text.
openssl ALGORITHM FILE
|Possible values for ALGORITHM|
Please note that some of above hash algorithms are no longer safe for use.
Encrypting & Decrypting
|aes-256-cbc||the cipher used for encryption. To get a list of available ciphers: |
|-d||option to tell openssl to decrypt|
|-a||generate base64 encoded output|
|-in||the input file|
|-out||the output file|
|file||the filename that contains the password|
- If a password is specified on the command line, it will show up in the process list.
- The option -salt is used by default, thus there's no need to specify it explicitly.
Please note that
aes-256-cbc is a short form of
enc -aes-256-cbc. This means one can either use the cipher name as an option or write it as
Encrypt a file (the password is read from standard input):
openssl aes-256-cbc -in unencrypted.txt -out file.enc
Encrypt a file with the password specified in a file named
openssl aes-256-cbc -in unencrypted.txt -out file.enc -pass file:mypassword.txt
Attention: One might receive an error with OpenSSL 1.1.0 when trying to decrypt data that was encrypted with OpenSSL 1.0.2. To solve this problem, use the
-md md5 flag to decrypt the data.
Decrypt a file with the password specified on the command line:
openssl aes-256-cbc -d -in file.enc -out unencrypted.txt -pass pass:mySuperSecretPassword
Decrypt a base64 encoded file:
openssl aes-256-cbc -d -a -in file.enc -out unencrypted.txt
If you want to retrieve the fingerprint of a certificate, use the following command:
openssl x509 -noout -in file.crt -fingerprint -ALGORITHM
To verify the connection, the certificate chain, and the protocol and cipher negotiated, use the following:
openssl s_client -connect HOSTNAME:PORT
The above command will stay in interactive mode until Ctrl+C is pressed. If you want to return to the prompt right away (useful for scripting purposes) do this:
echo "Q" |openssl s_client -connect HOSTNAME:PORT