Reference Of Most Commonly Used OpenSSL Commands
Creating Certificates
Private key
openssl genrsa -out private.key 4096
Generates a 4096-bit RSA private key.
Certificate Signing Request (CSR) for an existing private key
openssl req -new -key private.key -days 1825 -sha256 -out file.csr
Generates a signing request with a SHA-256 signature. It also indicates to the signing authority that the issued certificate should be valid for 5 years.
Checking & Verifying
Certificate
openssl x509 -text -noout -in file.crt
Certificate Signing Request (CSR)
openssl req -verify -text -noout -in file.csr
Private Key
openssl rsa -check -text -noout -in file.key
Certificate Revocation List (CRL)
openssl crl -text -noout -in file.pem
Hashing
OpenSSL can be used to generate a hash from standard input or create a hash for a file.
Standard Input (stdin)
echo -n "text to hash" | openssl ALGORITHM
The -n option makes sure that no trailing newline character is added to the text.
File
openssl ALGORITHM FILE
Hash Algorithms
| Possible values for ALGORITHM |
|---|
| md4 |
| md5 |
| mdc2 |
| ripemd160 |
| sha |
| sha1 |
| sha224 |
| sha256 |
| sha384 |
| sha512 |
| whirlpool |
Please note that some of the above hash algorithms (MD4, MD5 and SHA-1 in particular) are no longer considered safe for use.
Encrypting & Decrypting
| Option | Description |
|---|---|
| aes-256-cbc | the cipher used for encryption. To get a list of available ciphers: openssl list-cipher-commands (openssl list -cipher-commands in OpenSSL 1.1.0 and later) |
| -d | option to tell openssl to decrypt |
| -a | generate base64 encoded output |
| -in | the input file |
| -out | the output file |
| -pass | the password source, given as KEY:VALUE (see below) |

| KEY | VALUE |
|---|---|
| pass | your password |
| file | the filename that contains the password |
Attention:
- If a password is specified on the command line, it will show up in the process list.
- The option -salt is used by default, thus there's no need to specify it explicitly.
Encrypting
openssl aes-256-cbc [-a] -in INPUT_FILE -out ENCRYPTED_FILE [-pass KEY:VALUE]
Please note that aes-256-cbc is a short form of enc -aes-256-cbc. This means one can either use the cipher name as an option or write it as enc -CIPHER.
Examples:
Encrypt a file (the password is read from standard input):
openssl aes-256-cbc -in unencrypted.txt -out file.enc
Encrypt a file with the password specified in a file named mypassword.txt:
openssl aes-256-cbc -in unencrypted.txt -out file.enc -pass file:mypassword.txt
Decrypting
openssl aes-256-cbc -d [-a] -in ENCRYPTED_FILE -out OUTPUT_FILE [-pass KEY:VALUE] [-md md5]
Attention: One might receive an error with OpenSSL 1.1.0 when trying to decrypt data that was encrypted with OpenSSL 1.0.2, because 1.1.0 changed the default digest used to derive the key from the password from MD5 to SHA-256. To solve this problem, use the -md md5 flag to decrypt the data.
Examples:
Decrypt a file with the password specified on the command line:
openssl aes-256-cbc -d -in file.enc -out unencrypted.txt -pass pass:mySuperSecretPassword
Decrypt a base64 encoded file:
openssl aes-256-cbc -d -a -in file.enc -out unencrypted.txt
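As an added example that is not part of the original reference, the following POSIX shell script exercises the Hashing and Encrypting & Decrypting commands above together: it hashes stdin and a file, encrypts with the password read from a file (the form that keeps the password out of the process list), checks for the salt header, and decrypts again. All file names and the passphrase are constructed placeholders; it only assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original reference: exercises the hashing and
# aes-256-cbc commands from the reference in a POSIX shell. All names and the
# passphrase are constructed placeholders. Requires the openssl binary on PATH.
set -u

# Hex SHA-256 of the string $1 piped through stdin, without a trailing newline
# (printf '%s' plays the role of echo -n and is portable across shells).
sha256_of_string() {
    printf '%s' "$1" | openssl sha256 | awk '{print $NF}'
}

# Hex SHA-256 of file $1 (drops the "SHA256(name)= " prefix OpenSSL prints).
sha256_of_file() {
    openssl sha256 "$1" | awk '{print $NF}'
}

# Encrypt $1 into base64-armoured $2, reading the password from file $3 so it
# never appears in the process list. decrypt_file reverses the operation.
encrypt_file() {
    openssl aes-256-cbc -a -in "$1" -out "$2" -pass "file:$3"
}
decrypt_file() {
    openssl aes-256-cbc -d -a -in "$1" -out "$2" -pass "file:$3"
}

# Full round trip on a constructed sample: encrypt, confirm the base64 output
# starts with the "Salted__" header that the default -salt adds (U2FsdGVk is
# base64 for "Salted__"), decrypt, and compare digests. Prints ok on success.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    printf 'text to hash\n' > "$work/unencrypted.txt"
    printf 'example-passphrase-placeholder\n' > "$work/mypassword.txt"
    chmod 600 "$work/mypassword.txt"   # the file now holds the secret: restrict it
    encrypt_file "$work/unencrypted.txt" "$work/file.enc" "$work/mypassword.txt" || return 1
    header=$(head -n 1 "$work/file.enc" | cut -c1-8)
    decrypt_file "$work/file.enc" "$work/decrypted.txt" "$work/mypassword.txt" || return 1
    before=$(sha256_of_file "$work/unencrypted.txt")
    after=$(sha256_of_file "$work/decrypted.txt")
    rm -rf "$work"
    [ "$header" = "U2FsdGVk" ] && [ "$before" = "$after" ] && echo ok
}

roundtrip_demo
```

Hashing the same text from stdin and from a file only agrees when the file has no trailing newline, which is exactly what the -n option in the Hashing section guards against.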
Debugging
Fingerprint
If you want to retrieve the fingerprint of a certificate, use the following command:
openssl x509 -noout -in file.crt -fingerprint -ALGORITHM
Connection Information
To verify the connection, the certificate chain, and the protocol and cipher negotiated, use the following:
openssl s_client -connect HOSTNAME:PORT
The above command will stay in interactive mode until Ctrl+C is pressed. If you want to return to the prompt right away (useful for scripting purposes) do this:
echo "Q" | openssl s_client -connect HOSTNAME:PORT