
Master OpenSSL Commands for Certificate and Key Management

OpenSSL is the power user’s toolkit for all things SSL/TLS, cryptography, and X.509 certificates. It’s a staple for developers, system administrators, and security professionals working across various operating systems. Let’s explore some of the most common and useful OpenSSL commands.

Certificate Management

  • Generate a Certificate Signing Request (CSR):
    openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out mycsr.csr
    • Creates a new 2048-bit RSA private key and a CSR in one step; the CSR is what you submit to a Certificate Authority (CA). -nodes leaves the key unencrypted on disk, so restrict the file (chmod 600) or drop -nodes to have OpenSSL encrypt it with a passphrase.
  • View Certificate Information:
    openssl x509 -in certificate.crt -text -noout
    • Displays the decoded contents of a certificate: issuer, subject, validity period, public key and X.509v3 extensions (Subject Alternative Name, Basic Constraints, Key Usage).
  • Check Certificate Expiration:
    openssl x509 -in certificate.crt -noout -checkend <seconds>
    • Checks whether the certificate will still be valid <seconds> from now; the argument is a window relative to the current time, not a Unix epoch timestamp. The command prints "Certificate will not expire" and exits 0 if it is, or "Certificate will expire" and exits 1 if not, which makes it easy to use in monitoring scripts (for example -checkend 2592000 warns 30 days ahead). To print the dates themselves, use -noout -dates.

Key Management

  • Generate a Private Key:
    openssl genrsa -out private.key 2048
    • Creates an RSA private key (adjust the key size as needed; 2048 bits is the usual minimum). The key is written unencrypted; add -aes256 to protect it with a passphrase. The newer, algorithm-agnostic form is openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.key.
  • Extract Public Key from a Private Key:
    openssl rsa -in private.key -pubout -out public.key
    • Generates the corresponding public key from a private key file. openssl pkey -in private.key -pubout does the same for any key type (RSA, EC, Ed25519).

Conversions

  • PEM to PKCS#12 (PFX):
    openssl pkcs12 -export -out bundle.pfx -inkey private.key -in certificate.crt -certfile ca_chain.crt
    • Bundles a private key, certificate, and optional intermediate CA chain into a password-protected PKCS#12 file. You are prompted for the export password; in scripts supply it with -passout file:<path> rather than -passout pass:<password>, which would expose it in the process list. OpenSSL 3.x writes AES-256/PBKDF2-protected bundles by default; add -legacy if the consumer only understands the older RC2/3DES format.
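The certificate, key and conversion steps above, run end to end against a throw-away private CA. This is an added example, not code from the original post: it assumes only the openssl binary and POSIX tools, and the names (Example Lab Root CA, www.example.test, the bundle passphrase) are made up for the demo. It also adds the two checks a practitioner usually wants next to these commands: that a leaf actually chains to the CA you trust, and that a private key really belongs to a certificate.

```shell
#!/bin/sh
# Added example (not from the original post): a throw-away private CA, a leaf
# key + CSR signed by that CA, chain verification, an expiry check, a key/cert
# match check and a PKCS#12 export. Assumes only openssl and POSIX tools.
# All names (Example Lab Root CA, www.example.test) are made up for the demo.
set -eu
umask 077                                  # new files readable by owner only
WORK=$(mktemp -d)

# 1. Root CA: private key and self-signed certificate in one command.
#    -x509 makes req emit a certificate instead of a CSR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Leaf: key + CSR, then sign the CSR with the CA for $1 days.
#    Extensions come from -extfile; the CSR alone carries none.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$1" -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# 3. Does the leaf chain to the CA we trust?  Prints OK or FAIL.
verify_leaf() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# 4. -checkend N means "still valid N seconds from NOW?" (exit 0 yes, 1 no);
#    it is a window, not an epoch timestamp. $1 = days ahead; prints yes if
#    the certificate will have expired by then.
expires_within_days() {
  if openssl x509 -in "$WORK/leaf.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
  then echo no; else echo yes; fi
}

# 5. Key/cert match: compare the SHA-256 of the public key taken from each side.
key_matches_cert() {   # $1 key file, $2 cert file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# 6. PKCS#12 bundle, password read from a file instead of the command line.
#    Add -legacy on OpenSSL 3.x if the consumer cannot read AES/PBKDF2 bundles.
export_pfx() {
  printf 'bundle-passphrase' > "$WORK/pfx.pass"          # constructed demo passphrase
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/ca.crt" -passout "file:$WORK/pfx.pass" -out "$WORK/bundle.pfx"
  # Read the leaf back out of the bundle and print its subject line.
  openssl pkcs12 -in "$WORK/bundle.pfx" -nokeys -clcerts -passin "file:$WORK/pfx.pass" 2>/dev/null \
    | openssl x509 -noout -subject
}

make_ca
make_leaf 30
verify_leaf                                           # OK
expires_within_days 7                                 # no
expires_within_days 60                                # yes
key_matches_cert "$WORK/leaf.key" "$WORK/leaf.crt"    # match
key_matches_cert "$WORK/ca.key"   "$WORK/leaf.crt"    # mismatch
export_pfx                                            # subject line containing www.example.test
```

The key/cert check compares public keys rather than eyeballing moduli, so it works unchanged for EC keys; a mismatch is the usual cause of "key values mismatch" errors when a web server refuses to start after a certificate renewal.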

More OpenSSL Functionality

  • Encryption & Decryption: OpenSSL supports symmetric and asymmetric encryption algorithms.
  • Hashing: Calculate digests (openssl dgst -sha256 file) for file integrity. MD5 and SHA-1 are still available but collision-broken, so use them only to match legacy checksums, never for anything an attacker could influence.
  • Server Testing: Analyze SSL/TLS configurations with openssl s_client.

Let’s delve into a few practical examples of using OpenSSL for encryption, decryption, and SSL testing.

Encryption & Decryption

Symmetric Encryption (AES-256)

Bash

# Encryption
openssl enc -aes-256-cbc -salt -pbkdf2 -in myfile.txt -out myfile.enc -k <password>
# Decryption
openssl enc -d -aes-256-cbc -pbkdf2 -in myfile.enc -out myfile-decrypted.txt -k <password>

Explanation:

enc: OpenSSL’s encryption/decryption command.

-aes-256-cbc: Specifies the AES-256 cipher in CBC mode.

-salt: Writes a random 8-byte salt into the output header ("Salted__" followed by the salt) so the same password does not produce the same key twice. This is already the default; -nosalt disables it. Salt alone does not make the derivation strong: without -pbkdf2, enc derives the key with a single pass of a legacy function, so always add -pbkdf2 (optionally -iter N; the default is 10000 iterations) and pass the same options when decrypting.

-in: Input file.

-out: Output file.

-k: Provides the password on the command line. Anything in argv is visible to other users via ps and ends up in shell history, so in scripts prefer -pass file:<path>, -pass env:<VAR> or -pass stdin. Note also that AES-CBC gives confidentiality only: a modified ciphertext often still decrypts without any error, so add an HMAC over the ciphertext (openssl dgst -sha256 -hmac <key>) and verify it before decrypting, or use a library AEAD; openssl enc does not support GCM.
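The enc commands above with the safer options applied, as an added example that is not part of the original post. It assumes only openssl and POSIX tools; the passphrase, plaintext and HMAC key are constructed for the demo. Beyond a plain round trip it demonstrates the failure mode the -k/-salt explanation warns about: one flipped ciphertext byte still decrypts cleanly under CBC, and only an explicit HMAC over the ciphertext catches it.

```shell
#!/bin/sh
# Added example (not from the original post): file encryption with
# AES-256-CBC and PBKDF2, passphrase taken from a file, plus a demonstration
# that CBC alone does not detect tampering and an HMAC that does.
# Assumes only openssl and POSIX tools; the inputs below are constructed.
set -eu
umask 077
WORK=$(mktemp -d)
PASS="$WORK/pass.txt"
printf 'correct horse battery staple\n' > "$PASS"            # demo passphrase
printf '%s' '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' \
  > "$WORK/plain.txt"                                           # 64 bytes = 4 AES blocks
MACKEY=$(openssl rand -hex 32)                                  # separate key for the HMAC

# -pbkdf2 -iter N replaces enc's weak legacy key derivation (one hash round);
# -pass file: keeps the passphrase out of the process list and shell history.
encrypt_file() {   # $1 plaintext, $2 ciphertext
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -pass "file:$PASS" -in "$1" -out "$2"
}
decrypt_file() {   # $1 ciphertext, $2 plaintext; prints ok or fail
  if openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
       -pass "file:$PASS" -in "$1" -out "$2" 2>/dev/null
  then echo ok; else echo fail; fi
}
# Encrypt-then-MAC: HMAC-SHA256 over the ciphertext file, printed as hex.
mac_file() {   # $1 file
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$MACKEY" "$1" | awk '{print $NF}'
}
# XOR one byte of a file with 0xFF, in place (simulated corruption/tampering).
flip_byte() {   # $1 file, $2 byte offset
  b=$(od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' ')
  printf "$(printf '\\%03o' $(( b ^ 255 )))" \
    | dd of="$1" bs=1 seek="$2" count=1 conv=notrunc 2>/dev/null
}

roundtrip() {      # prints same when decrypt(encrypt(x)) == x
  encrypt_file "$WORK/plain.txt" "$WORK/c.enc"
  decrypt_file "$WORK/c.enc" "$WORK/p.txt" >/dev/null
  if cmp -s "$WORK/plain.txt" "$WORK/p.txt"; then echo same; else echo different; fi
}
# File layout is "Salted__" + 8-byte salt + ciphertext, so offset 16 is the
# first ciphertext byte. Flipping it garbles plaintext blocks 0 and 1 but the
# padding block is untouched, so openssl exits 0 and hands back corrupted data.
cbc_tamper() {     # prints silent-corruption or detected
  encrypt_file "$WORK/plain.txt" "$WORK/t.enc"
  flip_byte "$WORK/t.enc" 16
  s=$(decrypt_file "$WORK/t.enc" "$WORK/t.txt")
  if [ "$s" = ok ] && ! cmp -s "$WORK/plain.txt" "$WORK/t.txt"
  then echo silent-corruption; else echo detected; fi
}
# Same tampering, but the HMAC tag computed at encryption time no longer matches.
hmac_tamper() {    # prints tamper-detected or unchanged
  encrypt_file "$WORK/plain.txt" "$WORK/m.enc"
  tag=$(mac_file "$WORK/m.enc")
  flip_byte "$WORK/m.enc" 16
  if [ "$(mac_file "$WORK/m.enc")" = "$tag" ]; then echo unchanged; else echo tamper-detected; fi
}

roundtrip        # same
cbc_tamper       # silent-corruption
hmac_tamper      # tamper-detected
```

The HMAC key must be independent of the encryption passphrase and must be checked before decryption is attempted; comparing tags with a shell string test is acceptable for files at rest, but in a networked protocol the comparison should be constant-time.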

Asymmetric Encryption (RSA)

Bash

# Encrypt with a public key
openssl rsautl -encrypt -inkey public.key -pubin -in data.txt -out data.enc
# Decrypt with a private key
openssl rsautl -decrypt -inkey private.key -in data.enc -out data-decrypted.txt

Explanation

rsautl: Legacy RSA encryption/decryption utility. It is deprecated since OpenSSL 3.0; the replacement is openssl pkeyutl, which accepts the same -encrypt/-decrypt, -inkey and -pubin options. Two caveats apply to both tools: the default padding is PKCS#1 v1.5, so pass -oaep (rsautl) or -pkeyopt rsa_padding_mode:oaep (pkeyutl) to get OAEP; and RSA can only encrypt a message shorter than the key, roughly 245 bytes for 2048-bit RSA with PKCS#1 v1.5 and 190 bytes with OAEP/SHA-256, so in practice you encrypt a random symmetric key with RSA and the data with that key.

-encrypt / -decrypt: Specifies the operation.

-inkey: Key file (public for encryption, private for decryption)

-pubin: Indicates that the input key is a public key.
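RSA encryption as it is actually used, as an added example that is not part of the original post: pkeyutl in place of the deprecated rsautl, OAEP padding, and a hybrid scheme in which RSA wraps a random AES key rather than the data. It assumes only openssl; the 2048-bit key pair is generated inside the script. The first function shows the size limit the explanation above describes by trying to encrypt 100 and then 300 bytes directly.

```shell
#!/bin/sh
# Added example (not from the original post): RSA encryption done the way it
# is used in practice. pkeyutl replaces the deprecated rsautl, OAEP replaces
# PKCS#1 v1.5 padding, and RSA wraps a random AES key rather than the data.
# Assumes only openssl; the 2048-bit key pair is generated here for the demo.
set -eu
umask 077
WORK=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rsa.key" 2>/dev/null
openssl pkey -in "$WORK/rsa.key" -pubout -out "$WORK/rsa.pub"
OAEP='-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256'

# RSA can only encrypt one short message: with OAEP/SHA-256 and a 2048-bit key
# at most 256 - 2*32 - 2 = 190 bytes. $1 = message length; prints ok or too-long.
rsa_direct() {
  openssl rand -out "$WORK/msg.bin" "$1"
  if openssl pkeyutl -encrypt -pubin -inkey "$WORK/rsa.pub" $OAEP \
       -in "$WORK/msg.bin" -out "$WORK/msg.enc" 2>/dev/null
  then echo ok; else echo too-long; fi
}

# Hybrid encryption: fresh AES-256 key + IV, data under AES-CBC, key under RSA-OAEP.
# Output files: $3.data.enc, $3.iv.hex (may be public), $3.key.enc (wrapped key).
# Add an HMAC over $3.data.enc before shipping it; enc's CBC output has no integrity check.
hybrid_encrypt() {   # $1 plaintext, $2 public key, $3 output prefix
  openssl rand -hex 32 > "$3.key.hex"
  openssl rand -hex 16 > "$3.iv.hex"
  openssl enc -aes-256-cbc -K "$(cat "$3.key.hex")" -iv "$(cat "$3.iv.hex")" \
    -in "$1" -out "$3.data.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$2" $OAEP \
    -in "$3.key.hex" -out "$3.key.enc"
  rm "$3.key.hex"                        # only the wrapped copy leaves this host
}
hybrid_decrypt() {   # $1 input prefix, $2 private key, $3 plaintext out
  key=$(openssl pkeyutl -decrypt -inkey "$2" $OAEP -in "$1.key.enc")
  openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$1.iv.hex")" \
    -in "$1.data.enc" -out "$3"
}
hybrid_roundtrip() { # 4 KiB of random data, far beyond the RSA limit; prints same
  openssl rand -out "$WORK/big.bin" 4096
  hybrid_encrypt "$WORK/big.bin" "$WORK/rsa.pub" "$WORK/big"
  hybrid_decrypt "$WORK/big" "$WORK/rsa.key" "$WORK/big.dec"
  if cmp -s "$WORK/big.bin" "$WORK/big.dec"; then echo same; else echo different; fi
}

rsa_direct 100      # ok
rsa_direct 300      # too-long
hybrid_roundtrip    # same
```

The -K/-iv form of enc takes the raw key and IV in hex and skips password derivation entirely, which is what you want when the key is already random; the IV travels in the clear next to the ciphertext, and only the wrapped key file needs the recipient's private key.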

SSL Testing with ‘s_client’

Bash

openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts </dev/null
  • Explanation:
    • s_client: Establishes an SSL/TLS connection to a server and prints the handshake details.
    • -connect: Server hostname and port (443 is the standard HTTPS port).
    • -servername: Sends the hostname in the SNI extension; without it, a server hosting several names may present the wrong certificate.
    • -showcerts: Displays the full certificate chain exactly as the server sent it (by default only the leaf is printed), which is how you spot a missing intermediate.
    • </dev/null: Closes the session after the handshake instead of waiting for typed input.
    • Read the "Verify return code:" line at the end. s_client completes the handshake even when verification fails, so 0 (ok) is the pass condition; codes such as 10 (certificate has expired), 20 (unable to get local issuer certificate) and 21 (unable to verify the first certificate) mean a normal client would reject the chain. Add -verify_return_error to make s_client abort on verification failure instead.
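A probe wrapper and two small parsers for s_client output, as an added example that is not part of the original post. It assumes only openssl, awk and POSIX tools. Because the verifier runs offline, the transcript it parses is constructed to have the shape of real s_client output: the PEM bodies are placeholders, not certificates, and the host names are the reserved example.com. The parsers pull out exactly the three things the explanation above says to check (protocol, cipher, verify return code) and split the chain the server sent into one file per certificate so each can be inspected with openssl x509 -text.

```shell
#!/bin/sh
# Added example (not from the original post): an s_client probe with SNI, plus
# two small parsers for the parts of its output worth checking. The transcript
# below is constructed for an offline run; the PEM bodies are placeholders,
# not real certificates. Assumes only openssl, awk and POSIX tools.
set -eu

# Live probe. -servername sends SNI (virtual hosts return the wrong cert without
# it); </dev/null ends the session instead of waiting for typed input.
tls_probe() {   # $1 host, $2 port  (makes a network connection)
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>&1
}

# Protocol, cipher and the verify result from an s_client transcript on stdin.
# The handshake completes even when verification fails, so this line is the check.
summarize() {
  awk '/^ *Protocol *:/ { proto = $NF }
       /^ *Cipher *:/   { cipher = $NF }
       /^Verify return code:/ { sub(/^Verify return code: */, ""); verify = $0 }
       END { printf "%s %s | %s\n", proto, cipher, verify }'
}

# Write each certificate the server sent to $1/chain0.pem, chain1.pem, ...
# and print how many there were (transcript on stdin).
split_chain() {   # $1 output directory
  awk -v d="$1" 'BEGIN { n = 0 }
       /-----BEGIN CERTIFICATE-----/ { f = d "/chain" n ".pem"; n++; on = 1 }
       on { print > f }
       /-----END CERTIFICATE-----/ { on = 0; close(f) }
       END { print n }'
}

# Constructed sample transcript (shape of real s_client output, fake contents).
SAMPLE='CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---'

sample_summary()     { printf '%s\n' "$SAMPLE" | summarize; }
sample_chain_count() { d=$(mktemp -d); printf '%s\n' "$SAMPLE" | split_chain "$d"; }

sample_summary        # TLSv1.3 TLS_AES_256_GCM_SHA384 | 0 (ok)
sample_chain_count    # 2
# Live use:  tls_probe www.example.com 443 | summarize
```

A chain count of 1 from a live probe usually means the server is not sending its intermediate, which works in browsers that fetch it via AIA but fails in most command-line and library clients.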

Important Reminders

  • Key Security: Protect private keys with robust passwords and access controls.
  • Responsible Password Usage: Never put passphrases on the command line (-k, -pass pass:) in scripts; they show up in ps output and shell history. Use -pass file:, -pass env: or -pass stdin, keep the secret in a password manager or secrets store, and always add -pbkdf2 -iter N to enc so the key is derived with a real KDF rather than the legacy one-round derivation.
  • Robust Testing: Analyze results from s_client carefully, including supported ciphers and protocol versions.

Key Points

  • Version: Check your OpenSSL version with openssl version.
  • Command Structure: Commands follow the structure openssl <command> [options] [arguments], for example openssl x509 -in cert.pem -noout -text; there is no separate subcommand level. openssl help lists the available commands and openssl <command> -help lists that command's options.
  • Man Pages: Leverage the built-in manual pages for detailed usage: man openssl and man openssl-<command> (for example man openssl-req; on OpenSSL 1.1.1 and earlier the page is man req).

Summary of OpenSSL Commands

Here are some common OpenSSL commands (rsautl in items 7 and 8 is deprecated since OpenSSL 3.0; openssl pkeyutl takes the same options):

  1. Generate a private key (2048-bit RSA; genpkey is the modern, algorithm-agnostic form of genrsa):
   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private_key.pem
  2. Generate a certificate signing request (CSR) using an existing private key:
   openssl req -new -key private_key.pem -out csr.pem
  3. Generate a self-signed certificate:
   openssl req -new -x509 -key private_key.pem -out self_signed_certificate.pem -days 365
  4. View the contents of a certificate:
   openssl x509 -in certificate.pem -text -noout
  5. Encrypt a file using a symmetric cipher (-aes256 is an alias for -aes-256-cbc):
   openssl enc -aes256 -salt -pbkdf2 -in plaintext.txt -out encrypted.txt
  6. Decrypt a file encrypted with a symmetric cipher (same cipher and KDF options as for encryption):
   openssl enc -aes256 -d -pbkdf2 -in encrypted.txt -out decrypted.txt
  7. Encrypt a file using a public key:
   openssl rsautl -encrypt -pubin -inkey public_key.pem -in plaintext.txt -out encrypted.txt
  8. Decrypt a file encrypted with a public key (using the matching private key):
   openssl rsautl -decrypt -inkey private_key.pem -in encrypted.txt -out decrypted.txt
  9. Generate a hash of a file using a specific algorithm:
   openssl dgst -sha256 file.txt
  10. Generate a Diffie-Hellman parameters file (slow: expect seconds to minutes for 2048 bits):
   openssl dhparam -out dhparams.pem 2048

These are just a few examples of what you can do with OpenSSL. The toolset is quite extensive and can be used for a wide range of cryptographic operations and tasks.

In Conclusion

Mastering these OpenSSL commands will give you control over certificate and key management tasks for secure communications. This is just a taste of OpenSSL’s vast capabilities!
