In this tutorial we will cover different examples using openssl command, so in short let's get started with our openssl cheatsheet.
Generating Keys
1. RSA Keys
Generate a standard RSA key (2048 bits)
openssl genrsa -out rsa_private.key 2048
Generate a stronger RSA key (4096 bits)
openssl genrsa -out rsa_private.key 4096
Generate an RSA key with a custom exponent
openssl genrsa -out rsa_private.key 2048 -F4
2. EC (Elliptic Curve) Keys
Generate an EC key using a specific curve
openssl ecparam -name prime256v1 -genkey -out ec_private.key
List all available EC curves
openssl ecparam -list_curves
Generate an EC key with explicit parameters
openssl ecparam -name secp384r1 -param_enc explicit -genkey -out ec_private_explicit.key
3. DSA Keys
Generate a DSA key pair
openssl dsaparam -genkey 2048 -out dsa_private.key
4. EdDSA Keys (such as Ed25519)
Generate an Ed25519 private key
openssl genpkey -algorithm Ed25519 -out ed25519_private.key
5. Key with Encrypted Password Protection
Generate an RSA key encrypted with AES-256
openssl genrsa -aes256 -out rsa_private_encrypted.key 2048
Generate an EC key with password protection
openssl ecparam -name prime256v1 -genkey -out ec_private_encrypted.key -aes256
6. Convert Keys Between Formats
Convert a private key from PEM to DER format
openssl rsa -in rsa_private.key -outform DER -out rsa_private.der
Convert a private key to PKCS#8 format
openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa_private.key -out rsa_private_pkcs8.pem -nocrypt
Generate Private and Public Key
Generating an RSA Key Pair:
openssl genrsa -out private_key.pem 2048 openssl rsa -in private_key.pem -pubout -out public_key.pem
Generating an ECDSA Key Pair:
openssl ecparam -genkey -name prime256v1 -out private_key_ec.pem openssl ec -in private_key_ec.pem -pubout -out public_key_ec.pem
Extract public key from certificate:
openssl x509 -in domain_ecdsa.crt -pubkey -noout
Generating CA certificate
1. Generate the Root Key
openssl genrsa -out ca.key 4096
2. Generate the Root Certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
Now you can use these ca.crt and ca.key to sign certificates.
Creating Certificates
1. Generate Private Keys
First, you need a private key. The type and size of the key can vary depending on your security requirement.
RSA Private Key
openssl genrsa -out rsa_private.key 2048
ECDSA Private Key
openssl ecparam -name prime256v1 -genkey -out ecdsa_private.key
2. Generate a Certificate Signing Request (CSR)
A CSR is what you submit to a Certificate Authority (CA) to apply for a digital identity certificate. It includes your public key and other identity information.
Using an RSA Key
openssl req -new -key rsa_private.key -out rsa_csr.csr
Using an ECDSA Key
openssl req -new -key ecdsa_private.key -out ecdsa_csr.csr
3. Generating Self-Signed Certificates
Self-signed Certificate with RSA
openssl req -new -x509 -days 365 -key rsa_private.key -out rsa_certificate.crt
Self-signed Certificate with ECDSA
openssl req -new -x509 -days 365 -key ecdsa_private.key -out ecdsa_certificate.crt
4. Signing a CSR with Your CA
If you act as your own certificate authority or have access to a CA, you can sign CSRs to generate certificates.
openssl x509 -req -days 365 -in csr.csr -signkey ca.key -out signed_certificate.crt
5. Verify a Certificate
Verify a Certificate
openssl x509 -in certificate.crt -text -noout
Encrypting and Decrypting Files
1. Encrypting Files
Encrypt a file using AES-256 in CBC mode
openssl enc -aes-256-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD
Encrypt a file using AES-256 in GCM mode
openssl enc -aes-256-gcm -in plainfile.txt -out encryptedfile.enc -k PASSWORD
Encrypt a file using 3DES
openssl enc -des-ede3-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD
2. Decrypting Files
Decrypt a file using AES-256 in CBC mode
openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD
Decrypt a file using AES-256 in GCM mode
openssl enc -d -aes-256-gcm -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD
Decrypt a file using 3DES
openssl enc -d -des-ede3-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD
3. Encrypting Files with a Key and IV (Initialization Vector)
Generate a random key and IV for AES-256
openssl enc -aes-256-cbc -k secret -P -md sha1
Encrypt a file using the generated key and IV
openssl enc -aes-256-cbc -in plainfile.txt -out encryptedfile.enc -K [HEX_KEY] -iv [HEX_IV]
Decrypt a file using the generated key and IV
openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -K [HEX_KEY] -iv [HEX_IV]
4. Encrypting and Decrypting with Public and Private Keys
Encrypt a file with RSA public key
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.enc
Decrypt a file with RSA private key
openssl rsautl -decrypt -inkey private.pem -in file.enc -out file_decrypted.txt
Checking and Verifying Certificates
1. Viewing Certificate Details
openssl x509 -in certificate.crt -text -noout
2. Verifying a Certificate Against a Trusted CA
openssl verify -CAfile ca.crt certificate.crt
3. Checking a Certificate's Expiration Date
openssl x509 -in certificate.crt -noout -enddate
openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt
5. Checking for a Certificate Revocation List (CRL)
openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem server.crt
6. Checking Certificate Serial Number
openssl x509 -in certificate.crt -noout -serial
7. Checking Certificate's Signature Algorithm
openssl x509 -in certificate.crt -noout -text | grep "Signature Algorithm"
Generate certificate with SAN Field
Create a file called san.cnf
with the following content:
[ req ] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] C = US ST = New York L = Rochester O = Example Corp OU = IT CN = www.example.com [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = www.example.com DNS.2 = example.com DNS.3 = subdomain.example.com IP.1 = 192.168.0.1
Generate your private key using the following command:
openssl genrsa -out example.key 2048
Using the configuration file and the private key, generate your CSR:
openssl req -new -key example.key -out example.csr -config san.cnf
Or to generate CSR using single line openssl command
openssl req -new -key example.key -out example.csr -subj "/C=US/ST=New York/L=Rochester/O=Example Corp/OU=IT/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1"
Generate the self-signed certificate using the CSR:
openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt -extensions req_ext -extfile san.cnf
If you wish to sign using your ca.crt
and ca.key
then you can use:
openssl x509 -req -days 365 -in example.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.crt -extensions v3_ca -extfile <(echo -e "[v3_ca]\nsubjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1")
Verify that your certificate contains the SAN fields:
openssl x509 -in example.crt -text -noout | grep -A 1 "Subject Alternative Name"
Creating and Managing CRLs
Generate a CRL
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
Revoke a Certificate
openssl ca -revoke client.crt -keyfile ca.key -cert ca.crt
Update a CRL
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
Check Certificate Against CRL
openssl verify -crl_check -CRLfile ca.crl -CAfile ca.crt client.crt
Using OCSP to Check Certificate Status
openssl ocsp -CAfile ca.crt -url http://ocsp.server.com -issuer ca.crt -cert client.crt
Configuring OpenSSL for OCSP: Add the following to your openssl.cnf
configuration file under the relevant CA section:
[ ca ] # OCSP responder URL authorityInfoAccess = OCSP;URI:http://ocsp.server.com [ ocsp ] # OCSP signing configuration default_ca = OCSP_signing
Convert CRL to Human-Readable Format
openssl crl -in ca.crl -inform DER -text -noout
Converting Certificate Formats
1. PEM to DER
openssl x509 -in certificate.pem -outform der -out certificate.der
2. DER to PEM
openssl x509 -in certificate.der -inform der -out certificate.pem
3. PEM to PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem -certfile CAcert.pem
4. PKCS#12 to PEM
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
Working with SSL Connections
Test SSL Connection:
openssl s_client -connect www.example.com:443
View Server Certificate Details:
openssl s_client -connect www.example.com:443 -showcerts
Check SSL/TLS Protocols and Ciphers:
openssl s_client -connect www.example.com:443 -tls1_2
Print List all ciphers:
openssl s_client -connect www.example.com:443 -cipher 'ALL'
Managing Passwords and Hashes
1. Generating Secure Passwords
openssl rand -base64 16
2. Creating Cryptographic Hashes
openssl dgst -sha256 filename.txt echo -n "password" | openssl dgst -sha256
3. Password-Based Key Derivation Functions
openssl enc -pbkdf2 -k password -S salt -iter 10000 -md sha256
4. Hash a Password with a Salt
echo -n "passwordSALT" | openssl dgst -sha256
One liner OpenSSL commands
1. Generate an RSA Key and Extract Its Public Key
openssl genrsa -out private.key 2048 && openssl rsa -in private.key -pubout -out public.key
2. Generate a Self-Signed Certificate with an RSA Private Key
openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"
3. Generate a Self-Signed Certificate with an ECC Private Key
openssl req -newkey ec:<(openssl ecparam -name prime256v1 -genkey) -nodes -x509 -days 365 -keyout domain_ecdsa.key -out domain_ecdsa.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"
4. Create a CSR, Self-Sign it, and Verify the Signature
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Company/OU=Department/CN=www.example.com" openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt openssl verify -CAfile server.crt server.crt
5. Encrypt a File and Then Decrypt It
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.enc -k secretkey openssl enc -d -aes-256-cbc -in encrypted.enc -out decrypted.txt -k secretkey
6. Generate ECDSA Key Pair and Check the Key
openssl ecparam -name prime256v1 -genkey -out private_ec.key openssl ec -in private_ec.key -pubout -out public_ec.key openssl ec -in private_ec.key -text -noout
7. Create a PKCS#12 File from PEM files and Then Extract the Contents
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt -password pass:yourpassword openssl pkcs12 -in certificate.p12 -out extractedContents.pem -nodes -password pass:yourpassword
8. Hash a File and Verify the Hash
openssl dgst -sha256 -out hash.txt file.txt openssl dgst -sha256 -verify pubkey.pem -signature hash.txt file.txt
9. Generate CA certificate and sign Certificate
openssl req -newkey rsa:2048 -nodes -x509 -days 365 -keyout ca.key -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/CN=CA" openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=US/ST=State/L=City/O=Organization/CN=Client" openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt