The Only OpenSSL CheatSheet You Will Need!


OpenSSL

In this tutorial we will cover different examples using openssl command, so in short let's get started with our openssl cheatsheet.

 

Generating Keys

1. RSA Keys

Generate a standard RSA key (2048 bits)

openssl genrsa -out rsa_private.key 2048

Generate a stronger RSA key (4096 bits)

openssl genrsa -out rsa_private.key 4096

Generate an RSA key with a custom exponent

openssl genrsa -out rsa_private.key 2048 -F4

 

2. EC (Elliptic Curve) Keys

Generate an EC key using a specific curve

openssl ecparam -name prime256v1 -genkey -out ec_private.key

List all available EC curves

openssl ecparam -list_curves

Generate an EC key with explicit parameters

openssl ecparam -name secp384r1 -param_enc explicit -genkey -out ec_private_explicit.key

 

3. DSA Keys

Generate a DSA key pair

openssl dsaparam -genkey 2048 -out dsa_private.key

 

4. EdDSA Keys (such as Ed25519)

Generate an Ed25519 private key

openssl genpkey -algorithm Ed25519 -out ed25519_private.key

 

5. Key with Encrypted Password Protection

Generate an RSA key encrypted with AES-256

openssl genrsa -aes256 -out rsa_private_encrypted.key 2048

Generate an EC key with password protection

openssl ecparam -name prime256v1 -genkey -out ec_private_encrypted.key -aes256

 

6. Convert Keys Between Formats

Convert a private key from PEM to DER format

openssl rsa -in rsa_private.key -outform DER -out rsa_private.der

Convert a private key to PKCS#8 format

openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa_private.key -out rsa_private_pkcs8.pem -nocrypt

 

Generate Private and Public Key

Generating an RSA Key Pair:

openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem

Generating an ECDSA Key Pair:

openssl ecparam -genkey -name prime256v1 -out private_key_ec.pem
openssl ec -in private_key_ec.pem -pubout -out public_key_ec.pem

Extract public key from certificate:

openssl x509 -in domain_ecdsa.crt -pubkey -noout

 

Generating CA certificate

1. Generate the Root Key

openssl genrsa -out ca.key 4096

2. Generate the Root Certificate

openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

Now you can use these ca.crt and ca.key to sign certificates.

 

Creating Certificates

1. Generate Private Keys

First, you need a private key. The type and size of the key can vary depending on your security requirement.

RSA Private Key

openssl genrsa -out rsa_private.key 2048

ECDSA Private Key

openssl ecparam -name prime256v1 -genkey -out ecdsa_private.key

 

2. Generate a Certificate Signing Request (CSR)

A CSR is what you submit to a Certificate Authority (CA) to apply for a digital identity certificate. It includes your public key and other identity information.

Using an RSA Key

openssl req -new -key rsa_private.key -out rsa_csr.csr

Using an ECDSA Key

openssl req -new -key ecdsa_private.key -out ecdsa_csr.csr

 

3. Generating Self-Signed Certificates

Self-signed Certificate with RSA

openssl req -new -x509 -days 365 -key rsa_private.key -out rsa_certificate.crt

Self-signed Certificate with ECDSA

openssl req -new -x509 -days 365 -key ecdsa_private.key -out ecdsa_certificate.crt

 

4. Signing a CSR with Your CA

If you act as your own certificate authority or have access to a CA, you can sign CSRs to generate certificates.

openssl x509 -req -days 365 -in csr.csr -signkey ca.key -out signed_certificate.crt

 

5. Verify a Certificate

Verify a Certificate

openssl x509 -in certificate.crt -text -noout

 

 

Encrypting and Decrypting Files

1. Encrypting Files

Encrypt a file using AES-256 in CBC mode

openssl enc -aes-256-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD

Encrypt a file using AES-256 in GCM mode

openssl enc -aes-256-gcm -in plainfile.txt -out encryptedfile.enc -k PASSWORD

Encrypt a file using 3DES

openssl enc -des-ede3-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD

 

2. Decrypting Files

Decrypt a file using AES-256 in CBC mode

openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD

Decrypt a file using AES-256 in GCM mode

openssl enc -d -aes-256-gcm -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD

Decrypt a file using 3DES

openssl enc -d -des-ede3-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD

 

3. Encrypting Files with a Key and IV (Initialization Vector)

Generate a random key and IV for AES-256

openssl enc -aes-256-cbc -k secret -P -md sha1

Encrypt a file using the generated key and IV

openssl enc -aes-256-cbc -in plainfile.txt -out encryptedfile.enc -K [HEX_KEY] -iv [HEX_IV]

Decrypt a file using the generated key and IV

openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -K [HEX_KEY] -iv [HEX_IV]

 

4. Encrypting and Decrypting with Public and Private Keys

Encrypt a file with RSA public key

openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.enc

Decrypt a file with RSA private key

openssl rsautl -decrypt -inkey private.pem -in file.enc -out file_decrypted.txt

 

Checking and Verifying Certificates

1. Viewing Certificate Details

openssl x509 -in certificate.crt -text -noout

2. Verifying a Certificate Against a Trusted CA

openssl verify -CAfile ca.crt certificate.crt

3. Checking a Certificate's Expiration Date

openssl x509 -in certificate.crt -noout -enddate

4. Verify a Certificate Chain

openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt

5. Checking for a Certificate Revocation List (CRL)

openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem server.crt

6. Checking Certificate Serial Number

openssl x509 -in certificate.crt -noout -serial

7. Checking Certificate's Signature Algorithm

openssl x509 -in certificate.crt -noout -text | grep "Signature Algorithm"

 

Generate certificate with SAN Field

Create a file called san.cnf with the following content:

[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C  = US
ST = New York
L  = Rochester
O  = Example Corp
OU = IT
CN = www.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = www.example.com
DNS.2   = example.com
DNS.3   = subdomain.example.com
IP.1    = 192.168.0.1

Generate your private key using the following command:

openssl genrsa -out example.key 2048

Using the configuration file and the private key, generate your CSR:

openssl req -new -key example.key -out example.csr -config san.cnf

Or to generate CSR using single line openssl command

openssl req -new -key example.key -out example.csr -subj "/C=US/ST=New York/L=Rochester/O=Example Corp/OU=IT/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1"

Generate the self-signed certificate using the CSR:

openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt -extensions req_ext -extfile san.cnf

If you wish to sign using your ca.crt and ca.key then you can use:

openssl x509 -req -days 365 -in example.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.crt -extensions v3_ca -extfile <(echo -e "[v3_ca]\nsubjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1")

Verify that your certificate contains the SAN fields:

openssl x509 -in example.crt -text -noout | grep -A 1 "Subject Alternative Name"

 

Creating and Managing CRLs

Generate a CRL

openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl

Revoke a Certificate

openssl ca -revoke client.crt -keyfile ca.key -cert ca.crt

Update a CRL

openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl

Check Certificate Against CRL

openssl verify -crl_check -CRLfile ca.crl -CAfile ca.crt client.crt

Using OCSP to Check Certificate Status

openssl ocsp -CAfile ca.crt -url http://ocsp.server.com -issuer ca.crt -cert client.crt

Configuring OpenSSL for OCSP: Add the following to your openssl.cnf configuration file under the relevant CA section:

[ ca ]
# OCSP responder URL
authorityInfoAccess = OCSP;URI:http://ocsp.server.com

[ ocsp ]
# OCSP signing configuration
default_ca = OCSP_signing

Convert CRL to Human-Readable Format

openssl crl -in ca.crl -inform DER -text -noout

 

Converting Certificate Formats

1. PEM to DER

openssl x509 -in certificate.pem -outform der -out certificate.der

2. DER to PEM

openssl x509 -in certificate.der -inform der -out certificate.pem

3. PEM to PKCS#12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem -certfile CAcert.pem

4. PKCS#12 to PEM

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

 

Working with SSL Connections

Test SSL Connection:

openssl s_client -connect www.example.com:443

View Server Certificate Details:

openssl s_client -connect www.example.com:443 -showcerts

Check SSL/TLS Protocols and Ciphers:

openssl s_client -connect www.example.com:443 -tls1_2

Print List all ciphers:

openssl s_client -connect www.example.com:443 -cipher 'ALL'

 

Managing Passwords and Hashes

1. Generating Secure Passwords

openssl rand -base64 16

2. Creating Cryptographic Hashes

openssl dgst -sha256 filename.txt
echo -n "password" | openssl dgst -sha256

3. Password-Based Key Derivation Functions

openssl enc -pbkdf2 -k password -S salt -iter 10000 -md sha256

4. Hash a Password with a Salt

echo -n "passwordSALT" | openssl dgst -sha256

 

One liner OpenSSL commands

1. Generate an RSA Key and Extract Its Public Key

openssl genrsa -out private.key 2048 && openssl rsa -in private.key -pubout -out public.key

2. Generate a Self-Signed Certificate with an RSA Private Key

openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"

3. Generate a Self-Signed Certificate with an ECC Private Key

openssl req -newkey ec:<(openssl ecparam -name prime256v1 -genkey) -nodes -x509 -days 365 -keyout domain_ecdsa.key -out domain_ecdsa.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"

4. Create a CSR, Self-Sign it, and Verify the Signature

openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Company/OU=Department/CN=www.example.com"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl verify -CAfile server.crt server.crt

5. Encrypt a File and Then Decrypt It

openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.enc -k secretkey
openssl enc -d -aes-256-cbc -in encrypted.enc -out decrypted.txt -k secretkey

6. Generate ECDSA Key Pair and Check the Key

openssl ecparam -name prime256v1 -genkey -out private_ec.key
openssl ec -in private_ec.key -pubout -out public_ec.key
openssl ec -in private_ec.key -text -noout

7. Create a PKCS#12 File from PEM files and Then Extract the Contents

openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt -password pass:yourpassword
openssl pkcs12 -in certificate.p12 -out extractedContents.pem -nodes -password pass:yourpassword

8. Hash a File and Verify the Hash

openssl dgst -sha256 -out hash.txt file.txt
openssl dgst -sha256 -verify pubkey.pem -signature hash.txt file.txt

9. Generate CA certificate and sign Certificate

openssl req -newkey rsa:2048 -nodes -x509 -days 365 -keyout ca.key -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/CN=CA"
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=US/ST=State/L=City/O=Organization/CN=Client"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment