Openssl Usage

OpenSSL is a toolkit for TLS and SSL protocols. It is also a general-purpose cryptography library.

Openssl

OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

OpenSSL provides:

  • A command line application to perform a wide variety of cryptography tasks, such as creating and handling certificates and related files.
  • A comprehensive and extensive cryptographic library, libcrypto.
  • A library, libssl, that provides SSL and TLS protocol support within client or server applications.

To display the OpenSSL version

$ openssl version -a
OpenSSL 1.1.0g 2 Nov 2017
built on: reproducible build, date unspecified
platform: debian-amd64
compiler: gcc
......

To display a summary of the available commands

openssl -help

To display the summary for a specific command

openssl [command] -help

enc

The enc command is used for encryption and decryption with various block and stream ciphers, using keys either derived from a password or provided explicitly. It can also be used for Base64 encoding or decoding.

Synopsis

openssl enc -ciphername [options]

You can get a list of the supported ciphers with the following command

openssl enc -ciphers

Example to encode a file using base64. Encoding (like encryption) is the default direction, so there is no need to include the -e option.

openssl enc -base64 -in file.bin -out file.b64

Example to decode a file using base64

openssl enc -d -base64 -in file.b64 -out file.bin

Example to encrypt a file using AES-256 (-aes256 is an alias for aes-256-cbc, as the prompt shows). You need to provide a password for the encryption.

openssl enc -aes256 -in file.txt -out file.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

dgst

dgst - perform digest operations

Usage:

dgst [options] [file...]

Example to create an MD5 digest of a file

openssl dgst -md5 file.txt

Example to create a SHA-1 digest of a file

openssl dgst -sha1 -hex file.txt

Example to create a SHA-256 digest of a file

openssl dgst -sha256 -hex file.txt

rand

rand - generate pseudo-random bytes

SYNOPSIS

openssl rand [-help] [-out file] [-rand file...] [-writerand file] [-base64] [-hex] num

The rand command outputs num pseudo-random bytes after seeding the random number generator once.

Example to generate 10 bytes and display them as a hex string

$ openssl rand -hex 10
59405a642b9c3041401c

Example to generate 10 bytes and print them base64-encoded

$ openssl rand -base64 10
a7tvmW3bCHVUKg==

Example to generate a random key and use it for symmetric encryption. Note that -pass file: uses only the first line of the file as the password, and rand -base64 wraps its output at 64 characters, so only the first 64 characters of key.txt actually contribute to the key.

$ openssl rand -base64 128 > key.txt
$ openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.encoded -pass file:key.txt
$ openssl enc -d -aes-256-cbc -in file.txt.encoded -out file.txt.decoded -pass file:key.txt

genrsa

genrsa generates an RSA private key. Private and public key pairs are used in asymmetric encryption.

Example to generate a private key

openssl genrsa -out private.pem 2048

To secure the private key, you can protect it with a pass phrase; with -passout stdin the pass phrase is read from standard input instead of an interactive prompt. Note that 1024-bit RSA keys are considered too weak today; prefer 2048 bits or more, as in the previous example.

openssl genrsa -aes256 -passout stdin -out private.pem 1024

Example to generate the public key from the private key

openssl rsa -in private.pem -pubout -out public.pem

Encrypt a file using the public key

openssl rsautl -encrypt -pubin -inkey public.pem -in file.txt -out file.txt.enc

The data to be encrypted must be smaller than the RSA key size (minus the padding overhead); otherwise the command fails with an error

$ openssl rsautl -encrypt -pubin -inkey public.pem -in file.txt -out file.txt.enc
RSA operation error
140382596690368:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:../crypto/rsa/rsa_pk1.c:125:

Decrypt a file using the private key

openssl rsautl -decrypt -inkey private.pem -in file.txt.enc -out file.txt.dec

Note: Do not use the RSA public and private keys to encrypt the data itself. To send large data, generate a random symmetric key, encrypt the data with it, and encrypt only the symmetric key with the RSA public key. Once the recipient has received and decrypted the symmetric key with the private key, sender and receiver can use that symmetric key to encrypt and decrypt the message.
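The hybrid scheme described in the note, carried out with the openssl CLI as an added example that is not part of the original page: the sender wraps a fresh random AES key and IV with the recipient's public key, so only that small key file ever goes through RSA. It uses pkeyutl with OAEP padding in place of the page's rsautl, and -K/-iv instead of -pass so no password-based key derivation is involved; the file names and the message are constructed for the demo.

```shell
#!/bin/sh
# Hybrid encryption round trip with the openssl CLI (added example).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Recipient side: generate an RSA key pair, as in the genrsa/rsa steps above.
make_recipient_keys() {
  openssl genrsa -out "$WORK/private.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# Sender side: encrypt plaintext file $1 for the recipient public key $2.
# Produces $1.enc (AES-256-CBC ciphertext) and $1.key.enc (RSA-wrapped key and IV).
hybrid_encrypt() {
  plain=$1; pub=$2
  # A fresh random key and IV per message; raw hex with -K/-iv avoids any password KDF.
  openssl rand -hex 32 >  "$plain.key"
  openssl rand -hex 16 >> "$plain.key"
  key=$(sed -n 1p "$plain.key"); iv=$(sed -n 2p "$plain.key")
  openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$plain" -out "$plain.enc"
  # Only the small key file goes through RSA (OAEP padding), so the
  # "data too large for key size" error shown above cannot occur.
  openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$plain.key" -out "$plain.key.enc"
  rm -f "$plain.key"
}

# Recipient side: unwrap key and IV with private key $3, then decrypt $1 into $4.
hybrid_decrypt() {
  enc=$1; wrapped=$2; priv=$3; out=$4
  openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
    -in "$wrapped" -out "$enc.key"
  key=$(sed -n 1p "$enc.key"); iv=$(sed -n 2p "$enc.key")
  openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$enc" -out "$out"
  rm -f "$enc.key"
}

# Full round trip on a constructed message; prints the recovered plaintext.
hybrid_roundtrip() {
  make_recipient_keys
  printf 'constructed sample message\n' > "$WORK/msg.txt"
  hybrid_encrypt "$WORK/msg.txt" "$WORK/public.pem"
  hybrid_decrypt "$WORK/msg.txt.enc" "$WORK/msg.txt.key.enc" \
    "$WORK/private.pem" "$WORK/msg.dec"
  cat "$WORK/msg.dec"
}
```

Run hybrid_roundtrip to see the plaintext come back; the wrapped key file stays well under the RSA size limit regardless of how large the message is.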

Create Self-signed Certificate

First create a private key

openssl genrsa -out privateKey.pem 4096

Add the -des3 option to protect the key with a pass phrase

Generate a CSR (certificate signing request) using the private key. If the private key is protected by a pass phrase, you need to enter it. You will need to answer a series of questions here.

openssl req -new -key privateKey.pem -out req.csr

Optional: to examine a certificate request, use the following command

openssl req -in req.csr -text

Sign the CSR. The -x509 option outputs a self-signed certificate instead of a certificate request. If the private key is protected by a pass phrase, you need to enter it here.

openssl x509 -req -sha256 -days 365 -in req.csr -signkey privateKey.pem -out server.crt

To examine the certificate

openssl x509 -in server.crt -text -noout

Calculate fingerprint

A certificate fingerprint is the hash of the DER-encoded certificate.

First convert the certificate to DER format

openssl x509 -in cert.crt -outform DER -out cert.cer

Then calculate the hash

$ openssl dgst -md5 cert.cer
$ openssl dgst -sha1 cert.cer
$ openssl dgst -sha256 cert.cer
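As an added example that is not from the original page, covering both the self-signed certificate procedure and the fingerprint section above: the script runs the genrsa / req / x509 -req steps non-interactively with a constructed subject, then checks that hashing the DER encoding with dgst yields exactly the value x509 -fingerprint prints. The subject name and file paths are assumptions for the demo.

```shell
#!/bin/sh
# Self-signed certificate plus fingerprint cross-check (added example).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The page's genrsa / req / x509 -req steps, made non-interactive with a
# constructed subject so no questions are asked.
make_self_signed() {
  openssl genrsa -out "$WORK/privateKey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/privateKey.pem" -subj "/CN=example.test" \
    -out "$WORK/req.csr"
  openssl x509 -req -sha256 -days 365 -in "$WORK/req.csr" \
    -signkey "$WORK/privateKey.pem" -out "$WORK/server.crt" 2>/dev/null
}

# Fingerprint the manual way from the page: DER-encode, then hash the DER bytes.
# dgst prints "SHA256(file)= <hex>"; keep only the hex, uppercased.
fingerprint_via_dgst() {
  openssl x509 -in "$1" -outform DER -out "$WORK/cert.cer"
  openssl dgst -sha256 "$WORK/cert.cer" | awk '{print toupper($NF)}'
}

# The same value from x509's built-in option, with the "Fingerprint=" label
# and the colons stripped so the two forms can be compared byte for byte.
fingerprint_via_x509() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//; s/://g'
}

# Prints "match" when both methods agree and the value is 64 hex digits,
# confirming that the fingerprint is exactly the hash of the DER encoding.
check_fingerprint_methods() {
  make_self_signed
  a=$(fingerprint_via_dgst "$WORK/server.crt")
  b=$(fingerprint_via_x509 "$WORK/server.crt")
  if [ "$a" = "$b" ] && [ "${#a}" -eq 64 ]; then echo match; else echo mismatch; fi
}
```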

Convert Formats

Convert PEM to DER

openssl x509 -in cert.crt -outform DER -out cert.cer

Convert DER to PEM

openssl x509 -in cert.cer -inform DER -out cert.crt

Convert PEM to PKCS7

openssl crl2pkcs7 -nocrl -certfile cert.crt -out cert.p7b

Convert PKCS7 to PEM

openssl pkcs7 -in cert.p7b -print_certs -out cert.crt

Convert PEM to PKCS12. You will need the private key and the certificate.

openssl pkcs12 -inkey cert.key -in cert.crt -export -out cert.pfx

You will be prompted for the key pass phrase and the export password

Convert PKCS12 to PEM. The output file combines the certificate and the private key; -nodes writes the private key unencrypted, so protect the output file accordingly.

openssl pkcs12 -in cert.pfx -nodes -out cert.combined.crt

You will be prompted for the import password
