OpenSSL example commands

0

OpenSSL
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
Versions are available for most Unix and Unix-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400).
https://en.wikipedia.org/wiki/OpenSSL

The following examples show how to create, check and manage (self-signed) certificates and certificate signing requests (CSR).

Generate private key and CSR
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout server1.example.com.key -out server1.example.com.csr
OpenSSL_2
-utf8: input characters are UTF8 (default ASCII)
-nodes: don’t encrypt private keys
-sha256: to use the sha256 message digest algorithm
-newkey: rsa:bits generate a new RSA key of ‘bits’ in size
-keyout <arg>: file to send the key to
-out <arg>: output file – default stdout

Generate CSR from an existing private key
openssl req -out server1.example.com.csr -key server1.example.com.key -new
OpenSSL_3_
-out <arg>: output file – default stdout
-key <arg>: private Key file to use, in cert file if not specified (default is server.pem)
-new: new request

Generate CSR from an existing certificate
openssl x509 -x509toreq -in server1.example.com.crt -out server1.example.com.csr -signkey server1.example.com.key
OpenSSL_4
-x509toreq: output a certification request object
-in: infile – input filename
-out <arg>: output file – default stdout
-signkey <arg>: self sign cert with arg

Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server1.example.com.key -out server1.example.com.crt
OpenSSL_5a_
-x509: output a x509 structure instead of a cert. req
-nodes: don’t encrypt private keys
-days <arg>: how long till expiry of a signed certificate – def 30 days
-newkey: rsa:bits generate a new RSA key of ‘bits’ in size
-keyout <arg>: file to send the key to
-out <arg>: output file – default stdout

Generate a self-signed certificate with CSR
openssl x509 -req -days 365 -in server1.example.com.csr -signkey server1.example.com.key -out server1.example.com.crt
OpenSSL_5b_
-req: input is a certificate request, sign and output.
-days <arg>: how long till expiry of a signed certificate – def 30 days
-in: infile – input filename
-signkey <arg>: self sign cert with arg
-out <arg>: output file – default stdout

Get public key from private key
openssl rsa -in server1.example.com.key -pubout
OpenSSL_6
-in: infile – input filename
-pubout: output a public key

Get public key from CSR
openssl req -in server1.example.com.csr -noout -pubkey
OpenSSL_7
-in: infile – input filename
-noout: don’t print key out
-pubkey: output public key

Check CSR
openssl req -text -noout -verify -in server1.example.com.csr
OpenSSL_8
-text: text form of request
-noout: don’t print key out
-verify: verify signature on REQ
-in: infile – input filename

Check private key
openssl rsa -in server1.example.com.key -check
OpenSSL_9
-in: infile – input filename
-check: verify key consistency

Check certificate
openssl x509 -in server1.example.com.crt -text -noout
OpenSSL_10
-in: infile – input filename
-text: text form of request
-noout: don’t print key out

Remove password from private key
openssl rsa -in server1.example.com.pem -out new_server1.example.com.pem
OpenSSL_11
-in: infile – input filename
-out <arg>: output file – default stdout

Resources
https://www.openssl.org/
https://wiki.openssl.org/

About Author

Ronnie is an Oracle consultant at AMIS. He is specialized in Oracle database (Data Guard, RAC, ASM, RMAN, SQL, PL/SQL) and has experience with EM Cloud Control, Oracle VM Server, Oracle Failsafe, Oracle Fusion Middleware, Oracle/Red Hat Linux, ODA (bare metal/virtualized).

Leave a Reply