OpenSSL
“OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
Versions are available for most Unix and Unix-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400).”
— https://en.wikipedia.org/wiki/OpenSSL
The following examples show how to create, check and manage (self-signed) certificates and certificate signing requests (CSR).
Generate private key and CSR
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout server1.example.com.key -out server1.example.com.csr
-utf8: interpret input characters (the subject fields you are prompted for) as UTF-8 instead of ASCII
-nodes: don't encrypt the private key (it is written to disk unprotected; OpenSSL 3.x spells this -noenc and still accepts -nodes)
-sha256: sign the request with SHA-256 (SHA-1 signed requests are rejected by public CAs)
-newkey rsa:bits: generate a new RSA key of 'bits' bits (2048 is the minimum you should use today)
-keyout <arg>: file to write the new private key to
-out <arg>: output file (default stdout)
Without -subj the command prompts interactively for the subject; the Common Name (and, for real deployments, a subjectAltName) must match the server's hostname.
Generate CSR from an existing private key
openssl req -out server1.example.com.csr -key server1.example.com.key -new
-out <arg>: output file (default stdout)
-key <arg>: existing private key to use for the request (no new key is generated)
-new: generate a new certificate request
Generate CSR from an existing certificate
openssl x509 -x509toreq -in server1.example.com.crt -out server1.example.com.csr -signkey server1.example.com.key
-x509toreq: convert the certificate into a certificate request (subject and public key are copied from the certificate)
-in: input file name
-out <arg>: output file (default stdout)
-signkey <arg>: private key used to sign the request; it must be the key belonging to the certificate (OpenSSL 3.x also accepts -key)
Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server1.example.com.key -out server1.example.com.crt
-x509: output a self-signed certificate instead of a certificate request
-nodes: don't encrypt the private key (OpenSSL 3.x: -noenc)
-days <arg>: validity period of the self-signed certificate in days (default 30)
-newkey rsa:bits: generate a new RSA key of 'bits' bits
-keyout <arg>: file to write the new private key to
-out <arg>: output file (default stdout)
The certificate is signed with its own key, so clients only trust it if they are explicitly configured to (pinning, a local trust store); it is for testing and internal use, not for public services.
Generate a self-signed certificate with CSR
openssl x509 -req -days 365 -in server1.example.com.csr -signkey server1.example.com.key -out server1.example.com.crt
-req: the input is a certificate request; sign it and output a certificate
-days <arg>: validity period of the signed certificate in days (default 30)
-in: input file name
-signkey <arg>: sign with this private key, which makes the certificate self-signed (issuer = subject)
-out <arg>: output file (default stdout)
Extensions contained in the CSR (e.g. subjectAltName) are not copied into the certificate unless you pass -extfile/-extensions (OpenSSL 3.x: -copy_extensions copy); browsers reject server certificates that have no subjectAltName.
Get public key from private key
openssl rsa -in server1.example.com.key -pubout
-in: input file name
-pubout: output the public key (SubjectPublicKeyInfo PEM) instead of the private key
This is RSA-specific; openssl pkey -in <key> -pubout does the same for any key type (RSA, ECDSA, Ed25519).
Get public key from CSR
openssl req -in server1.example.com.csr -noout -pubkey
-in: input file name
-noout: don't output the encoded request itself
-pubkey: output the public key contained in the request
The public key printed here, by "openssl rsa -pubout" and by "openssl x509 -pubkey" uses the same PEM encoding, so the three outputs can be diffed (or hashed) to confirm that key, CSR and certificate belong together.
Check CSR
openssl req -text -noout -verify -in server1.example.com.csr
-text: print the request in human-readable form (subject, public key, requested extensions)
-noout: don't output the encoded request
-verify: verify the request's self-signature with the public key it contains (detects a request altered after signing)
-in: input file name
Check private key
openssl rsa -in server1.example.com.key -check
-in: input file name
-check: verify the key's internal consistency (primes, exponents, CRT parameters); prints "RSA key ok" on success
This only tells you the key is well-formed, not that it matches a given certificate; compare the public keys for that.
Check certificate
openssl x509 -in server1.example.com.crt -text -noout
-in: input file name
-text: print the certificate in human-readable form (issuer, subject, validity, public key, extensions)
-noout: don't output the encoded certificate
Related checks: -subject, -issuer, -dates and -fingerprint -sha256 print single fields; -checkend <seconds> exits non-zero if the certificate expires within that many seconds, which is handy in monitoring scripts.
Remove password from private key
openssl rsa -in server1.example.com.pem -out new_server1.example.com.pem
-in: input file name (the encrypted key; the passphrase is prompted for unless -passin pass:... or -passin file:... is given)
-out <arg>: output file (default stdout); the key is written unencrypted
The resulting file has no protection but its permissions, so restrict it (e.g. chmod 600) and keep it out of version control.
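The commands above fit together into one workflow; the script below, an added example that is not part of the original page, runs them end to end in a temporary directory and then applies the consistency checks worth doing before a key, CSR and certificate are deployed (key/CSR/certificate public keys agree, CSR self-signature verifies, certificate verifies and is not about to expire, the "password removed" key really is unencrypted, and the x509toreq round trip preserves subject and public key). It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the hostname and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page): the page's commands run end to end, followed by
# the consistency checks a practitioner runs before deploying key, CSR and certificate.
# Assumes: openssl CLI on PATH. Hostname and passphrase below are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN=server1.example.com              # constructed hostname
PASS=pass:correct-horse-battery     # constructed passphrase; real ones come from file:/env:

# 1. Private key and CSR in one step. The key is deliberately encrypted here (no -nodes,
#    passphrase via -passout) so the "remove password" step below has work to do.
#    -subj replaces the interactive distinguished-name prompts.
openssl req -utf8 -sha256 -newkey rsa:2048 -passout "$PASS" -subj "/CN=$CN" \
    -keyout "$WORK/$CN.enc.key" -out "$WORK/$CN.csr" 2>/dev/null

# 2. Unencrypted copy of the key (the page's "Remove password" command, non-interactive).
openssl rsa -in "$WORK/$CN.enc.key" -passin "$PASS" -out "$WORK/$CN.key" 2>/dev/null

# 3. Self-sign the CSR with that key (the page's "self-signed certificate with CSR" command).
openssl x509 -req -days 365 -sha256 -in "$WORK/$CN.csr" -signkey "$WORK/$CN.key" \
    -out "$WORK/$CN.crt" 2>/dev/null

# 4. Regenerate a CSR from the certificate (the page's x509toreq command).
openssl x509 -x509toreq -in "$WORK/$CN.crt" -signkey "$WORK/$CN.key" \
    -out "$WORK/$CN.regen.csr" 2>/dev/null

# SHA-256 of the SubjectPublicKeyInfo PEM extracted from a key, CSR or certificate.
# All three commands emit the same "BEGIN PUBLIC KEY" encoding, so the digests compare directly.
pub_fp() {   # $1 = rsa|req|x509, $2 = PEM file
    case "$1" in
        rsa)  openssl rsa  -in "$2" -pubout 2>/dev/null ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Private key matches both the CSR and the certificate (a mismatch is the classic
# "key values mismatch" error at server start).
key_matches_csr_and_cert() {
    k=$(pub_fp rsa "$WORK/$CN.key")
    [ "$k" = "$(pub_fp req  "$WORK/$CN.csr")" ] &&
    [ "$k" = "$(pub_fp x509 "$WORK/$CN.crt")" ]
}

# Key passes OpenSSL's internal consistency check; the message text is the same across versions.
key_is_consistent() { openssl rsa -in "$WORK/$CN.key" -check -noout 2>&1 | grep -q 'RSA key ok'; }

# CSR self-signature verifies (not altered after signing). Output goes to stderr or stdout
# depending on the OpenSSL version, so both are searched.
csr_signature_ok() { openssl req -in "$WORK/$CN.csr" -noout -verify 2>&1 | grep -q 'verify OK'; }

# Certificate verifies with itself as trust anchor: signature intact, validity window current.
# For a CA-issued certificate -CAfile would be the issuer chain instead.
cert_self_verifies() { openssl verify -CAfile "$WORK/$CN.crt" "$WORK/$CN.crt" >/dev/null 2>&1; }

# Certificate does not expire within 30 days (-checkend takes seconds, exits non-zero if it does).
cert_not_expiring_soon() { openssl x509 -in "$WORK/$CN.crt" -noout -checkend 2592000 >/dev/null 2>&1; }

# The stripped key is really plaintext and the original is really encrypted, so the wrong
# file cannot be shipped by accident.
key_file_is_plaintext() {
    ! grep -q 'ENCRYPTED' "$WORK/$CN.key" && grep -q 'ENCRYPTED' "$WORK/$CN.enc.key"
}

# x509toreq round trip keeps subject and public key.
regen_csr_matches() {
    [ "$(openssl req -in "$WORK/$CN.csr" -noout -subject)" = \
      "$(openssl req -in "$WORK/$CN.regen.csr" -noout -subject)" ] &&
    [ "$(pub_fp req "$WORK/$CN.csr")" = "$(pub_fp req "$WORK/$CN.regen.csr")" ]
}

for check in key_matches_csr_and_cert key_is_consistent csr_signature_ok \
             cert_self_verifies cert_not_expiring_soon key_file_is_plaintext regen_csr_matches; do
    if "$check"; then echo "ok   $check"; else echo "FAIL $check"; exit 1; fi
done
echo "all checks passed for $CN (temporary files in $WORK are removed on exit)"
```

The public-key comparison is the check to keep: "openssl rsa -check" only proves the key is well-formed, and a certificate that verifies can still be paired with the wrong key file. Replacing the self-signed step with a CA-issued certificate changes nothing in the checks except the -CAfile argument.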
Resources
https://www.openssl.org/
https://wiki.openssl.org/