OpenSSL

 

Because every time I need an OpenSSL command, I have to google it…

References:

OpenSSL Cheatsheet

Create Keys

  • Generate an RSA 2048-bit key:

    openssl genpkey -out mypriv.key \
    -algorithm RSA \
    -pkeyopt rsa_keygen_bits:2048 \
    -aes-128-cbc


    The -aes-128-cbc parameter specifies the symmetric cipher used to encrypt the generated key (a passphrase is requested during generation).

  • Generate an ECDSA (Elliptic Curve Digital Signature Algorithm) 256-bit key:

    openssl genpkey -out mypriv.key \
    -algorithm EC \
    -pkeyopt ec_paramgen_curve:P-256 \
    -aes-128-cbc
    
  • View a key's content:

    openssl pkey -in mypriv.key -text -noout
    
  • Extract the public key:

    The generated key contains both private and public key. To extract the public key, use:

    openssl pkey -in mypriv.key -pubout -out mypub.key
    
  • Remove an existing key passphrase:

    Some situations require a key without a passphrase. The command below handles RSA keys; openssl pkey with the same arguments works for any key type.

    openssl rsa -in mypriv.key -out myopenpriv.key
    

Create a CSR (Certificate Signing Request)

A CSR is needed to request a signed certificate from a CA. A private key must exist before the CSR can be created.

  • Generate CSR:

    1. Interactively:

      openssl req -new -key mypriv.key -out test.csr
      

      A series of questions will be asked:

      Question                                  Description
      ----------------------------------------  -----------
      Country Name (2 letter code)              The two-letter country code where your company is legally located.
      State or Province Name (full name)        The state/province where your company is legally located.
      Locality Name (e.g., city)                The city where your company is legally located.
      Organization Name (e.g., company)         Your company’s legally registered name (e.g., YourCompany, Inc.).
      Organizational Unit Name (e.g., section)  The name of your department within the organization. (You can leave this option blank; simply press Enter.)
      Common Name (e.g., server FQDN)           The fully-qualified domain name (FQDN) (e.g., www.example.com).
      Email Address                             Your email address. (You can leave this option blank; simply press Enter.)
      A challenge password                      Leave this option blank (simply press Enter).
      An optional company name                  Leave this option blank (simply press Enter).

    2. From a template:

      $ cat template.conf
      [ req ]
      prompt = no
      distinguished_name = dn
      req_extensions = req_ext
           
      [ dn ]
      CN = example.com
      emailAddress = admin@test.com
      O = My Organization Name
      OU = IT
      L = Zurich
      ST = Zurich
      C = CH
           
      [req_ext]
      subjectAltName = @alt_names
           
      [alt_names]
      DNS.0 = *.example.com
           
      $ openssl req -new -out test.csr -key mypriv.key -config template.conf
      
  • Extract information from a CSR:

    openssl req -in test.csr -text -noout
    

Create a Self-Signed Certificate

Generating a self-signed certificate:

  1. With a CSR and Key already generated:

    openssl x509 -req -days 1000 -in test.csr -signkey mypriv.key -out test.crt 
    
  2. Without CSR and Key (generate them in one command):

    openssl req -new -x509 -newkey rsa:2048 -keyout mypriv.key -out test.crt
    

    A passphrase is requested for the key, followed by the CSR questions.
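
Added example (not part of the original page): a certificate produced by the step 1 command does not inherit the subjectAltName from a CSR built with template.conf, because openssl x509 -req ignores CSR extensions unless an extension section is passed with -extfile and -extensions. The script signs the same CSR both ways and checks each result; make_san_cert, has_san, demo_san and nosan.crt are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original page. make_san_cert and has_san are
# hypothetical helper names; other file names follow the page's own commands.

# Build key, CSR and two self-signed certificates in directory $1.
make_san_cert() {
    cat > "$1/template.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = *.example.com
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/mypriv.key" 2>/dev/null
    openssl req -new -key "$1/mypriv.key" -config "$1/template.conf" \
        -out "$1/test.csr"
    # x509 -req ignores the extensions stored in the CSR ...
    openssl x509 -req -days 1000 -in "$1/test.csr" \
        -signkey "$1/mypriv.key" -out "$1/nosan.crt" 2>/dev/null
    # ... so name the extension section to apply explicitly.
    openssl x509 -req -days 1000 -in "$1/test.csr" \
        -signkey "$1/mypriv.key" -out "$1/test.crt" \
        -extfile "$1/template.conf" -extensions req_ext 2>/dev/null
}

# Succeed if the certificate in $1 lists the wildcard name as a SAN.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:\*\.example\.com'
}

# Print the SAN status of the plain and the -extfile certificate.
demo_san() {
    tmp=$(mktemp -d) || return 1
    make_san_cert "$tmp" || return 1
    has_san "$tmp/nosan.crt" && plain=san || plain=nosan
    has_san "$tmp/test.crt" && ext=san || ext=nosan
    rm -rf "$tmp"
    echo "$plain $ext"
}

demo_san
```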

Keys and Certificates Formats

Certificates and Keys can be stored in various formats. The most common are:

Certificates:

  • Binary (DER) certificate:

    Contains the X.509 certificate in its raw form, using DER ASN.1 encoding

  • ASCII (PEM) certificate(s):

    Contains the base64-encoded DER certificate, with -----BEGIN CERTIFICATE----- used as the header and -----END CERTIFICATE----- as the footer.

  • PKCS#7 certificate(s):

    A complex format designed for the transport of signed or encrypted data, defined in RFC 2315. It’s usually seen with .p7b and .p7c extensions and can include the entire certificate chain as needed.

Keys:

  • Legacy OpenSSL key format:

    Contains a private key in its raw form, using DER ASN.1 encoding. Historically, OpenSSL used a format based on PKCS #1. These days, if you use the proper commands (i.e., genpkey), OpenSSL defaults to PKCS#8.

  • ASCII (PEM) key:

    Contains a base64-encoded DER key, sometimes with additional metadata (e.g., the algorithm used for password protection). The text in the header and footer can differ, depending on what underlying key format is used.

  • PKCS#8 Key:

    The new default format for the private key store. PKCS#8 is defined in RFC 5208.

Concatenation:

  • PKCS#12 (PFX) key and certificate(s):

    A complex format that can store and protect a server key along with an entire certificate chain. It’s commonly seen with .p12 and .pfx extensions. This format is commonly used in Microsoft products, but is also used for client certificates.

Just as there are many formats, certificates and keys can carry a plethora of different file extensions:

  • One approach is to store the key in a .key file and the certificate in a .crt file (independently of the format). The user must therefore cat the file to find out which format it is in.
  • The second approach is to store them in files whose extension matches the format, for instance .der, .pem, .p7b, .pfx, etc. In this case, it is often a good idea to also specify the file type (key or certificate) by combining the two methods: test.crt.pem.

Keys and Certificates Conversions

Useful commands to convert certificates and keys between different formats:

  • PEM <-> DER conversions:

    Certificate:

    openssl x509 -inform PEM -in test.crt.pem -outform DER -out test.crt.der
    

    Key:

    openssl pkey -inform PEM -in test.key.pem -outform DER -out test.key.der
    

    PEM and DER can be swapped in -inform and -outform to convert in the other direction.

  • PKCS#12 (PFX) conversions:

    One command is all that’s needed to convert the key and certificates in PEM format to PKCS#12. The following example converts a key (test.key), certificate (test.crt), and intermediate certificates (test-chain.crt) into an equivalent single PKCS#12 file:

    openssl pkcs12 -export \
      -name "My Certificate" \
      -out test.p12 \
      -inkey test.key \
      -in test.crt \
      -certfile test-chain.crt
    

    If you’re using OpenSSL 3 and the PKCS#12 file can’t be read on a Windows machine, the -legacy option may have to be added because Windows doesn’t have the latest algorithms.

    The reverse conversion needs two steps. The first is to convert the PFX file into a single PEM file:

    openssl pkcs12 -in test.p12 -out test.pem -nodes
    

    The second step is to manually split the key, certificate and intermediate certificate by opening the output pem file in an editor.

  • PKCS#7 conversions:

    PEM to PKCS#7:

    openssl crl2pkcs7 -nocrl -out test.p7b -certfile test.crt -certfile test-chain.crt
    

    PKCS#7 to PEM:

    openssl pkcs7 -in test.p7b -print_certs -out test.pem
    

    If the PKCS#7 file contained multiple certificates, the resulting file must be split into multiple files in an editor (as for PKCS#12).
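
Added example (not part of the original page), serving both the PKCS#12 and the PKCS#7 reverse conversions above: a small splitter that replaces the manual editor step and drops the "Bag Attributes" and subject/issuer lines that OpenSSL writes between objects. split_pem and the output file naming are assumptions; the sample bundle is constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example, not from the original page; split_pem and its output
# naming (NN.key.pem / NN.crt.pem) are assumptions. It writes each PEM object
# in bundle $1 to its own file under $2 and prints the object count.
split_pem() {
    mkdir -p "$2" || return 1
    (
        umask 077   # a -nodes export contains an unencrypted private key
        awk -v dir="$2" '
            { sub(/\r$/, "") }                      # tolerate CRLF files
            /^-----BEGIN [A-Z0-9 ]+-----$/ {
                kind = "obj"
                if ($0 ~ /CERTIFICATE/) kind = "crt"
                if ($0 ~ /PRIVATE KEY/) kind = "key"
                out = sprintf("%s/%02d.%s.pem", dir, ++n, kind)
                inside = 1
            }
            inside { print > out }
            /^-----END [A-Z0-9 ]+-----$/ { if (inside) close(out); inside = 0 }
            END { print n + 0 }
        ' "$1"
    )
}

# Constructed input shaped like "openssl pkcs12 -nodes" output; the bodies
# are placeholders, not real key or certificate data.
demo_split_pem() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/test.pem" <<'EOF'
Bag Attributes
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-KEY-BODY
-----END PRIVATE KEY-----
subject=CN = example.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CHAIN-BODY
-----END CERTIFICATE-----
EOF
    count=$(split_pem "$tmp/test.pem" "$tmp/out")
    files=$(cd "$tmp/out" && echo *)
    mode=$(ls -l "$tmp/out/01.key.pem" | cut -c1-10)
    rm -rf "$tmp"
    echo "$count|$files|$mode"
}
demo_split_pem
```

The files are created with owner-only permissions because the bundle written by -nodes holds the private key in clear text.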

Read a certificate content

To get the certificate information, like its issuer, algorithms, or validity:

openssl x509 -in cert.crt -text -noout

Validate that a private key corresponds to the certificate

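To validate that an RSA private key corresponds to a certificate, compute a digest of the modulus on both sides; the key and certificate match if the two digests are identical: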

  • Get the modulus of the private key:

    openssl rsa -modulus -noout -in test.key | openssl md5
    
  • Get the modulus of the public key in the certificate:

    openssl x509 -modulus -noout -in test.crt | openssl md5
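
Added example (not part of the original page): the modulus comparison applies to RSA keys only, so this check compares the full public key instead and also works for the EC keys generated earlier. key_matches_cert and demo_key_match are hypothetical names; the demo keys and certificate are throwaway material generated on the fly.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are assumptions.

# Return 0 if the private key and certificate hold the same public key,
# 1 if they differ, 2 if either file cannot be read or parsed.
# Works for RSA and EC keys; an encrypted key prompts for its passphrase.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    # Re-encode the certificate's key with the same tool so both sides
    # go through one encoder before the string comparison.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -pubout 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Demo on constructed throwaway material: an EC key with its self-signed
# certificate, plus an unrelated RSA key. Prints the three return codes
# (matching pair, mismatching pair, missing file).
demo_key_match() {
    tmp=$(mktemp -d) || return 2
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$tmp/ec.key" 2>/dev/null
    openssl req -new -x509 -key "$tmp/ec.key" -subj "/CN=example.com" \
        -days 1 -out "$tmp/ec.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/rsa.key" 2>/dev/null
    key_matches_cert "$tmp/ec.key" "$tmp/ec.crt" && good=0 || good=$?
    key_matches_cert "$tmp/rsa.key" "$tmp/ec.crt" && bad=0 || bad=$?
    key_matches_cert "$tmp/missing.key" "$tmp/ec.crt" && err=0 || err=$?
    rm -rf "$tmp"
    echo "$good $bad $err"
}

demo_key_match
```

The separate return code for unreadable input matters: piping a failed command straight into a digest would hash empty output on both sides and report a false match.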
    

SSL Server connection

OpenSSL can also be used to verify the certificate chain of an SSL connection with a server:

openssl s_client -showcerts -connect server-name.test.com:443

If the request must pass through a proxy, add the -proxy host:port parameter.