OpenSSL is a general-purpose cryptography library that provides an open source implementation of the SSL and TLS protocols. OpenSSL libraries are used by many enterprises in their systems and products. Following are a few common tasks you might need to perform with OpenSSL.
Some of the abbreviations related to certificates:
- SSL – Secure Socket Layer
- CSR – Certificate Signing Request
- TLS – Transport Layer Security
- PEM – Privacy Enhanced Mail
- DER – Distinguished Encoding Rules
- SHA – Secure Hash Algorithm
- PKCS – Public-Key Cryptography Standards
Private keys should be kept secret. Private keys are generally used to decrypt data.
Public keys are provided to everyone and are not secret. Public keys are generally used to encrypt data.
Certificates hold keys and related information. Certificates generally hold public keys.
1. Generate Private Key and Certificate Signing Request
$ openssl req -out CertificateSigningRequest.csr -newkey rsa:2048 -nodes -keyout sysaix.key
We can generate a private key together with a Certificate Signing Request. We can send the generated CertificateSigningRequest.csr to the Certificate Authority for approval and then use sysaix.key. The above command will generate a CSR and a 2048-bit RSA key file. If you intend to use this certificate in Apache or Nginx.
2. Generate Self-Signed Certificate
If we will use the certificate only in our development or test environment and systems, we do not need to have it signed by a global Certificate Authority. The command below will generate a self-signed certificate and key file with 2048-bit RSA. I have also included sha256 as it's considered most secure at the moment. By default, it will generate a self-signed certificate valid for only one month, but here we create one valid for 1 year.
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout sysaixPrivateKey.key -out sysaixcert.crt
3. Generate Certificate Signing Request (CSR) with Existing Certificate
If we have a certificate but need it approved by a global Certificate Authority, we need to generate a Certificate Signing Request with the following command.
$ openssl req -out sysaix.csr -key privateKey.key -new
4. Verify CSR file
Verification is essential to ensure you are sending the CSR to the issuing authority with the required details.
$ openssl req -noout -text -in sysaix.csr
5. Create RSA Private Key
If you just need to generate an RSA private key, you can use the command below. I have included 1024 for stronger encryption.
$ openssl genrsa -out sysaix.key 2048
6. Remove Passphrase From Private Key
Private keys are generally stored encrypted to make them more secure. But every time we want to use the private key we have to decrypt it. To make this more practical we can extract the private key and store it unencrypted.
$ openssl rsa -in sysaixprivate.pem -out newsysaixprivate.pem
7. Check and Print Certificate Signing Request (CSR)
We can print all the information provided in a Certificate Signing Request on the shell. We will use the following command for this.
$ openssl req -text -noout -verify -in CertificatesysaixSignReq.csr
8. Verify Private Key
If you have doubts about your key file, you can use the command below to check it.
$ openssl rsa -in sysaix.key -check
9. Verify Certificate File
If you would like to validate certificate data like CN, OU, etc., you can use the command below, which will give you the certificate details.
$ openssl x509 -in certfile.pem -text -noout
10. Verify the Certificate Signer Authority
The certificate issuer authority signs every certificate, and in case you need to check it, you can use the command below.
$ openssl x509 -in certfile.pem -noout -issuer -issuer_hash
11. Convert PEM To PKCS#12 (.pfx .p12)
We can convert PEM format to PKCS#12 format with the following command.
$ openssl pkcs12 -export -out sysaix.pfx -inkey sysaixpri.key -in sysaixcert.crt -certfile sysaixCAcert.crt
12. Convert PEM To DER
Conversion from PEM to DER can be done with the following command.
$ openssl x509 -outform der -in sysaix.pem -out sysaixcert.der
13. Convert DER to PEM format
$ openssl x509 -inform der -in sysaixsslcert.der -out sysaixsslcert.pem
Usually, the certificate authority will give you the SSL certificate in .der format, and if you need to use it in Apache or in .pem format, you can use the above command to convert it.
14. Convert PKCS#12 (.pfx .p12) To PEM
We can convert PKCS#12 format files to PEM files with the following command.
$ openssl pkcs12 -in sysaixkeyStore.pfx -out sysaixkeyStore.pem -nodes
15. Check contents of PKCS12 format cert
$ openssl pkcs12 -info -nodes -in sysaixcert.p12
PKCS12 is a binary format, so you won't be able to view the content in Notepad or another editor. You have to use the above command to see the contents of a PKCS12 format file.
16. Check Hash Value of A Certificate
$ openssl x509 -noout -hash -in sysaix.pem
17. Find out OpenSSL version
$ openssl version
18. Test SSL certificate of particular URL
$ openssl s_client -connect sysaix.com:443 -showcerts
19. Check PEM File Certificate Expiration Date
$ openssl x509 -noout -in sysaixcert.pem -dates
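The following script is an added example, not part of the original article: it chains items 2, 8, 12, 13 and 19 above into one checkable workflow, so you can confirm that a PEM/DER round trip is lossless and script the expiry check instead of reading the -dates output by eye. It assumes the openssl CLI is installed; the subject name test.example and the temp-dir file names are constructed for the example.

```shell
#!/bin/sh
# Added example: exercises the page's commands end to end on a
# throwaway self-signed certificate in a temp dir. Requires openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Item 2: self-signed cert + unencrypted 2048-bit RSA key, 365 days.
# -subj supplies the DN so the command does not prompt interactively.
make_self_signed() {
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=test.example/O=Example Lab" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Item 8: consistency check of the private key; exit status is openssl's.
check_key() {
    openssl rsa -in "$WORK/key.pem" -check -noout >/dev/null 2>&1
}

# Items 12 and 13: PEM -> DER -> PEM. PEM is only base64 of the DER
# bytes with header/footer lines, so the round trip must be byte-exact.
roundtrip_pem_der() {
    openssl x509 -outform der -in "$WORK/cert.pem" -out "$WORK/cert.der"
    openssl x509 -inform der -in "$WORK/cert.der" -out "$WORK/cert2.pem"
    cmp -s "$WORK/cert.pem" "$WORK/cert2.pem"
}

# Item 19, scripted: -checkend N exits 0 if the cert is still valid N
# seconds from now and 1 if it will have expired by then.
expires_within_days() {
    days=$1
    if openssl x509 -in "$WORK/cert.pem" -noout \
            -checkend $((days * 86400)) >/dev/null; then
        echo no    # still valid that far ahead
    else
        echo yes   # expires inside the window: time to renew
    fi
}

# Items 9 and 19: human-readable subject and validity window.
show_cert() {
    openssl x509 -in "$WORK/cert.pem" -noout -subject -dates
}

make_self_signed
check_key && echo "private key OK"
roundtrip_pem_der && echo "PEM/DER round trip OK"
echo "expires within 30 days:  $(expires_within_days 30)"
echo "expires within 400 days: $(expires_within_days 400)"
show_cert
```

Point expires_within_days at a production certificate file and run it from cron to get a renewal alert before the date in item 19 actually arrives.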