
Useful OpenSSL Commands 15 November 2023

Contents:

  1. Introduction
  2. Generation
  3. Verification
  4. Conversion
  5. Export
  6. Additional Commands

Introduction

In this article, we delve into the realm of OpenSSL, an open-source cryptographic package designed for SSL/TLS operations. Whether you're a seasoned IT professional or just getting started, these useful OpenSSL commands will empower you to navigate the intricacies of certificate management with confidence.

Abbreviations and file formats used in this article:

  • CRT (Certificate)
  • KEY (Key)
  • CSR (Certificate Signing Request)
  • DH (Diffie-Hellman Key)
  • PKCS#12 (PFX, P12) - Certificate with Private Key
  • DER - Binary Certificate Type
  • PEM - Base64 Certificate Type
  • P7B (PKCS#7) - Certificate Chain
  • DKIM (DomainKeys Identified Mail) - Email Authentication Method
  • RSA (Rivest–Shamir–Adleman) - Public Key Cryptosystem

Generation

Install OpenSSL on Debian:

sudo apt-get install openssl

Generate Private Key (4096 bits):

openssl genrsa -out server.key 4096

Generate CSR and Key Pair (2048 bits):

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

Generate CSR for an existing Key:

openssl req -out server.csr -key server.key -new

Generate CSR for existing CRT and Key:

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Generate Self-Signed CRT for one year:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate v3 CRT for one year:

openssl x509 -req -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

Example v3.ext:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

Order of Certificates in a File:

  1. Server Certificate
  2. Intermediate Certificate
  3. Root Certificate

cat server.crt > server.pem
cat intermediate.crt >> server.pem
cat ca.crt >> server.pem

Generate DH parameters:

openssl dhparam -out dhparam.pem 2048

Verification

Verify CSR:

openssl req -text -noout -verify -in server.csr

verify OK

Verify Key:

openssl rsa -in server.key -check

RSA key OK

Verify Public Key:

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Read CRT:

openssl x509 -in server.crt -text -noout

Read CSR:

openssl req -in server.csr -noout -text

Verification of CRT and KEY Correspondence

The hashes of the RSA modulus in the certificate and in the key must match (the modulus comparison applies to RSA keys only).

openssl x509 -noout -modulus -in server.crt | md5sum
openssl rsa -noout -modulus -in server.key | md5sum

Verification of Matching CSR and CRT

The hashes of the certificate and the signing request must match.

openssl x509 -noout -modulus -in server.crt | md5sum
openssl req -noout -modulus -in server.csr | md5sum
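
The two modulus comparisons above work only for RSA keys. As an added example (not from the original article), the script below compares the full public key of the key, CSR and certificate instead, which also covers EC keys. The function names `pubkey_of`, `same_keypair` and `make_fixture` and the throwaway `example.test` subjects are made up for illustration.

```shell
#!/bin/sh
# Added example: check that a private key, CSR and certificate share one public key.

# pubkey_of KIND FILE: print the PEM public key held in FILE (KIND = key|csr|crt).
pubkey_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# same_keypair KEY CSR CRT: 0 = all three match, 1 = mismatch, 2 = unreadable input.
same_keypair() {
    k=$(pubkey_of key "$1") && [ -n "$k" ] || return 2
    r=$(pubkey_of csr "$2") && [ -n "$r" ] || return 2
    c=$(pubkey_of crt "$3") && [ -n "$c" ] || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# make_fixture DIR: constructed sample data (throwaway RSA and EC key, CSR, self-signed CRT).
make_fixture() {
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/ec.key" 2>/dev/null || return 1
    for a in rsa ec; do
        openssl req -new -key "$1/$a.key" -subj "/CN=$a.example.test" \
            -out "$1/$a.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$a.csr" -signkey "$1/$a.key" -days 1 \
            -out "$1/$a.crt" 2>/dev/null || return 1
    done
}

dir=$(mktemp -d) && make_fixture "$dir" || exit 1
for a in rsa ec; do
    same_keypair "$dir/$a.key" "$dir/$a.csr" "$dir/$a.crt" &&
        echo "$a: key, CSR and CRT match"
done
# Mixing files from different key pairs is reported as a mismatch (exit 1).
same_keypair "$dir/rsa.key" "$dir/rsa.csr" "$dir/ec.crt" ||
    echo "rsa key + ec crt: mismatch (exit $?)"
rm -rf "$dir"
```

An unreadable or missing input returns 2 rather than 1, so a broken file is not mistaken for a key mismatch.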

PKCS#12 Verification

openssl pkcs12 -info -in server.p12

Display All Certificates

openssl s_client -connect internet-lab.ru:443 -showcerts

Conversion

DER to PEM Conversion

openssl x509 -inform der -in server.cer -out server.pem

PEM to DER Conversion

openssl x509 -outform der -in server.pem -out server.der

PKCS#12 to PEM Conversion (-nodes writes the private key to server.pem unencrypted)

openssl pkcs12 -in server.pfx -out server.pem -nodes

PEM to PKCS#12 Conversion

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

Export

Exporting Public Key from Private Key

openssl rsa -in privkey.pem -pubout > key.pub

Exporting Public Key from CRT (Certificate)

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

Additional Commands

Removing Password from Private Key

openssl rsa -in server.pem -out newserver.pem

List of Revoked Serial Numbers

openssl crl -inform DER -text -noout -in list.crl

File Encryption using rsautl (deprecated since OpenSSL 3.0 in favor of pkeyutl)

openssl rsautl -encrypt -in plaintext.txt -out encrypted.txt -pubin -inkey pubkey.pem

File Decryption using rsautl

openssl rsautl -decrypt -in encrypted.txt -out plaintext.txt -inkey privkey.pem
