This is an old revision of the document!
OpenSSL Usage Notes
The openssl program is basically a dumping ground for all sorts of SSL related functions. What it does varies wildly based on the parameters passed in. Here is a usage summary of some of the more useful functions.
Notes
- SSL is based on RSA asymmetrical encryption (aka public key encryption)
- Two files are created; a certificate (the “cert”) and a key
- The cert is public. It contains information about the cert user (i.e. the “subject”). It also contains an encrypted hash “signature” of the cert contents.
- “Signing” a cert means that a secure hash of the cert is calculated and the secure hash is encrypted with the signing authority's (the “issuer”) secret key. This encrypted hash is then appended to the certificate.
- Check the integrity of the cert by calculating the secure hash of the cert and comparing it with the decrypted signature.
- Decrypt the signature by using the public key of the issuer.
- Cert trust is based on whether or not you trust the issuer and his ability to vouch for the “subject”
Definitions
| cert | Public X.509 format certificate. Contains subject's public key. |
| DER | Binary format used for keys |
| issuer | Entity that signs a cert |
| key | Subject's secret key |
| PEM | Straight ASCII (BASE64) format of a binary cert or key |
| sign | Calculate a secure hash and encrypt hash with issuer's public key |
| subject | The entity (person or organization) described in the cert |
Important OpenSSL Commands and Options
openssl command [ command_opts ] [ command_args ]
| Standard Commands | |
|---|---|
| ca | Certificate Authority (CA) Management. |
| req | X.509 Certificate Signing Request (CSR) Management. |
| x509 | X.509 Certificate Data Management. |
| Digest Commands | |
| md5 | MD5 Digest |
| sha1 | SHA-1 Digest |
| sha256 | SHA-256 Digest |
| Common Options | |
|---|---|
| -config filename | Configuration file to use. |
| -nodes | Not the English word “nodes”, but rather is “no DES”. When given as an argument, it means OpenSSL will not encrypt the private key in a PKCS#12 file. To encrypt the private key, you can omit -nodes and your key will be encrypted with 3DES-CBC. To encrypt the key, OpenSSL prompts you for a password and it uses that password to generate an encryption key. |
| -key file | Use the private key contained in file |
| -keyform arg | Key file format |
| CA Options | |
| -in filename | Input filename containing a single certificate request to be signed by the CA. |
| -ss_cert filename | A single self-signed certificate to be signed by the CA. |
| -out filename | File to output certificates to. |
| -cert | The CA certificate file. |
| -selfsign | Issued certificates are to be signed with the key the certificate requests were signed with (given with -keyfile). |
| -days arg | The number of days to certify the certificate for. |
| REQ Options | |
| -inform arg | Input format - DER or PEM |
| -outform arg | Output format - DER or PEM |
| -in arg | Input file |
| -out arg | Output file |
| -pubkey | Output public key |
| -keyout arg | File to send the key to |
| -new | New request |
| -x509 | Output a x509 structure instead of a cert request |
| -days | Number of days a certificate generated by -x509 is valid for |
| -newkey rsa:bits | Generate a new RSA key of 'bits' in size |
| -text | Text form of request |
| -noout | Do not output REQ |
Build a "root" (i.e. self-signed) Certificate of Authority
openssl ca -new -x509 -extensions v3_ca -keyout CA-key.pem -out CA-cert.pem -days 3650 -config openssl.cnf -nodes
Build a Certificate Signing Request (CSR)
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config openssl.config
Sign a Certificate Signing Request (CSR)
openssl ca -days 3650 -out key.crt -in key.csr -config openssl.cnf
View a Certificate
openssl x509 -in certificate.crt -text -noout
Self-sign a Certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt