OpenSSL

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and related cryptography standards required by them.

The openssl program is a command line program for using the various cryptography functions of OpenSSL’s crypto library from the shell. It can be used for:

  • Creation and management of private keys, public keys and parameters
  • Public key cryptographic operations
  • Creation of X.509 certificates, CSRs and CRLs
  • Calculation of Message Digests and Message Authentication Codes
  • Encryption and Decryption with Ciphers
  • SSL/TLS Client and Server Tests
  • Handling of S/MIME signed or encrypted mail
  • Timestamp requests, generation and verification

Usage

openssl [command] [options]

Certificates (openssl req, openssl x509)

Generate a certificate

Usage: openssl req -x509 -key private_key.pem -out certificate.pem -days 365

Generate a signed certificate

# Create Certificate Request
openssl req -new -key entity.key -out entity.csr
 
# Sign with CA
openssl x509 -req -in entity.csr -CA ca.crt -CAkey ca.key -out entity.crt -CAcreateserial

Show information about a certificate

Usage: openssl x509 -in certificate.pem -text -noout
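The three steps above (self-signed CA, CSR, CA-signed leaf) put together as one runnable script, followed by the inspection and a chain plus hostname check with openssl verify. This is an added example, not code from the page or from the OpenSSL project; the CA name "Example Test CA", the hostname www.example.test, the file names and the minimal config file are all constructed for the demo. The config file is there because openssl x509 -req does not copy extensions from the CSR by default: without an -extfile/-extensions section the leaf would carry no subjectAltName or key-usage limits, and the CA certificate needs basicConstraints CA:TRUE for openssl verify to accept it as an issuer.

```shell
#!/bin/sh
# Added example (not from the original page): build a private test CA, issue a
# leaf certificate from a CSR, then inspect and verify it.

# write_config DIR: minimal openssl.cnf so 'req' runs without prompts and does
# not depend on the system-wide config. The two extension sections are what
# make ca.crt usable as an issuer and entity.crt usable as a TLS server cert.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn

[dn]
CN = placeholder-overridden-by-subj

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# build_chain DIR: CA key + self-signed CA cert, leaf key + CSR, CA-signed leaf
build_chain() {
    dir=$1
    write_config "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    # self-signed CA certificate (openssl req -x509) with the v3_ca extensions
    openssl req -x509 -new -key "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
        -subj "/CN=Example Test CA" -config "$dir/openssl.cnf" -extensions v3_ca
    openssl genrsa -out "$dir/entity.key" 2048 2>/dev/null
    # certificate request for the leaf (constructed hostname)
    openssl req -new -key "$dir/entity.key" -out "$dir/entity.csr" \
        -subj "/CN=www.example.test" -config "$dir/openssl.cnf"
    # sign with the CA; the leaf's SAN and key usage come from the v3_leaf
    # section because x509 -req ignores extensions present in the request
    openssl x509 -req -in "$dir/entity.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/entity.crt" \
        -extfile "$dir/openssl.cnf" -extensions v3_leaf 2>/dev/null
}

# cert_subject FILE: subject in RFC 2253 form, which is stable across versions
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# verify_leaf DIR HOSTNAME: chain check against ca.crt plus a SAN hostname check;
# exit status 0 only if both pass
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/entity.crt" >/dev/null 2>&1
}

# demo: constructed run that prints part of the leaf and the verify result
demo() {
    d=$(mktemp -d)
    build_chain "$d"
    openssl x509 -in "$d/entity.crt" -text -noout | head -n 12
    verify_leaf "$d" www.example.test && echo "www.example.test: chain and hostname OK"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh chain.sh demo`. The hostname check is the part most often skipped in ad-hoc testing: a leaf that verifies against the CA but names the wrong host is exactly what a client would reject, so verify_leaf with a different hostname is expected to fail.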

Digest (openssl dgst)

Use digest (hash) functions (use openssl dgst -list for a list of all available digests).

Usage: openssl dgst [options] [file]

Options

Option         Description
-c             Print digest with separating colons
-r             Print digest in coreutils format
-out <file>    Output to filename
-hex           Output as hex
-binary        Output in binary
-<digest>      Use <digest>

Encryption (openssl enc)

Encrypt and decrypt using ciphers (use openssl enc -ciphers for a list of all available ciphers).

Usage: openssl enc [options]

Options

Option           Description
-e               Do encryption
-d               Do decryption
-<cipher>        Use <cipher>
-in <input>      Input file
-k <val>         Passphrase
-kfile <file>    Read passphrase from file
-out <output>    Output file
-a, -base64      Base64 encode output / decode input
-pbkdf2          Use password-based key derivation function 2
-iter <num>      Change iterations of -pbkdf2
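Password-based file encryption with the options above, with the weak legacy form shown beside the recommended one. This is an added example, not from the page; the plaintext, passphrase and file names are constructed. The point of -pbkdf2/-iter is key derivation: without them openssl enc derives key and IV from the passphrase with a single MD5 pass (EVP_BytesToKey), which makes offline guessing cheap, and OpenSSL 1.1.1 and later print a deprecation warning for that mode.

```shell
#!/bin/sh
# Added example (not from the original page): symmetric file encryption with
# openssl enc, passphrase read from a file (-kfile).

# encrypt_file IN OUT PASSFILE: AES-256-CBC, random salt, PBKDF2 with 200000
# iterations of SHA-256 to stretch the passphrase into key and IV
encrypt_file() {
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
        -in "$1" -out "$2" -kfile "$3"
}

# decrypt_file IN OUT PASSFILE: same KDF parameters, -d instead of -e.
# A wrong passphrase normally fails the padding check ("bad decrypt",
# non-zero exit), but CBC has no integrity protection, so callers should
# not rely on that alone.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 \
        -in "$1" -out "$2" -kfile "$3" 2>/dev/null
}

# encrypt_file_legacy IN OUT PASSFILE: the form to avoid. No -pbkdf2 means
# the deprecated single-pass MD5 derivation; shown only for comparison.
encrypt_file_legacy() {
    openssl enc -e -aes-256-cbc -salt -in "$1" -out "$2" -kfile "$3"
}

# is_salted FILE: openssl enc writes the 8-byte magic "Salted__" followed by
# the salt, which is how the decrypting side recovers it
is_salted() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# demo: constructed round trip
demo() {
    d=$(mktemp -d)
    printf 'attack at dawn\n' > "$d/plain.txt"
    printf 'constructed demo passphrase\n' > "$d/pass.txt"
    encrypt_file "$d/plain.txt" "$d/plain.enc" "$d/pass.txt"
    is_salted "$d/plain.enc" && echo "header: Salted__ present"
    decrypt_file "$d/plain.enc" "$d/out.txt" "$d/pass.txt" && cat "$d/out.txt"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run with `sh enc.sh demo`. openssl enc provides confidentiality only: none of its modes are authenticated, so an attacker who can modify plain.enc can make controlled changes to the decrypted output without the passphrase. Where tampering matters, add an HMAC over the ciphertext (openssl dgst -hmac, verified before decrypting) or use a tool that offers authenticated encryption.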

RSA (openssl genrsa, openssl rsa, openssl pkeyutl)

Generate RSA Private Key (openssl genrsa)

openssl genrsa -out <keyfile> [-<cipher>] [-verbose] [-quiet] <numbits>

The -<cipher> option protects the key with a passphrase, encrypting it with the specified cipher algorithm (see openssl enc -ciphers for the list of available ciphers).

Generate RSA Public Key (openssl rsa)

openssl rsa -pubout -in <privatekey> [-passin file:<password_file>] -out <publickey>

Working with RSA (openssl pkeyutl)

# Sign with Private Key
openssl pkeyutl -sign -in <input> -inkey <private_key> [-passin file:<password_file>] -out <output> [-digest algo]
 
# Verify with Public Key
openssl pkeyutl -verify -in <input> -pubin -inkey <public_key> -sigfile <signature_file>
 
# Encrypt with Public Key
openssl pkeyutl -encrypt -pubin -inkey <public_key> -in <input> -out <output>
 
# Decrypt with Private Key
openssl pkeyutl -decrypt -inkey <private_key> [-passin file:<password_file>] -in <input> -out <output>
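The whole RSA workflow above in one script: a passphrase-protected private key from openssl genrsa, the public key via openssl rsa -pubout, a detached signature over a file and its verification, and public-key encryption of a short message. This is an added example, not from the page; the passphrase, file names and message are constructed. Two details the one-line commands hide: openssl pkeyutl signs the input as-is, so the file is hashed first and -pkeyopt digest:sha256 tells pkeyutl to wrap that hash in the PKCS#1 DigestInfo for SHA-256; and -pkeyopt rsa_padding_mode:oaep selects OAEP rather than the default PKCS#1 v1.5 padding for encryption.

```shell
#!/bin/sh
# Added example (not from the original page): RSA key generation, signing,
# verification and encryption with genrsa / rsa / pkeyutl.

# make_keys DIR: private key encrypted with AES-256 under the passphrase in
# pass.txt, then the matching public key in PEM
make_keys() {
    dir=$1
    printf 'constructed demo passphrase\n' > "$dir/pass.txt"
    openssl genrsa -aes256 -passout "file:$dir/pass.txt" -out "$dir/rsa.key" 2048 2>/dev/null
    openssl rsa -pubout -in "$dir/rsa.key" -passin "file:$dir/pass.txt" \
        -out "$dir/rsa.pub" 2>/dev/null
}

# sign_file DIR FILE SIG: SHA-256 the file, then sign the 32-byte digest.
# Without -pkeyopt digest:sha256 the digest would be signed as opaque bytes
# and a verifier could not tell which hash function was used.
sign_file() {
    openssl dgst -sha256 -binary "$2" > "$3.sha256"
    openssl pkeyutl -sign -in "$3.sha256" -inkey "$1/rsa.key" -passin "file:$1/pass.txt" \
        -pkeyopt digest:sha256 -out "$3"
}

# verify_file DIR FILE SIG: recompute the digest and check the signature with
# the public key; exit status 0 only on "Signature Verified Successfully"
verify_file() {
    openssl dgst -sha256 -binary "$2" > "$3.check"
    openssl pkeyutl -verify -in "$3.check" -sigfile "$3" -pubin -inkey "$1/rsa.pub" \
        -pkeyopt digest:sha256 >/dev/null 2>&1
}

# rsa_encrypt DIR IN OUT: RSA-OAEP to the public key. Only a short payload
# fits (well under the 256-byte modulus for a 2048-bit key), which is why
# real protocols encrypt a symmetric key this way, not the data itself.
rsa_encrypt() {
    openssl pkeyutl -encrypt -pubin -inkey "$1/rsa.pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3"
}

# rsa_decrypt DIR IN OUT: the private-key side, same padding mode
rsa_decrypt() {
    openssl pkeyutl -decrypt -inkey "$1/rsa.key" -passin "file:$1/pass.txt" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# demo: constructed run
demo() {
    d=$(mktemp -d)
    make_keys "$d"
    printf 'release artifact (constructed)\n' > "$d/artifact"
    sign_file "$d" "$d/artifact" "$d/artifact.sig"
    verify_file "$d" "$d/artifact" "$d/artifact.sig" && echo "signature: OK"
    printf 'session key bytes' > "$d/msg"
    rsa_encrypt "$d" "$d/msg" "$d/msg.enc"
    rsa_decrypt "$d" "$d/msg.enc" "$d/msg.dec" && cat "$d/msg.dec"; echo
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run with `sh rsa.sh demo`. For everyday signing, `openssl dgst -sha256 -sign key.pem -out file.sig file` and `openssl dgst -sha256 -verify pub.pem -signature file.sig file` do the hash-and-sign in one step and produce the same kind of signature; pkeyutl is shown here because it is the command this page documents, and because seeing the digest step separately makes clear what is actually being signed.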

Password Hash (openssl passwd)

Generate hashed passwords.

Usage: openssl passwd [options] [password]

Options

Option        Description
-in infile    Read passwords from file
-noverify     Never verify when reading password from terminal
-stdin        Read passwords from stdin
-salt val     Use provided salt
-6            SHA512-based password algorithm
-5            SHA256-based password algorithm
-apr1         MD5-based password algorithm, Apache variant
-1            MD5-based password algorithm
-aixmd5       AIX MD5-based password algorithm
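Creating a crypt-style hash with -6 and then checking a candidate password against it, which is what a login routine or a shadow-file audit does: the salt is parsed out of the stored string and the hash recomputed. This is an added example, not from the page; the password and salt are constructed. The password is fed through -stdin rather than given as an argument so it does not show up in the process list.

```shell
#!/bin/sh
# Added example (not from the original page): SHA-512 crypt hashes ($6$) with
# openssl passwd, and verification by recomputation.

# hash_password PASSWORD [SALT]: "$6$<salt>$<86 chars>". With no SALT given,
# openssl passwd picks a random one, which is what you want when storing.
hash_password() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -6 -stdin
    fi
}

# check_password HASH PASSWORD: fields of a crypt string are $id$salt$hash;
# recompute with the stored salt and compare. Returns 0 on match, 1 on
# mismatch, 2 if the id is not the SHA-512 scheme handled here (this simple
# parser also does not handle an explicit "rounds=N" field).
check_password() {
    id=$(printf '%s' "$1" | cut -d'$' -f2)
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ "$id" = "6" ] || return 2
    [ "$(hash_password "$2" "$salt")" = "$1" ]
}

# demo: constructed run
demo() {
    stored=$(hash_password 'correct horse battery staple')
    echo "stored: $stored"
    check_password "$stored" 'correct horse battery staple' && echo "match: yes"
    check_password "$stored" 'Tr0ub4dor&3' || echo "wrong password rejected"
}
case "${1:-}" in demo) demo ;; esac
```

Run with `sh passwd.sh demo`. Prefer -6 or -5 over -1/-apr1 for anything new: the MD5-based schemes are fast to compute, which is the wrong property for a password hash. A fixed -salt is useful for reproducing a known hash (as the test does) but never for storing one, because equal passwords would then produce equal hashes.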

Prime Numbers (openssl prime)

Generate and verify prime numbers.

Usage: openssl prime [options] [num]

Options

Option        Description
-bits +int    Size of number in bits
-hex          Hex output
-generate     Generate a prime
-safe         When used with -generate, generate a safe prime

Random Data (openssl rand)

Generate random data.

Usage: openssl rand [options] num

Options

Option        Description
-out outfile  Output file
-base64       Base64 encode output
-hex          Hex encode output
-rand val     Load the given file(s) into the random number generator
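One script serving both the Prime Numbers and Random Data sections: tokens from openssl rand in the two encodings, a primality check wrapper, and a safe-prime generation whose result is checked the way the definition says (both p and (p-1)/2 must be prime). This is an added example, not from the page; the bit sizes and the sample numbers are constructed. One detail worth knowing: openssl prime prints the number in hex in its "is prime" message even when the input was decimal, which is why the wrapper below matches on the message suffix rather than the number.

```shell
#!/bin/sh
# Added example (not from the original page): openssl rand and openssl prime.

# random_hex BYTES: BYTES random bytes from OpenSSL's CSPRNG as 2*BYTES hex
# characters; 32 bytes gives a 256-bit secret suitable for session IDs or
# API keys
random_hex() {
    openssl rand -hex "$1"
}

# random_base64 BYTES: same, base64-encoded (32 bytes -> 44 characters)
random_base64() {
    openssl rand -base64 "$1"
}

# is_prime N: 0 if "openssl prime N" (decimal input) reports it prime, else 1.
# Output looks like "61 is prime" or "5B is not prime" (hex), so match the
# trailing phrase.
is_prime() {
    case "$(openssl prime "$1")" in
        *" is prime") return 0 ;;
        *) return 1 ;;
    esac
}

# gen_safe_prime BITS: a safe prime p, meaning (p-1)/2 is also prime; the
# property DH parameter generation relies on. Printed in decimal.
gen_safe_prime() {
    openssl prime -generate -bits "$1" -safe
}

# demo: constructed run (48 bits keeps (p-1)/2 within shell arithmetic)
demo() {
    echo "hex token   : $(random_hex 32)"
    echo "base64 token: $(random_base64 32)"
    p=$(gen_safe_prime 48)
    q=$(( (p - 1) / 2 ))
    is_prime "$p" && is_prime "$q" && echo "safe prime $p, (p-1)/2 = $q is prime too"
}
case "${1:-}" in demo) demo ;; esac
```

Run with `sh rand.sh demo`. openssl rand draws from the library's CSPRNG, which is seeded from the operating system; the -rand option only adds material to that pool and is not a way to make output deterministic. Real DH parameters use 2048-bit or larger safe primes (openssl dhparam), which take much longer to generate than the 48-bit demo value.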