
Cheatsheet & Examples: openssl


I am a developer from Malaysia. I work with PHP most of the time, recently I fell in love with Go. When I am not working, I will be ballroom dancing :-)

openssl is a versatile tool for managing cryptographic operations, including generating keys, creating certificates, and securing communications. It supports SSL/TLS protocols, digital signatures, encryption, and more.

Generate a Self-Signed Certificate for Testing

Example Usage: openssl req -x509 -new -nodes -days 365 -keyout key.pem -out cert.pem

What it does: Creates a self-signed X.509 certificate valid for 365 days, with a private key stored in key.pem and the certificate in cert.pem.

Command-line Arguments Explained:

  • -x509: Specifies that the output should be a self-signed certificate.
  • -new: Generates a new request; combined with -x509 the request is turned straight into a self-signed certificate rather than written out as a CSR.
  • -nodes: Leaves the private key unencrypted ("no DES"); OpenSSL 3 also accepts the clearer spelling -noenc.
  • -days 365: Sets the certificate validity period to 365 days.
  • -keyout key.pem: Writes the generated private key to key.pem.
  • -out cert.pem: Saves the certificate output to cert.pem.

Test SSL/TLS Connections

Example Usage: openssl s_client -connect example.com:443

What it does: Establishes an SSL/TLS connection to a remote server (e.g., example.com:443) to inspect its certificate and protocol details.

Command-line Arguments Explained:

  • -connect: Specifies the host and port to connect to (e.g., example.com:443).
  • -showcerts: Prints every certificate the server sends, not only the leaf (optional; not in the example above, but useful for inspecting the chain).

Generate a Private RSA Key

Example Usage: openssl genrsa -out private_key.pem 2048

What it does: Generates a 2048-bit RSA private key and saves it to private_key.pem.

Command-line Arguments Explained:

  • -out: Specifies the output file for the private key.
  • 2048: Sets the key length (in bits) for the RSA key.

Create a Certificate Signing Request (CSR)

Example Usage: openssl req -new -key private_key.pem -out csr.pem

What it does: Generates a CSR using an existing private key (private_key.pem), which is then submitted to a Certificate Authority (CA).

Command-line Arguments Explained:

  • -new: Creates a new CSR.
  • -key: Specifies the private key file to use.
  • -out: Saves the CSR to csr.pem.

View Certificate Details

Example Usage: openssl x509 -in cert.pem -text -noout

What it does: Displays the human-readable contents of a certificate file (cert.pem) without also printing the encoded certificate itself.

Command-line Arguments Explained:

  • -in: Specifies the input certificate file.
  • -text: Prints the certificate details in text format.
  • -noout: Suppresses the encoded (PEM) certificate that x509 would otherwise print after the text.

Convert Certificates Between Formats

Example Usage: openssl x509 -in cert.pem -outform DER -out cert.der

What it does: Converts a PEM-formatted certificate to DER (binary) format and saves it as cert.der.

Command-line Arguments Explained:

  • -in: Input file in PEM format (cert.pem).
  • -outform DER: Specifies the output format as DER (binary).
  • -out: Saves the converted certificate to cert.der.

Sign a CSR with a Private Key

Example Usage: openssl x509 -req -in csr.pem -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out signed_cert.pem

What it does: Signs a CSR (csr.pem) using a CA's private key (ca_key.pem) and certificate (ca_cert.pem), outputting a signed certificate (signed_cert.pem). Without -days the certificate is valid for only 30 days, and extensions such as subjectAltName are added only when an -extfile is supplied.

Command-line Arguments Explained:

  • -req: Treats the input as a CSR.
  • -in: Input CSR file (csr.pem).
  • -CA: Path to the CA certificate.
  • -CAkey: Path to the CA's private key.
  • -CAcreateserial: Creates a serial file if it doesn't exist.
  • -out: Saves the signed certificate.

Check a Certificate's Validity Period

Example Usage: openssl x509 -in cert.pem -enddate -noout

What it does: Displays the certificate's expiration date (end date).

Command-line Arguments Explained:

  • -in: Input certificate file (cert.pem).
  • -enddate: Outputs the certificate's end date.
  • -noout: Suppresses the encoded (PEM) certificate, so only the date line is printed.

Generate Diffie-Hellman Parameters

Example Usage: openssl dhparam -out dhparam.pem 2048

What it does: Creates DH parameters (a 2048-bit prime and generator) for TLS key exchange, saving them to dhparam.pem. Searching for a 2048-bit prime can take several minutes.

Command-line Arguments Explained:

  • -out: Output file for DH parameters.
  • 2048: Size of the DH prime in bits.

Convert PKCS#12 (PFX) Files to PEM

Example Usage: openssl pkcs12 -in key_store.pfx -out key.pem -nodes

What it does: Extracts a certificate and private key from a PKCS#12 (PFX) file (key_store.pfx) into PEM format, saving them to key.pem.

Command-line Arguments Explained:

  • -in: Input PKCS#12 file.
  • -out: Output PEM file (contains certificate and private key).
  • -nodes: Writes the private key unencrypted (you are still prompted for the PFX import password).

Check SSL/TLS Server Configuration

Example Usage: openssl s_server -cert cert.pem -key private_key.pem -accept 443

What it does: Starts an SSL/TLS server listening on port 443, using cert.pem and private_key.pem.

Command-line Arguments Explained:

  • -cert: Path to the server's certificate.
  • -key: Path to the server's private key.
  • -accept: Port to listen on (e.g., 443).

Generate a Hash (Digest) of a File

Example Usage: openssl dgst -sha256 -out hash.txt file.txt

What it does: Computes the SHA-256 hash of file.txt and saves it to hash.txt.

Command-line Arguments Explained:

  • -sha256: Specifies the hashing algorithm.
  • -out: Output file for the hash result.
  • file.txt: Input file to hash.
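This added example (not from the original post) goes beyond the hashing command above: the same dgst subcommand also produces and checks a detached RSA signature, so a modified file is rejected. The file names and sample content are constructed here, and openssl is assumed to be on PATH.

```shell
# Added example, not part of the original post. Key and file names are assumptions.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'release artefact v1.0\n' > file.txt          # constructed sample input

# Key pair: private key as in the cheatsheet, public half extracted for verifiers.
openssl genrsa -out private_key.pem 2048 2>/dev/null
openssl rsa -in private_key.pem -pubout -out public_key.pem 2>/dev/null

# Hex SHA-256 of a file (the value the cheatsheet's dgst example writes to hash.txt).
# Output looks like "SHA256(file.txt)= <hex>" (or "SHA2-256(...)" in OpenSSL 3).
sha256_of() { openssl dgst -sha256 "$1" | sed 's/^.*= //'; }

# Detached signature: SHA-256 of the file, signed with the private key.
sign_file() { openssl dgst -sha256 -sign private_key.pem -out "$1.sig" "$1"; }

# Verification needs only the public key. Prints "ok" or "fail".
verify_file() {
  if openssl dgst -sha256 -verify public_key.pem -signature "$1.sig" "$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

sign_file file.txt
# Same signature, but one character of the content changed.
cp file.txt.sig tampered.txt.sig
printf 'release artefact v1.1\n' > tampered.txt

echo "sha256: $(sha256_of file.txt)"
echo "original: $(verify_file file.txt)  tampered: $(verify_file tampered.txt)"
```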

Encrypt a File Using AES-256

Example Usage: openssl enc -aes-256-cbc -in input.txt -out encrypted.txt -pass pass:mysecretpassword

What it does: Encrypts input.txt using AES-256-CBC with a key derived from the provided password, saving the result to encrypted.txt. Without -pbkdf2, OpenSSL 1.1.1 and later print a "deprecated key derivation used" warning because enc falls back to its legacy single-pass derivation.

Command-line Arguments Explained:

  • -aes-256-cbc: Specifies the encryption algorithm.
  • -in: Input file to encrypt.
  • -out: Output file for the encrypted data.
  • -pass: Password source (e.g., pass:mysecretpassword). A pass: value is visible to other users in the process list; file: or env: sources avoid that.

Decrypt a File Using AES-256

Example Usage: openssl enc -d -aes-256-cbc -in encrypted.txt -out decrypted.txt -pass pass:mysecretpassword

What it does: Decrypts encrypted.txt using AES-256-CBC and the provided password, saving the result to decrypted.txt. The cipher, password and key-derivation options (such as -pbkdf2 and -iter, if they were used) must match the ones given at encryption time.

Command-line Arguments Explained:

  • -d: Enables decryption mode.
  • -aes-256-cbc: Encryption algorithm used during encryption.
  • -in: Input file to decrypt.
  • -out: Output file for the decrypted data.
  • -pass: Password for decryption.
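The encrypt/decrypt pair above, as an added example that is not part of the original post, with the options the cheatsheet leaves out: -pbkdf2/-iter replace enc's legacy key derivation, and the password is taken from the environment rather than the command line. It assumes OpenSSL 1.1.1 or newer; the file names, password and sample content are constructed.

```shell
# Added example, not part of the original post. Assumes OpenSSL 1.1.1+ (for -pbkdf2).
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'db_password=correct horse battery staple\n' > input.txt   # constructed sample
ENC_PW='mysecretpassword'; export ENC_PW

# Encrypt: random salt, PBKDF2-HMAC-SHA256 with 600k iterations, password from $ENC_PW.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -md sha256 \
    -in "$1" -out "$2" -pass env:ENC_PW
}

# Decrypt with the same KDF parameters; anything else derives a different key.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -md sha256 \
    -in "$1" -out "$2" -pass env:ENC_PW 2>/dev/null
}

# The cheatsheet's original form: legacy derivation, no -pbkdf2. Same password,
# different key, so the output (if any) is garbage and enc reports "bad decrypt".
decrypt_legacy() {
  openssl enc -d -aes-256-cbc -in "$1" -out "$2" -pass env:ENC_PW 2>/dev/null || true
}

# Prints "match" when the decrypted file equals the original, else "differs".
roundtrip_status() { if cmp -s "$1" "$2"; then echo match; else echo differs; fi; }

encrypt_file input.txt encrypted.bin
decrypt_file encrypted.bin decrypted.txt
decrypt_legacy encrypted.bin legacy.txt
echo "pbkdf2 decrypt: $(roundtrip_status input.txt decrypted.txt)"
echo "legacy decrypt: $(roundtrip_status input.txt legacy.txt)"
echo "header: $(head -c 8 encrypted.bin)"    # enc's salted format starts with "Salted__"
```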

Create a Password-Protected Private Key

Example Usage: openssl genrsa -aes256 -out secure_key.pem 2048

What it does: Generates a 2048-bit RSA private key and encrypts it with AES-256, prompting for a password.

Command-line Arguments Explained:

  • -aes256: Encrypts the private key with AES-256.
  • -out: Output file for the secured key.
  • 2048: Key length in bits.

Generate a Random String for Passwords

Example Usage: openssl rand -base64 32

What it does: Generates 32 cryptographically random bytes and prints them Base64-encoded (44 characters), suitable for passwords or tokens.

Command-line Arguments Explained:

  • -base64: Outputs the random bytes in Base64 encoding.
  • 32: Number of random bytes to generate.

Verify a Certificate Against a CA

Example Usage: openssl verify -CAfile ca_cert.pem cert.pem

What it does: Verifies that cert.pem chains to (is signed by) the CA certificate in ca_cert.pem and is within its validity period; a self-signed certificate that is not in ca_cert.pem fails this check.

Command-line Arguments Explained:

  • -CAfile: Path to the CA certificate used for verification.
  • cert.pem: Certificate to verify.
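The CA, CSR, signing and verification commands above, chained into one throwaway two-tier PKI as an added example that is not part of the original post. The -subj values, the subjectAltName extension file and the temporary working directory are assumptions of this example; openssl is assumed to be on PATH.

```shell
# Added example, not part of the original post. Names and the SAN file are assumptions.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Test CA: self-signed, key left unencrypted (-nodes). -subj avoids the interactive
# prompts and -newkey rsa:2048 makes the key type explicit.
openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -subj "/CN=Test CA" \
  -keyout ca_key.pem -out ca_cert.pem 2>/dev/null

# Leaf: its own key, then a CSR that carries only the subject name.
openssl genrsa -out private_key.pem 2048 2>/dev/null
openssl req -new -key private_key.pem -subj "/CN=localhost" -out csr.pem 2>/dev/null

# Clients match the host name against subjectAltName, not the CN, and a leaf should say
# CA:FALSE; x509 -req adds neither unless told to. Without -days it issues for 30 days.
printf 'subjectAltName=DNS:localhost\nbasicConstraints=CA:FALSE\n' > san.ext
openssl x509 -req -in csr.pem -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
  -days 90 -extfile san.ext -out signed_cert.pem 2>/dev/null

# An unrelated self-signed certificate (the cheatsheet's first command) for contrast.
openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -subj "/CN=localhost" \
  -keyout key.pem -out cert.pem 2>/dev/null

# Chain check: "ok" when $1 chains to ca_cert.pem, otherwise "fail".
verify_against_ca() {
  if openssl verify -CAfile ca_cert.pem "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Expiry check: succeeds only if $1 is still valid $2 seconds from now.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Does the certificate actually carry the DNS name in subjectAltName?
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

openssl x509 -in signed_cert.pem -noout -subject -issuer -enddate
echo "signed_cert.pem: $(verify_against_ca signed_cert.pem)  cert.pem: $(verify_against_ca cert.pem)"
```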

Check Connection to a Secure Server

Example Usage: openssl s_client -connect localhost:8443 -cert client_cert.pem -key client_key.pem

What it does: Connects to a secure server on localhost:8443 using a client certificate and private key for mutual TLS authentication.

Command-line Arguments Explained:

  • -connect: Host and port to connect to.
  • -cert: Path to the client certificate.
  • -key: Path to the client private key.

Hong's Tech Blog