# Cheatsheet & Examples: openssl

openssl is a versatile tool for managing cryptographic operations, including generating keys, creating certificates, and securing communications. It supports SSL/TLS protocols, digital signatures, encryption, and more.

## Generate a Self-Signed Certificate for Testing

Example Usage:
`openssl req -x509 -new -nodes -days 365 -keyout key.pem -out cert.pem`

What it does:
Creates a self-signed X.509 certificate valid for 365 days, with a private key stored in `key.pem` and the certificate in `cert.pem`.

Command-line Arguments Explained:

- `-x509`: Specifies that the output should be a self-signed certificate.
- `-new`: Generates a new certificate request (CSR).
- `-nodes`: Prevents the private key from being encrypted (no DES).
- `-days 365`: Sets the certificate validity period to 365 days.
- `-keyout key.pem`: Writes the generated private key to `key.pem`.
- `-out cert.pem`: Saves the certificate output to `cert.pem`.

## Test SSL/TLS Connections

Example Usage:
`openssl s_client -connect example.com:443`

What it does:
Establishes an SSL/TLS connection to a remote server (e.g., `example.com:443`) to inspect its certificate and protocol details.

Command-line Arguments Explained:

- `-connect`: Specifies the host and port to connect to (e.g., `example.com:443`).
- `-showcerts`: Displays all certificates in the chain (optional, not in the example but adds context).

## Generate a Private RSA Key

Example Usage:
`openssl genrsa -out private_key.pem 2048`

What it does:
Generates a 2048-bit RSA private key and saves it to `private_key.pem`.

Command-line Arguments Explained:

- `-out`: Specifies the output file for the private key.
- `2048`: Sets the key length (in bits) for the RSA key.

## Create a Certificate Signing Request (CSR)

Example Usage:
`openssl req -new -key private_key.pem -out csr.pem`

What it does:
Generates a CSR using an existing private key (`private_key.pem`), which is then submitted to a Certificate Authority (CA).

Command-line Arguments Explained:

- `-new`: Creates a new CSR.
- `-key`: Specifies the private key file to use.
- `-out`: Saves the CSR to `csr.pem`.

## View Certificate Details

Example Usage:
`openssl x509 -in cert.pem -text -noout`

What it does:
Displays the human-readable contents of a certificate file (`cert.pem`) without outputting the binary data.

Command-line Arguments Explained:

- `-in`: Specifies the input certificate file.
- `-text`: Prints the certificate details in text format.
- `-noout`: Prevents the certificate from being output in binary form.

## Convert Certificates Between Formats

Example Usage:
`openssl x509 -in cert.pem -outform DER -out cert.der`

What it does:
Converts a PEM-formatted certificate to DER (binary) format and saves it as `cert.der`.

Command-line Arguments Explained:

- `-in`: Input file in PEM format (`cert.pem`).
- `-outform DER`: Specifies the output format as DER (binary).
- `-out`: Saves the converted certificate to `cert.der`.

## Sign a CSR with a Private Key

Example Usage:
`openssl x509 -req -in csr.pem -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out signed_cert.pem`

What it does:
Signs a CSR (`csr.pem`) using a CA's private key (`ca_key.pem`) and certificate (`ca_cert.pem`), outputting a signed certificate (`signed_cert.pem`).

Command-line Arguments Explained:

- `-req`: Treats the input as a CSR.
- `-in`: Input CSR file (`csr.pem`).
- `-CA`: Path to the CA certificate.
- `-CAkey`: Path to the CA's private key.
- `-CAcreateserial`: Creates a serial file if it doesn't exist.
- `-out`: Saves the signed certificate.

## Check a Certificate's Validity Period

Example Usage:
`openssl x509 -in cert.pem -enddate -noout`

What it does:
Displays the certificate's expiration date (end date).

Command-line Arguments Explained:

- `-in`: Input certificate file (`cert.pem`).
- `-enddate`: Outputs the certificate's end date.
- `-noout`: Prevents the certificate from being output in binary.

## Generate Diffie-Hellman Parameters

Example Usage:
`openssl dhparam -out dhparam.pem 2048`

What it does:
Creates DH parameters (used in TLS) for a 2048-bit key exchange, saving them to `dhparam.pem`.

Command-line Arguments Explained:

- `-out`: Output file for DH parameters.
- `2048`: Key length in bits for DH parameters.

## Convert PKCS#12 (PFX) Files to PEM

Example Usage:
`openssl pkcs12 -in key_store.pfx -out key.pem -nodes`

What it does:
Extracts a certificate and private key from a PKCS#12 (PFX) file (`key_store.pfx`) into PEM format, saving them to `key.pem`.

Command-line Arguments Explained:

- `-in`: Input PKCS#12 file.
- `-out`: Output PEM file (contains certificate and private key).
- `-nodes`: Prevents password protection of the private key.

## Check SSL/TLS Server Configuration

Example Usage:
`openssl s_server -cert cert.pem -key private_key.pem -accept 443`

What it does:
Starts an SSL/TLS server listening on port 443, using `cert.pem` and `private_key.pem`.

Command-line Arguments Explained:

- `-cert`: Path to the server's certificate.
- `-key`: Path to the server's private key.
- `-accept`: Port to listen on (e.g., 443).

## Generate a Hash (Digest) of a File

Example Usage:
`openssl dgst -sha256 -out hash.txt file.txt`

What it does:
Computes the SHA-256 hash of `file.txt` and saves it to `hash.txt`.

Command-line Arguments Explained:

- `-sha256`: Specifies the hashing algorithm.
- `-out`: Output file for the hash result.
- `file.txt`: Input file to hash.

## Encrypt a File Using AES-256

Example Usage:
`openssl enc -aes-256-cbc -in input.txt -out encrypted.txt -pass pass:mysecretpassword`

What it does:
Encrypts `input.txt` using AES-256-CBC with the provided password, saving the result to `encrypted.txt`.

Command-line Arguments Explained:

- `-aes-256-cbc`: Specifies the encryption algorithm.
- `-in`: Input file to encrypt.
- `-out`: Output file for the encrypted data.
- `-pass`: Password for encryption (e.g., `pass:mysecretpassword`).

## Decrypt a File Using AES-256

Example Usage:
`openssl enc -d -aes-256-cbc -in encrypted.txt -out decrypted.txt -pass pass:mysecretpassword`

What it does:
Decrypts `encrypted.txt` using AES-256-CBC and the provided password, saving the result to `decrypted.txt`.

Command-line Arguments Explained:

- `-d`: Enables decryption mode.
- `-aes-256-cbc`: Encryption algorithm used during encryption.
- `-in`: Input file to decrypt.
- `-out`: Output file for the decrypted data.
- `-pass`: Password for decryption.

## Create a Password-Protected Private Key

Example Usage:
`openssl genrsa -aes256 -out secure_key.pem 2048`

What it does:
Generates a 2048-bit RSA private key and encrypts it with AES-256, prompting for a password.

Command-line Arguments Explained:

- `-aes256`: Encrypts the private key with AES-256.
- `-out`: Output file for the secured key.
- `2048`: Key length in bits.

## Generate a Random String for Passwords

Example Usage:
`openssl rand -base64 32`

What it does:
Generates a 32-byte random string encoded in Base64, suitable for passwords or tokens.

Command-line Arguments Explained:

- `-base64`: Outputs the random bytes in Base64 encoding.
- `32`: Number of random bytes to generate.

## Verify a Certificate Against a CA

Example Usage:
`openssl verify -CAfile ca_cert.pem cert.pem`

What it does:
Verifies that `cert.pem` is signed by the CA certificate in `ca_cert.pem`.

Command-line Arguments Explained:

- `-CAfile`: Path to the CA certificate used for verification.
- `cert.pem`: Certificate to verify.

## Check Connection to a Secure Server

Example Usage:
`openssl s_client -connect localhost:8443 -cert client_cert.pem -key client_key.pem`

What it does:
Connects to a secure server on `localhost:8443` using a client certificate and private key for mutual TLS authentication.

Command-line Arguments Explained:

- `-connect`: Host and port to connect to.
- `-cert`: Path to the client certificate.
- `-key`: Path to the client private key.

## Convert PEM to DER Format

Example Usage:
`openssl x509 -in cert.pem -outform DER -out cert.der`

What it does:
Converts a PEM-formatted certificate to DER (binary) format, saving it as `cert.der`.

Command-line Arguments Explained:

- `-in`: Input file in PEM format.
- `-outform DER`: Specifies DER as the output format.
- `-out`: Output file for the converted certificate.
