OpenSSL Common Usage

OpenSSL Common Usage

OpenSSL is a powerful Linux command for managing certificates. These are some common operations I frequently use.

Generate RSA Key Pair

This command generates a 2048 bits private key.

openssl genrsa -out example.key 2048

Verify private and public key by comparing the output of the following 2 commands.

ssh-keygen -yef id_rsa
ssh-keygen -yef id_rsa.pub

Generate Certificate Signing Request (CSR) With Existing Key

CSR is generated from existing private key. Make sure you keep your private key well.

openssl req -out example.csr -key example.key -new

Generate New Key And Certificate Signing Request (CSR)

Generate a new private key and new CSR using that key.

openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr

Check Certificate Signing Request (CSR) Info

openssl req -in example.csr -noout -text

Generate Self-signed SSL Cert

Both private key and CSR are needed to generate SSL cert. Choose an appropriate expiry date for your cert.

openssl x509 -req -days 3650 -in example.csr -signkey example.key -out example.crt

Generate PKCS12 Cert From PEM Cert And Private Key

Note that the CA bundle file is needed for the certfile switch. certfile switch is optional.

openssl pkcs12 -export -out example.pfx -inkey example.key -in example.crt -certfile CACert.crt

Generate PKCS7 Cert To PEM Cert

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

Check Cert Information

This is referring to x509 certs, which is used by Apache for SSL.

openssl x509 -in example.crt  -text

View a certificate encoded in PKCS#7 format

openssl pkcs7 -print_certs -in example.p7b

View a certificate and key pair encoded in PKCS#12 format

openssl pkcs12 -info -in example.pfx

Verification

RSA private key is used to generate CSR and cert. Verification can be performed by matching modulus that is embedded in key, CSR, and cert.

Get hashed modulus of key

openssl rsa -in example.key -noout -modulus | md5sum

"unable to load private key" Issue

If you are getting "unable to load private key" issue, and the first line in key file is -----BEGIN OPENSSH PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY-----, there is a workaround. Use the following command to convert it to regular REM format.

ssh-keygen -p -m PEM -f example.key

Get hashed modulus of CSR

openssl req -in example.csr -noout -modulus | md5sum

Get hashed modulus of cert

openssl x509 -in example.crt -noout -modulus | md5sum