in DevOps, linux, security

Important OpenSSL Commands in Real World

OpenSSL cheat sheet.

1. Create new Private Key and Certificate Signing Request

openssl req -out server.csr -newkey rsa:2048 -nodes -keyout private.key

Above command will generate CSR and 2048-bit RSA key file. If you intend to get public certificate then you need to send this CSR file to certificate issuer authority and they will give you signed certificate.

2. Create Self-Signed Certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.pem

# OR [optional]
# Sign with an upstream CA (needs CA cert and key)
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Above command will generate a self-signed certificate and key file with 2048-bit RSA. You may consider defining –days parameter to extend the validity.

3. Verify CSR file

openssl req -noout -text -in server.csr

Verification is important to ensure you are sending CSR to issuer authority with required details.

4. Create RSA Private Key

openssl genrsa -out private.key 2048

If you just need to generate RSA private key, you can use above command. I have included 2048 for stronger encryption.

5. Remove Passphrase from Key

openssl rsa -in private.key -out nopassphrase.key

If you are using passphrase in key file and using Apache then every time you start, you have to enter the password.

6. Verify Private Key

openssl rsa -in private.key -check

If you doubt on your key file, you can use above command to check.

7. Verify Certificate File

openssl x509 -in cert.pem -text -noout

If you would like to validate certificate data like CN, OU, etc then you can use above command which will give you certificate details.

Verifying that a Certificate is issued by a CA
openssl verify -verbose -CAfile cacert.pem server.crt

8. Verify the Certificate Signer Authority

openssl x509 -in cert.pem -noout -issuer -issuer_hash

Certificate issuer authority signs every certificate and in case you need to check them, you can use above command.

9. Check Hash Value of A Certificate

openssl x509 -noout -hash -in cert.pem

10. Convert DER to PEM format

openssl x509 -inform der -in sslcert.der -out sslcert.pem

Usually, certificate authority will give you SSL cert in .der format and if you need to use them in apache or .pem format, you can use above command to convert them.

11. Convert PEM to DER format

openssl x509 -outform der -in sslcert.pem -out sslcert.der

In case you need to change .pem format to .der

12. Convert Certificate and Private Key to PKCS#12 format

openssl pkcs12 -export -out sslcert.pfx -inkey key.pem -in sslcert.pem

If you need to use a cert with the java application or with any other who accept only PKCS#12 format, you can use above command, which will generate single pfx containing certificate & key file.

Tip: you can also include chain certificate by passing –chain as below.

openssl pkcs12 -export -out sslcert.pfx -inkey key.pem -in sslcert.pem -chain cacert.pem

13. Create CSR using existing private key

openssl req -out certificate.csr -key existing.key -new

If you don’t want to create a new private key instead using existing one, you can with above command.

14. Check contents of PKCS12 format cert

openssl pkcs12 -info -nodes -in cert.p12

PKCS12 is binary format so you won’t be able to view the content in notepad or another editor. So you got to use above command to view the contents of PKCS12 format file.

15. Convert PKCS12 format to PEM certificate

openssl pkcs12 -in cert.p12 -out cert.pem

If you wish to use existing pkcs12 format with Apache or just in pem format, this will be useful.

16. Test SSL certificate of particular URL

openssl s_client -connect -showcerts
# OR [optional]
# verify remote cert connectivity with private and CA
openssl s_client -connect -key private.key -CAfile ca.crt -state

I use this quite often to validate the SSL certificate of particular URL from the server. This is very handy to validate the protocol, cipher, and cert details.

17. Find out OpenSSL version

openssl version

If you are responsible for ensuring OpenSSL is secure then probably one of the first things you got to do is to verify the version.

  1. Check PEM File Certificate Expiration Date
openssl x509 -noout -in certificate.pem -dates

Useful if you are planning to put some kind of monitoring to check the validity. It will show you date in notBefore and notAfter syntax. notAfter is one you will have to verify to confirm if a certificate is expired or still valid.

19. Check Certificate Expiration Date of SSL URL

openssl s_client -connect 2>/dev/null | openssl x509 -noout -enddate

Another useful if you are planning to monitor SSL cert expiration date remotely or particular URL.

20. Check if SSL V2 or V3 is accepted on URL

To check SSL V2

openssl s_client -connect -ssl2

To Check SSL V3

openssl s_client -connect -ssl3

To Check TLS 1.0

openssl s_client -connect -tls1

To Check TLS 1.1

openssl s_client -connect -tls1_1

To Check TLS 1.2

openssl s_client -connect -tls1_2

If you are securing web server and need to validate if SSL V2/V3 is enabled or not, you can use above command. If enabled, you will get “CONNECTED” else “handshake failure

21. Verify if particular cipher is accepted on URL

openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443

If you are working on security findings and pen test results show some of the weak ciphers is accepted then to validate, you can use above command. Off course, you will have to change the cipher and URL, which you want to test against.

If mentioned cipher is accepted then you will get “CONNECTED” else “handshake failure”.

22. Better DH for nginx/Apache

openssl dhparam -out dhparam.pem 2048

For stronger DH Param and fix Weak Diffie Hellman Logjam Attack .

23. Base64 encoding/decoding

openssl enc -base64 -in myfile -out myfile.b64
openssl enc -d -base64 -in myfile.b64 -out myfile.decoded

echo username:passwd | openssl base64
echo dXNlcm5hbWU6cGFzc3dkCg== | openssl base64 -d