Handy openssl commands
My Handy openssl
command list;
Generate a password hash
1 | openssl passwd -1 |
Really handy, if you vitally need to store users passwords in you system
Generate Randomness
1 | openssl rand -base64 128 |
A nice comparison of this wold be with
1 | cat /dev/urandom | head -c 128 | base64 |
Although it seems openssl
actually uses /dev/urandom
under the hood, when hardware is specified
Generating Keys
RSA Key
1 | openssl genrsa -aes256 -out node.key 2048 |
Public Key
1 | openssl rsa -in node.key -pubout -out node.pub.key |
DSA key
1 | openssl dsaparam -genkey 2048 -out node.dsa.key |
or simpler;
1 | openssl dsaparam -genkey 2048 | openssl dsa -out node.key -aes256 |
ECDSA key
1 | openssl ecparam -genkey -name secp256r1 -out node.ecdsa.key |
or simpler;
1 | openssl ecparam -genkey -name secp256r1 | openssl ec -out node.key -aes256 |
Self signed Keys
In order to request a new self signed certificate, and a new private key:
1 | openssl req -new -x509 -keyout privkey.pem -newkey rsa:2048 |
req
: certificate request and certificate generating utilitynew
: generates a new certificate requestx509
: creates a test certificate or a self signed root CAkeyout
: the filename to write the newly created private keynewkey
: creates a new certificate request and a new private key
Also
Examine and verify certificate request
1 | openssl req -in node.key -text -verify -noout |
Creating a csr with a key
1 | openssl req -new -key node.key -out node.csr |
Requesting a custom siggning certificate
1 | openssl x509 -req -days 365 -in node.csr -signkey node.key -out node.crt |
or without a csr
1 | openssl req -new -x509 -days 365 -key node.key -out node.crt |
Then creating a csr from an existing certificate
1 | openssl x509 -x509toreq -in node.crt -ou node.csr -signkey node.key |
x509
Display the contents of a certificate:
1 | openssl x509 -in cert.pem -noout -text |
Display the certificate serial number:
1 | openssl x509 -in cert.pem -noout -serial |
Display the certificate subject name:
1 | openssl x509 -in cert.pem -noout -subject |
Display the certificate subject name in RFC2253 form:
1 | openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 |
Display the certificate subject name in oneline form on a terminal supporting UTF8:
1 | openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb |
Display the certificate MD5 fingerprint:
1 | openssl x509 -in cert.pem -noout -fingerprint |
Display the certificate SHA1 fingerprint:
1 | openssl x509 -sha1 -in cert.pem -noout -fingerprint |
Convert a certificate from PEM to DER format:
1 | openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER |
Convert a certificate to a certificate request:
1 | openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem |
Convert a certificate request into a self signed certificate using extensions for a CA:
1 | openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ |
Sign a certificate request using the CA certificate above and add user certificate extensions:
1 | openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial |
Set a certificate to be trusted for SSL client use and change set its alias to “Steve’s Class 1 CA”
1 | openssl x509 -in cert.pem -addtrust clientAuth -setalias "Steve's Class 1 CA" -out trust.pem |