Setting up an OpenSSL CA
$ mkdir ~/certs
$ cd ~/certs
$ openssl genrsa -des3 -out myCA.key 2048 #Generate the private key to become a local CA
$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem #Generate a root certificate
Generating a private key
Generate a new RSA private key and save it in ‘private.key’. Remember to keep your private keys secure!
$ openssl genpkey -algorithm RSA -out private.key
Generating a Certificate Signing Request (CSR)
Create a CSR using the private key to request a digital certificate from a Certificate Authority (CA).
$ openssl req -new -key private.key -out csr.csr
Generating a Self-Signed Certificate
Create a self-signed certificate valid for 365 days. Useful for testing but not recommended for production.
$ openssl req -new -x509 -key private.key -out certificate.crt -days 365
Encrypting Files
Encrypt ‘sensitive.txt’ with AES-256 (the -aes256 alias selects aes-256-cbc) and store the result in ‘sensitive.enc’; you are prompted for a passphrase. Without -pbkdf2, OpenSSL derives the key with its legacy single-iteration EVP_BytesToKey scheme and (from 1.1.1 on) prints a deprecation warning, so add -pbkdf2 to both the encrypt and the decrypt command when you can.
$ openssl enc -aes256 -in sensitive.txt -out sensitive.enc
Decrypting Files
Decrypt ‘sensitive.enc’ with the same cipher and passphrase to recover the original content. -d selects decryption; the cipher and any key-derivation option (such as -pbkdf2) must match what was used to encrypt.
$ openssl enc -aes256 -d -in sensitive.enc -out sensitive.txt
Verifying a Certificate
Display detailed certificate information, including issuer, subject, validity, and public key details.
$ openssl x509 -in certificate.crt -noout -text
Converting Certificate Formats
Convert a certificate from one format (e.g., .crt) to another (e.g., .pem). Note that both extensions are commonly used for PEM-encoded files, so this command simply re-reads and re-writes PEM; to convert a binary DER certificate, add -inform der (and -outform der to go the other way).
$ openssl x509 -in certificate.crt -out certificate.pem
Creating a Certificate Chain
Create a certificate chain (‘chain.crt’) by concatenating ‘intermediate.crt’ and ‘root.crt’.
$ cat intermediate.crt root.crt > chain.crt
Signing a CSR with a CA
Sign the CSR using the CA certificate and private key to issue a valid certificate. -CAcreateserial creates the serial-number file (ca.srl) on first use. Note that openssl x509 -req does not copy extensions such as subjectAltName from the CSR; supply them with -extfile.
$ openssl x509 -req -in csr.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out certificate.crt -days 365
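The CA, key, CSR, signing and verification steps above, assembled into one runnable script. This is an added example, not part of the original cheat sheet: it works in a directory you pass in, leaves the CA key unencrypted only so that it runs without prompts (the cheat sheet's -des3/-aes256 keys are the right choice for a real CA), and uses made-up subject names (Example Local Root CA, server.example.test). It also shows the two checks the cheat sheet's later sections call for, openssl verify against the CA and openssl x509 -checkend for upcoming expiry.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a complete local-CA
# workflow built from the commands above. The CA key is left unencrypted
# only so the script runs non-interactively. All file and subject names
# are assumptions chosen for this example.
set -eu

# build_local_pki DIR: create a root CA, a server key and CSR, sign the CSR,
# verify the result, and print "ok" on success.
build_local_pki() {
  (
    set -e
    mkdir -p "$1"
    cd "$1"

    # 1. Root CA key and self-signed root certificate (unencrypted key: example only).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out myCA.key
    openssl req -x509 -new -key myCA.key -sha256 -days 1825 \
      -subj "/CN=Example Local Root CA" -out myCA.pem

    # 2. Server key and certificate signing request.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
    openssl req -new -key server.key -subj "/CN=server.example.test" -out server.csr

    # 3. Sign the CSR. "openssl x509 -req" ignores extensions in the CSR, so the
    #    subjectAltName that clients require is supplied through -extfile.
    printf 'subjectAltName=DNS:server.example.test\nbasicConstraints=CA:FALSE\n' > server.ext
    openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
      -days 365 -sha256 -extfile server.ext -out server.crt

    # 4. Verify the chain against the CA, then confirm the certificate does not
    #    expire within 30 days (-checkend N exits non-zero if it expires within N seconds).
    openssl verify -CAfile myCA.pem server.crt >/dev/null
    openssl x509 -checkend 2592000 -noout -in server.crt >/dev/null
    echo ok
  )
}

# cert_has_san CERT NAME: true if the certificate carries a DNS SAN for NAME.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: sh this_script.sh /path/to/workdir
if [ $# -gt 0 ]; then
  build_local_pki "$1"
fi
```

The server certificate in the working directory can then be inspected with the same openssl x509 -noout -text, -enddate and -fingerprint commands listed elsewhere on this page.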
Generating a Random Number
Generate 16 random bytes (128 bits) printed as 32 hexadecimal characters, useful for encryption keys or nonces.
$ openssl rand -hex 16
Checking CSR Details
Review the contents of a Certificate Signing Request (CSR), including provided information.
$ openssl req -in csr.csr -noout -text
Viewing Certificate Expiry
See the certificate’s expiration date for timely renewal.
$ openssl x509 -enddate -noout -in certificate.crt
Checking Certificate Revocation
Inspect the Certificate Revocation List (CRL) for revoked certificates.
$ openssl crl -in certificate.crl -noout -text
Converting PFX to PEM
Extract the certificate from a PFX file to PEM format.
$ openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem
Creating a Password-Protected Private Key
Generate an AES256 encrypted RSA private key with a passphrase.
$ openssl genpkey -algorithm RSA -aes256 -out private.key
Testing Protocol Support
Check whether ‘example.com’ supports TLS 1.2 (the handshake fails if the server does not offer that version).
$ openssl s_client -connect example.com:443 -tls1_2
Extracting Public Key from Private Key
Retrieve the public key from the private key for sharing.
$ openssl rsa -in private.key -pubout -out public.key
Encrypting and Decrypting Files with a Passphrase
Encrypting File:
$ openssl enc -aes256 -salt -in sensitive.txt -out sensitive.enc
Decrypting File:
$ openssl enc -aes256 -d -in sensitive.enc -out sensitive_decrypted.txt
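Both file-encryption sections on this page (‘Encrypting Files’ and this one) use openssl enc with a passphrase. The following added example, which is not from the original page, wraps the same commands in functions with -pbkdf2 so the key derivation is not the deprecated legacy scheme, runs an encrypt/decrypt round trip on a constructed file, and checks that a wrong passphrase does not quietly hand back the plaintext. The passphrases are read from files only to make the example non-interactive; the file names and passphrases are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): passphrase-based file
# encryption with PBKDF2 key derivation, plus a round-trip check.
# File names and passphrases below are constructed for the example.
set -u

# encrypt_file IN OUT PASSFILE: AES-256-CBC with a random salt and PBKDF2
# (100000 iterations) instead of the legacy EVP_BytesToKey derivation that
# a plain "openssl enc -aes256" falls back to.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file IN OUT PASSFILE: cipher and KDF options must match the encrypt side.
decrypt_file() {
  openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -in "$1" -out "$2" -pass "file:$3"
}

# roundtrip_demo: encrypt a constructed file, decrypt it with the right and with
# a wrong passphrase, and print "ok" only if the right one restores the
# plaintext and the wrong one does not.
roundtrip_demo() {
  dir=$(mktemp -d)
  printf 'constructed sample secret, line 1\nline 2\n' > "$dir/sensitive.txt"
  printf 'correct horse battery staple\n' > "$dir/pass.txt"   # constructed passphrase
  printf 'not the passphrase\n' > "$dir/wrong.txt"            # constructed wrong passphrase

  encrypt_file "$dir/sensitive.txt" "$dir/sensitive.enc" "$dir/pass.txt" || return 1
  decrypt_file "$dir/sensitive.enc" "$dir/sensitive_decrypted.txt" "$dir/pass.txt" || return 1
  cmp -s "$dir/sensitive.txt" "$dir/sensitive_decrypted.txt" || return 1

  # CBC with PKCS#7 padding usually rejects a wrong passphrase ("bad decrypt"),
  # but about 1 time in 256 the padding check passes and garbage is written,
  # so compare contents instead of trusting the exit status alone.
  if decrypt_file "$dir/sensitive.enc" "$dir/bad.txt" "$dir/wrong.txt" 2>/dev/null; then
    cmp -s "$dir/sensitive.txt" "$dir/bad.txt" && return 1
  fi

  rm -rf "$dir"
  echo ok
}
```

Run as roundtrip_demo to see the check pass; the interactive commands on the page behave the same way once -pbkdf2 is added to both sides.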
Extracting Remote Certificates
$ echo | openssl s_client -connect technix.in:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > technix.crt
By default, s_client will print only the leaf certificate; if you want to print the entire chain, give it the -showcerts switch.
$ echo | openssl s_client -showcerts -connect technix.in:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > technix.chain
Another useful trick is to pipe the output of s_client directly to the x509 tool. The following command shows detailed server information, along with its SHA256 fingerprint:
$ echo | openssl s_client -connect technix.in:443 2>&1 | openssl x509 -noout -text -fingerprint -sha256
Sometimes you will need to take the certificate fingerprint and use it with other tools. Unfortunately, OpenSSL outputs certificates in a format that shows individual bytes and separates them using colons. This handy command line normalizes certificate fingerprints by removing the colons and converting the hexadecimal characters to lowercase:
$ echo | openssl s_client -connect technix.in:443 2>&1 | openssl x509 -noout -fingerprint -sha256 | sed 's/://g' | tr '[:upper:]' '[:lower:]' | sed 's/sha256 fingerprint=//g'
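The normalization pipeline above can be turned into a reusable function that also handles the one thing that trips people up: OpenSSL 1.1.1 prints the label as ‘SHA256 Fingerprint=’ while OpenSSL 3.x prints ‘sha256 Fingerprint=’. The following is an added example, not part of the original page; it works on constructed fingerprint lines rather than a live server, and the digests shown are made up.

```shell
#!/bin/sh
# Added example (not from the original page): normalize the line printed by
# "openssl x509 -fingerprint" and compare it with an expected pin.
# The sample lines and the expected pin below are constructed values.

# normalize_fingerprint: stdin -> lowercase hex digest without colons.
# Accepts the OpenSSL 1.1.1 label ("SHA256 Fingerprint=") and the OpenSSL 3.x
# label ("sha256 Fingerprint="), and ignores every other line, so the full
# "-text -fingerprint" output can be piped in unchanged.
normalize_fingerprint() {
  sed -n 's/^[Ss][Hh][Aa][0-9]* Fingerprint=//p' | tr -d ':' | tr '[:upper:]' '[:lower:]'
}

# fingerprint_matches FINGERPRINT_LINE EXPECTED: true if the fingerprint line
# equals EXPECTED, which may be written in any case, with or without colons.
fingerprint_matches() {
  actual=$(printf '%s\n' "$1" | normalize_fingerprint)
  expected=$(printf '%s' "$2" | tr -d ':' | tr '[:upper:]' '[:lower:]')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample output in both label spellings (32 bytes, as SHA-256 yields).
SAMPLE_FP_111='SHA256 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'
SAMPLE_FP_3='sha256 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'
EXPECTED_PIN='0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9'

# Usage against a live server (the cheat sheet's pipeline, unchanged, fed into
# the function):
#   echo | openssl s_client -connect technix.in:443 2>&1 \
#     | openssl x509 -noout -fingerprint -sha256 | normalize_fingerprint
```

Because the function only keeps lines that start with a digest label, it can be appended to the ‘-text -fingerprint’ command as well, and fingerprint_matches gives a clean exit status for use in scripts that pin a known certificate.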
Testing Session Resumption
$ echo | openssl s_client -connect technix.in:443 -reconnect