Let’s jump into the world of OpenSSL, your trusted ally for securing online data! Whether you’re a beginner or have some experience under your belt, this article is your straightforward guide to the most common OpenSSL commands.
I’ll cover CSR and key generation, certificate management, converting certificate formats, and more. Stay with us, and soon, you’ll be using OpenSSL like a pro!
General OpenSSL Commands
Kick off your OpenSSL journey by ensuring it’s installed on your system and understanding its version. These basic commands are your first steps toward mastering OpenSSL.
Check if OpenSSL Is Installed on Linux
For GNU/Linux distributions that use rpm packages:
rpm -qa | grep -i openssl
For GNU/Linux distributions that use deb packages:
dpkg -l | grep -i openssl
For Arch Linux use:
pacman -Q openssl
Check the OpenSSL Version
openssl version -a
Managing CSR
Creating and managing Certificate Signing Requests (CSRs) is crucial in the SSL process. Learn how to generate CSRs, handle prompt-less CSR generation, verify their details, and more.
Generate a CSR for an Existing Private Key
openssl req -new -key yourKey.key -out yourCSR.csr
After executing the command, a sequence of questions will be presented to you. The responses you provide will be incorporated into the CSR.
Disable Question Prompts When Generating a CSR
Generate a CSR without being prompted for information by supplying the subject details on the command line with -subj.
openssl req -new -key yourKey.key -out yourCSR.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
Check the CSR Info
Verify that the CSR contains the correct information with this OpenSSL command before sending it to a Certificate Authority.
openssl req -text -in yourCSR.csr -noout -verify
Generate a CSR Based on an Existing Certificate
openssl x509 -x509toreq -in yourCertificate.crt -out yourCSR.csr -signkey yourPrivateKey.key
Send the CSR to the CA
Use this command to display and copy your CSR to submit to a Certificate Authority.
cat yourCSR.csr
Managing Private and Public Keys
Discover the ins and outs of handling private keys in OpenSSL. This section covers all key-related essentials, from generating to decoding and managing passphrases.
Generate the Private Key with OpenSSL
Create a new private key using the RSA algorithm and specify the key size with this command.
openssl genrsa -out yourPrivateKey.key 2048
To generate your private key, specify the key algorithm, the key size, and an optional passphrase. The standard key algorithm is RSA, but you can also select ECDSA for specific situations.
When using the RSA key algorithm, you should choose 2048 bits for your key size and 256 bits when using the ECDSA algorithm. Any key size lower than 2048 is not secure, while a higher value may slow down the performance.
Finally, you should decide whether you need a passphrase for your private key. Please note that certain servers will not accept private keys with passphrases.
Once you’re ready to generate your private key (with the RSA algorithm), run the genrsa command shown at the top of this section.
View the Private Key Information
cat yourPrivateKey.key
Decode the Private Key
Decode and display your private key in text format with this command.
openssl rsa -text -in yourPrivateKey.key -noout
Extract the Public Key from the Private Key
openssl rsa -in yourPrivateKey.key -pubout -out yourPublicKey.key
Create Your Private Key and CSR at Once
openssl req -out yourCSR.csr -new -newkey rsa:2048 -nodes -keyout yourPrivateKey.key
This command generates the private key without a passphrase (-nodes), writes it to yourPrivateKey.key (-keyout), and creates the CSR code (-out yourCSR.csr).
Remove a Passphrase from a Private Key
openssl rsa -in yourPrivateKey.pem -out yourNewPrivateKey.pem
Check a Private Key
Verify the integrity and correctness of a private key with this command.
openssl rsa -in yourPrivateKey.key -check
Verifying Consistency Between Certificates, Private Keys, and CSRs with OpenSSL
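Verify that a certificate matches a private key or CSR by running the commands below and comparing the hashes they print; the files belong together only when the hashes are identical: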
openssl x509 -noout -modulus -in certificate.crt | openssl md5
Ensure that a private key corresponds correctly to a specific SSL certificate or CSR:
openssl rsa -noout -modulus -in privateKey.key | openssl md5
Confirm that the CSR matches the private key and is suitable for a specific certificate:
openssl req -noout -modulus -in CSR.csr | openssl md5
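The three comparisons above as one runnable check, added here as an example that is not part of the original article. It hashes the whole public key with SHA-256 rather than the RSA modulus with MD5, so it goes beyond the commands shown and also covers ECDSA keys, which have no modulus. The functions `pubkey_digest`, `files_match` and `make_set`, the file names and `example.test` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original article). All files are constructed
# throwaways in a temp directory; example.test is a placeholder name.

# Print the SHA-256 of the public key in FILE. KIND is key, csr or cert.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable, encrypted or wrong file type
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when KEY, CSR and CERT all carry the same public key.
files_match() {
    k=$(pubkey_digest key  "$1") || return 1
    r=$(pubkey_digest csr  "$2") || return 1
    c=$(pubkey_digest cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Create PREFIX.key, PREFIX.csr and a self-signed PREFIX.crt. KIND is rsa or ec.
make_set() {
    case "$2" in
        rsa) openssl genrsa -out "$1.key" 2048 2>/dev/null ;;
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null ;;
    esac &&
    openssl req -new -key "$1.key" -subj "/CN=example.test" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -out "$1.crt" 2>/dev/null
}

work=$(mktemp -d)
make_set "$work/rsa" rsa
make_set "$work/ec" ec

files_match "$work/rsa.key" "$work/rsa.csr" "$work/rsa.crt" && echo "rsa set: consistent"
files_match "$work/ec.key"  "$work/ec.csr"  "$work/ec.crt"  && echo "ec set: consistent"
# A certificate issued for a different key must be rejected.
files_match "$work/rsa.key" "$work/rsa.csr" "$work/ec.crt" || echo "rsa key vs ec cert: MISMATCH"
```

The private keys are assumed to be unencrypted; a passphrase-protected key would make `openssl pkey` prompt for input.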
Managing Certificates
Understand how to use OpenSSL commands to inspect, generate, and verify SSL/TLS certificates, including checking SSL connections to ensure a secure communication channel.
Check a Certificate in OpenSSL
Inspect the details of an SSL certificate using this command.
openssl x509 -text -in yourCertificate.crt -noout
Generate a Self-Signed Certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout yourPrivateKey.key -out yourdomain.crt
Check an SSL Connection
Use this command to test and diagnose SSL connections to a server.
openssl s_client -connect www.yoursite.com:443
Converting SSL Files
Explore the flexibility of OpenSSL in converting SSL file formats. This section guides you through the OpenSSL commands for converting between different file types like DER, PEM, and PKCS#12.
DER to PEM
openssl x509 -inform der -in yourCertificate.cer -out yourCertificate.pem
PEM to DER
openssl x509 -outform der -in yourCertificate.pem -out yourCertificate.der
PKCS#12 to PEM
openssl pkcs12 -in yourKeyStore.pfx -out yourKeyStore.pem -nodes
PEM to PKCS#12
openssl pkcs12 -export -out yourCertificate.pfx -inkey yourPrivateKey.key -in yourCertificate.crt -certfile yourCACert.crt
Bottom Line
Mastering the most common OpenSSL commands is fundamental to enhancing your digital security skills.
From generating CSRs and managing keys to converting certificates, the commands we’ve covered will equip you with the knowledge necessary to confidently navigate OpenSSL’s complexities.