In this article, I have compiled several frequently used OpenSSL commands. I hope this can help someone save time and avoid repeatedly asking DevOps or admins for reminders. If you don’t want to dive deep into command descriptions, you can check all the commands in the following gist:
https://gist.github.com/stjam/db9c7279f42d1fc1a18645feef9224b6.
Enjoy!
How to get the hash of a file:
openssl sha1 -out ~/tmp/file_hash.txt ~/tmp/file_to_be_hashed.txt
This command uses the following options:
sha1: This subcommand computes the SHA-1 hash of the input file.
-out ~/tmp/file_hash.txt: This option specifies the output filename for the generated hash value, which will be stored in the ~/tmp/file_hash.txt file.
~/tmp/file_to_be_hashed.txt: This argument specifies the input file that should be hashed, which is ~/tmp/file_to_be_hashed.txt in this case.
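A digest is only useful when it is compared against a value you trust, so the following added example (not code from the original article) wraps the same openssl digest command in a verification check. It uses SHA-256 alongside SHA-1 because SHA-1 is no longer collision resistant; the file name and the "hello" sample content are constructed for the example.

```shell
#!/bin/sh
# Added example: compute a file digest with `openssl dgst` and compare it with an
# expected value, which is the check needed before trusting a downloaded artifact.
# File names and sample content below are constructed for this example.

# Print only the hex digest of file $2 using algorithm $1 (sha1, sha256, ...).
# `openssl dgst` prints "SHA256(path)= <hex>"; the last field is the hash.
file_digest() {
    openssl dgst "-$1" "$2" | awk '{ print $NF }'
}

# Return 0 when the file's digest matches the expected hex value, 1 otherwise.
# Both sides are lower-cased because tools differ in hex casing.
verify_digest() {
    alg=$1; path=$2; expected=$3
    actual=$(file_digest "$alg" "$path" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Demo on a constructed file whose digests are well known.
DEMO_FILE=$(mktemp)
printf 'hello\n' > "$DEMO_FILE"
echo "sha1:   $(file_digest sha1 "$DEMO_FILE")"
echo "sha256: $(file_digest sha256 "$DEMO_FILE")"
if verify_digest sha256 "$DEMO_FILE" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
    echo "integrity OK"
else
    echo "MISMATCH: the file was altered or the expected digest is wrong"
fi
rm -f "$DEMO_FILE"
```

Use verify_digest with the digest published by the software vendor; a mismatch after download is the signal to discard the file rather than install it.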
How to create a CA certificate and CA key:
openssl req -new -x509 -newkey rsa:2048 -keyout ./cakey.pem -out ./cacert.pem -days 3650
After executing this command, you should follow the instructions and provide the country name, organization unit, etc. To simplify this process, you can pre-fill this data in the following way:
openssl req -new -x509 -newkey rsa:2048 -keyout ./cakey.pem -out ./cacert.pem -days 3650 -subj "/C=RU/L=Saint Petersburg/O=Bank/OU=IT Dept/CN=CommonName"
After executing the command, you only need to provide the passphrase.
This command uses the following options:
req: This command is used to generate or modify certificate signing requests (CSRs).
-new: This option is used to create a new CSR.
-x509: This option specifies that the output should be an X.509 certificate instead of a CSR.
-newkey rsa:2048: This option generates a new RSA key of 2048 bits for the CSR.
-keyout ./cakey.pem: This option specifies the output filename for the private key that will be generated. In this case, the private key will be stored in the ./cakey.pem file.
-out ./cacert.pem: This option specifies the output filename for the generated certificate. In this case, the certificate will be stored in the ./cacert.pem file.
-days 3650: This option specifies the number of days that the generated certificate should be valid for. In this case, the certificate will be valid for 10 years (3650 days).
-subj "/C=RU/L=Saint Petersburg/O=Bank/OU=IT Dept/CN=CommonName": This option specifies the subject of the certificate, including the country code (C), locality (L), organization (O), organizational unit (OU), and common name (CN) fields. In this example, the subject is set to "/C=RU/L=Saint Petersburg/O=Bank/OU=IT Dept/CN=CommonName".
Note: The algorithm parameters, such as the key generation algorithm, key size, validity period, and common name, should be selected according to your organization’s security requirements.
How to create a certificate signing request (CSR):
openssl req -new -newkey rsa:2048 -keyout ./key.pem -out ./certificate.csr -subj "/C=RU/L=Saint Petersburg/O=Bank/OU=IT Dept/CN=CommonName"
Although I have previously described all the options available for this command, it is worth noting the specifics of the -out option. With the -out option, you should specify the name and file path for the new certificate request to be written to.
How to self-sign a certificate:
In the enterprise world, organizations often have their own certificate authority centers that sign certificates, and you just need to submit your CSR file to your organization’s certificate authority center. Here’s an example of signing a CSR yourself, using the self-signed CA certificate and key created above:
openssl x509 -req -in ./certificate.csr -CA ./cacert.pem -CAkey ./cakey.pem -CAcreateserial -out ./signed_cert.pem -days 365
This command uses the following options:
x509: This subcommand tells OpenSSL that we want to work with X.509 certificates.
-req: This option specifies that we are working with a certificate signing request.
-in ./certificate.csr: This option specifies the name of the file containing the certificate signing request that we want to sign.
-CA ./cacert.pem: This option specifies the name of the self-signed CA certificate file that we generated earlier.
-CAkey ./cakey.pem: This option specifies the name of the private key file that corresponds to the self-signed CA certificate.
-CAcreateserial: This option tells OpenSSL to create a new serial number for the signed certificate.
-out ./signed_cert.pem: This option specifies the name of the file that will contain the signed certificate.
-days 365: This option specifies the number of days that the signed certificate will be valid for.
How to check if a certificate has expired or not:
openssl x509 -in ./signed_cert.pem -checkend 186400
The -checkend argument is a number of seconds: the command checks whether the certificate will still be valid that far in the future. If the certificate will not have expired by then, you will see the following output and the command exits with status 0: Certificate will not expire. Otherwise it prints Certificate will expire and exits with status 1, which makes the command convenient for monitoring scripts.
You can also see detailed information about a certificate with the following command:
openssl x509 -in ./certificate.pem -text -noout
This command uses the following options:
x509: This option tells OpenSSL that we want to work with X.509 certificates.
-in ./certificate.pem: This option specifies the name of the certificate file that we want to view.
-text: This option tells OpenSSL to display the certificate in text format.
-noout: This option tells OpenSSL not to output the certificate itself, but only the text output.
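The commands from the CA, CSR, signing, expiry and inspection sections above form one workflow, so here it is as an added example script (not code from the original article) that runs non-interactively in a scratch directory. It adds two checks the individual commands leave implicit: that the signed certificate actually verifies against the CA that issued it, and how -checkend behaves for a window shorter and longer than the certificate's lifetime. The directory layout, the -nodes flag (so no passphrase prompt blocks the script), the subject names and the validity periods are assumptions of this example.

```shell
#!/bin/sh
# Added example: the article's CA -> CSR -> signed certificate flow as functions,
# plus chain verification and expiry checks. All names/paths are constructed.

# Create a self-signed CA certificate and key in directory $1.
# -nodes leaves the key unencrypted so the demo needs no passphrase; a real CA
# key should be encrypted and kept offline.
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" -days 3650 \
        -subj "/C=RU/L=Saint Petersburg/O=Bank/OU=IT Dept/CN=Example Root CA" \
        >/dev/null 2>&1
}

# Create a private key and a CSR in directory $1 for common name $2.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/key.pem" -out "$1/certificate.csr" \
        -subj "/C=RU/L=Saint Petersburg/O=Bank/OU=IT Dept/CN=$2" \
        >/dev/null 2>&1
}

# Sign the CSR in $1 with the CA in $1; the certificate is valid for $2 days.
sign_csr() {
    openssl x509 -req -in "$1/certificate.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/signed_cert.pem" -days "$2" >/dev/null 2>&1
}

# Return 0 if certificate $2 verifies (signature and chain) against CA file $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "ok" if certificate $1 is still valid $2 seconds from now, else "expiring".
# `openssl x509 -checkend` exits 0 only when the certificate will NOT expire
# within that window.
expiry_status() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# Print the subject line of certificate $1 for a quick sanity check.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Demo run in a temporary directory.
run_demo() {
    d=$(mktemp -d)
    make_ca "$d" && make_csr "$d" www.example.com && sign_csr "$d" 365 \
        || { echo "openssl step failed"; rm -rf "$d"; return 1; }
    cert_subject "$d/signed_cert.pem"
    verify_chain "$d/cacert.pem" "$d/signed_cert.pem" && echo "chain: valid"
    echo "expires within 1 day?   $(expiry_status "$d/signed_cert.pem" 86400)"
    echo "expires within 2 years? $(expiry_status "$d/signed_cert.pem" 63072000)"
    rm -rf "$d"
}
run_demo
```

The verify_chain step is the one to keep in any automation around these commands: a certificate that was signed with the wrong key, or by a CA other than the one you intended, is still a syntactically valid certificate, and only openssl verify (or an equivalent chain check) reveals the problem.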
An example of how to configure the openssl.cnf file
The commands shown above can be shortened by using an openssl.cnf file. To avoid passing the CA certificate and key on the command line every time, put them in the CA section of your openssl.cnf. The openssl ca command reads the [ ca ] section to find the name of the active CA section (default_ca) and takes the CA certificate, key, bookkeeping files and defaults from that section:
[ ca ]
default_ca = my_ca
[ my_ca ]
certificate = ./cacert.pem
private_key = ./cakey.pem
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
default_md = sha256
policy = policy_any
copy_extensions = none
[ policy_any ]
commonName = supplied
In this configuration, the default_ca option in the [ ca ] section points to my_ca, the section that defines our custom CA settings. We also set the copy_extensions option to none, which disables copying extensions from certificate requests to signed certificates; this matters because a requester could otherwise ask for extensions such as CA:TRUE in the CSR and have them copied into the issued certificate.
Under the my_ca section we specify the location of our CA certificate and key using the certificate and private_key options, respectively. The database, serial and new_certs_dir options name the files in which openssl ca records every issued certificate, the next serial number, and a copy of each certificate; the policy section lists which subject fields a request must supply.
Before the first use, create the bookkeeping files: touch ./index.txt; echo 1000 > ./serial; mkdir -p ./newcerts
With this configuration in place, you can use the following commands to issue a certificate signed by your CA without naming the CA files on the command line:
openssl req -new -newkey rsa:2048 -keyout ./key.pem -out ./req.pem -subj "/C=US/O=Example/CN=example.com"
openssl ca -config ./openssl.cnf -in ./req.pem -out ./certificate.pem -days 365
To apply an extension section from the configuration file to the issued certificate, add -extensions <section name>; do not use the v3_ca section for a server or client certificate, because it marks the certificate as a CA.
Here are some of the common parameters you can use in an OpenSSL configuration file (the [ req ] section drives openssl req; the CA section named by default_ca drives openssl ca):
default_bits: the size of the default RSA key in bits (e.g., 2048)
default_md: the default message digest algorithm (e.g., sha256)
distinguished_name: the name of the section that defines the distinguished name (DN) fields for certificate requests (e.g., CN, O)
req_extensions: the section of extensions to be added to certificate requests
x509_extensions: the section of extensions to be added to certificates
certificate: the path to the CA certificate file (e.g., ./cacert.pem)
private_key: the path to the CA key file (e.g., ./cakey.pem)
crl_dir: the path to the directory where CRLs are stored (e.g., ./crl)
crlnumber: the file that holds the current CRL number (e.g., ./crlnumber)
default_crl_days: the default CRL validity period in days (e.g., 30)
default_days: the default certificate validity period in days (e.g., 365)
These are just some of the parameters you can use. You can refer to the OpenSSL documentation for a complete list of parameters and their descriptions.
By using a configuration file, you can specify default values for various options such as the CA certificate and key, the certificate subject, and the CRL validity period. This can save you time and reduce errors when generating, signing, and managing certificates.
Note that the specific options and values used in the configuration file will depend on your needs and environment, so you should customize them accordingly. You can refer to the OpenSSL documentation or other resources for more information on how to configure OpenSSL using a configuration file.
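To show the configuration-file approach end to end, the following added example (not code from the original article) writes a minimal openssl.cnf from a script, creates the bookkeeping files openssl ca needs, issues a certificate from a CSR using only the values in the file, and then checks two things: that the issued certificate is a leaf (CA:FALSE, because the v3_leaf section was applied and copy_extensions is none) and that a request whose country differs from the CA's is rejected by the policy section. The section names (my_ca, policy_match, v3_leaf), paths, subjects and the use of an unencrypted CA key are assumptions of this example.

```shell
#!/bin/sh
# Added example: a minimal openssl.cnf for `openssl ca`, written by a script.
# Section names, paths and subjects are constructed for this example.

# Write the configuration into $1/openssl.cnf and create the files
# `openssl ca` requires (certificate database, serial file, output directory).
write_ca_config() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"          # empty certificate database
    echo 1000 > "$1/serial"     # first serial number to issue
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = my_ca        # 'openssl ca' reads this section first

[ my_ca ]
dir              = $1
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
default_md       = sha256
default_days     = 365
copy_extensions  = none         # never copy extensions from a CSR
policy           = policy_match

[ policy_match ]
countryName      = match        # issued certs must share the CA's country
organizationName = match
commonName       = supplied

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Create the CA certificate and key in $1 (unencrypted key, demo only).
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" -days 3650 \
        -subj "/C=US/O=Example/CN=Example Root CA" >/dev/null 2>&1
}

# Issue certificate $3 for CSR $2 using only the configuration in $1.
issue_cert() {
    openssl ca -config "$1/openssl.cnf" -batch -notext \
        -extensions v3_leaf -in "$2" -out "$3" >/dev/null 2>&1
}

# Return 0 if certificate $1 carries CA:FALSE, i.e. it cannot sign other certs.
is_leaf() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

# Demo run in a temporary directory.
run_demo() {
    d=$(mktemp -d)
    write_ca_config "$d"
    make_ca "$d" || { echo "CA creation failed"; rm -rf "$d"; return 1; }
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/req.pem" \
        -subj "/C=US/O=Example/CN=example.com" >/dev/null 2>&1
    issue_cert "$d" "$d/req.pem" "$d/certificate.pem" \
        && echo "issued: $(openssl x509 -in "$d/certificate.pem" -noout -subject)"
    is_leaf "$d/certificate.pem" && echo "basicConstraints: CA:FALSE (leaf)"
    echo "database now records:"
    cat "$d/index.txt"
    rm -rf "$d"
}
run_demo
```

The index.txt database is worth keeping under backup and access control: it is the CA's own record of what it has issued, which is what you consult when you need to find and revoke a certificate.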
Conclusion
In conclusion, I have attached a list of resources that you may find helpful:
OpenSSL documentation: https://www.openssl.org/docs/
“Bulletproof SSL and TLS” by Ivan Ristic: https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
“Network Security with OpenSSL” by John Viega, Matt Messier, and Pravir Chandra: https://www.amazon.com/Network-Security-OpenSSL-John-Viega/dp/059600270X
“SSL and TLS: Theory and Practice” by Rolf Oppliger: https://www.amazon.com/SSL-TLS-Practice-Rolf-Oppliger/dp/1596930478
“PKI: Implementing and Managing E-Security” by Abdulla Al-Qawasmeh: https://www.amazon.com/PKI-Implementing-Managing-E-Security-Qawasmeh/dp/0849338044
These resources cover a range of topics related to OpenSSL and certificates, including basic and advanced concepts, practical implementations, and security considerations.