# openssl 🔐 ### Install Install the OpenSSL on Debian based systems ```sh sudo apt-get install openssl ``` ### Commands Create a private key ```sh openssl genrsa -out server.key 4096 ``` Generate a new private key and certificate signing request ```sh openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key ``` Generate a self-signed certificate ```sh openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt ``` Generate a certificate signing request (CSR) for an existing private key ```sh openssl req -out server.csr -key server.key -new ``` Generate a certificate signing request based on an existing certificate ```sh openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key ``` Remove a passphrase from a private key ```sh openssl rsa -in server.pem -out newserver.pem ``` Parse a list of revoked serial numbers ```sh openssl crl -inform DER -text -noout -in list.crl ``` Check a certificate signing request (CSR) ```sh openssl req -text -noout -verify -in server.csr ``` Check a private key ```sh openssl rsa -in server.key -check ``` Check a public key ```sh openssl rsa -inform PEM -pubin -in pub.key -text -noout openssl pkey -inform PEM -pubin -in pub.key -text -noout ``` Check a certificate ```sh openssl x509 -in server.crt -text -noout openssl x509 -in server.cer -text -noout ``` Check a PKCS#12 file (.pfx or .p12) ```sh openssl pkcs12 -info -in server.p12 ``` Verify a request certificate (`.csr`) ```sh openssl req -verify -inform PEM -noout -in intCA.csr.pem openssl req -verify -inform PEM -noout -in server.csr.pem ``` Verify a signed certificate (`.crt`) ```sh openssl req -verify -inform PEM -noout -in server.crt.pem ``` Verify a signed certificate against the CAs ```sh openssl verify -verbose -no-CApath -CAfile rootCA.crt.pem server.crt.pem openssl verify -verbose -no-CApath -CAfile intCA.crt.pem server.crt.pem ``` Verify a private key matches an certificate ```sh openssl x509 -noout -modulus -in server.crt | openssl md5 openssl rsa -noout -modulus -in server.key | openssl md5 openssl req -noout -modulus -in server.csr | openssl md5 ``` Verify a certificate against the CA chain ```sh openssl verify -show_chain -untrusted intermediate-cert.pem leaf-cert.pem ``` Display all certificates including all parent CAs (offline, fullchain file) ```sh openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout ``` Display all certificates including intermediates (online) ```sh openssl s_client -connect www.paypal.com:443 ``` Convert a DER file (.crt .cer .der) to PEM ```sh openssl x509 -inform der -in server.cer -out server.pem ``` Convert a PEM file to DER ```sh openssl x509 -outform der -in server.pem -out server.der ``` Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM ```sh openssl pkcs12 -in server.pfx -out server.pem -nodes ``` Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12) ```sh openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt ``` Generate a Diffie Hellman key ```sh openssl dhparam -out dhparam.pem 2048 ``` Encrypt files with rsautl ```sh openssl rsautl -encrypt -in plaintext.txt -out encrypted.txt -pubin -inkey pubkey.pem ``` Decrypt files with rsautl ```sh openssl rsautl -decrypt -in encrypted.txt -out plaintext.txt -inkey privkey.pem ``` View when the CRL will next be updated ```sh openssl crl -in intCA.crl.pem -nextupdate -noout ``` Expert OpenSSL Stuff ================== Insert selected attributes into a specific section of `openssl.cnf` (only with 'openssl ca', or 'openssl x509 -req'; sorry, nothing for 'openssl req') ```sh openssl ... -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") ... ``` as in: ```sh openssl genrsa -out ca.key 2048 openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out server.csr openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt ``` Be not influenced by default settings provided by `/usr/lib/ssl/openssl.cnf` ```sh env OPENSSL_CONF=/dev/null openssl -config your-config ... ``` Strip "/-BEGIN CERTIFICATE-/" (caused by `-text`) from PEM file using `sed` before using as pure PEM ```sh openssl s_client -connect ${CERT} 2>/dev/null |\ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\ openssl x509 -noout -subject -dates