This is an old revision of the document!
OpenSSL Usage Notes
The openssl program is basically a dumping ground for all sorts of SSL related functions. What it does varies wildly based on the parameters passed in. Here is a usage summary of some of the more useful functions.
Notes
- SSL is based on RSA asymmetrical encryption (aka public key encryption)
- Two files are created; a certificate (the “cert”) and a key
- The cert is public. It contains information about the cert user (i.e. the “subject”) and the organization that “signed” the cert (i.e. the “issuer”). It also contains an encrypted hash “signature” of the cert contents.
- “Signing” a cert means that a secure hash of the cert is calculated and the secure hash is encrypted with the signing authority's (the “issuer”) secret key. This encrypted hash is then appended to the certificate.
- Check the integrity of the cert by calculating the secure hash of the cert and comparing it with the decrypted signature.
- Decrypt the signature by using the public key of the issuer.
- Cert trust is based on whether or not you trust the issuer and his ability to vouch for the “subject”
Definitions
| cert | Public X.509 format certificate. Contains subject's public key. |
| DER | Binary format used for keys |
| issuer | Entity that signs a cert |
| key | Subject's secret key |
| PEM | Straight ASCII (BASE64) format of a binary cert or key |
| sign | Calculate a secure hash and encrypt hash with issuer's private key |
| subject | The entity (person or organization) described in the cert |
Important OpenSSL Commands and Options
openssl command [ command_opts ] [ command_args ]
| Standard Commands | |
|---|---|
| ca | Certificate Authority (CA) Management. |
| req | X.509 Certificate Signing Request (CSR) Management. |
| x509 | X.509 Certificate Data Management. |
| Digest Commands | |
| md5 | MD5 Digest |
| sha1 | SHA-1 Digest |
| sha256 | SHA-256 Digest |
| Common Options | |
|---|---|
| -config filename | Configuration file to use. |
| -nodes | Not the English word “nodes”, but rather is “no DES”. When given as an argument, it means OpenSSL will not encrypt the private key in a PKCS#12 file. To encrypt the private key, you can omit -nodes and your key will be encrypted with 3DES-CBC. To encrypt the key, OpenSSL prompts you for a password and it uses that password to generate an encryption key. |
| -key file | Use the private key contained in file |
| -keyform arg | Key file format |
| CA Options | |
| -in filename | Input filename containing a single certificate request to be signed by the CA. |
| -ss_cert filename | A single self-signed certificate to be signed by the CA. |
| -out filename | File to output certificates to. |
| -cert | The CA certificate file. |
| -selfsign | Issued certificates are to be signed with the key the certificate requests were signed with (given with -keyfile). |
| -days arg | The number of days to certify the certificate for. |
| REQ Options | |
| -inform arg | Input format - DER or PEM |
| -outform arg | Output format - DER or PEM |
| -in arg | Input file |
| -out arg | Output file |
| -pubkey | Output public key |
| -keyout arg | File to send the key to |
| -new | New request |
| -x509 | Output a x509 structure instead of a cert request |
| -days | Number of days a certificate generated by -x509 is valid for |
| -newkey rsa:bits | Generate a new RSA key of 'bits' in size |
| -text | Text form of request |
| -noout | Do not output REQ |
Build a "root" (i.e. self-signed) Certificate of Authority
openssl ca -new -x509 -extensions v3_ca -keyout CA-key.pem -out CA-cert.pem -days 3650 -config openssl.cnf -nodes
Build a Certificate Signing Request (CSR)
Here is a basic version of CSR generation
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config openssl.config
Cheap SSL Security has a guide to CSR generation for Apache. They recommend:
openssl -new -newkeys rsa:2048 -nodes -keyout baggerman.org.key -out baggerman.org.crt
This doesn't seem to support Subject Alternative Names, though. Here is a pretty good CSR builder that knows about SANs.
Sign a Certificate Signing Request (CSR)
openssl ca -days 3650 -out key.crt -in key.csr -config openssl.cnf
View a Certificate
openssl x509 -in certificate.crt -text -noout
Self-sign a Certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt