OpenSSL command line toolkit cheatsheet
https://github.com/girish1729/openssl-cheatsheet

command-line cryptography openssl


# OpenSSL cheatsheet

## Working with RSA and ECDSA keys

In the commands below, replace [bits] with the key size (for example 2048, 4096 or 8192).

- Generate an RSA key:

```shell
$ openssl genrsa -out priv.key [bits]
```

- Print public key or modulus only:

```shell
$ openssl rsa -in priv.key -pubout
$ openssl rsa -in priv.key -noout -modulus
```

- Print textual representation of RSA key:

```shell
$ openssl rsa -in priv.key -text -noout
```

- Generate a new RSA key and encrypt it with a pass phrase using AES-256-CBC:

```shell
$ openssl genrsa -aes256 -out priv.key [bits]
```

- Check your private key.
If the key has a pass phrase, you’ll be prompted for it:

```shell
$ openssl rsa -check -in priv.key
```

- Remove the pass phrase from a key (you are prompted for it once; the resulting sample.key is stored unencrypted, so protect it with file permissions):

```shell
$ openssl rsa -in priv.key -out sample.key
```

- Encrypt an existing private key with a pass phrase. -des3 is shown here for compatibility with old tooling; -aes256 is the stronger choice and takes the same form:

```shell
$ openssl rsa -des3 -in priv.key -out encrypted.key
```

- Generate an ECDSA key. Replace [curve] with one of:

- prime256v1
- secp384r1
- secp521r1

```shell
$ openssl ecparam -genkey -name [curve] | openssl ec -out sample.ec.key
```

- Print ECDSA key textual representation:

```shell
$ openssl ec -in sample.ec.key -text -noout
```

- List the EC curves that the OpenSSL library supports:

```shell
$ openssl ecparam -list_curves
```

- Generate DH params with a given length:

```shell
$ openssl dhparam -out dhparams.pem [bits]
```

## Certificate operations

This section covers creating certificate signing requests (CSRs), signing and self-signing certificates, and verifying them.

In the commands below, replace [digest] with the name of a supported hash function:

- md5
- sha1
- sha224
- sha256
- sha384
- sha512

Avoid md5 and sha1: both are no longer collision resistant, and public CAs and browsers reject certificates signed with them. Stick to sha256 and above.

- Create a CSR from an existing private key:

```shell
$ openssl req -new -key priv.key -out sample.csr -[digest]
```

- Create a CSR and a new private key without a pass phrase (-nodes) in a single command:

```shell
$ openssl req -nodes -newkey rsa:[bits] -keyout priv.key -out cert.csr
```

- Provide the CSR subject on the command line rather than through the interactive prompt:

```shell
$ openssl req -nodes -newkey rsa:[bits] -keyout priv.key -out cert.csr \
    -subj "/C=UA/ST=TN/L=TN/O=My Company/OU=IT Department/CN=myname.com"
```

- Create a CSR from an existing certificate and its private key:

```shell
$ openssl x509 -x509toreq -in cert.pem -out cert.csr -signkey priv.key
```

- Create self-signed certificate and new private key from scratch:

```shell
$ openssl req -nodes -newkey rsa:2048 -keyout priv.key -out cert.crt -x509 -days 3650
```

- Create a self-signed certificate using an existing CSR and private key:

```shell
$ openssl x509 -req -in cert.csr -signkey priv.key -out cert.crt -days 3650
```

- Sign a child certificate using your own *CA certificate* and
its private key.

[If you were a CA, this is a very naive example of how you would issue new
certificates. Two caveats: serial numbers must be unique per issuer, so
-set_serial 01 is only acceptable for a one-off test (use -CAcreateserial to
have OpenSSL keep a serial file); and x509 -req ignores the extensions
requested in the CSR, so a subjectAltName has to be supplied with -extfile.]

```shell
$ openssl x509 -req -in child.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out child.crt
```

- Print textual representation of the certificate:

```shell
$ openssl x509 -in cert.crt -text -noout
```

- Print the certificate's fingerprint (replace -sha256 with -md5 or -sha1 for the other digests; compare sha256 fingerprints, since md5 and sha1 are no longer collision resistant):

```shell
$ openssl x509 -in cert.pem -fingerprint -sha256 -noout
```

- Verify a CSR signature (add -noout to suppress printing the CSR itself):

```shell
$ openssl req -in cert.csr -verify
```

- Verify that a private key matches a certificate and a CSR. The three digests must be identical. This compares the RSA modulus, so it only works for RSA keys:

```shell
$ openssl rsa -noout -modulus -in priv.key | openssl sha256
$ openssl x509 -noout -modulus -in cert.crt | openssl sha256
$ openssl req -noout -modulus -in cert.csr | openssl sha256
```
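The modulus comparison above is RSA-only. The script below is an added example, not part of the cheatsheet, that performs the same check for any key type by comparing the SHA-256 of the DER-encoded public key (the SubjectPublicKeyInfo that `openssl pkey -pubout` emits) taken from a private key, a CSR and a certificate. File names, the subject example.test and the fixture it builds are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the cheatsheet): check that a private key,
# a CSR and a certificate all carry the same public key. Comparing the
# DER-encoded SubjectPublicKeyInfo works for RSA and EC keys alike,
# unlike the RSA-only -modulus check. File names and the subject
# example.test are assumed.
set -e

# Hex SHA-256 of the DER public key read from stdin (PEM "PUBLIC KEY").
spki_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Public-key digest of a private key, a CSR and a certificate respectively.
digest_of_key()  { openssl pkey -in "$1" -pubout | spki_digest; }
digest_of_csr()  { openssl req  -in "$1" -pubkey -noout | spki_digest; }
digest_of_cert() { openssl x509 -in "$1" -pubkey -noout | spki_digest; }

# Succeed only when key ($1), CSR ($2) and certificate ($3) agree.
key_matches() {
    k=$(digest_of_key "$1"); r=$(digest_of_csr "$2"); c=$(digest_of_cert "$3")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed fixture in directory $1: an EC key with a CSR and a
# self-signed certificate for it, plus an unrelated second key.
make_fixture() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/priv.key"
    openssl req -new -key "$1/priv.key" -subj "/CN=example.test" -sha256 -out "$1/cert.csr"
    openssl x509 -req -in "$1/cert.csr" -signkey "$1/priv.key" -days 365 -out "$1/cert.crt" 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/other.key"
}

# Demo: sh keymatch.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_fixture "$work"
    key_matches "$work/priv.key"  "$work/cert.csr" "$work/cert.crt" && echo "priv.key:  match"
    key_matches "$work/other.key" "$work/cert.csr" "$work/cert.crt" || echo "other.key: MISMATCH"
fi
```

Run it as `key_matches priv.key cert.csr cert.crt` against your own files; a non-zero exit means at least one of the three carries a different public key.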

- Verify certificate, provided that you have root
and any intermediate certificates configured as
trusted on your machine:

```shell
$ openssl verify cert.crt
```

- Verify a certificate when you have the intermediate certificate chain.

[The root certificate is not part of the bundle and must be
configured as trusted on your machine.]

```shell
$ openssl verify -untrusted intermediate-ca-chain.pem cert.crt
```

- Verify a certificate when you have the intermediate certificate
chain and a root certificate that is not configured as trusted:

```shell
$ openssl verify -CAfile root.crt -untrusted intermediate-ca-chain.pem child.crt
```
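As an added example that is not part of the cheatsheet, the script below ties the signing commands (the CA-signed child certificate above) and the verification commands in this section together. It builds a throwaway three-tier PKI (root, intermediate, leaf) with `x509 -req`, then verifies the leaf the way a client would: the root trusted via -CAfile, the intermediate passed as -untrusted, and the host name checked with -verify_hostname. It also exercises the two cases that must fail: a wrong host name and a missing intermediate. Subjects, file names and the host name www.example.test are assumptions. Two details the one-liners above do not show: `x509 -req` discards the extensions in the CSR, so the CA flags and the subjectAltName are supplied with -extfile, and -CAcreateserial replaces -set_serial 01 so every certificate an issuer signs gets a distinct serial.

```shell
#!/bin/sh
# Added example (not part of the cheatsheet): build a throwaway
# root -> intermediate -> leaf chain and verify it like a client would.
# All subjects, file names and the host name www.example.test are assumed.
set -e

# Extensions for the two CA certificates. x509 -req drops whatever the
# CSR asked for, so the CA flags must be given here.
write_ca_ext() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > "$1"
}

# Extensions for the server (leaf) certificate; clients match the host
# name against subjectAltName ($2), not against the CN.
write_leaf_ext() {
    printf '%s\n' 'basicConstraints=CA:FALSE' \
                  'keyUsage=critical,digitalSignature' \
                  'extendedKeyUsage=serverAuth' \
                  "subjectAltName=DNS:$2" > "$1"
}

# Build the chain in directory $1 for host name $2.
build_chain() {
    d=$1; host=$2
    write_ca_ext "$d/ca.ext"
    write_leaf_ext "$d/leaf.ext" "$host"

    # Root CA: EC key, CSR, self-signed certificate with CA extensions.
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/root.key"
    openssl req -new -key "$d/root.key" -subj "/CN=Example Root CA" -sha256 -out "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt"

    # Intermediate CA, issued by the root. -CAcreateserial keeps a serial
    # counter in root.srl so no two certificates share a serial number.
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/intermediate.key"
    openssl req -new -key "$d/intermediate.key" -subj "/CN=Example Intermediate CA" -sha256 -out "$d/intermediate.csr"
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$d/ca.ext" -out "$d/intermediate.crt"

    # Leaf (server) certificate, issued by the intermediate.
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/leaf.key"
    openssl req -new -key "$d/leaf.key" -subj "/CN=$host" -sha256 -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt"
}

# Verify the leaf in $1 against host name $2: root trusted via -CAfile,
# intermediate supplied as -untrusted. Prints OK or FAIL.
verify_leaf() {
    if openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
            -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Same check without the intermediate: verify cannot build the path and
# reports "unable to get local issuer certificate".
verify_leaf_without_intermediate() {
    if openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Demo: sh chain.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_chain "$work" www.example.test
    echo "right host name:      $(verify_leaf "$work" www.example.test)"
    echo "wrong host name:      $(verify_leaf "$work" mail.example.test)"
    echo "intermediate missing: $(verify_leaf_without_intermediate "$work")"
    openssl verify -CAfile "$work/root.crt" -untrusted "$work/intermediate.crt" "$work/leaf.crt"
fi
```

The negative cases are the point: a chain that verifies only because the intermediate happens to be in the local trust store, or a certificate whose CN matches but whose SAN does not, both pass a casual `openssl verify cert.crt` and fail here.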

- Verify that the certificate served by a remote server
covers a given host name.
[Useful to check that a multi-domain certificate
covers all of its host names.] Read the "Verify return code" line in
the output: s_client exits 0 even when verification fails unless you
add -verify_return_error.

```shell
$ openssl s_client -verify_hostname www.google.com -connect www.google.com:443 < /dev/null
```

## Digests and Base64

- Calculate the message digest of a file. Replace [hash_function] with one of:

- md5
- sha1
- sha256
- sha384
- sha512

```shell
$ openssl dgst -[hash_function] [file]
```

## TLS connections

- Connect to a server and save the certificate it presents to certificate.pem. Stdin is redirected from /dev/null so s_client exits once the handshake is done, and sed keeps only the PEM block:

```shell
$ openssl s_client -connect [host]:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificate.pem
```

- Override SNI (Server Name Indication) extension with another server name. Useful for testing when multiple secure sites are hosted on same IP address:

```shell
$ openssl s_client -servername www.google.com -host example.com -port 443
```

- Test a TLS connection while forcing a specific cipher suite, e.g. ECDHE-RSA-AES128-GCM-SHA256. Useful to check that a server can negotiate each of its configured cipher suites, not just the one it prefers. (-cipher selects TLS 1.2 and earlier suites; TLS 1.3 suites are set with -ciphersuites.)

```shell
$ openssl s_client -host google.com -port 443 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 < /dev/null
```

- Save the certificate presented by the server to cert.pem:

```shell
$ openssl s_client -host google.com -port 443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert.pem
```

You will also need the intermediate CA certificate chain.
Use the -showcerts flag to print the full chain the server sends,
and save the intermediate certificates (every certificate after the
server's own) to chain.pem:

```shell
$ openssl s_client -showcerts -host google.com -port 443 2>&1 < /dev/null
```