OpenSSL Cheatsheet: A Quick Reference Guide for Secure Communication
In today’s digital age, secure communication is of utmost importance. OpenSSL is a popular open-source toolkit used for implementing secure communication protocols. While OpenSSL is a powerful tool, it can also be overwhelming for beginners or those who don’t use it frequently.
That’s where this OpenSSL cheat sheet comes in handy! Whether you’re a developer, system administrator, or security professional, this cheat sheet provides a quick reference guide for using OpenSSL.
The cheat sheet includes commands for generating and managing cryptographic keys, creating and verifying digital signatures, and encrypting and decrypting data. It also includes commands for managing SSL/TLS certificates, testing SSL/TLS connections, and troubleshooting SSL/TLS issues.
With this cheat sheet, you can easily navigate the OpenSSL toolkit and perform various security-related tasks with ease. It is a must-have reference guide for anyone working with OpenSSL.
So, if you want to make secure communication a priority, check out this OpenSSL cheat sheet and start using it today!
The following commands were verified on these platforms:
- macOS Ventura 13.2.1 with LibreSSL 3.3.6
- Ubuntu 22.04.2 LTS with OpenSSL 3.0.2
- Amazon Linux 2 (Linux 5.10.167-147.601.amzn2.x86_64) with OpenSSL 1.0.2k-fips
Option names and defaults differ between these versions (OpenSSL 1.0.2 and LibreSSL lack several flags that OpenSSL 1.1.1 and 3.x added); where a command depends on the version, the note under it says so.
Generating a Self-Signed Certificate
- Generate a self-signed certificate (the command prompts for a passphrase for the new private key; add -nodes, or -noenc on OpenSSL 3.x where -nodes is still accepted, to write it unencrypted):
openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out certificate.pem -days 365
- Generate a self-signed certificate with a password-protected private key:
openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem -days 365 -passout pass:mysecretpassword
Note: Replace mysecretpassword with your desired password. A pass: argument is visible to every user in the process list and ends up in the shell history; for anything but throw-away keys use -passout file:/path/to/passfile or -passout env:VARNAME instead.
- Generate a self-signed certificate with a custom subject:
openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem -days 365 -subj "/C=IN/ST=Delhi/L=Delhi/O=IOPSHub/CN=iopshub.com"
- Generate a self-signed certificate with SAN extensions (the <( ) process substitution needs bash or zsh; with -x509 the extension section must be selected with -extensions, because on OpenSSL 1.x and LibreSSL -reqexts applies only to certificate requests and is silently ignored for the certificate, while OpenSSL 3.x treats the two options as synonyms):
openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem -days 365 -subj "/CN=iopshub.com" -extensions SAN -config <(printf "[req]\ndistinguished_name=dn\n[SAN]\nsubjectAltName=DNS:iopshub.com,DNS:www.iopshub.com\n[dn]\nCN=iopshub.com")
Note: Confirm that the SAN is actually present with openssl x509 -in certificate.pem -noout -text before deploying; browsers match host names against the SAN and ignore the CN.
- Create a self-signed ECDSA certificate on P-256 (secp256k1 is the Bitcoin curve: TLS 1.3 does not define it and mainstream browsers reject it, so use prime256v1 or secp384r1 for anything that serves TLS):
openssl req -x509 -newkey ec:<(openssl ecparam -name prime256v1) -keyout private_key.pem -out certificate.pem -days 365
Generating a Private Key
- Generate a new RSA private key encrypted with AES-256 (prompts for a passphrase; state the size explicitly, because the genpkey default was 1024 bits on OpenSSL 1.0.2):
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out private_key.pem -aes256
- Generate a new ECDSA private key (-noout suppresses the separate EC PARAMETERS block that precedes the key otherwise and that some tools do not understand):
openssl ecparam -genkey -name prime256v1 -noout -out private_key.pem
Note: Replace prime256v1 with the desired curve name (openssl ecparam -list_curves prints the available ones). secp256k1 is not usable for TLS.
Generating a Public Key
- Extract the public key from an ECDSA private key:
openssl ec -in private_key.pem -pubout -out public_key.pem
- Extract public key from a certificate:
openssl x509 -in certificate.pem -pubkey -noout > public_key.pem
Generating a Certificate Signing Request (CSR)
- Generate a CSR for an existing private key (prompts for the subject fields):
openssl req -new -key private_key.pem -out csr.pem
- Generate a CSR and a new private key in one command (-nodes, spelled -noenc on OpenSSL 3.x where -nodes is still accepted, leaves the key unencrypted):
openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -out csr.pem
- Generate a CSR and private key with SAN (Subject Alternative Name) extensions (the <( ) process substitution needs bash or zsh):
openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -out csr.pem -subj "/CN=iopshub.com" -reqexts SAN -config <(printf "[req]\ndistinguished_name=dn\n[SAN]\nsubjectAltName=DNS:iopshub.com,DNS:www.iopshub.com\n[dn]\nCN=iopshub.com")
- Generate a CSR with SAN extensions for an existing private key, reusing the system configuration (the file is /etc/pki/tls/openssl.cnf on Amazon Linux):
openssl req -new -key private_key.pem -out csr.pem -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:iopshub.com,DNS:www.iopshub.com"))
Note: For a CSR, -reqexts is the correct option. Inspect the request with openssl req -in csr.pem -noout -text and confirm the names appear under "Requested Extensions" before submitting it, since clients match host names against the SAN, not the CN.
Creating a Certificate Authority
- Create a Certificate Authority (CA) key and self-signed CA certificate:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out ca_key.pem
openssl req -new -x509 -key ca_key.pem -out ca_cert.pem -days 365
Note: The CA key is written unencrypted here; add -aes256 to genpkey for a key that leaves the machine. With the stock openssl.cnf, req -x509 applies the v3_ca section (basicConstraints = CA:true), and OpenSSL 3.x adds CA:TRUE on its own; confirm with openssl x509 -in ca_cert.pem -noout -text that the certificate carries "CA:TRUE" (and, if a keyUsage extension is present, keyCertSign), otherwise clients will not accept certificates it signs.
Signing a Certificate Using the CA
- Sign a CSR with the CA (-CAcreateserial creates ca_cert.srl on first use and increments it afterwards):
openssl x509 -req -in csr.pem -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out certificate.pem -days 365
Note: openssl x509 -req does not copy extensions from the CSR, so a subjectAltName requested in csr.pem is silently dropped and the issued certificate will fail host-name checks. Re-state the extensions in a file (for example subjectAltName=DNS:iopshub.com,DNS:www.iopshub.com) and pass it with -extfile san.ext, which works on every version; OpenSSL 3.x alternatively accepts -copy_extensions copy. Add -sha256 explicitly so the signature digest does not depend on the version's default (OpenSSL before 1.1.0 defaulted to SHA-1).
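The CA, CSR and signing commands above, run end to end as an added example (shell, written for this edit; not code from the original cheat sheet). It builds a throw-away CA from an inline config so no system openssl.cnf is needed, issues a server certificate whose SANs are re-stated through -extfile (openssl x509 -req drops the ones in the CSR otherwise), and then checks the SAN and the chain with openssl verify, including the host-name match. It assumes openssl 1.1.1 or 3.x on PATH; the example.com names, file names, key sizes and validity periods are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: a throw-away private CA
# that issues a server certificate and keeps the SANs from the CSR.
# Assumptions: the openssl binary (1.1.1 or 3.x) is on PATH; the example.com
# host names and the file names below are placeholders chosen for this example.
set -eu

# make_ca DIR: RSA key plus self-signed CA certificate with CA:TRUE and
# keyCertSign, supplied through an inline config (also reused for the CSR).
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca_key.pem"
    openssl req -x509 -new -key "$dir/ca_key.pem" -config "$dir/ca.cnf" \
        -sha256 -days 3650 -out "$dir/ca_cert.pem"
}

# issue_cert DIR NAME HOST...: key and CSR for the first HOST, signed by the CA.
# openssl x509 -req ignores the extensions inside the CSR, so the SANs are
# written to an -extfile and applied at signing time; this works on every
# OpenSSL version (3.x alternatively accepts -copy_extensions copy).
issue_cert() {
    dir=$1; name=$2; cn=$3; shift 2
    sans=""
    for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -config "$dir/ca.cnf" \
        -subj "/CN=$cn" -out "$dir/$name.csr"
    printf '%s\n' \
        "basicConstraints = CA:FALSE" \
        "keyUsage = critical, digitalSignature, keyEncipherment" \
        "extendedKeyUsage = serverAuth" \
        "subjectAltName = $sans" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" \
        -CAcreateserial -sha256 -days 397 -extfile "$dir/$name.ext" -out "$dir/$name.crt"
}

# cert_has_san CERT HOST: 0 if HOST appears as a DNS SAN in CERT.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qwF "DNS:$2"
}

# verify_leaf DIR CERT HOST: chain check against the CA plus host-name match,
# which plain "openssl verify" does not perform by itself.
verify_leaf() {
    openssl verify -CAfile "$1/ca_cert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Run "sh thisfile.sh demo" to exercise the functions in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_ca "$d"
    issue_cert "$d" web example.com www.example.com
    cert_has_san "$d/web.crt" www.example.com && echo "SAN present"
    verify_leaf "$d" "$d/web.crt" www.example.com && echo "chain and host name OK"
    rm -rf "$d"
}
if [ $# -gt 0 ]; then "$@"; fi
```

The -extfile is the whole point: leave it out and cert_has_san fails even though the CSR asked for the names. The same helper, with the CA material kept under restrictive permissions, is enough for internal test environments; anything user-facing should go through openssl ca or a proper CA so that serial numbers, revocation and an audit trail exist.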
Certificate Revocation List
- Generate a certificate revocation list (CRL):
openssl ca -gencrl -out crl.pem -config /etc/ssl/openssl.cnf
Note: openssl ca needs the CA database named in the [ca] section of the configuration file (the directory holding index.txt, serial and crlnumber), which openssl x509 -req does not maintain. Revoke a certificate first with openssl ca -revoke certificate.pem -config /etc/ssl/openssl.cnf, then regenerate the CRL and publish it wherever the issued certificates' crlDistributionPoints point.
Generating Diffie-Hellman (DH) Parameters
- Generate Diffie-Hellman (DH) key exchange parameters (this searches for a safe prime and takes minutes at 2048 bits and much longer at 4096):
openssl dhparam -out dhparam.pem 2048
Note: Replace 2048 with the desired parameter size in bits; 2048 is the minimum current guidance accepts. The file is only used by finite-field DHE cipher suites in TLS 1.2 and earlier; TLS 1.3 uses fixed, named groups instead.
- Generate an Elliptic Curve Diffie-Hellman (ECDH) key (with -genkey the output is a private key on the named curve, not parameters; drop -genkey and -noout to write only the curve parameters):
openssl ecparam -name prime256v1 -genkey -noout -out ecdh.pem
Note: Replace prime256v1 with the desired curve name. TLS servers choose the ECDH curve from their configured list, not from a parameters file.
Verifying a Certificate
- Verify a certificate against a chain of trusted CA certificates:
openssl verify -CAfile ca_chain.pem certificate.pem
- Verify a certificate chain with a CRL:
openssl verify -crl_check -CAfile ca_chain.pem -CRLfile crl.pem certificate.pem
Note: Replace ca_chain.pem with the chain of CA certificates. Everything in -CAfile is treated as trusted; intermediates that should be validated rather than trusted belong in -untrusted intermediate.pem. Add -verify_hostname iopshub.com to check that the name you will connect to is covered by the SAN, which openssl verify does not do by default.
- Verify a detached signature on a downloaded file (for a plain hash comparison see Generating a Hash below):
openssl dgst -sha256 -verify public_key.pem -signature file.txt.sha256 file.txt
Note: Replace public_key.pem with the public key of the signer. The signature file must be in binary format, as written by -sign; a hex or base64 signature has to be decoded first.
Converting Certificates and Keys Between Formats
- Convert a PEM-encoded certificate to a .crt file (.crt, .cer and .pem are only naming conventions; the contents are either PEM or DER, and this command writes the same PEM data under a new name):
openssl x509 -in certificate.pem -out certificate.crt -outform PEM
- Convert a private key to PKCS#8 (DER and PEM):
openssl pkcs8 -in private_key.pem -topk8 -outform DER -out private_key.der -nocrypt
openssl pkcs8 -in private_key.pem -topk8 -outform PEM -out private_key_pkcs8.pem -nocrypt
Note: -nocrypt writes the PKCS#8 key unencrypted; omit it to be prompted for a passphrase.
- Bundle a certificate and its private key into a PKCS#12 file (prompts for an export password, which protects the private key inside the bundle):
openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -certfile intermediate_cert.pem -out certificate.p12
Note: Replace intermediate_cert.pem with the intermediate certificate(s) the server should send, or drop -certfile if there are none. OpenSSL 3.x writes AES-256-CBC with PBKDF2 by default; add -legacy only if the consumer is an old system that understands just RC2/3DES bundles.
- Convert a certificate chain to PKCS#7 format:
openssl crl2pkcs7 -nocrl -certfile certificate.pem -certfile intermediate_cert.pem -out certificate.p7b
Note: Replace intermediate_cert.pem with any intermediate certificate if applicable; -certfile may be repeated for each certificate in the chain.
- Convert a DER-encoded certificate to PEM format:
openssl x509 -inform der -in certificate.der -out certificate.pem
- Convert a PEM-encoded certificate to DER format:
openssl x509 -outform der -in certificate.pem -out certificate.der
- Convert a PKCS#8 private key to PKCS#1 (traditional "BEGIN RSA PRIVATE KEY") format:
openssl rsa -in private_key_pkcs8.pem -out private_key_pkcs1.pem
Note: On OpenSSL 3.x, openssl rsa writes PKCS#8 again unless -traditional is added; OpenSSL 1.0.2 writes PKCS#1 by default and does not accept that flag.
- Extract the private key and the certificate from a PKCS#12 file into separate PEM files (prompts for the import password; -nodes, or -noenc on OpenSSL 3.x, leaves the extracted key unencrypted):
openssl pkcs12 -in certificate.p12 -nocerts -nodes -out private_key.pem
openssl pkcs12 -in certificate.p12 -clcerts -nokeys -out certificate.pem
Note: Replace certificate.p12 with the name of the PKCS#12 file. Use -cacerts -nokeys to get the CA certificates in the bundle. OpenSSL 3.x refuses bundles that use RC2-based encryption (as produced by older Windows and Java tools) unless -legacy is given and the legacy provider is available.
View Certificate Information
- Extract information from a certificate:
openssl x509 -in certificate.pem -text -noout
- View the contents of a PKCS#7 file:
openssl pkcs7 -in certificate.p7b -inform DER -print_certs
Note: Use -inform PEM if the file is in PEM format.
- Check the expiration date of a certificate:
openssl x509 -in certificate.pem -enddate -noout
Note: For scripts, -checkend SECONDS is easier to test than parsing the date: it exits 0 if the certificate is still valid that many seconds from now and 1 if it will have expired by then.
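The conversions above and the expiry check, exercised as an added example (shell, written for this edit; not code from the original cheat sheet). It generates a throw-away key and certificate purely as input, then checks the things a practitioner actually cares about after a conversion: that a PEM/DER round trip leaves the fingerprint unchanged, that a private key really belongs to a certificate (openssl pkey -pubout works for RSA and EC keys alike, so the comparison is key-type agnostic), that a PKCS#12 export and re-extraction yields a matching pair, and how -checkend answers "will this still be valid in N seconds". It assumes openssl 1.1.1 or 3.x on PATH; the subject name, export password and file names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: round-trip a certificate
# through several formats and check the results instead of trusting the file
# extension. Assumptions: openssl 1.1.1 or 3.x on PATH; the subject name and
# export password are placeholders for this example.
set -eu

# make_test_material DIR: unencrypted RSA key and a 30-day self-signed
# certificate, generated here only so the checks below have input.
make_test_material() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/cert.pem" \
        -days 30 -subj "/CN=convert.example" 2>/dev/null
}

# cert_fingerprint FILE [FORM]: SHA-256 fingerprint, independent of encoding.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256
}

# pem_der_roundtrip DIR: PEM -> DER -> PEM must leave the fingerprint unchanged.
pem_der_roundtrip() {
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
    openssl x509 -in "$1/cert.der" -inform DER -out "$1/cert_back.pem"
    fp=$(cert_fingerprint "$1/cert.pem")
    [ "$fp" = "$(cert_fingerprint "$1/cert.der" DER)" ] &&
        [ "$fp" = "$(cert_fingerprint "$1/cert_back.pem")" ]
}

# key_matches_cert KEY CERT: the public key inside the certificate must equal
# the one derived from the private key; openssl pkey handles RSA and EC keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256 -r | cut -d' ' -f1)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256 -r | cut -d' ' -f1)
    [ "$k" = "$c" ]
}

# pkcs12_roundtrip DIR PASSWORD: export key+cert to PKCS#12, extract both again
# and confirm the extracted pair still belongs together.
pkcs12_roundtrip() {
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/bundle.p12" -passout "pass:$2"
    openssl pkcs12 -in "$1/bundle.p12" -nocerts -nodes -out "$1/key_back.pem" -passin "pass:$2"
    openssl pkcs12 -in "$1/bundle.p12" -clcerts -nokeys -out "$1/cert_back2.pem" -passin "pass:$2"
    key_matches_cert "$1/key_back.pem" "$1/cert_back2.pem"
}

# cert_valid_for CERT SECONDS: 0 while the certificate stays valid for at least
# SECONDS more; this is what a renewal job should test rather than parsing -enddate.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run "sh thisfile.sh demo" to exercise the functions in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_test_material "$d"
    pem_der_roundtrip "$d" && echo "PEM/DER round trip OK"
    key_matches_cert "$d/key.pem" "$d/cert.pem" && echo "key matches certificate"
    pkcs12_roundtrip "$d" "export-password" && echo "PKCS#12 round trip OK"
    cert_valid_for "$d/cert.pem" 86400 && echo "valid for at least one more day"
    rm -rf "$d"
}
if [ $# -gt 0 ]; then "$@"; fi
```

The key_matches_cert check is the one to run before loading a converted pair into a web server: a mismatch produces an unhelpful "key values mismatch" error at start-up, and comparing the SPKI digests pinpoints it in a second.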
- Verify the signature of a file:
openssl dgst -sha256 -verify public_key.pem -signature file.sha256 file.txt
Note: Replace public_key.pem with the public key file and file.sha256 with the signature file. The following command produces that signature with the matching private key.
- Sign a file with a private key (the same command serves RSA and ECDSA keys; openssl picks the signature scheme from the key type):
openssl dgst -sha256 -sign private_key.pem -out file.sha256 file.txt
Note: Despite the .sha256 name, the output is a binary signature, not a digest.
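The digest check and the sign/verify commands above, run as an added example (shell, written for this edit; not code from the original cheat sheet) that also covers the two outcomes a verifier must get right: a modified file and a signature from a different key are both rejected. It uses -r on openssl dgst because the default label changed from SHA256(...) to SHA2-256(...) in OpenSSL 3.x, and a P-256 key because ECDSA signatures are small and fast to verify. It assumes openssl 1.1.1 or 3.x on PATH; the file content ("hello", whose SHA-256 is the well-known 2cf24dba...b9824) and key names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: checking a download by
# digest, and signing/verifying it with an ECDSA key, including the two cases
# that must fail (modified file, wrong key). Assumptions: openssl 1.1.1 or 3.x
# on PATH; the file content and key names are constructed for this example.
set -eu

# file_sha256 FILE: hex digest only; -r gives "digest *name" on every version,
# whereas the default label changed from SHA256(...) to SHA2-256(...) in 3.x.
file_sha256() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# check_sha256 FILE EXPECTED_HEX: 0 when the digest matches the published value.
check_sha256() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# make_signing_key DIR: P-256 private key and its public half. A digest alone
# proves nothing about origin (an attacker who replaces the file can replace
# the published hash too); the signature below does.
make_signing_key() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/sign.key"
    openssl pkey -in "$1/sign.key" -pubout -out "$1/sign.pub"
}

# sign_file KEY FILE SIG: detached SHA-256/ECDSA signature in binary DER form.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUB FILE SIG: 0 only when SIG was made over exactly FILE by the
# private half of PUB.
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Run "sh thisfile.sh demo" to see the checks pass and fail as expected.
demo() {
    d=$(mktemp -d)
    printf '%s' 'hello' > "$d/file.txt"   # constructed input
    check_sha256 "$d/file.txt" 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 \
        && echo "digest matches"
    make_signing_key "$d"
    sign_file "$d/sign.key" "$d/file.txt" "$d/file.sig"
    verify_file "$d/sign.pub" "$d/file.txt" "$d/file.sig" && echo "signature OK"
    printf '%s' '!' >> "$d/file.txt"
    verify_file "$d/sign.pub" "$d/file.txt" "$d/file.sig" || echo "modified file rejected"
    rm -rf "$d"
}
if [ $# -gt 0 ]; then "$@"; fi
```

Ship sign.pub out of band (or pin its fingerprint) and keep sign.key off the build host that produces downloads; the verification step is only as strong as the channel that delivered the public key.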
- List available ciphers (OpenSSL 1.0.2 and LibreSSL; on OpenSSL 1.1.0 and later the form is openssl list -cipher-algorithms):
openssl list-cipher-algorithms
- Benchmark a specific cipher:
openssl speed -elapsed -evp aes-256-cbc
Note: Replace aes-256-cbc with the desired cipher. The figures are single-core throughput through the EVP interface, which is what TLS uses; without -evp the AES-NI accelerated code path is not measured.
- Benchmark multiple ciphers:
openssl speed -elapsed -evp aes-256-cbc aes-256-gcm chacha20-poly1305
Generating a Hash
- Generate a hash of a file:
openssl dgst -sha256 file.txt
Note: Replace sha256 with the desired hash algorithm. On OpenSSL 3.x the output label reads SHA2-256(file.txt)= instead of SHA256(file.txt)=; -r prints the digest followed by the file name, like sha256sum, which is stable across versions.
- Generate a SHA-256 hash of a string (printf rather than echo, because echo -n is not portable and a stray trailing newline changes the hash):
printf '%s' "mystring" | openssl dgst -sha256
Generating a Random Password
- Generate a random password:
openssl rand -base64 12
Note: Replace 12 with the number of random bytes, not characters: base64 turns 12 bytes (96 bits) into 16 characters. Use at least 16 bytes for passwords that guard anything important.
- Generate a random AES-256 key (32 bytes, printed as 64 hex characters, the form openssl enc -K expects):
openssl rand -hex 32
Encryption and Decryption
- Encrypt a file using AES-256-CBC (prompts for a passphrase; -salt is the default and makes identical files encrypt differently):
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -in file.txt -out file.enc
- Decrypt a file encrypted with AES-256-CBC (the same -pbkdf2 and -iter values must be given, since they are not stored in the file):
openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -in file.enc -out file.txt
Note: -pbkdf2 and -iter exist in OpenSSL 1.1.1 and later; without them (and always on OpenSSL 1.0.2) enc derives the key from the passphrase with a single hash iteration, which offers almost no protection against offline guessing. openssl enc has no AEAD support at all: openssl enc -aes-256-gcm is refused with "AEAD ciphers not supported by the enc utility" on 1.1.0 and later, and on 1.0.2 it runs but handles no authentication tag, so the output is unauthenticated. CBC output is unauthenticated as well; anyone who can modify file.enc can alter what it decrypts to, so pair enc with a MAC or a signature when integrity matters.
- Supply the passphrase non-interactively:
openssl enc -aes-256-cbc -salt -pbkdf2 -in file.txt -out file.txt.enc -pass pass:mysecretpassword
openssl enc -d -aes-256-cbc -pbkdf2 -in file.txt.enc -out file.txt -pass pass:mysecretpassword
Note: Replace mysecretpassword with your desired password. pass: exposes it in the process list and the shell history; prefer -pass file:/path/to/passfile or -pass env:VARNAME.
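Password-based file encryption done the way the notes above recommend, as an added example (shell, written for this edit; not code from the original cheat sheet): PBKDF2 key stretching, the passphrase read from a file instead of the command line, and an encrypt-then-MAC tag over the ciphertext because openssl enc offers no authenticated mode. The MAC key is derived from the same passphrase by a second PBKDF2 run with its own salt, using enc -P, which prints the derived key without encrypting anything. Decryption verifies the tag first and refuses to touch the ciphertext on mismatch, so a modified file or a wrong passphrase is rejected cleanly instead of producing garbage or a padding error. It assumes openssl 1.1.1 or 3.x on PATH (for -pbkdf2); the passphrase, iteration count and file names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: password-based file
# encryption with PBKDF2 key stretching and an encrypt-then-MAC tag, since
# openssl enc itself offers no authenticated mode. Assumptions: openssl 1.1.1
# or 3.x on PATH (for -pbkdf2); the passphrase, iteration count and file names
# are placeholders chosen here; the passphrase is read from a file so that it
# never appears on the command line.
set -eu
ITER=200000

# mac_key PASSFILE SALTHEX: a second PBKDF2 run with its own salt derives an
# independent HMAC key from the same passphrase; -P prints the derived key
# without encrypting anything.
mac_key() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -S "$2" -pass "file:$1" -P < /dev/null \
        | sed -n 's/^key=//p'
}

# hmac_hex PASSFILE SALTHEX FILE: HMAC-SHA256 over the ciphertext file.
hmac_hex() {
    openssl dgst -sha256 -hmac "$(mac_key "$1" "$2")" -r "$3" | cut -d' ' -f1
}

# encrypt_file PASSFILE IN OUT: writes OUT (Salted__ header, PBKDF2, AES-256-CBC)
# and OUT.hmac ("macsalt tag") covering every byte of OUT.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -in "$2" -out "$3" -pass "file:$1"
    macsalt=$(openssl rand -hex 8)
    printf '%s %s\n' "$macsalt" "$(hmac_hex "$1" "$macsalt" "$3")" > "$3.hmac"
}

# decrypt_file PASSFILE IN OUT: verifies the tag first and refuses to decrypt
# on mismatch, so a modified ciphertext or a wrong passphrase is rejected
# rather than producing garbage or a padding error. (Shell string comparison
# is not constant-time; for an offline file check that is acceptable.)
decrypt_file() {
    read -r macsalt expected < "$2.hmac"
    actual=$(hmac_hex "$1" "$macsalt" "$2")
    if [ "$actual" != "$expected" ]; then
        echo "MAC mismatch: wrong passphrase or modified ciphertext, refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -in "$2" -out "$3" -pass "file:$1"
}

# Run "sh thisfile.sh demo" to see a round trip succeed and tampering fail.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'correct horse battery staple' > "$d/pass"    # constructed passphrase
    printf '%s\n' 'constructed plaintext for the enc example' > "$d/plain.txt"
    encrypt_file "$d/pass" "$d/plain.txt" "$d/plain.enc"
    decrypt_file "$d/pass" "$d/plain.enc" "$d/out.txt" && cmp -s "$d/plain.txt" "$d/out.txt" \
        && echo "round trip OK"
    printf 'x' >> "$d/plain.enc"
    decrypt_file "$d/pass" "$d/plain.enc" "$d/out2.txt" || echo "tampered ciphertext rejected"
    rm -rf "$d"
}
if [ $# -gt 0 ]; then "$@"; fi
```

The .hmac sidecar has to travel with the ciphertext; if the two can be separated, store the tag inside a single container format instead. For new designs prefer a tool with a built-in AEAD (age, or libsodium-based utilities) over stacking enc and dgst by hand; this construction is for the cases where only the openssl binary is available.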
In conclusion, this OpenSSL cheat sheet is a valuable resource for anyone looking to implement secure communication protocols. However, OpenSSL is just one aspect of the complex world of DevSecOps.
If you want to dive deeper into the world of DevSecOps, consider exploring the resources available on the IOPSHub website. IOPSHub offers a range of DevSecOps advisory and implementation services, including security assessments, compliance reviews, and automation solutions.
Their team of experts can help you identify security vulnerabilities and implement solutions that align with your business objectives. With IOPSHub, you can ensure that your organization is secure and compliant, while also driving innovation and growth.
So, if you’re serious about DevSecOps and want to take your security to the next level, check out IOPSHub today. Their extensive services and expertise can help you stay ahead of the curve in the ever-changing world of cybersecurity.