OpenSSL
Expert assistance with OpenSSL cryptographic operations and PKI management.
Key Generation
RSA Keys
bash
# Generate RSA private key (2048-bit) openssl genrsa -out private.key 2048 # Generate RSA private key (4096-bit, more secure) openssl genrsa -out private.key 4096 # Generate encrypted RSA private key openssl genrsa -aes256 -out private.key 4096 # Extract public key from private key openssl rsa -in private.key -pubout -out public.key # Remove passphrase from encrypted key openssl rsa -in encrypted.key -out decrypted.key
EC (Elliptic Curve) Keys
bash
# List available curves openssl ecparam -list_curves # Generate EC private key (P-256) openssl ecparam -name prime256v1 -genkey -noout -out ec-private.key # Generate EC private key (P-384, more secure) openssl ecparam -name secp384r1 -genkey -noout -out ec-private.key # Extract public key openssl ec -in ec-private.key -pubout -out ec-public.key
Certificate Signing Requests (CSR)
Create CSR
bash
# Create CSR from existing private key openssl req -new -key private.key -out request.csr # Create CSR with inline subject openssl req -new -key private.key -out request.csr \ -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com" # Generate private key and CSR in one command openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr # Create CSR with SAN (Subject Alternative Names) openssl req -new -key private.key -out request.csr -config san.cnf
SAN Configuration File (san.cnf)
ini
[req] distinguished_name = req_distinguished_name req_extensions = v3_req [req_distinguished_name] CN = example.com [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = example.com DNS.2 = www.example.com DNS.3 = api.example.com IP.1 = 192.168.1.1
View CSR
bash
# Display CSR details openssl req -in request.csr -noout -text # Verify CSR signature openssl req -in request.csr -noout -verify
Self-Signed Certificates
Create Self-Signed Certificate
bash
# Generate self-signed certificate (1 year validity) openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 # Generate self-signed certificate without passphrase openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 # From existing key openssl req -x509 -key private.key -out cert.pem -days 365 # With specific subject openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 \ -subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
Certificate Authority (CA) Operations
Create Root CA
bash
# Generate CA private key openssl genrsa -aes256 -out ca-key.pem 4096 # Create CA certificate openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 \ -out ca-cert.pem -subj "/C=US/O=MyOrg/CN=MyOrg Root CA"
Sign Certificate with CA
bash
# Sign CSR with CA openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -days 365 -sha256 # Sign with extensions (SAN) openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf
Create Intermediate CA
bash
# Generate intermediate CA key openssl genrsa -aes256 -out intermediate-key.pem 4096 # Create intermediate CSR openssl req -new -key intermediate-key.pem -out intermediate.csr # Sign intermediate certificate with root CA openssl x509 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out intermediate-cert.pem -days 1825 -sha256 # Create certificate chain cat intermediate-cert.pem ca-cert.pem > chain.pem
Certificate Inspection & Verification
View Certificate Details
bash
# Display certificate details openssl x509 -in cert.pem -noout -text # Show specific fields openssl x509 -in cert.pem -noout -subject openssl x509 -in cert.pem -noout -issuer openssl x509 -in cert.pem -noout -dates openssl x509 -in cert.pem -noout -serial openssl x509 -in cert.pem -noout -fingerprint # Check expiration openssl x509 -in cert.pem -noout -enddate # Show in human-readable format openssl x509 -in cert.pem -text -noout
Verify Certificates
bash
# Verify certificate against CA openssl verify -CAfile ca-cert.pem cert.pem # Verify certificate chain openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem cert.pem # Check if certificate and key match openssl x509 -noout -modulus -in cert.pem | openssl md5 openssl rsa -noout -modulus -in private.key | openssl md5
Test SSL/TLS Connection
bash
# Connect to server and show certificate openssl s_client -connect example.com:443 -showcerts # Test specific protocol openssl s_client -connect example.com:443 -tls1_2 openssl s_client -connect example.com:443 -tls1_3 # Test with SNI openssl s_client -connect example.com:443 -servername example.com # Check certificate expiration remotely echo | openssl s_client -connect example.com:443 2>/dev/null | \ openssl x509 -noout -dates
Format Conversion
PEM ↔ DER
bash
# PEM to DER openssl x509 -in cert.pem -outform DER -out cert.der # DER to PEM openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
PKCS#12 (PFX)
bash
# Create PKCS#12 bundle (certificate + private key) openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem # Include certificate chain openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile chain.pem # Extract from PKCS#12 openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes # Extract only certificate openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem # Extract only private key openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.key
PKCS#7
bash
# Convert PEM to PKCS#7 openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b # Convert PKCS#7 to PEM openssl pkcs7 -print_certs -in cert.p7b -out cert.pem
Encryption & Decryption
Symmetric Encryption
bash
# Encrypt file with AES-256 openssl enc -aes-256-cbc -salt -in file.txt -out file.enc # Decrypt file openssl enc -aes-256-cbc -d -in file.enc -out file.txt # Encrypt with password from file openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass file:password.txt # Base64 encode encrypted output openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -a
Asymmetric Encryption
bash
# Encrypt with public key openssl rsautl -encrypt -pubin -inkey public.key -in file.txt -out file.enc # Decrypt with private key openssl rsautl -decrypt -inkey private.key -in file.enc -out file.txt
Hashing & Digests
bash
# Generate hash openssl dgst -sha256 file.txt openssl dgst -sha512 file.txt openssl dgst -md5 file.txt # Create signature openssl dgst -sha256 -sign private.key -out signature.bin file.txt # Verify signature openssl dgst -sha256 -verify public.key -signature signature.bin file.txt # HMAC openssl dgst -sha256 -hmac "secret-key" file.txt
Certificate Revocation
Create Certificate Revocation List (CRL)
bash
# Create CRL configuration (crl.cnf) # [ca section with database and crl settings needed] # Generate CRL openssl ca -gencrl -config crl.cnf -out crl.pem # View CRL openssl crl -in crl.pem -text -noout # Verify certificate against CRL openssl verify -crl_check -CRLfile crl.pem -CAfile ca-cert.pem cert.pem
OCSP (Online Certificate Status Protocol)
bash
# Start OCSP responder openssl ocsp -port 8080 -index index.txt -CA ca-cert.pem -rkey ca-key.pem -rsigner ca-cert.pem # Query OCSP responder openssl ocsp -issuer ca-cert.pem -cert cert.pem -url http://ocsp.example.com:8080
Common PKI Workflows
Complete Certificate Workflow
bash
# 1. Generate private key openssl genrsa -out server.key 4096 # 2. Create CSR openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CA/L=SF/O=MyOrg/CN=example.com" # 3. Sign with CA openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out server.crt -days 365 -sha256 # 4. Verify openssl verify -CAfile ca-cert.pem server.crt # 5. Test locally openssl s_server -cert server.crt -key server.key -accept 8443
Best Practices
- •Key Size: Use at least 2048-bit RSA or 256-bit EC keys
- •Hash Algorithm: Use SHA-256 or stronger (avoid MD5, SHA-1)
- •Validity Period: Certificates should be valid for ≤ 398 days (current CA/Browser Forum baseline)
- •Private Key Protection: Always encrypt private keys with strong passphrases
- •SAN: Always include Subject Alternative Names, even for single domain
- •Key Backup: Securely backup private keys and CA certificates
- •Certificate Chain: Always provide complete certificate chain
- •Regular Rotation: Rotate certificates before expiration
Security Notes
- •Never share private keys - They should remain on the server
- •Use strong passphrases for encrypted keys (16+ characters)
- •Protect CA keys with HSM or secure key storage
- •Monitor expiration - Set up alerts 30 days before expiry
- •Revoke compromised certificates immediately
- •Use Certificate Transparency for public certificates