Most Common OpenSSL Commands

Imagine that you need to send a message to your friend. But you don’t know where he is or what his contact detail is. You just know another man who has your friend’s contacts that can send your message to him.

The Internet was designed in a way as we describe above. The data passes through multiple nodes in the network to reach its destination.  By default data will be a text plain and insecure. Any nodes in which you pass the message to get the package can read these messages.

SSL and TLS are the protocols to reduce this risk. So only the message owner can read the message and also make sure that the message sender is the true person that should be.

OpenSSL is a powerful toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.  Also, it’s free software that implements  SSL and TLS  protocols and enables a server to send data across the internet with encrypted mode. To understand OpenSSL, you also need to understand its purpose.

The OpenSSL contains tools essential for the following tasks;

  • Generating private keys (RSA)
  • Generating Certificate Signing Request (CSRs)
  • Performing encryption/decryption
  • Manage and control encrypted file

Let's have a look at some of  OpenSSL  Operations and  Features.

Generating  RSA , CSRs, CRT

  • Create a new private key and Certificate Signing Request (CSRs)

#openssl req -out Casesup.csr -new -newkey rsa:2048 -nodes -keyout Casesup.key
  • Generate a self-signed certificate (CRT)

#openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout Casesup.key -out Casesup.crt
  • Create a Certificate  Sigining  Request  with  existing  PEM file

#openssl req -out casesup.csr -key casesup.key -new
  • Generate  a  Certificate  Signing  Request  with  an existing  Certificate (CSRs)

#openssl x509 -x509toreq -in casesup.crt -out casesup.csr -signkey casesup.key

Check RSA , CSRs, CRT

  • Check  A CSR file

#openssl req -text -noout -verify -in casesup.csr
  • Check Private key

#openssl rsa -in casesup.key -check
  • Check  Certificate file

#openssl x509 -in casesup.crt -text -noout
  • Check PKCS#12 file (.pfx and .p12)

#openssl pkcs12 -info -in casesup.p12

Debugging  Tools OpenSSL

  • Use MD5 to check  if  certificate, pem and csr are  matched

#openssl x509 -noout -modulus -in casesup.crt | openssl md5
openssl rsa -noout -modulus -in casesup.key | openssl md5
openssl req -noout -modulus -in casesup.csr | openssl md5
  • Check SSL  connection  certificate  information

#openssl s_client -connect

Converting Use  OpenSSL

  • Convert DER  format  (.cer .crt .der) to PEM

#openssl x509 -inform der -in casesup.cer -out casesup.pem
  • Convert  PEM to  DER

#openssl x509 -outform der -in casesup.pem -out casesup.der
  • Convert  PKCS#12(.pfx or  .p12) to PEM

#openssl pkcs12 -in casesup.pfx -out casesup.pem -nodes

Also you  have  two  options  to export  only private Key and also  only  certificate

  • Convert  PKCS#12(.pfx or  .p12) to PEM (only  export PEM)

#openssl pkcs12 -in casesup.pfx -out casesup.pem -nodes -nocerts
  • Convert  PKCS#12(.pfx or  .p12) to CRT (only  export Certificate)

#openssl pkcs12 -in casesup.pfx -out casesup.crt -nodes -nokeys
  • Convert  PEM and  CRT to  PKCS#12(.pfx, .p12)

#openssl pkcs12 -export -out casesup.pfx -inkey casesup.key -in casesup.crt -certfile CAcasesup.crt


Tagged In:

I'm a IT Infrastructure and Operations Architect with extensive experience and administration skills and works for Turk Telekom. I provide hardware and software support for the IT Infrastructure and Operations tasks.

205 Total Posts
Follow Me