OpenSSL

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. For instance, it can be used for
  • Creation and management of private keys, public keys and parameters
  • Public key cryptographic operations
  • Creation of X.509 certificates, CSRs and CRLs
  • Handling of S/MIME signed or encrypted mail

General OpenSSL Commands

  • Generate RSA-Key
    openssl genrsa -aes256 -out key.pem 2048
  • Show RSA-Key
    openssl rsa -in key.pem -text
  • Store a key encrypted with a passphrase (for example with aes256)
    openssl rsa -aes256 -in key.pem -out key_encrypted.pem 
  • Remove a passphrase from a private key
    openssl rsa -in key.pem -out key_without_passphrase.pem 
  • Convert DER to PEM
     openssl x509 -in certificate.crt -inform DER -out certificate.crt -outform PEM 
  • Generate a random number
     openssl rand -out /etc/ssl/private/.rand 1000000 

Check Information with OpenSSL

Check the information within a Certificate, CSR or Private Key.
  • Check a Certificate Signing Request (CSR) - (.csr or .pem)
     openssl req -text -noout -verify -in CSR.csr  
  • Check a private key
     openssl rsa -in privateKey.key -check 
  • Check a certificate
     openssl x509 -in certificate.crt -text -noout  
  • Verify a certificate chain (with the certificate and a CA file)
     openssl verify -verbose -CAfile cacert.pem newcert.pem  
  • Check a PKCS file (.pfx or .p12)
     openssl pkcs12 -info -in keyStore.p12 

Create Certificate Signing Request for a Server at GSI (PKCS)

To Create a CSR you can use the follwing command:
  • Generate a CSR and a RSA-Key
    openssl req -newkey rsa:2048 -keyout key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=>Abteilung(optional)>/CN=<FQDN>/emailAddress=<EMailAdress of ServerAdministrator>'
Alternatively you can generate RSA-Key and CSR seperately:
  • Generate a new RSA-Key
    openssl genrsa ­aes256 ­out key.pem 2048
  • Generate a certificate signing request (CSR) for a server at GSI for an existing private key
    openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=>Abteilung(optional)>/CN=<FQDN>/emailAddress=<EMailAdress of ServerAdministrator>'
  • Generate a certificate signing request (CSR) for a server at GSI for an existing private key and an Alternate Name (DNS)
    openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=>Abteilung(optional)>/CN=<FQDN>/emailAddress=<EMailAdress of ServerAdministrator>'  -addext "subjectAltName = DNS:<AlternativeName>.gsi.de"

Create and work with PKCS files (.pfx or .p12)

  • Convert a PEM certificate file and a private key to PKCS
     openssl pkcs12 -export -inkey privateKey.key -in certificate.crt -certfile CACert.crt -out certificate.p12 

-- IlonaNeis - 2018-02-07
Topic revision: r7 - 2023-03-21, ChristianWolbert - This page was cached on 2024-12-20 - 13:29.

<!-- With LdapContrib WikiUsers becomes irrelevant -->
%IF{"'%WIKINAME%'!='WikiGuest'" then="$n   * [[$percentUSERSWEB$percent.$percentWIKIUSERSTOPIC$percent][ $percentICON{\"person\"}$percent $percentMAKETEXT{\"Users\"}$percent]]"}% \

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding GSI Wiki? Send feedback | Legal notice | Privacy Policy (german)