OpenSSL

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. For instance, it can be used for
  • Creation and management of private keys, public keys and parameters
  • Public key cryptographic operations
  • Creation of X.509 certificates, CSRs and CRLs
  • Handling of S/MIME signed or encrypted mail

General OpenSSL Commands

  • Generate RSA-Key
    openssl genrsa -aes256 -out key.pem 2048
  • Show RSA-Key
    openssl rsa -in key.pem -text
  • Store a key encrypted with a passphrase (for example with aes256)
    openssl rsa -aes256 -in key.pem -out key_encrypted.pem 
  • Remove a passphrase from a private key
    openssl rsa -in key.pem -out key_without_passphrase.pem 
  • Convert DER to PEM (write to a new file name so the DER original is not overwritten while it is still being read)
     openssl x509 -in certificate.crt -inform DER -out certificate.pem -outform PEM 
  • Generate random bytes into a file (here 1000000 bytes)
     openssl rand -out /etc/ssl/private/.rand 1000000 

Check Information with OpenSSL

Check the information within a Certificate, CSR or Private Key.
  • Check a Certificate Signing Request (CSR) - (.csr or .pem)
     openssl req -text -noout -verify -in CSR.csr  
  • Check a private key
     openssl rsa -in privateKey.key -check 
  • Check a certificate
     openssl x509 -in certificate.crt -text -noout  
  • Verify a certificate chain (with the certificate and a CA file)
     openssl verify -verbose -CAfile cacert.pem newcert.pem  
  • Check a PKCS file (.pfx or .p12)
     openssl pkcs12 -info -in keyStore.p12 

Create Certificate Signing Request for a Server at GSI (PKCS)

To create a CSR you can use the following command:
  • Generate a CSR and an RSA-Key
    openssl req -newkey rsa:2048 -keyout key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=<Abteilung(optional)>/CN=<FQDN>/emailAddress=<EMailAddress of ServerAdministrator>'
Alternatively you can generate the RSA-Key and the CSR separately:
  • Generate a new RSA-Key
    openssl genrsa -aes256 -out key.pem 2048
  • Generate a certificate signing request (CSR) for a server at GSI for an existing private key
    openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=<Abteilung(optional)>/CN=<FQDN>/emailAddress=<EMailAddress of ServerAdministrator>'
  • Generate a certificate signing request (CSR) for a server at GSI for an existing private key and an Alternate Name (DNS)
    openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=<Abteilung(optional)>/CN=<FQDN>/emailAddress=<EMailAddress of ServerAdministrator>' -addext "subjectAltName = DNS:<AlternativeName>.gsi.de"
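The key-plus-CSR procedure above, combined with the CSR checks from the "Check Information" section, as an added shell example that is not part of the original page: it creates the request non-interactively and then verifies the CSR's self-signature, that its public key belongs to the generated private key, and that the SAN is present. It assumes OpenSSL 1.1.1 or newer (needed for -addext); the organisation and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: create a key and a CSR with a
# subjectAltName, then check the request before sending it to the CA.
# Assumes OpenSSL 1.1.1 or newer (needed for -addext). The organisation
# and host names are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/key.pem"
CSR="$WORKDIR/request.pem"
HOST="host.example.org"
ALT="alias.example.org"

# Key and CSR in one non-interactive call. -nodes leaves the key unencrypted
# so this runs unattended; encrypt it afterwards with "openssl rsa -aes256".
make_csr() {
    openssl req -batch -sha256 -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=DE/ST=Hessen/O=Example Org/CN=$HOST" \
        -addext "subjectAltName = DNS:$HOST,DNS:$ALT" 2>/dev/null
}

# The CSR is self-signed with the new key; a failed verify means the file
# was altered in transit or built with a different key.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

# Compare the public key inside the CSR with the one derived from the
# private key (SHA-256 over the DER encoding), so the wrong key cannot be
# submitted by accident.
csr_matches_key() {
    key_fp=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
    csr_fp=$(openssl req -in "$CSR" -pubkey -noout \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$csr_fp" ]
}

# Confirm a DNS name is present in the SAN extension; clients ignore the CN,
# so a CSR without the SAN yields a certificate that will not validate.
csr_has_san() {
    openssl req -in "$CSR" -noout -text | grep -q "DNS:$1"
}

# Full procedure: returns non-zero if any check fails.
run_all() {
    make_csr && csr_signature_ok && csr_matches_key && csr_has_san "$ALT"
}
```

Call run_all after sourcing the script; the generated key stays in WORKDIR, so set WORKDIR to a directory with restrictive permissions if the key is to be kept.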

Create and work with PKCS files (.pfx or .p12)

  • Convert a PEM certificate file and a private key to PKCS
     openssl pkcs12 -export -inkey privateKey.key -in certificate.crt -certfile CACert.crt -out certificate.p12 

-- IlonaNeis - 2018-02-07

Topic revision: 2023-03-21, ChristianWolbert