GSI Wiki > Linux Web > OpenSSL (2018-11-01, StefanHaller)

OpenSSL

OpenSSL is a cryptography toolkit implementing the Transport Layer Security (TLS) protocol and its predecessor Secure Sockets Layer (SSL), together with the cryptography standards those protocols require (X.509 certificates, the PKCS formats, ASN.1 encodings and the underlying ciphers, hashes and public-key algorithms). Current releases support TLS 1.0 through TLS 1.3; SSL v2 has been removed and SSL v3 is disabled by default, so neither should be relied on.

The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. For instance, it can be used for
  • Creation and management of private keys, public keys and parameters
  • Public key cryptographic operations
  • Creation of X.509 certificates, CSRs and CRLs
  • Handling of S/MIME signed or encrypted mail

General OpenSSL Commands

  • Generate an RSA key (2048 bit; -aes256 encrypts the key file with a passphrase that is prompted for)
    openssl genrsa -aes256 -out key.pem 2048
  • Show an RSA key (-noout suppresses re-printing the PEM block after the decoded fields)
    openssl rsa -in key.pem -text -noout
  • Remove the passphrase from a private key (the output file holds the key in clear text: restrict it with chmod 600 and use it only where a service has to start unattended)
    openssl rsa -in key.pem -out key_without_passphrase.pem
  • Convert a certificate from DER to PEM (use different names for input and output; reusing the input name as output can truncate the file before it has been read, depending on the OpenSSL version)
     openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
  • Write 1,000,000 random bytes to a file (e.g. as a seed file); "openssl rand -hex 16" instead prints 16 random bytes as hex on stdout, which is handy for passwords and tokens
     openssl rand -out /etc/ssl/private/.rand 1000000

Check Information with OpenSSL

Check the information within a Certificate, CSR or Private Key.
  • Check a Certificate Signing Request (CSR) - (.csr or .pem); -verify checks the CSR's self-signature, i.e. that the requester holds the private key belonging to the enclosed public key
     openssl req -text -noout -verify -in CSR.csr
  • Check a private key (-check tests the RSA key components for consistency; -noout keeps the key itself off the terminal)
     openssl rsa -in privateKey.key -check -noout
  • Check a certificate
     openssl x509 -in certificate.crt -text -noout
  • Verify a certificate chain (with the certificate and a CA file). -CAfile should hold only the root certificate(s) you trust; intermediate certificates that are not in the trust file are passed with -untrusted <intermediate.pem>, so that the chain can be built without trusting them directly
     openssl verify -verbose -CAfile cacert.pem newcert.pem
  • Check a PKCS#12 file (.pfx or .p12); the import passphrase is prompted for, and -nokeys additionally skips the private key output
     openssl pkcs12 -info -in keyStore.p12
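The checks above are easiest to trust once you have seen them succeed and fail on known material. The following script is an added example, not part of the original page: it builds a throwaway root -> intermediate -> server chain in a temporary directory (the names demo-root, demo-intermediate and server.example.invalid are made up), confirms that a private key and a certificate belong together by comparing their public keys, and shows that "openssl verify" fails with the root alone and succeeds once the intermediate is supplied via -untrusted. All commands are plain openssl CLI calls; the config file is written by the script so the result does not depend on the system openssl.cnf.

```sh
#!/bin/sh
# Added example (not from the GSI page): throwaway two-tier PKI plus the checks above.
# All names (demo-root, demo-intermediate, server.example.invalid) are made up.
set -e

# Create root CA -> intermediate CA -> server certificate in a fresh temp directory
# and print the directory path. One config file serves every step.
build_demo_pki() {
  d=$(mktemp -d)
  cat > "$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.invalid
EOF
  # Self-signed root (-nodes: unencrypted key, acceptable only for throwaway material)
  openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -sha256 -days 1 -subj '/CN=demo-root' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate: CSR, then signed by the root. Without basicConstraints CA:TRUE a
  # non-self-signed certificate is not accepted as an issuer, hence -extensions ca_ext.
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=demo-intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -sha256 -days 1 -extfile "$d/req.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
  # Server certificate signed by the intermediate
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=server.example.invalid' -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -sha256 -days 1 -extfile "$d/req.cnf" -extensions server_ext -out "$d/server.pem" 2>/dev/null
  echo "$d"
}

# Print "yes" if private key $1 and certificate $2 carry the same public key, else "no".
# Comparing the SubjectPublicKeyInfo works for RSA and EC alike, unlike the old -modulus trick.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || k=''
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || c=''
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# Print "ok" or "fail" for verifying leaf $3 against trusted CA file $1, with the
# intermediates in $2 passed as -untrusted (pass '' when there are none).
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

demo() {
  d=$(build_demo_pki)
  echo "server key matches server cert:       $(key_matches_cert "$d/server.key" "$d/server.pem")"
  echo "intermediate key matches server cert: $(key_matches_cert "$d/int.key" "$d/server.pem")"
  echo "verify with root only:                $(verify_chain "$d/root.pem" '' "$d/server.pem")"
  echo "verify with root + -untrusted int:    $(verify_chain "$d/root.pem" "$d/int.pem" "$d/server.pem")"
  echo "files left in $d"
}

demo
```

The first verify fails with "unable to get local issuer certificate" because the trust file only names the root and the leaf was signed by the intermediate; this is the same symptom you see when a web server is deployed without its chain file. The generated files stay in the printed directory for inspection with the commands from this section.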

Create Certificate Signing Request for a Server at GSI (PKCS#10)

To create a CSR you can use the following command:
  • Generate a CSR and an RSA key in one step (the key is written encrypted; the passphrase is prompted for)
    openssl req -newkey rsa:2048 -sha256 -keyout key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Darmstadt/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=<Department (optional)>/CN=<FQDN>/emailAddress=<e-mail address of the server administrator>'
Alternatively, you can generate the RSA key and the CSR separately:
  • Generate a new RSA key
    openssl genrsa -aes256 -out key.pem 2048
  • Generate a certificate signing request (CSR) for a server at GSI from an existing private key (-batch suppresses the interactive subject prompts because -subj supplies the subject; the key's passphrase is still asked for)
    openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Darmstadt/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=<Department (optional)>/CN=<FQDN>/emailAddress=<e-mail address of the server administrator>'
The CN must be the server's fully qualified host name. Note that browsers and other TLS clients match the host name against the subjectAltName extension only, not against the CN, so a certificate that carries the name solely in the CN is rejected by current clients; check with the issuing CA how additional names (SAN entries) are to be requested.
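Putting the procedure above into a script that does not depend on the system openssl.cnf, as an added example that is not part of the original page: the subject fields from the page are written to a small config file, the FQDN goes into both the CN and a subjectAltName extension, and the result is checked with "openssl req -verify" exactly as in the section above. The host names and the address admin@example.invalid are placeholders, and -nodes is used only so that the script runs unattended.

```sh
#!/bin/sh
# Added example (not from the GSI page): key + CSR with the GSI subject fields and a
# subjectAltName, driven by a config file. Host names and e-mail address are placeholders.
set -e

# make_csr OUTDIR FQDN ADMIN_EMAIL [EXTRA_DNS_NAME ...]
# Writes OUTDIR/key.pem and OUTDIR/request.pem. The CN is repeated as the first SAN
# entry because TLS clients match host names against SAN only, not against the CN.
make_csr() {
  out=$1; fqdn=$2; email=$3; shift 3
  sans="DNS:$fqdn"
  for name in "$@"; do sans="$sans,DNS:$name"; done
  cat > "$out/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
C            = DE
ST           = Hessen
L            = Darmstadt
O            = GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
CN           = $fqdn
emailAddress = $email
[ v3_req ]
subjectAltName = $sans
EOF
  # -nodes writes the key unencrypted so the script runs unattended; drop it to get a
  # passphrase-protected key as the page's genrsa -aes256 command produces.
  openssl req -new -config "$out/csr.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out/key.pem" -out "$out/request.pem" 2>/dev/null
  chmod 600 "$out/key.pem"
}

# Verify the CSR's self-signature (exit non-zero if it does not check out) and print
# its SAN entries comma-separated without spaces, e.g. "DNS:a,DNS:b".
csr_sans() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Print the CSR's subject as openssl renders it (format differs between versions)
csr_subject() {
  openssl req -in "$1" -noout -subject
}

demo() {
  d=$(mktemp -d)
  make_csr "$d" www.example.invalid admin@example.invalid example.invalid
  csr_subject "$d/request.pem"
  echo "SAN: $(csr_sans "$d/request.pem")"
  echo "files left in $d"
}

demo
```

Submit request.pem to the CA and keep key.pem where only the service account can read it; the CSR contains no secret, so it may be sent over plain channels.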

Create and work with PKCS#12 files (.pfx or .p12)

  • Convert a PEM certificate file and a private key to PKCS#12 (-certfile adds the CA chain so that the importing system can build it; the export passphrase is prompted for and protects the private key inside the bundle. OpenSSL releases before 3.0 default to 3DES for the key and 40-bit RC2 for the certificates; add -keypbe AES-256-CBC -certpbe AES-256-CBC for modern encryption)
     openssl pkcs12 -export -inkey privateKey.key -in certificate.crt -certfile CACert.crt -out certificate.p12
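Round-tripping a key and certificate through PKCS#12 and checking the result, as an added example that is not part of the original page. It creates a throwaway self-signed certificate for the made-up name p12-demo.example.invalid, exports the bundle with AES-256 for both bags and an HMAC-SHA256, reads the passphrase from the environment variable P12PASS rather than the command line (where "pass:" arguments are visible in the process list and shell history), and confirms that the certificate and key extracted from the bundle are the ones that went in.

```sh
#!/bin/sh
# Added example (not from the GSI page): PKCS#12 round trip with verification.
# The self-signed certificate and p12-demo.example.invalid are constructed for the demo.
# The export passphrase is taken from the environment variable P12PASS.
set -e

# Throwaway key + self-signed certificate; prints the temp directory
make_material() {
  d=$(mktemp -d)
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = p12-demo.example.invalid\n' > "$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  echo "$d"
}

# pack_p12 KEY CERT OUT.p12 [CHAIN.pem]
# AES-256 with PBKDF2 for both bags and HMAC-SHA256 over the bundle; OpenSSL before
# 3.0 otherwise defaults to 3DES for the key bag and 40-bit RC2 for the certificate bag.
pack_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" ${4:+-certfile} ${4:+"$4"} \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout env:P12PASS -out "$3"
}

# Print "yes" if the certificate inside bundle $1 has the same SHA-256 fingerprint as $2
p12_cert_matches() {
  a=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12PASS 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || a=''
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  if [ -n "$a" ] && [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# Print "yes" if the private key inside bundle $1 has the same public key as key file $2
p12_key_matches() {
  a=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12PASS 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || a=''
  b=$(openssl pkey -in "$2" -pubout)
  if [ -n "$a" ] && [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

demo() {
  P12PASS=$(openssl rand -base64 24); export P12PASS
  d=$(make_material)
  pack_p12 "$d/key.pem" "$d/cert.pem" "$d/bundle.p12"
  echo "certificate round-trips: $(p12_cert_matches "$d/bundle.p12" "$d/cert.pem")"
  echo "private key round-trips: $(p12_key_matches "$d/bundle.p12" "$d/key.pem")"
  # Same inspection as in the section above, without dumping the contents
  openssl pkcs12 -in "$d/bundle.p12" -info -nokeys -noout -passin env:P12PASS
  echo "files left in $d"
}

demo
```

The -info output names the PBE and MAC algorithms actually used, which is the quickest way to tell a legacy RC2/3DES bundle from an AES one before handing it to another system.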

Links

-- IlonaNeis - 2018-02-07
Topic revision: r4 - 2018-11-01, StefanHaller