OpenSSL is an open-source implementation of the SSL protocol. The OpenSSL commands are supported on almost all platforms including Windows, Mac OSx, and Linux operating systems. The OpenSSL can be used for generating CSR for the certificate installation process in servers. So, today we are going to list some of the most popular and widely used OpenSSL commands. These examples will probably include those ones which you are looking for. So, have a look at these best OpenSSL Commands Examples.
Common OpenSSL Commands
There are some random Open SSL commands which allows completing various tasks such as generating CSR and private keys. Let’s have a look at them.
Generate new private key and CSR (Certificate Signing Request)
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generate self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
This will generate a self-signed SSL certificate valid for 1 year. The 2048-bit RSA alongside the sha256 will provide the maximum possible security to the certificate.
Generate a CSR for an existing private key in the server
openssl req -out CSR.csr -key privateKey.key -new
Generate a CSR for an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Generate an RSA key
Generate a DSA key
openssl dsaparam -noout -out dsakey.pem -genkey 1024
Remove a passphrase from private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Connect to a web server using SNI
openssl s_client -connect www.massivehost.com:443 -servername www.myhost.com
openssl enc -base64 -in filename.txt
Encrypt a file
openssl enc -aes-256-cbc -salt -in filename.txt -out filename.enc
Decrypt a file
openssl enc -d -aes-256-cbc -in filename.enc
Check Using OpenSSL
Instead of performing the operations such as generating and removing keys and certificates, you could easily check the information using the OpenSSL commands. Here are few examples.
Check a CSR (Certificate Signing Request)
openssl req -text -noout -verify -in CSR.csr
Check a private key
openssl rsa -in privateKey.key -check
Check a certificate
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file with extension .pfx or .p12
openssl pkcs12 -info -in keyStore.p12
Test SSL certificate of particular URL
openssl s_client -connect yoururl.com:443 –showcerts
Check the Certificate Signer Authority
openssl x509 -in certfile.pem -noout -issuer -issuer_hash
Check PEM File Certificate Expiration Date
openssl x509 -noout -in certificate.pem -dates
Check OpenSSL version
Check Certificate Expiration Date of SSL URL
openssl s_client -connect secureurl.com:443 2>/dev/null | openssl x509 -noout –enddate
Check if particular cipher is accepted on URL
openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443
Debugg Using OpenSSL
Often times, you may face errors such as the private key doesn’t match the certificate. In such situations, the following commands will be helpful.
Check MD5 hash of the public key to check it matches with a CSR or private key.
openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
Check an SSL connection.
openssl s_client -connect www.paypal.com:443
Benchmark using OpenSSL
The OpenSSL commands are also available for benchmarking needs. You could benchmark your server performance and connection stability using the commands.
Benchmark my system’s performance
Benchmark remote connections
openssl s_time -connect remote.host:443
Convert Operations using OpenSSL
To convert the SSL certificates or keys from one format to another, you could utilize the following commands. You can change the format from one to another to make the certificates compatible with the server.
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
The list of all available OpenSSL commands
If you don’t know, the command line itself can tell you the complete available OpenSSL commands. To do this, the best option is inputting an invalid command to the command line. For example, you could use this command.
$ openssl help
It will display the list of available commands like this
$ openssl help openssl:Error: 'help' is an invalid command. Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac ts verify version x509 Message Digest commands (see the `dgst' command for more details) md2 md4 md5 rmd160 sha sha1 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
There you can find out all the possible commands recognized by your command line. In addition, you could also find out a list of the sub commands by using an incorrect subcommand like this.
$ openssl dgst -h unknown option '-h' options are -c to output the digest with separating colons -r to output the digest in coreutils format -d to output debug info -hex output as hex dump -binary output in binary form -sign file sign digest using private key in file -verify file verify a signature using public key in file -prverify file verify a signature using private key in file -keyform arg key file format (PEM or ENGINE) -out filename output to filename rather than stdout -signature file signature to verify -sigopt nm:v signature parameter -hmac key create hashed MAC with key -mac algorithm create MAC (not neccessarily HMAC) -macopt nm:v MAC algorithm parameters or key -engine e use engine e, possibly a hardware device. -md4 to use the md4 message digest algorithm -md5 to use the md5 message digest algorithm -ripemd160 to use the ripemd160 message digest algorithm -sha to use the sha message digest algorithm -sha1 to use the sha1 message digest algorithm -sha224 to use the sha224 message digest algorithm -sha256 to use the sha256 message digest algorithm -sha384 to use the sha384 message digest algorithm -sha512 to use the sha512 message digest algorithm -whirlpool to use the whirlpool message digest algorithm
Now you know a bunch of useful commands for the OpenSSL. Go and try them yourself.