OpenSSL is an open source toolkit used to implement the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. The toolkit is loaded with tons of functionalities that can be performed using various options. As a Linux administrator, you must know openssl commands to secure your network, which includes testing POP, IMAP servers, https certificates, generating self signed keys, benchmarking speeds etc…
Well, the end user can also make use of openssl commands to generate CSR (Certificate Signing Requests), convert PEM to PKCS12, PKC12 to PEM, verify certificates, extract distinguished name etc…
Ok! Here we go,
1. How to install OpenSSL Toolkit?
Nothing tough doing this. If you have configured YUM on your machine, then run the below command.
$yum install openssl
$yum install openssl-devel
If you are running Ubuntu, then the command will be like this.
$apt-get install openssl
$apt-get install openssl-devel
Install OpenSSL from source
You can also download OpenSSL source and compile as explained here.
2. How to check the version of OpenSSL?
$openssl version OpenSSL 1.0.0-fips 29 Mar 2010
You can also retrieve detailed information using ‘-a’ option,
$openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Mar 4 22:19:53 UTC 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector –param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,–noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: “/etc/pki/tls”
engines: aesni dynamic
Is your production server running OpenSSL version 1.0.1e-fips? then here’s a serious OpenSSL vulnerability reported on march 2015 and a quick fix also has been suggested by our team of security experts.
3. How to list the help options of openssl?
Identifying the list of options available in openssl is not that user friendly. For instance using ‘-h’ or ‘-help’ or ‘help’ options will say “Invalid option”, but that’s how you can get the list of options supported by openssl. Provide an invalid option to openssl and it will list what are the valid options.
openssl -h openssl:Error: '-h' is an invalid command.
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam enc
engine errstr gendh gendsa
genpkey genrsa nseq ocsp
passwd pkcs12 pkcs7 pkcs8
pkey pkeyparam pkeyutl prime
rand req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac ts
verify version x509
Message Digest commands (see the `dgst’ command for more details)
md2 md4 md5 rmd160
sha sha1
Cipher commands (see the `enc’ command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2
rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb
rc2-ecb rc2-ofb rc4 rc4-40
seed seed-cbc seed-cfb seed-ecb
Now, the same tip can be used for getting help for subcommands as well.
$openssl crl -h unknown option -h usage: crl args
-inform arg – input format – default PEM (DER or PEM)
-outform arg – output format – default PEM
-text – print out a text format version
-in arg – input file – default stdin
-out arg – output file – default stdout
-hash – print hash value
-fingerprint – print the crl fingerprint
-issuer – print issuer DN
-lastupdate – lastUpdate field
-nextupdate – nextUpdate field
-crlnumber – print CRL number
-noout – no CRL output
-CAfile name – verify CRL using certificates in file “name”
-CApath dir – verify CRL using certificates in “dir”
-nameopt arg – various certificate name options
4. How to list the supported ciphers in openssl?
$openssl ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1 KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1 KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1 DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1 KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=SHA1 KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=MD5 EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-KRB5-RC2-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export EXP-KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export EXP-KRB5-RC2-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export EXP-KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
5. How to generate Certificate Signing Request (CSR)?
Submitting a Certificate Signing Request involves certain formalities and that entire process varies from Certificate Authority (CA) to CA. But the request can be generated from the client side, if the Certificate Authorities doesn’t provide any certificate generation interface.
When you have openssl, what else you do need?
$openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out req.pem
Here,
req: option used to generate a request.
-new: generate a new request
-newkey: generate a new key
rsa:1024: Algorithm used, and the length of key 1024 bit. It can be replaced with rsa:2048, rsa:4096 etc..
-keyout: output the new key in key.pem file.
-out: output the request in ‘req.pem’ file.
Sample output,
$openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out req.pem Generating a 1024 bit RSA private key .................................................................................................++++++ ....++++++ writing new private key to 'key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:CHE Locality Name (eg, city) [Default City]:CH Organization Name (eg, company) [Default Company Ltd]:F4 Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []:myserver Email Address []:myserver@myserver.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Output files,
$ls -rw-r--r--. 1 root root 916 Oct 28 13:06 key.pem -rw-r--r--. 1 root root 676 Oct 28 13:06 req.pem
6. How to generate Self Signed Keys using Openssl?
You can generate self signed certificates for deploying it on servers. To do that, run the below command. By default, OpenSSL uses sha1 algorithm for signing your certificate request. You can explicitly generate x509 SHA256 hash self-signed certificate too as a better security measure [By the by sha1 is already broken!].
$openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem
Here,
x509: is the digital certificate standard
-days: validity of your certificate, mostly one year.
7. How to test remote web server’s certificate?
You can use openssl’s client option to display certificate information of a remote server,
$openssl s_client -connect google.com:443 -showcerts
Sample output when google.com is queried,
$openssl s_client -connect google.com:443 -showcerts CONNECTED(00000003) depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1 depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.googl e.com verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com i:/C=US/O=Google Inc/CN=Google Internet Authority G2 -----BEGIN CERTIFICATE----- MIIHIDCCBgigAwIBAgIIPRfoBTWJubswDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
—–END CERTIFICATE—–
—
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
—
No client certificate CA names sent
—
SSL handshake has read 4055 bytes and written 426 bytes
—
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 7036D2353DD2A38D13A24F2791A65FAD5B332628C8FDD37EBF633D9575178BB4
Session-ID-ctx:
Master-Key: 113AAED5B1E5A23CA33B07AF37DD464BA671922EF5274F116FB7C7835A0749B9 48B6445AC6F10CEB78C0713727713D81
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 – d2 e0 d9 0a 1c 92 16 a7-9f a6 62 4e 06 94 24 9b ……….bN..$.
0010 – a2 da 35 9f 1b 57 1f f7-ae c2 c8 c1 28 84 48 c0 ..5..W……(.H.
0020 – ca 97 87 79 7e c3 49 13-78 ed 6b cc 6d 28 90 7a …y~.I.x.k.m(.z
0030 – 6d 1d 11 af ac be 74 d9-2c b4 c6 2d 2e fc 7d b1 m…..t.,..-..}.
0040 – ec 23 9d c3 ec 49 80 77-bf 49 41 57 bf a3 3a 1a .#…I.w.IAW..:.
0050 – d6 3d c1 61 60 d6 e3 bf-90 6e 2f 4d 96 36 78 7d .=.a`….n/M.6x}
0060 – 7d b0 bd e0 df 22 09 01-e3 11 09 67 f1 5b 1e 49 }….”…..g.[.I
0070 – 42 02 eb 6c 6d a4 d6 5b-e8 ce ef 05 d5 f7 19 a9 B..lm..[……..
0080 – 36 77 66 8b 74 38 09 bf-6c fd 28 37 fb 3a 14 fc 6wf.t8..l.(7.:..
0090 – b2 e6 dd 2b …+
Start Time: 1382946144
Timeout : 300 (sec)
Verify return code: 0 (ok)
8. How to verify SSL certificate?
$openssl verify pem-file $openssl verify mycert.pem
Sample output,
mycert.pem: OK
You should see OK as output. For instance, if the certificate was expired, you will see a complain about it. OpenSSL cannot verify all the certificates. For e.g, self signed certificates are not trusted by OpenSSL. OpenSSL trusts the certificate by verifying the issuer certificate that resides under ‘/usr/lib/ssl’ (however this location might vary from OS to OS). You can follow simple OpenSSL commands to find out what signature algorithm are used in secure websites SSL certificates.
To find out what certificate authorities OpenSSL recognizes or trusts, then the below command will reveal the directory that stores trusted CA certificates.
$openssl version -d
Sample output,
OPENSSLDIR: "/etc/pki/tls"
9. How to verify or display POP server certificate information?
$openssl s_client -connect mailserver:995
10. How to test or verify IMAP servers?
$openssl s_client -connect mailserver:993
11. How to display or test .PEM certificate?
$ openssl x509 -text -in usercert.pem
Sample Output,
Certificate: Data: Version: 3 (0x2) Serial Number: 1504 (0x5e0) Signature Algorithm: sha1WithRSAEncryption ::::::::::::::::::::::::::::::::::::::::
12. How to view your Certificate DN, validity, hash?
$openssl x509 -subject -in usercert.pem
Get the Issuer information
openssl x509 -noout -in usercert.pem -issuer
Get the validity information
openssl x509 -noout -in usercert.pem -dates
Get the hash value of the certificate
openssl x509 -noout -in usercert.pem -hash
Get the MD5 fingerprint
openssl x509 -noout -in usercert.pem -fingerprint
13. How to convert .PEM certificate to .P12 or PKCS#12 format?
$ openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out mypcks.p12
or
$ openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out mypcks.pfx
While converting your .PEM files to PFX or P12, you will asked to enter the password that secured your private key. Finally the output format will also be secured with a password.
14. How to convert .P12 certificate to .PEM format?
.P12 or PFX or PCKS#12 formats will contain both the public and private keys. Exporting .p12 file to .PEM will yield two files.
To extract password less public key, run the below command.
openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
To extract password protected private, run the below command.
openssl pkcs12 -in mycert.p12 -out mycert.pem
You should have these files now,
usercert.pem userkey.pem
15. How to generate MD5 or SHA1 hash for a file?
$openssl dgst -md5 foo.gif MD5(foo.gif)= a303ed7ce439738c2ce9f0791d9799c1 openssl dgst -sha1 foo.gif SHA1(foo.gif)= e5cba219bad315b7d0d6e0912a2d423ee9801611
16. How to base64 encode a file using openssl?
Let me create a sample file,
$more tg.txt I am goin to be encoded
To base64 encode, run the below command,
$openssl enc -base64 -in tg.txt -out tg-en.txt
Encoded data is stored in ‘tg-en.txt’
$more tg-en.txt SSBhbSBnb2luIHRvIGJlIGVuY29kZWQK
17. How to decode base64 encoded file using openssl?
$openssl enc -base64 -d -in tg-en.txt I am goin to be encoded
or
$echo "SSBhbSBnb2luIHRvIGJlIGVuY29kZWQK" | openssl enc -base64 -d
18. How to encrypt a file using openssl?
As told earlier, checkout the available ciphers using,
$openssl ciphers -v
To encrypt tg.txt to tg.enc using one of the supported cipher
openssl enc -aes-256-cbc -salt -in tg.txt -out tg.enc
You will get a binary file tg.enc, which is an encrypted file.
19. How to decrypt a file using Openssl?
To decrypt the encrypted binary file, you should remember the cipher and passphrase used during encryption.
openssl enc -d -aes-256-cbc -in tg.enc
20. How do I check the speed of my system using Openssl benchmarking option?
$openssl speed Doing md2 for 3s on 16 size blocks: 373915 md2's in 3.00s Doing md2 for 3s on 64 size blocks: 209326 md2's in 3.00s Doing md2 for 3s on 256 size blocks: 71001 md2's in 3.00s Doing md2 for 3s on 1024 size blocks: 19460 md2's in 3.00s Doing md2 for 3s on 8192 size blocks: 2506 md2's in 3.00s Doing md4 for 3s on 16 size blocks: 8402125 md4's in 3.00s Doing md4 for 3s on 64 size blocks: 6484713 md4's in 3.00s Doing md4 for 3s on 256 size blocks: 3877820 md4's in 3.00s Doing md4 for 3s on 1024 size blocks: 1473222 md4's in 3.00s Doing md4 for 3s on 8192 size blocks: 218591 md4's in 3.00s Doing md5 for 3s on 16 size blocks: 5838256 md5's in 2.99s ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
OpenSSL comes with an in-built benchmarking option called ‘speed’. It tells you how many operations it can perform in a given time.
Have more? Tell us in the comments.
pretty good, hope I remember the details 🙂 but in fact I was looking for some expamples to just know about it, as there has been such a huge discussion for digital certificates on vaccination, is is a mess, if you consider that one digit makes it an error..