1. Home
  2. Linux
  3. 20 OpenSSL Commands Examples that you must know
  1. Home
  2. Network and security
  3. 20 OpenSSL Commands Examples that you must know

20 OpenSSL Commands Examples that you must know

OpenSSL is an open source toolkit used to implement the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. The toolkit is loaded with tons of functionalities that can be performed using various options. As a Linux administrator, you must know openssl commands to secure your network, which includes testing POP, IMAP servers, https certificates, generating self signed keys, benchmarking speeds etc…

Well, the end user can also make use of openssl commands to generate CSR (Certificate Signing Requests), convert PEM to PKCS12, PKC12 to PEM, verify certificates, extract distinguished name etc…

Ok! Here we go,

OpenSSL

1. How to install OpenSSL Toolkit?

Nothing tough doing this. If you have configured YUM on your machine, then run the below command.

$yum install openssl

$yum install openssl-devel

If you are running Ubuntu, then the command will be like this.

$apt-get install openssl

$apt-get install openssl-devel

2. How to check the version of OpenSSL?

$openssl version
OpenSSL 1.0.0-fips 29 Mar 2010

You can also retrieve detailed information using ‘-a’ option,

$openssl version -a

OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Mar 4 22:19:53 UTC 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector –param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,–noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: “/etc/pki/tls”
engines: aesni dynamic

Is your production server running OpenSSL version 1.0.1e-fips? then here’s a serious OpenSSL vulnerability reported on march 2015 and a quick fix also has been suggested by our team of security experts.

3. How to list the help options of openssl?

Identifying the list of options available in openssl is not that user friendly. For instance using ‘-h’ or ‘-help’ or ‘help’ options will say “Invalid option”, but that’s how you can get the list of options supported by openssl. Provide an invalid option to openssl and it will list what are the valid options.

openssl -h
openssl:Error: '-h' is an invalid command.

Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam enc
engine errstr gendh gendsa
genpkey genrsa nseq ocsp
passwd pkcs12 pkcs7 pkcs8
pkey pkeyparam pkeyutl prime
rand req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac ts
verify version x509

Message Digest commands (see the `dgst’ command for more details)
md2 md4 md5 rmd160
sha sha1

Cipher commands (see the `enc’ command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2
rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb
rc2-ecb rc2-ofb rc4 rc4-40
seed seed-cbc seed-cfb seed-ecb

Now, the same tip can be used for getting help for subcommands as well.

$openssl crl -h
unknown option -h
usage: crl args

-inform arg – input format – default PEM (DER or PEM)
-outform arg – output format – default PEM
-text – print out a text format version
-in arg – input file – default stdin
-out arg – output file – default stdout
-hash – print hash value
-fingerprint – print the crl fingerprint
-issuer – print issuer DN
-lastupdate – lastUpdate field
-nextupdate – nextUpdate field
-crlnumber – print CRL number
-noout – no CRL output
-CAfile name – verify CRL using certificates in file “name”
-CApath dir – verify CRL using certificates in “dir”
-nameopt arg – various certificate name options

4. How to list the supported ciphers in openssl?

$openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=SHA1
KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-KRB5-RC2-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export
EXP-KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export
EXP-KRB5-RC2-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export
EXP-KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export

5. How to generate Certificate Signing Request (CSR)?

Submitting a Certificate Signing Request involves certain formalities and that entire process varies from Certificate Authority (CA) to CA. But the request can be generated from the client side, if the Certificate Authorities doesn’t provide any certificate generation interface.

When you have openssl, what else you do need?

$openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out req.pem

Here,

req: option used to generate a request.

-new: generate a new request

-newkey: generate a new key

rsa:1024: Algorithm used, and the length of key 1024 bit. It can be replaced with rsa:2048, rsa:4096 etc..

-keyout: output the new key in key.pem file.

-out: output the request in ‘req.pem’ file.

Sample output,

$openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out req.pem
Generating a 1024 bit RSA private key
.................................................................................................++++++
....++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:CHE
Locality Name (eg, city) [Default City]:CH
Organization Name (eg, company) [Default Company Ltd]:F4
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:myserver
Email Address []:myserver@myserver.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Output files,

$ls
-rw-r--r--. 1 root root 916 Oct 28 13:06 key.pem
-rw-r--r--. 1 root root 676 Oct 28 13:06 req.pem

6. How to generate Self Signed Keys using Openssl?

You can generate self signed certificates for deploying it on servers. To do that, run the below command. By default, OpenSSL uses sha1 algorithm for signing your certificate request. You can explicitly generate x509 SHA256 hash self-signed certificate too as a better security measure [By the by sha1 is already broken!].

$openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem

Here,

x509: is the digital certificate standard

-days: validity of your certificate, mostly one year.

7. How to test remote web server’s certificate?

You can use openssl’s client option to display certificate information of a remote server,

$openssl s_client -connect google.com:443 -showcerts

Sample output when google.com is queried,

$openssl s_client -connect google.com:443 -showcerts
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.googl e.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIHIDCCBgigAwIBAgIIPRfoBTWJubswDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl

—–END CERTIFICATE—–

Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

No client certificate CA names sent

SSL handshake has read 4055 bytes and written 426 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 7036D2353DD2A38D13A24F2791A65FAD5B332628C8FDD37EBF633D9575178BB4
Session-ID-ctx:
Master-Key: 113AAED5B1E5A23CA33B07AF37DD464BA671922EF5274F116FB7C7835A0749B9 48B6445AC6F10CEB78C0713727713D81
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 – d2 e0 d9 0a 1c 92 16 a7-9f a6 62 4e 06 94 24 9b ……….bN..$.
0010 – a2 da 35 9f 1b 57 1f f7-ae c2 c8 c1 28 84 48 c0 ..5..W……(.H.
0020 – ca 97 87 79 7e c3 49 13-78 ed 6b cc 6d 28 90 7a …y~.I.x.k.m(.z
0030 – 6d 1d 11 af ac be 74 d9-2c b4 c6 2d 2e fc 7d b1 m…..t.,..-..}.
0040 – ec 23 9d c3 ec 49 80 77-bf 49 41 57 bf a3 3a 1a .#…I.w.IAW..:.
0050 – d6 3d c1 61 60 d6 e3 bf-90 6e 2f 4d 96 36 78 7d .=.a`….n/M.6x}
0060 – 7d b0 bd e0 df 22 09 01-e3 11 09 67 f1 5b 1e 49 }….”…..g.[.I
0070 – 42 02 eb 6c 6d a4 d6 5b-e8 ce ef 05 d5 f7 19 a9 B..lm..[……..
0080 – 36 77 66 8b 74 38 09 bf-6c fd 28 37 fb 3a 14 fc 6wf.t8..l.(7.:..
0090 – b2 e6 dd 2b …+

Start Time: 1382946144
Timeout : 300 (sec)
Verify return code: 0 (ok)

8. How to verify SSL certificate?

$openssl verify pem-file
$openssl verify mycert.pem

Sample output,

mycert.pem: OK

You should see OK as output. For instance, if the certificate was expired, you will see a complain about it. OpenSSL cannot verify all the certificates. For e.g, self signed certificates are not trusted by OpenSSL. OpenSSL trusts the certificate by verifying the issuer certificate that resides under ‘/usr/lib/ssl’ (however this location might vary from OS to OS). You can follow simple OpenSSL commands to find out what signature algorithm are used in secure websites SSL certificates.

To find out what certificate authorities OpenSSL recognizes or trusts, then the below command will reveal the directory that stores trusted CA certificates.

$openssl version -d

Sample output,

OPENSSLDIR: "/etc/pki/tls"

9. How to verify or display POP server certificate information?

$openssl s_client -connect mailserver:995

10. How to test or verify IMAP servers?

$openssl s_client -connect mailserver:993

11. How to display or test .PEM certificate?

$ openssl x509 -text -in usercert.pem

Sample Output,

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1504 (0x5e0)
Signature Algorithm: sha1WithRSAEncryption
::::::::::::::::::::::::::::::::::::::::

12. How to view your Certificate DN, validity, hash?

$openssl x509 -subject -in usercert.pem

Get the Issuer information

openssl x509 -noout -in usercert.pem -issuer

Get the validity information

openssl x509 -noout -in usercert.pem -dates

Get the hash value of the certificate

openssl x509 -noout -in usercert.pem -hash

Get the MD5 fingerprint

openssl x509 -noout -in usercert.pem -fingerprint

13. How to convert .PEM certificate to .P12 or PKCS#12 format?

$ openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out mypcks.p12

or

$ openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out mypcks.pfx

While converting your .PEM files to PFX or P12, you will asked to enter the password that secured your private key. Finally the output format will also be secured with a password.

14. How to convert .P12 certificate to .PEM format?

.P12 or PFX or PCKS#12 formats will contain both the public and private keys. Exporting .p12 file to .PEM will yield two files.

To extract password less public key, run the below command.

openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes

To extract password protected private, run the below command.

openssl pkcs12 -in mycert.p12 -out mycert.pem

You should have these files now,

usercert.pem
userkey.pem

15. How to generate MD5 or SHA1 hash for a file?

$openssl dgst -md5 foo.gif
MD5(foo.gif)= a303ed7ce439738c2ce9f0791d9799c1
openssl dgst -sha1 foo.gif
SHA1(foo.gif)= e5cba219bad315b7d0d6e0912a2d423ee9801611

16. How to base64 encode a file using openssl?

Let me create a sample file,

$more tg.txt
I am goin to be encoded

To base64 encode, run the below command,

$openssl enc -base64 -in tg.txt -out tg-en.txt

Encoded data is stored in ‘tg-en.txt’

$more tg-en.txt
SSBhbSBnb2luIHRvIGJlIGVuY29kZWQK

17. How to decode base64 encoded file using openssl?

$openssl enc -base64 -d -in tg-en.txt
I am goin to be encoded

or

$echo "SSBhbSBnb2luIHRvIGJlIGVuY29kZWQK" | openssl enc -base64 -d

18. How to encrypt a file using openssl?

As told earlier, checkout the available ciphers using,

$openssl ciphers -v

To encrypt tg.txt to tg.enc using one of the supported cipher

openssl enc -aes-256-cbc -salt -in tg.txt -out tg.enc

You will get a binary file tg.enc, which is an encrypted file.

19. How to decrypt a file using Openssl?

To decrypt the encrypted binary file, you should remember the cipher and passphrase used during encryption.

openssl enc -d -aes-256-cbc -in tg.enc

20. How do I check the speed of my system using Openssl benchmarking option?

$openssl speed
Doing md2 for 3s on 16 size blocks: 373915 md2's in 3.00s
Doing md2 for 3s on 64 size blocks: 209326 md2's in 3.00s
Doing md2 for 3s on 256 size blocks: 71001 md2's in 3.00s
Doing md2 for 3s on 1024 size blocks: 19460 md2's in 3.00s
Doing md2 for 3s on 8192 size blocks: 2506 md2's in 3.00s
Doing md4 for 3s on 16 size blocks: 8402125 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 6484713 md4's in 3.00s
Doing md4 for 3s on 256 size blocks: 3877820 md4's in 3.00s
Doing md4 for 3s on 1024 size blocks: 1473222 md4's in 3.00s
Doing md4 for 3s on 8192 size blocks: 218591 md4's in 3.00s
Doing md5 for 3s on 16 size blocks: 5838256 md5's in 2.99s
::::::::::::::::::::::::::::::::::::::::::::::::::::::::

OpenSSL comes with an in-built benchmarking option called ‘speed’. It tells you how many operations it can perform in a given time.

Have more? Tell us in the comments.


Related Content

Updated on September 3, 2017

Was this article helpful?

Related Articles

Add A Comment