OpenSSL is a free library that implements security protocols, provided by the free software community. OpenSSL libraries are used by many enterprises in their systems and products. OpenSSL libraries and algorithms can be used with the
openssl command. In this tutorial we will look at different use cases for
Private keys should be kept secret. Private keys are generally used to decrypt data.
Public keys are provided to everyone and are not secret. Public keys are generally used to encrypt data.
Certificates hold keys and related information. Certificates generally hold public keys.
Generate Private Key and Certificate Signing Request
We can generate a private key together with a Certificate Signing Request. We can send the generated
CertificateSigningRequest.csr to the Certificate Authority for approval and then we can use
$ openssl req -out CertificateSigningRequest.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generate Self-Signed Certificate
If we will use the certificate only in our local environment and systems, we do not need to have it signed by a global Certificate Authority. We can generate a self-signed certificate with the following command.
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate Certificate Signing Request (CSR) with Existing Certificate
If we already have a certificate but need it approved by a global Certificate Authority, we need to generate a Certificate Signing Request with the following command.
$ openssl req -out CSR.csr -key privateKey.key -new
Remove Passphrase From Private Key
Private keys are generally stored encrypted to make them more secure, but then we have to decrypt the key every time we want to use it. To make this more practical we can extract the private key and store it unencrypted, in which case file permissions are the only protection left for the key.
$ openssl rsa -in privateKey.pem -out newPrivateKey.pem
Check and Print Certificate Signing Request (CSR)
We can print all the information contained in a Certificate Signing Request on the shell with the following command.
$ openssl req -text -noout -verify -in CertificateSigningRequest.csr
Check and Print Private Key
We can print and check a private key with the following command. This will print key information.
$ openssl rsa -in privateKey.key -check
Check and Print Certificate
We can print certificate information and related parts with the following command.
$ openssl x509 -in certificate.crt -text -noout
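The check commands above print each file on its own. As an added example (not part of the original tutorial), the script below confirms that a private key, a CSR and a certificate belong together by comparing the public key each one holds. The function names, file names and -subj values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check that a private key, a CSR
# and a certificate all carry the same public key before deploying them.

# Print the public key (PEM, SubjectPublicKeyInfo) held by a file.
# $1 = key | csr | crt, $2 = PEM file
pubkey_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr) openssl req -in "$2" -noout -pubkey 2>/dev/null ;;
        crt) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)   return 2 ;;
    esac
}

# Return 0 if both files hold the same public key, 1 if they differ,
# 2 if either file could not be parsed.
same_keypair() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build constructed sample files in directory $1 using the page's commands;
# -subj (constructed names) only suppresses the interactive prompts.
make_samples() {
    openssl req -out "$1/a.csr" -new -newkey rsa:2048 -nodes \
        -keyout "$1/a.key" -subj "/CN=a.example.test" 2>/dev/null &&
    openssl req -x509 -new -sha256 -days 365 -key "$1/a.key" \
        -out "$1/a.crt" -subj "/CN=a.example.test" 2>/dev/null &&
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1/b.key" -out "$1/b.crt" -subj "/CN=b.example.test" 2>/dev/null
}

# Stand-alone run: a.key pairs with a.csr and a.crt, but not with b.crt.
dir=$(mktemp -d) && make_samples "$dir" && {
    same_keypair key "$dir/a.key" csr "$dir/a.csr" && echo "a.key matches a.csr"
    same_keypair key "$dir/a.key" crt "$dir/a.crt" && echo "a.key matches a.crt"
    same_keypair key "$dir/a.key" crt "$dir/b.crt" || echo "a.key does NOT match b.crt"
}
rm -rf "$dir"
```

A passphrase-protected key makes openssl pkey prompt for the passphrase before the comparison can run.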
Check and Print PKCS#12 Certificate (.pfx , .p12)
We can check and print PKCS#12 certificates with the following command.
$ openssl pkcs12 -info -in keyStore.p12
Check SSL Connection and Certificates
OpenSSL provides a web client which can connect to web servers over SSL/TLS and print SSL/TLS certificate information.
$ openssl s_client -connect poftut.com:443
Convert DER (.crt .cer .der) To PEM
Certificates can be stored in different formats. DER and PEM are two popular formats used to store certificates. We can convert DER to PEM with the following command.
$ openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert PEM To DER
The reverse conversion from PEM to DER can be done with the following.
$ openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PKCS#12 (.pfx .p12) To PEM
We can convert PKCS#12 format files to PEM files with the following command. The -nodes option leaves the private key in keyStore.pem unencrypted.
$ openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
Convert PEM To PKCS#12 (.pfx .p12)
We can convert PEM format to the PKCS#12 format with the following command.
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt