A Guide to OpenSSL Commands – The Basics


Learn to use OpenSSL command lines

Writing a comprehensive guide to OpenSSL commands seems an odd job to give an aging man who, up until recently, thought servers could only be found hoofing it from kitchen to table in a chain restaurant. Probably one that can’t attract millennial customers. Seriously. Millennials are the worst thing to ever happen to Applebee’s. But that’s another discussion for another time.

Today, we’re here to discuss OpenSSL command lines.

What is OpenSSL?

OpenSSL is a cryptography library and, just as importantly for this guide, the openssl command-line tool that ships with it. It’s a robust, full-featured, open-source implementation of the SSL and TLS protocols, with tools for generating private keys, Certificate Signing Requests and certificates, and for converting between the file formats different servers expect. It’s written in C, though wrappers are available for a wide range of programming languages. It is the TLS implementation behind a large share of the world’s web servers; the figure usually quoted is about two-thirds.

Why do I need to learn OpenSSL commands?

Now, I know what you’re asking: “can’t I just generate a private key and a CSR in my browser with an online tool?” No. No you may not. A private key generated on someone else’s website is a key that someone else has a copy of, which defeats the whole point of having one. Google recently buried Mr. Trustico for that. And Google hasn’t pulled a wet job since it whacked Jeeves. So that means we need to learn some command lines. That’s right, today we’re going to forget some relevant information so we can make space in our brains for some random strings of text that a computer will understand.

So say goodbye to the Pythagorean theorem and say hello to… this.

Checking your OpenSSL Version

Sometimes you’ll need to identify which version of OpenSSL is being used on a given server. And even if you already know, sometimes it’s nice just to ask the server a few questions about itself before you start bossing it around. That’s called foreplay.

Anyway, figuring out what version of OpenSSL you’re working with tells you what it’s compatible with. The big line in the sand is TLS 1.3: it needs OpenSSL 1.1.1 or later, so a 1.0.2 or 1.1.0 build cannot negotiate it no matter how the server is configured. Those older branches are also past end-of-life and no longer receive security fixes, which is reason enough to check.

Use the following command to check your OpenSSL version (the -a flag also prints the build date, platform, compiler flags and the directory OpenSSL reads its configuration from):

openssl version -a
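The version banner is only useful if you act on it. As an added example (not part of the original post), here is a small POSIX shell helper that pulls the version number out of an openssl version banner and decides whether the build is new enough for TLS 1.3, i.e. 1.1.1 or later. It assumes the standard OpenSSL banner format, such as "OpenSSL 1.1.1k  25 Mar 2021"; the banners it is exercised with are made up for illustration, and LibreSSL banners are not handled.

```sh
#!/bin/sh
# Added example: decide whether an `openssl version` banner describes a build
# that supports TLS 1.3 (OpenSSL 1.1.1 or later). Assumes the standard banner
# layout "OpenSSL <version> <date>", e.g. "OpenSSL 1.1.1k  25 Mar 2021".

# Print the bare version token (e.g. 1.1.1k) from a banner string.
openssl_version_number() {
    # The second whitespace-separated field of the banner is the version.
    printf '%s\n' "$1" | awk '{print $2}'
}

# Return 0 if the banner's version is >= 1.1.1, 1 otherwise.
supports_tls13() {
    v=$(openssl_version_number "$1")
    # Drop the letter suffix OpenSSL 1.x used (1.1.1k -> 1.1.1), then split.
    num=$(printf '%s\n' "$v" | sed 's/[a-z].*$//')
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Every 3.x release supports TLS 1.3.
    [ "$major" -ge 2 ] && return 0
    # In the 1.x line, 1.1.1 was the first release with TLS 1.3.
    [ "$major" -eq 1 ] && [ "$minor" -ge 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Try it against the OpenSSL installed on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    if supports_tls13 "$banner"; then
        echo "$banner: TLS 1.3 capable"
    else
        echo "$banner: too old for TLS 1.3, upgrade before touching the TLS config"
    fi
fi
```

The check is deliberately strict about the 1.x branch: 1.1.0 looks close to 1.1.1 but was a different API line that never gained TLS 1.3, and both it and 1.0.2 are out of support.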

OpenSSL Commands Lines for Generating a CSR

You can’t get an SSL certificate issued without a CSR. Fortunately, OpenSSL makes it easy to complete one. Sort of. Your CSR contains the Common Name of the website you want to secure (and, ideally, a Subject Alternative Name list with every hostname the certificate should cover, since browsers check the SAN rather than the Common Name), along with other identifying information about the company or organization acquiring the certificate. It also contains your public key. But to generate a public key, and by extension a CSR, you need to first generate a private key.

Generating a Private Key with OpenSSL

Now let’s get into generating your super secret private key (relax, it’s not as cool as it sounds. For a 2,048-bit RSA key it’s really just two large random primes and a handful of numbers derived from them).

Good luck sticking that in a keyhole.

Anyway, you’re going to need to determine a few things about your Private Key before you can generate it. You need to:

  • Pick a Key Algorithm – From a compatibility standpoint we suggest RSA. ECDSA with the P-256 curve is the other mainstream choice: smaller keys and faster handshakes, and every current browser supports it, but check any older clients and your CA before picking it.
  • Pick a Key Size – Again, we recommend 2048-bit RSA. Public CAs will not sign anything smaller, and 4096 buys you slower handshakes for little practical gain.
  • Pick a Password – This is optional. An encrypted key (the -aes256 flag) has to be unlocked every time the server starts, so most people leave the key unencrypted and rely on file permissions instead: the key file should be readable only by the account that runs the server, and by nobody else.

Now that you’ve decided, let’s get to the command lines.

To generate a 2048-bit RSA key, use this:

openssl genrsa -out yourdomain.key 2048

To view the raw, encoded contents of the key, use this:

cat yourdomain.key

To decode the private key and print its components (modulus, exponents and the primes), use this. Everything it prints is secret, so don’t run it over a shared screen or into a log:

openssl rsa -text -in yourdomain.key -noout

Extracting your Public Key using OpenSSL

Your private key is actually what spawns your public key in a scientific process called budding. [Editor’s Note: That’s not true.] Ok, ok, the Private Key file contains the Public Key too, if you ever need to extract it, use this:

openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key

Creating your CSR with OpenSSL (Finally)

Ok, on to the CSR. Now that your private key is ready, it’s time to get to your Certificate Signing Request. To begin, use this:

openssl req -new -key yourdomain.key -out yourdomain.csr

OpenSSL will prompt you with a series of questions. Your answers to these questions will be embedded in your CSR, and the CA will copy them into the certificate. So answer them correctly.

  • Country Name: (2 Letter Code) – Enter your two-letter ISO country code (US, GB, DE and so on)
  • State or Province (full name) – Enter your State/Province, spelled out
  • Locality Name – Enter your city
  • Organization Name – Enter the legal name of your company, as the CA will validate it
  • Organization Unit – What department are you forced to do team-building with? (Public CAs no longer include this field in certificates, so it can be left blank.)
  • Common Name – Enter your Fully-Qualified Domain Name. A CSR has one Common Name; additional hostnames belong in the Subject Alternative Name extension, which this interactive prompt does not ask for (your CA’s order form usually does).
  • Email Address – Enter your email address, or leave it blank; it is optional
  • A challenge password – Skip this, press enter. It is a legacy field, not the password for your key, and modern CAs ignore it.
  • An optional company name – Skip this, press enter

When you’re done press enter.

Creating your CSR with a single OpenSSL command

This is for the advanced users. If you want to generate a private key and a CSR simultaneously, use the following command. The -nodes flag means the key is written unencrypted, and -subj supplies the whole Distinguished Name up front so nothing is prompted for. Just remember to swap the placeholder information for your own. If you copy-paste this command directly you’re not going to get a certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key \
  -out yourdomain.csr \
  -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

Verifying the Contents of your CSR with OpenSSL commands

Sometimes you may want to double-check whether the information contained in your CSR is correct. Maybe someone else at your company did the CSR and you need to double-check their work because they are an idiot. Or maybe you went shopping online a little inebriated and ordered some SSL certificates and now you need to make sure you got the information correct. Whatever your reason, here’s how to check the contents of your CSR:

openssl req -text -in yourdomain.csr -noout -verify

The -verify flag checks the CSR’s self-signature, which proves the request was made with the private key it claims. Look at the Subject line, and at the Requested Extensions section for the Subject Alternative Names, if you added any.
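The steps above (key, then CSR, then check) are one procedure, and the interactive prompt has no way to ask for Subject Alternative Names. As an added example that is not part of the original post, the script below does the whole thing non-interactively: it writes a small request config carrying a subjectAltName extension, generates the key with permissions that keep it private to the owner, produces the CSR, and then reads the SANs back and verifies the signature. The domain names, the Distinguished Name fields and the mktemp working directory are all placeholders chosen for the example; the config-file approach is used rather than -addext so it also works on OpenSSL builds older than 1.1.1.

```sh
#!/bin/sh
# Added example: key + CSR with Subject Alternative Names in one step, then
# checks on the result. All names are placeholders; nothing real is assumed.
set -e

# make_csr DIR CN [EXTRA_HOSTNAME...]: writes DIR/yourdomain.key and
# DIR/yourdomain.csr. The key is created owner-readable only (mode 0600).
make_csr() {
    dir=$1; cn=$2; shift 2
    # Build the subjectAltName value: DNS:cn, then one DNS: entry per extra host.
    sans="DNS:$cn"
    for s in "$@"; do sans="$sans,DNS:$s"; done

    # Minimal request config. req_extensions pulls the SAN extension into the
    # CSR; browsers match hostnames against SANs, not the Common Name.
    cat > "$dir/csr.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C  = US
ST = Utah
L  = Lehi
O  = Your Company, Inc.
CN = $cn

[ v3_req ]
subjectAltName = $sans
EOF

    # umask 077 makes the new key file readable by its owner only. -nodes leaves
    # the key unencrypted, which is what a server that starts unattended needs.
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/yourdomain.key" -out "$dir/yourdomain.csr" \
        -config "$dir/csr.cnf" 2>/dev/null)
}

# csr_sans CSR: print the SAN list from the request, e.g. DNS:a.com,DNS:b.com
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# csr_ok CSR: return 0 if the request's self-signature verifies.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_mode FILE: print the permission bits (e.g. 600); Linux then BSD stat.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demonstration on constructed placeholder names.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
if command -v openssl >/dev/null 2>&1; then
    make_csr "$work" yourdomain.com www.yourdomain.com
    echo "key file mode: $(key_mode "$work/yourdomain.key")"
    echo "SANs in CSR:   $(csr_sans "$work/yourdomain.csr")"
    csr_ok "$work/yourdomain.csr" && echo "CSR self-signature verifies"
fi
```

If a CA rejects a CSR, the SAN list and the Common Name are the first things to compare against the order; csr_sans shows exactly what was requested.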

Exporting your CSR to send to a CA with OpenSSL commands

You need to send your CSR to your Certificate Authority in the PEM file format. That means using a command line to get the raw output of the CSR, then copying it in to a text editor and then either pasting it in your CA’s order form or getting it to them by some other means.

Anyway, here’s the command line to get the raw output from your CSR:

cat yourdomain.csr

Viewing your SSL Certificate information with OpenSSL commands

To view the contents of any X.509 certificate (subject, issuer, validity dates, Subject Alternative Names, key usage and the public key) use the following command:

openssl x509 -text -in yourdomain.crt -noout

Verifying Keys match with OpenSSL commands

Sometimes you need to make sure that your key pairs match, that is, that the certificate you received really belongs to the private key sitting on the server. The following commands each hash the RSA modulus found in the private key, the CSR and the certificate. The modulus is the same in all three if they belong together, so the three hashes must be identical. This check is RSA-specific; for an EC key, compare the public keys instead.

openssl rsa -modulus -in yourdomain.key -noout | openssl sha256

openssl req -modulus -in yourdomain.csr -noout | openssl sha256

openssl x509 -modulus -in yourdomain.crt -noout | openssl sha256

Enter all three commands separately. Any difference between the hashes means one of the files does not belong with the others.
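The modulus trick only works for RSA. As an added example for the two sections above (viewing a certificate and checking that key, CSR and certificate match), the script below compares a SHA-256 hash of the DER-encoded public key instead, which works for RSA and EC material alike, and adds the expiry check most people want when they are already looking at a certificate. It is not code from the original post. Everything it operates on is generated on the fly with placeholder names, including a self-signed certificate that stands in for the CA-issued one and an unrelated EC key to show what a mismatch looks like.

```sh
#!/bin/sh
# Added example: key/CSR/certificate matching by public-key hash, plus a
# certificate summary and an expiry check. All files are generated below with
# placeholder names; the self-signed cert stands in for a CA-issued one.
set -e

# pubkey_sha256 FILE: SHA-256 of the DER public key inside a private key,
# a CSR or a certificate. The first PEM line tells us which tool reads it.
# (An encrypted private key would prompt for its passphrase here.)
pubkey_sha256() {
    case "$(head -n 1 "$1")" in
        *"CERTIFICATE REQUEST"*) openssl req  -in "$1" -noout -pubkey ;;
        *"BEGIN CERTIFICATE"*)   openssl x509 -in "$1" -noout -pubkey ;;
        *"PRIVATE KEY"*)         openssl pkey -in "$1" -pubout ;;
        *) echo "unrecognised PEM file: $1" >&2; return 1 ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match KEY CSR CRT: return 0 only if all three carry the same public key.
keys_match() {
    k=$(pubkey_sha256 "$1"); r=$(pubkey_sha256 "$2"); c=$(pubkey_sha256 "$3")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# cert_summary CRT: the fields you usually need at a glance.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# cert_expires_within CRT SECONDS: return 0 if the cert expires within SECONDS.
# -checkend exits 0 when the cert is still valid at that point, 1 otherwise.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demonstration on constructed placeholder material.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
if command -v openssl >/dev/null 2>&1; then
    subj="/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./CN=yourdomain.com"
    openssl genrsa -out "$work/yourdomain.key" 2048 2>/dev/null
    openssl req -new -key "$work/yourdomain.key" -subj "$subj" -out "$work/yourdomain.csr"
    # Self-signed, 30-day certificate from the CSR, in place of a CA-issued one.
    openssl x509 -req -in "$work/yourdomain.csr" -signkey "$work/yourdomain.key" \
        -days 30 -out "$work/yourdomain.crt" 2>/dev/null
    # An EC key with nothing to do with the above, to show a mismatch.
    openssl ecparam -name prime256v1 -genkey -noout -out "$work/other.key"

    keys_match "$work/yourdomain.key" "$work/yourdomain.csr" "$work/yourdomain.crt" \
        && echo "key, CSR and certificate match"
    keys_match "$work/other.key" "$work/yourdomain.csr" "$work/yourdomain.crt" \
        || echo "other.key does not belong to this certificate"
    cert_summary "$work/yourdomain.crt"
    cert_expires_within "$work/yourdomain.crt" $((60 * 24 * 3600)) \
        && echo "certificate expires within 60 days: renew soon"
fi
```

Note the order of the case branches: a CSR header also contains the words "BEGIN CERTIFICATE", so the request pattern has to be tested first. The -checkend check is a cheap thing to run from cron against every certificate you deploy.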

Converting Certificate Formats with OpenSSL commands

Sometimes you need to change formats. Certain servers require certain file types, and OpenSSL is capable of converting them for you if you can speak its secret language. Here’s how:

Convert PEM to PKCS#12

PKCS#12 (.pfx or .p12) is the bundle format Windows/IIS and Java tooling expect; it packs the private key and certificate into one password-protected file. The -name value is the friendly name shown in the certificate store, so pick something that tells you what the bundle is. If your CA gave you an intermediate chain, include it with -certfile so the server can send the full chain. One caveat: OpenSSL 3 encrypts the bundle with AES-256 by default, which older Windows releases cannot read; its pkcs12 command has a -legacy option for those targets.

openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \
  -out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt

PKCS#12 to PEM

To extract the Private Key (-nodes writes it unencrypted, so set restrictive permissions on the output file)

openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes

To extract the SSL certificate

openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt

PEM to DER

Encode your SSL certificate

openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der

Encode your Private Key

openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der

DER to PEM

Convert your Certificate

openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt

Convert your Private Key

openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key
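Conversions are where keys quietly get lost or corrupted, so it is worth proving the output still contains what the input did. As an added example (not from the original post), the script below wraps the conversions from this section into non-interactive functions, round-trips a key and certificate through PKCS#12 and through DER, and then compares certificate fingerprints and RSA moduli across the copies. The key, the self-signed certificate and the password are placeholders generated or chosen for the example.

```sh
#!/bin/sh
# Added example: PEM -> PKCS#12 -> PEM and PEM -> DER round trips, with
# checks that the key and certificate survived intact. All material is
# generated below with placeholder names; the password is a stand-in.
set -e

# pem_to_pfx KEY CRT OUT PASSWORD [CHAIN]: bundle key and cert, plus the
# intermediate chain when one is given, into a password-protected PKCS#12.
pem_to_pfx() {
    key=$1; crt=$2; out=$3; pw=$4; chain=$5
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -name "yourdomain" -inkey "$key" -in "$crt" \
            -certfile "$chain" -out "$out" -passout "pass:$pw"
    else
        openssl pkcs12 -export -name "yourdomain" -inkey "$key" -in "$crt" \
            -out "$out" -passout "pass:$pw"
    fi
}

# pfx_to_pem PFX PASSWORD KEYOUT CRTOUT: split a bundle back into PEM files.
pfx_to_pem() {
    # -nodes writes the key unencrypted; umask 077 keeps the file owner-only.
    (umask 077 && openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3")
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$4"
}

# cert_fingerprint CRT [FORM]: SHA-256 fingerprint; identical for PEM or DER
# encodings of the same certificate.
cert_fingerprint() {
    openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# key_modulus KEY [FORM]: the RSA modulus, which no container change alters.
key_modulus() {
    openssl rsa -inform "${2:-PEM}" -in "$1" -noout -modulus | cut -d= -f2
}

# Demonstration on constructed placeholder material.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
if command -v openssl >/dev/null 2>&1; then
    # Placeholder key and self-signed certificate to convert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./CN=yourdomain.com" \
        -keyout "$work/yourdomain.key" -out "$work/yourdomain.crt" 2>/dev/null

    # PEM -> PKCS#12 -> PEM
    pem_to_pfx "$work/yourdomain.key" "$work/yourdomain.crt" "$work/yourdomain.pfx" 'placeholder-pw'
    pfx_to_pem "$work/yourdomain.pfx" 'placeholder-pw' "$work/from_pfx.key" "$work/from_pfx.crt"

    # PEM -> DER for both the certificate and the key
    openssl x509 -inform PEM -in "$work/yourdomain.crt" -outform DER -out "$work/yourdomain.der"
    openssl rsa -inform PEM -in "$work/yourdomain.key" -outform DER \
        -out "$work/yourdomain_key.der" 2>/dev/null

    echo "cert fingerprint, PEM: $(cert_fingerprint "$work/yourdomain.crt")"
    echo "cert fingerprint, PFX: $(cert_fingerprint "$work/from_pfx.crt")"
    echo "cert fingerprint, DER: $(cert_fingerprint "$work/yourdomain.der" DER)"
fi
```

The files pulled out of a PKCS#12 bundle start with "Bag Attributes" lines ahead of the PEM block; the openssl x509 and rsa commands skip past them, but some other tools do not, so strip them if a server refuses the file.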

Stay cautious, my friends…
