Learn to use OpenSSL command lines
Writing a comprehensive guide to OpenSSL commands seems an odd job to give an aging man who, up until recently, thought servers could only be found hoofing it from kitchen to table in a chain restaurant. Probably one that can’t attract millennial customers. Seriously. Millenials are the worst thing to ever happen to Applebee’s. But that’s another discussion for another time.
Today, we’re here to discuss OpenSSL command lines.
What is OpenSSL?
OpenSSL is a software library, a cryptography library to be exact. It’s a robust, full-featured toolkit for the open-source implementation of the SSL and TLS protocols. It includes tools for generating Certificate Signing Requests and Private Keys. It’s written in the programming language, C, though there are wrappers available for a wide range of computer languages. About two-thirds of all web servers are using OpenSSL.
Why do I need to learn OpenSSL commands?
Now, I know what you’re asking: “can’t I just generate a private key and a CSR in my browser with an online tool?” No. No you may not. Google recently buried Mr. Trustico for that. And Google hasn’t pulled a wet job since it whacked Jeeves. So that means we need to learn some command lines. That’s right, today we’re going to forget some relevant information so we can make space in our brains for some random strings of text that a computer will understand.
So say goodbye to the Pythagorean theorem and say hello to… this.
Checking your OpenSSL Version
Sometimes you’ll need to identify which version of OpenSSL is being used on a given server. And even if you already know, sometimes it’s nice just to ask the server a few questions about itself before you start bossing it around. That’s called foreplay.
Anyway, figuring out what version of OpenSSL you’re working with lets you know about what it’s compatible with. This will be even more important when TLS 1.3 rolls out, as you’ll need to make sure your OpenSSL implementation supports it.
Use the following command line check OpenSSL Version:
openssl version -a
OpenSSL Commands Lines for Generating a CSR
You can’t get an SSL certificate issued without a CSR. Fortunately, OpenSSL makes it easy to complete one. Sort of. Your CSR contains the Common Name of the website you want to secure, along with other identifying information about the company or organization acquiring the certificate. It also contains your public key. But to generate a public key, and by extension a CSR, you need to first generate a private key.
Generating a Private Key with OpenSSL
Now let’s get into generating your super secret private key (relax, it’s not as cool as it sounds – it’s really just a 2,048-bit string of random numbers).
Good luck sticking that in a keyhole.
Anyway, you’re going to need to determine a few things about your Private Key before you can generate it. You need to:
- Pick a Key Algorithm – From a compatibility standpoint we suggest RSA. Other options are available if you need them though.
- Pick a Key Size – Again, we recommend going with 2048-bit RSA
- Pick a Password – This is optional, if you decide to use one you’ll need to remember your password anytime you want to use your private key.
Now that you’ve decided, let’s get to the command lines.
To generate a 2048-bit RSA key, use this:
openssl genrsa -out yourdomain.key 2048
To view the raw, encoded contents of the key, use this:
To decode the private key, use this:
openssl rsa -text -in yourdomain.key -noout
Extracting your Public Key using OpenSSL
Your private key is actually what spawns your public key in a scientific process called budding. [Editor’s Note: That’s not true.] Ok, ok, the Private Key file contains the Public Key too, if you ever need to extract it, use this:
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
Creating your CSR with OpenSSL (Finally)
Ok, on to the CSR. Now that your private key is ready, it’s time to get to your Certificate Signing Request. To begin, use this:
openssl req -new -key yourdomain.key -out yourdomain.csr
The server will respond by asking you a series of questions. Your answers to these questions will be embedded in your CSR. So answer them correctly.
- Country Name: (2 Letter Code) – Enter your Country Code
- State or Province (full name) – Enter your State/Province
- Locality Name – Enter your city
- Organization Name – Enter the name of your company
- Organization Unit – What department are you forced to do team-building with?
- Common Name – Enter your Fully-Qualified Domain Name
- Email Address – Enter your email address
- A challenge password – Skip this, press enter
- An optional company name – Skip this, press enter
When you’re done press enter.
Creating your CSR with a single OpenSSL command
This is for the advanced users. If you want to generate a private key and a CSR simultaneously then you can use the following command. Just remember to saw the placeholder information with your information. If you copy-paste this command directly you’re not going to get a certificate.
openssl req -new \-newkey rsa:2048 -nodes -keyout yourdomain.key \-out yourdomain.csr \-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
Verifying the Contents of your CSR with OpenSSL commands
Sometimes you may want to double-check whether the information contained in your CSR is correct. Maybe someone else at your company did the CSR and you need to double-check their work because they are an idiot. Or maybe you went shopping online a little inebriated and ordered some SSL certificates and now you need to make sure you got the information correct. Whatever your reason, here’s how to check the contents of your CSR:
openssl req -text -in yourdomain.csr -noout -verify
Exporting your CSR to send to a CA with OpenSSL commands
You need to send your CSR to your Certificate Authority in the PEM file format. That means using a command line to get the raw output of the CSR, then copying it in to a text editor and then either pasting it in your CA’s order form or getting it to them by some other means.
Anyway, here’s the command line to get the raw output from your CSR:
Viewing your SSL Certificate information with OpenSSL commands
To view the contents of any X.509 certificate use the following command:
openssl x509 -text -in yourdomain.crt -noout
Verifying Keys match with OpenSSL commands
Sometimes you need to make sure that your key pairs match. Using the following commands generates a hash of the output for your CSR, Private Key and Certificate. You need to compare the values, and if they match you know that your key pairs match, too.
openssl rsa -modulus -in yourdomain.key -noout | openssl sha256 openssl req -modulus -in yourdomain.csr -noout | openssl sha256 openssl x509 -modulus -in yourdomain.crt -noout | openssl sha256
Enter all three commands separately.
Converting Certificate Formats with OpenSSL commands
Sometimes you need to change formats, certain servers require certain file types and OpenSSL is capable of converting them for you if you can speak its secret language. Here’s how you:
Convert PEM to PKCS#12
openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \-out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt
PKCS#12 to PEM
To extract the Private Key
openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes
To extract the SSL certificate
openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt
PEM to DER
Encode your SSL certificate
openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der
Encode your Private Key
openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der
DER to PEM
Convert your Certificate
openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt
Convert your Private Key
openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key
Stay cautious, my friends…
Buy SSL Certificates at Low Prices