27 Apr 2017

OpenSSL Cheatsheet

A cheatsheet of common OpenSSL commands.

Generate 512 bit RSA private key

# Writes a new RSA private key to stdout. With no size argument the length is the build's
# default, which varies by OpenSSL version (older releases default well below the 2048 bits
# generally expected today) -- pass the size explicitly rather than relying on it.
openssl genrsa

Generate 1024 bit RSA private key

# 1024-bit RSA key written to stdout. 1024 bits is below the 2048-bit minimum that current
# CAs and TLS clients expect; use 2048 or more for anything beyond throwaway testing.
openssl genrsa 1024

Generate 1024 bit RSA private key and save to file

# Same key, saved to private.key unencrypted. Restrict the file's permissions after
# creation; 1024 bits is undersized for production use.
openssl genrsa -out private.key 1024

Check private key

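# Verifies the RSA key's internal consistency and prints "RSA key ok" (or the failure).
# -noout suppresses echoing the private key itself to the terminal; -check alone prints
# the PEM-encoded key after the status line.
openssl rsa -in private.key -check -noout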

Generate 1024 bit RSA private key with passphrase

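# Generates the key and encrypts it with a passphrase prompted for interactively.
# AES-256 replaces the legacy 3DES wrapper (-des3); the same `openssl rsa` commands read
# either back.
openssl genrsa -aes256 -out private.key 1024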

Generate certificate authority (CA) key

# CA signing key, unencrypted and 1024-bit. Every certificate issued under this CA depends
# on this file staying private: encrypt it (-aes256), keep it off shared hosts, and prefer
# 2048 bits or more.
openssl genrsa -out ca.key 1024

Generate a CA certificate signing request (CSR) using CA key

# Builds a CSR for the CA key; with no -config the subject fields are prompted for
# interactively.
openssl req -new -key ca.key -out ca.csr

Generate a CA CSR using CA key and config file

Config file openssl.cnf:

# Request settings for the CA CSR. prompt = no takes the subject from
# [ req_distinguished_name ] instead of asking interactively.
# No extension section is referenced, so a certificate self-signed from this CSR carries
# no basicConstraints or keyUsage and some clients will not accept it as a CA. To mark it
# as a CA, add a section such as [ v3_ca ] with basicConstraints = critical, CA:TRUE and
# keyUsage = critical, keyCertSign, cRLSign, and reference it via x509_extensions when
# creating the certificate with req -x509 (or -extfile/-extensions with x509 -req).
[ req ]
prompt = no
distinguished_name = req_distinguished_name

# Subject fields; double quotes are stripped by the config parser.
[ req_distinguished_name ]
C = "US"                        # country
ST = "CA"                       # state
L = "LA"                        # locality
O = "Internet Widgits Pty Ltd"  # org name
OU = "IT"                       # org unit name
CN = "example.com"              # Common Name
emailAddress = "webmaster@example.com"
# Same CSR, non-interactive: the subject comes from [ req_distinguished_name ] in the
# config file above.
openssl req -config openssl.cnf -new -key ca.key -out ca.csr

Self-sign CA CSR for creation of the CA certificate (CRT)

# Self-signs ca.csr with ca.key. No -days, so the certificate is valid for the x509 default
# of 30 days; no -extfile/-extensions, so it carries no basicConstraints and some clients
# will not treat it as a CA.
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key

Self-sign CA CSR for creation of the CA certificate valid for 365 days

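# Self-signs the CSR into ca.crt valid for 365 days. -days has no effect on `req -new`,
# which only produces a CSR; validity is fixed when the certificate is signed, so this is
# an x509 -req operation like the entry above.
openssl x509 -req -days 365 -in ca.csr -out ca.crt -signkey ca.key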

Check X.509 certificate

# Dumps the certificate in human-readable form (subject, issuer, validity, extensions);
# add -noout to skip the trailing PEM block.
openssl x509 -in ca.crt -text

Generate new server private key

# Server private key, unencrypted so the server can load it without a passphrase.
# Restrict file permissions; 1024 bits is below the 2048-bit minimum public CAs accept.
openssl genrsa -out example.com.key 1024

Generate new CSR using server private key

# CSR for the server key; subject fields are prompted for. No subjectAltName is included,
# which SAN-only clients require -- see the multi-domain config entry below.
openssl req -new -key example.com.key -out example.com.csr

Generate new CSR with multiple domains using config

Config file openssl.cnf:

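# Request settings for a multi-domain server CSR. req_extensions pulls the
# [ v3_req ] section (and through it the SAN list) into the request.
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
C = "US"                        # country
ST = "CA"                       # state
L = "LA"                        # locality
O = "Internet Widgits Pty Ltd"  # org name
OU = "IT"                       # org unit name
CN = "example.com"              # Common Name
emailAddress = "webmaster@example.com"

[ v3_req ]
subjectAltName = @alt_names

# The CN itself must also be listed here: modern clients match the host against the SAN
# list only and ignore the Common Name, so a cert with just www/www2 would not be valid
# for example.com. Note that the signing step must copy this extension into the
# certificate explicitly; it is not carried over from the CSR by default.
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = www2.example.com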
# Non-interactive CSR with the subject and the [ v3_req ] SAN list taken from the config
# above. The SAN only lands in the final certificate if the signing command copies it.
openssl req -config openssl.cnf -new -key example.com.key -out example.com.csr

Sign the server’s certificate with CA certificate

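# Issues example.com.crt from the CSR, signed by the CA. `openssl ca` needs a configured
# CA database ([ ca ] section, index.txt, serial file) that the config on this page does
# not provide; x509 -req works with just the CA certificate and key. -CAcreateserial
# creates ca.srl on first use, -days sets the validity (x509 default is 30 days), and
# -extfile/-extensions copy subjectAltName from [ v3_req ] into the certificate --
# neither tool carries CSR extensions over by default. Drop the -extfile/-extensions
# pair if the CSR was made without a SAN section.
openssl x509 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
  -extfile openssl.cnf -extensions v3_req -out example.com.crt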

Check server CSR

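# Prints the CSR's subject, requested extensions (SAN) and public key, and -verify checks
# its self-signature. The x509 subcommand reads certificates, not requests, so inspecting
# example.com.crt shows the issued certificate rather than the CSR.
openssl req -in example.com.csr -noout -text -verify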

Verify chain of trust for certificate

# Validates the server certificate against ca.crt as the trust anchor (signature, validity
# period, chain). This does not check the hostname; use -verify_hostname for that where
# the OpenSSL version supports it.
openssl verify -CAfile ca.crt example.com.crt

Export certificate in PKCS#12 format

# Bundles the certificate and its private key into a PKCS#12 file; -clcerts excludes any
# CA certificates. Prompts for an export password, which is the only thing protecting the
# private key inside the .p12 -- choose a strong one and restrict the file's permissions.
openssl pkcs12 -export -clcerts -in example.com.crt -inkey example.com.key -out example.com.p12

Check a PKCS#12 file (.pfx or .p12)

# Prompts for the import password and lists the bundle's contents (certificates, key
# encryption parameters). Without -noout it also writes the certificates and the
# (re-encrypted) private key to stdout.
openssl pkcs12 -info -in example.com.p12

Convert CRT to PEM

# ".crt" is only a file extension, not a format. The default -inform is PEM, so this
# merely re-encodes an already-PEM certificate (such as the ca.crt created above); for a
# binary DER .crt add -inform DER.
openssl x509 -in ca.crt -out ca.pem -outform PEM

Convert PEM to DER

# Re-encodes a PEM certificate as binary DER (the form Windows and Java keystores often
# expect).
openssl x509 -outform der -in ca.pem -out ca.der

Convert PEM certificate and private key to PKCS#12 (.pfx .p12)

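# Bundles the server certificate, its private key and the CA certificate (-certfile) into
# a PKCS#12 file. The key must be the one example.com.crt was issued for -- example.com.key
# in this cheatsheet; passing an unrelated key makes pkcs12 fail with
# "No certificate matches private key". Prompts for an export password.
openssl pkcs12 -export -out example.com.pfx -inkey example.com.key -in example.com.crt -certfile ca.crt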

Remove passphrase from private key

# Prompts for the existing passphrase and writes the key out unencrypted. The result is
# a plaintext secret: create it with restrictive permissions and avoid leaving it on
# shared or backed-up paths.
openssl rsa -in private.key -out new_private.key

Check an SSL connection. Prints the server's leaf certificate and handshake details; use -showcerts (next entry) to print all certificates including intermediates

# Opens a TLS connection and prints the handshake details, the server's leaf certificate
# and the negotiated protocol/cipher, then reads stdin (type a request, or Ctrl-D to end).
# Older OpenSSL releases send no SNI unless -servername example.com is added, so a
# multi-host server may return the wrong certificate.
openssl s_client -connect example.com:443

Print full chain of certificates for host

# As above, but -showcerts prints every certificate the server sent (leaf plus
# intermediates) in PEM form.
openssl s_client -connect example.com:443 -showcerts

Print public key of certificate

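# Extracts the server's public key from the leaf certificate. s_client reads stdin until
# EOF, so redirect from /dev/null to keep the pipeline from hanging; -servername sends
# SNI so a multi-host server returns the certificate for example.com.
openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -pubkey -noout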

Default openssl.cnf location in Mac OS X

/System/Library/OpenSSL/openssl.cnf

Generate new CA command in Mac OS X

# Interactive helper that creates a demo CA directory (key, self-signed certificate,
# index and serial files) and prompts for the subject fields. Confirm the path exists on
# your macOS version before relying on it.
/System/Library/OpenSSL/misc/CA.pl -newca