Skip to content

Instantly share code, notes, and snippets.

@Hakky54
Forked from p3t3r67x0/openssl_commands.md
Last active December 17, 2024 13:16
Show Gist options
  • Save Hakky54/b30418b25215ad7d18f978bc0b448d81 to your computer and use it in GitHub Desktop.
Save Hakky54/b30418b25215ad7d18f978bc0b448d81 to your computer and use it in GitHub Desktop.
OpenSSL Cheat Sheet - Some list of openssl commands for check and verify your keys

OpenSSL Cheat Sheet 🔐

Install

Install the OpenSSL on Debian based systems

sudo apt-get install openssl

Commands

Creation

Create a private key

openssl genrsa -out server.key 4096

Generate a new private key and certificate signing request

openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out server.csr -key server.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Generate a Diffie Hellman key

openssl dhparam -out dhparam.pem 2048

Generate a v3 certificate by signing CSR

openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

See below for an example v3.ext file

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

Checking

Check a certificate signing request (CSR)

openssl req -text -noout -verify -in server.csr

Check a private key

openssl rsa -in server.key -check

Check a public key

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Check a certificate

openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in server.p12

Verify a private key matches an certificate

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Display all certificates including intermediates

openssl s_client -connect www.paypal.com:443

Converting

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in server.cer -out server.pem

Convert a PEM file to DER

openssl x509 -outform der -in server.pem -out server.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in server.pfx -out server.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

Other commands

Remove a passphrase from a private key

openssl rsa -in server.pem -out newserver.pem

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl

Encrypt files with rsautl

openssl rsautl -encrypt -in plaintext.txt -out encrypted.txt -pubin -inkey pubkey.pem

Decrypt files with rsautl

openssl rsautl -decrypt -in encrypted.txt -out plaintext.txt -inkey privkey.pem

Exporting

Extracting Public Key from Private Key

openssl rsa -in privkey.pem -pubout > key.pub

Extracting Public Key from Certificate

openssl x509 -pubkey -noout -in cert.pem  > pubkey.pem

@eisterman
Copy link

Creating an x509 v3 user certificate by signing CSR

openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

where v3.ext3 is an extension file that can look like:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

source: https://stackoverflow.com/a/18242720/5903025

@Hakky54
Copy link
Author

Hakky54 commented Dec 17, 2022

Thank you @eisterman I updated the gist, this is a nice addition. I was using extension files before, but did not notice it was missing here 😄

@crossbone-magister
Copy link

Extracting Public Key from Private Key

openssl rsa -in privkey.pem -pubout > key.pub

source: https://stackoverflow.com/questions/10271197/how-to-extract-public-key-using-openssl

Extracting Public Key from Certificate

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

source: https://stackoverflow.com/questions/17143606/how-to-save-public-key-from-a-certificate-in-pem-format

I find myself using these more often than expected. Hopefully they make a good addition to the list.

@Hakky54
Copy link
Author

Hakky54 commented Feb 22, 2023

Hi @crossbone-magister Thank you for your contribution ❤️ I added a separate exporting section.

@Kalmarv
Copy link

Kalmarv commented Jun 28, 2023

I was having some issue with the pkcs12 commands, getting Error outputting keys and certificates

The fix from here worked, just adding --legacy to the end of the command. openssl/openssl#14790

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment