@mrmichalis
Last active August 20, 2021 13:55
OpenSSL Cheatsheet

Generating Certificates

Generate RSA Private Key + CSR
openssl req -out newkey.csr -new -newkey rsa:[bits] -nodes -keyout priv.key

Generate Self Signed Certificate + Priv Key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:[bits] -keyout priv.key -out cert.crt

Generate CSR for existing Cert
openssl x509 -x509toreq -in cert.crt -out newreq.csr -signkey priv.key

Generate CSR for Existing Key
openssl req -out oldkey.csr -key priv.key -new

Create a CA
openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.crt -days [days valid]

Generate Diffie-Hellman Parameters
openssl dhparam -out dhparam.pem [bits]

Examining Certificates

Examine a CSR
openssl req -text -noout -verify -in oldreq.csr

Examine a Private Key
openssl rsa -in priv.key -check

Examine a Certificate
openssl x509 -in cert.crt -text -noout

Examine PKCS#12 files
openssl pkcs12 -info -in key.pfx

Converting Formats

PEM to DER
openssl x509 -outform der -in cert.pem -out cert.der

DER to PEM
openssl x509 -inform der -in cert.cer -out cert.pem

PKCS#12 to PEM
openssl pkcs12 -in key.pfx -out key.pem -nodes

PEM to PKCS#12
openssl pkcs12 -export -out cert.pfx -inkey priv.key -in cert.crt -certfile ca.crt

Encryption and Decryption

List Encryption Schemes
openssl enc -h

Advanced Encryption Standard CBC Mode

Encrypt
openssl aes-256-cbc -salt -in priv.txt -out priv.txt.enc

Decrypt
openssl aes-256-cbc -d -in priv.txt.enc -out priv.txt.new

AES CBC Output as Base64 File

Encrypt
openssl aes-256-cbc -a -salt -in priv.txt -out priv.txt.enc

Decrypt
openssl aes-256-cbc -a -d -in priv.txt.enc -out priv.txt.new

Check Remote Certificates

HTTPS Server
openssl s_client -showcerts -connect www.example.com:443

IMAP Server
openssl s_client -showcerts -starttls imap -connect mail.example.com:143

XMPP Server
openssl s_client -showcerts -starttls xmpp -connect chat.example.com:5222

Present Client Certificate
openssl s_client -showcerts -cert cert.crt -key cert.key -connect www.example.com:443

Verify Certificates

Verify Certificate with CA Certificate
openssl verify -verbose -CAfile ca.crt cert.crt

Verify Private Key Matches Certificate
openssl x509 -modulus -noout -in cert.crt | openssl md5

openssl rsa -modulus -noout -in priv.key | openssl md5
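
A scripted form of the "Verify Private Key Matches Certificate" check, as an added example that is not part of the original gist: it compares the whole public key instead of an MD5 of the RSA modulus, so it also covers non-RSA keys, and it reports an unreadable file separately from a mismatch. The function names, the `-subj` value and the throwaway key pairs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the gist): does a private key belong to a certificate?
# Compares the PEM SubjectPublicKeyInfo of both files, so it is not RSA-specific.

# key_matches_cert CERT KEY -> 0 match, 1 mismatch, 2 unreadable input
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2   # never treat two empty outputs as a match
    [ "$cert_pub" = "$key_pub" ]
}

# pubkey_sha256 CERT: SHA-256 of the certificate's DER-encoded public key,
# a fingerprint that can be logged or compared across hosts.
pubkey_sha256() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# make_pair DIR NAME: constructed test material, made with the cheatsheet's
# self-signed command plus -subj so that it runs without prompts.
make_pair() {
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=$2.example" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 2
    make_pair "$d" a && make_pair "$d" b || { rm -rf "$d"; return 2; }
    own=0;   key_matches_cert "$d/a.crt" "$d/a.key"       || own=$?
    other=0; key_matches_cert "$d/a.crt" "$d/b.key"       || other=$?
    bad=0;   key_matches_cert "$d/a.crt" "$d/missing.key" || bad=$?
    echo "own=$own other=$other bad=$bad spki_sha256=$(pubkey_sha256 "$d/a.crt")"
    rm -rf "$d"
}

demo
```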
