3.3.1 About the openssl Command

The openssl command, which is included in the openssl package, allows you to perform various cryptographic operations from the OpenSSL library, including:

  • Creating and managing pairs of private and public keys.

  • Performing public key cryptographic operations.

  • Creating self-signed certificates.

  • Creating certificate signing requests (CSRs).

  • Creating certificate revocation lists (CRLs).

  • Converting certificate files between various formats.

  • Calculating message digests.

  • Encrypting and decrypting files.

  • Testing both the client and server sides of TLS/SSL connections, for example against HTTP and SMTP servers.

  • Verifying, encrypting and signing S/MIME email.

  • Generating and testing prime numbers, and generating pseudo-random data.

The following are some sample openssl commands.

Create a self-signed X.509 certificate that is valid for 365 days, writing the unencrypted private key to prikey.pem and the certificate to cert.pem. Because -nodes leaves the key unencrypted, restrict the permissions on prikey.pem. Use at least a 2048-bit RSA key: 1024-bit RSA is no longer considered secure and is rejected by current browsers and by the security level configured on most current distributions. A certificate that carries the host name only in the CN, as here, is sufficient for testing with s_server and s_client, but browsers require the host name in a subjectAltName extension.

# openssl req -x509 -nodes -days 365 -subj '/C=US/ST=Ca/L=Sunnydale/CN=www.unserdom.com' \
  -newkey rsa:2048 -keyout prikey.pem -out cert.pem

Test a self-signed certificate by launching a test server that listens on port 443 (binding to a port below 1024 requires root). With the -www option, the server answers an HTTP GET with a plain HTML page that describes the negotiated connection.

# openssl s_server -accept 443 -cert cert.pem -key prikey.pem -www

Test the client side of a connection. This command prints information about the connection, including the server certificate and the negotiated protocol version and cipher, and then lets you type HTTP commands directly. The -CAfile option makes the self-signed certificate the trust anchor for this check, so the output should end with Verify return code: 0 (ok); without it, a self-signed certificate produces a verification error.

# openssl s_client -connect server:443 -CAfile cert.pem

Write a root certificate to a .crt file that can be published on a web site for downloading by a browser. The content is still PEM, because PEM is the default output format of the x509 command; the .crt extension is what browsers and most certificate import dialogs expect.

# openssl x509 -in cert.pem -out rootcert.crt

Extract the certificate presented by a server. Only the first certificate of the server's chain (the server certificate itself) is captured this way; to capture the intermediate certificates as well, add -showcerts to the s_client command and keep every BEGIN/END block.

# echo | openssl s_client -connect server:443 2>/dev/null | \
  sed -ne '/BEGIN CERT/,/END CERT/p' > svrcert.pem

Display the information contained in an X.509 certificate.

# openssl x509 -text -noout -in svrcert.pem

Display the SHA-1 fingerprint of a certificate. SHA-1 fingerprints are still shown by many tools, but SHA-1 is no longer collision resistant; when comparing fingerprints out of band, replace -sha1 with -sha256.

# openssl x509 -sha1 -noout -fingerprint -in cert.pem

Generate a CSR, writing the unencrypted private key to prikey.pem and the request to csr.pem for submission to a CA. The subject must be passed with -subj (without it, req prompts for each field interactively). The CA signs the request and returns a certificate, or a certificate chain, that binds your public key to the subject; the private key never leaves your system.

# openssl req -new -nodes -subj '/CN=www.unserdom.com/O=Unser Dom, Corp./C=US/ST=Ca/L=Sunnydale' \
  -newkey rsa:2048 -keyout prikey.pem -out csr.pem

Display the information contained in a CSR.

# openssl req -in csr.pem -noout -text

Verify a certificate: its signature, the chain up to a trusted CA, and its period of validity. With no further options the chain is checked against the CA certificates in the system trust store, so a self-signed certificate such as the cert.pem created above fails with a self signed certificate error. To verify a certificate issued by a private CA, supply that CA's certificate with -CAfile. The command prints cert.pem: OK and exits with status 0 on success; treat any other result as failure.

# openssl verify cert.pem
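The key-generation, CSR, signing and verification steps above as one runnable script. This is an added example, not part of the original page: it stands up a throwaway private CA, issues a server certificate for the placeholder host www.example.test, and shows openssl verify succeeding against that CA, failing against the system trust store, and failing on a host-name mismatch. It assumes OpenSSL 1.1.0 or later; the names "Example Test CA" and www.example.test are placeholders chosen here.

```sh
#!/bin/sh
# Added example, not from the original page: build a throwaway private CA,
# issue a server certificate from a CSR, and exercise `openssl verify`.
# Assumes OpenSSL 1.1.0 or later. "Example Test CA" and www.example.test are
# placeholders chosen for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 2048-bit RSA is the floor today; 1024-bit keys are refused by browsers and
# by the security level configured on most current distributions.
KEYSPEC=rsa:2048

# Self-signed CA: a CSR signed with its own key. The CA extensions come from
# an explicit -extfile so the result does not depend on the local openssl.cnf.
make_ca() {
    openssl req -new -nodes -newkey "$KEYSPEC" \
        -subj '/C=US/ST=Ca/L=Sunnydale/O=Example/CN=Example Test CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# Server key and CSR, as the certificate requester would produce them.
make_csr() {
    openssl req -new -nodes -newkey "$KEYSPEC" \
        -subj '/C=US/ST=Ca/L=Sunnydale/O=Example/CN=www.example.test' \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
}

# The CA issues the certificate. Browsers match host names against
# subjectAltName, not CN, so the SAN is set at signing time.
sign_csr() {
    cat > "$WORK/srv.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF
    openssl x509 -req -days 90 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" 2>/dev/null
}

# Chain and host name check against the issuing CA: exit status 0 on success.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname www.example.test \
        "$WORK/srv.pem" >/dev/null 2>&1
}

# The system trust store knows nothing about a private CA, so this must fail.
verify_against_system_store() {
    openssl verify "$WORK/srv.pem" >/dev/null 2>&1
}

# A valid chain with the wrong host name must also fail.
verify_wrong_hostname() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname evil.example.test \
        "$WORK/srv.pem" >/dev/null 2>&1
}

has_san() {
    openssl x509 -noout -text -in "$WORK/srv.pem" | grep -q 'DNS:www.example.test'
}

# SHA-256 fingerprint to compare or pin out of band (not SHA-1).
fingerprint() {
    openssl x509 -sha256 -noout -fingerprint -in "$WORK/srv.pem" | cut -d= -f2
}

make_ca
make_csr
sign_csr
has_san
verify_against_ca
echo "chain and host name OK against the private CA"
verify_against_system_store || echo "expected: not trusted by the system store"
verify_wrong_hostname || echo "expected: host name mismatch rejected"
echo "SHA-256 fingerprint: $(fingerprint)"
```

The two expected failures are the point: a certificate can have a perfectly valid signature chain and still be the wrong certificate for the name a client connected to, and a private CA is only trusted where its certificate has been distributed.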

Display the OpenSSL configuration directory (OPENSSLDIR), which holds the default openssl.cnf and the CA certificates trusted by your system. By default, this directory is /etc/pki/tls. The /etc/pki/tls/certs subdirectory contains trusted certificates.

# openssl version -d

Create a SHA-256 digest of a file. A bare digest protects only against accidental corruption, because anyone who changes the file can recompute it; SHA-1 is shown in older documentation but is no longer collision resistant.

# openssl dgst -sha256 file

Sign the SHA-256 digest of a file using the private key stored in the file prikey.pem. The output is a detached binary signature that is distributed alongside the file. Do not use SHA-1 for new signatures.

# openssl dgst -sha256 -sign prikey.pem -out file.sha256 file

Verify the signed digest for a file using the public key stored in the file pubkey.pem, which is the public half of prikey.pem. The command prints Verified OK and exits with status 0 on success; treat any other output or exit status as failure.

# openssl dgst -sha256 -verify pubkey.pem -signature file.sha256 file
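The sign-and-verify procedure above as a runnable script. This is an added example, not part of the original page: it includes the step the page leaves out, exporting pubkey.pem from prikey.pem, and checks that a modified file no longer verifies. It assumes OpenSSL 1.1.0 or later; the manifest content and file names are placeholders constructed here.

```sh
#!/bin/sh
# Added example, not from the original page: detached signature over the
# SHA-256 digest of a file, verified with the exported public key, plus a
# tamper check. Assumes OpenSSL 1.1.0 or later. The manifest content and
# file names are placeholders constructed for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key pair: the signer keeps prikey.pem; verifiers only ever need pubkey.pem.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/prikey.pem" 2>/dev/null
chmod 600 "$WORK/prikey.pem"
openssl pkey -in "$WORK/prikey.pem" -pubout -out "$WORK/pubkey.pem"

# Constructed sample input: a release manifest.
printf 'version=1.2.3\narchive=release-1.2.3.tar.gz\n' > "$WORK/manifest.txt"

# Plain digest: detects accidental corruption only, since anyone who edits
# the file can recompute it.
digest_hex() {  # digest_hex <file>
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Detached signature over the SHA-256 digest using the private key.
sign_file() {  # sign_file <file> <signature-out>
    openssl dgst -sha256 -sign "$WORK/prikey.pem" -out "$2" "$1"
}

# Exit status 0 means "Verified OK"; anything else must be treated as failure.
verify_file() {  # verify_file <file> <signature>
    openssl dgst -sha256 -verify "$WORK/pubkey.pem" -signature "$2" "$1" \
        >/dev/null 2>&1
}

sign_file "$WORK/manifest.txt" "$WORK/manifest.sig"

# Append a line to a copy of the file; the signature must stop verifying.
cp "$WORK/manifest.txt" "$WORK/tampered.txt"
printf 'archive=evil.tar.gz\n' >> "$WORK/tampered.txt"

verify_original() { verify_file "$WORK/manifest.txt" "$WORK/manifest.sig"; }
verify_tampered() { verify_file "$WORK/tampered.txt" "$WORK/manifest.sig"; }

echo "digest: $(digest_hex "$WORK/manifest.txt")"
verify_original
echo "original: Verified OK"
if verify_tampered; then echo "BUG: tampered file verified"; exit 1; fi
echo "tampered: verification failed as expected"
```

Distribute pubkey.pem through a channel the verifier already trusts; a signature checked against a public key fetched from the same place as the file proves nothing.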

List the symmetric cipher names that the enc command accepts. This form is deprecated; on OpenSSL 1.1.0 and later, use openssl list -cipher-commands instead. To list TLS cipher suites rather than file-encryption ciphers, use the ciphers subcommand (see ciphers(1)).

# openssl list-cipher-commands

Encrypt a file using Blowfish with a key derived from a passphrase. Blowfish is a legacy cipher with a 64-bit block (OpenSSL 3.0 moves it to the legacy provider), and enc derives the key from the passphrase with a single hash iteration unless -pbkdf2 is given; for new data prefer AES-256 with -pbkdf2. Note also that enc provides confidentiality only: nothing detects a modified ciphertext, so sign or MAC the encrypted file if its integrity matters.

# openssl enc -blowfish -salt -in file -out file.enc

Decrypt a Blowfish-encrypted file. The -salt option is not needed here because enc reads the salt from the Salted__ header of file.enc; any -pbkdf2 or -iter options used for encryption, however, must be repeated exactly, as they are not recorded in the file.

# openssl enc -d -blowfish -in file.enc -out file.dec
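Passphrase-based file encryption with enc using current defaults rather than Blowfish, as an added example that is not part of the original page. It assumes OpenSSL 1.1.1 or later for -pbkdf2 and -iter; the passphrase, iteration count and file names are placeholders chosen here. The script also shows why the decryption exit status alone is not a reliable integrity check.

```sh
#!/bin/sh
# Added example, not from the original page: passphrase-based file encryption
# with `openssl enc` using AES-256-CBC and PBKDF2 in place of Blowfish and the
# single-iteration legacy key derivation. Assumes OpenSSL 1.1.1 or later.
# The passphrase, iteration count and file names are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample plaintext.
printf 'db_password=hunter2\napi_token=constructed-sample-token\n' > "$WORK/secrets.txt"

PASS='correct horse battery staple'  # placeholder passphrase
ITER=600000                           # PBKDF2 iterations; must match on decrypt

# The passphrase is passed through the environment (-pass env:NAME) so that it
# does not show up in the process list, as -pass pass:... would.
encrypt_file() {  # encrypt_file <in> <out>
    ENCPASS="$PASS" openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -pass env:ENCPASS -in "$1" -out "$2"
}

# The "Salted__" header carries the salt but not the iteration count, so the
# decrypting side has to know ITER. No -salt is needed: enc reads the header.
decrypt_file() {  # decrypt_file <in> <passphrase> <out>
    ENCPASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass env:ENCPASS -in "$1" -out "$3" 2>/dev/null
}

encrypt_file "$WORK/secrets.txt" "$WORK/secrets.enc"

has_salt_header() {
    [ "$(head -c 8 "$WORK/secrets.enc")" = "Salted__" ]
}

roundtrip_ok() {
    decrypt_file "$WORK/secrets.enc" "$PASS" "$WORK/secrets.dec" &&
        cmp -s "$WORK/secrets.txt" "$WORK/secrets.dec"
}

# CBC mode has no integrity check. A wrong passphrase is usually caught by the
# padding check ("bad decrypt") but can occasionally produce garbage instead,
# and a ciphertext modified anywhere but its last block decrypts without
# complaint. Check the content, not only the exit status, and sign or MAC
# anything whose integrity matters.
wrong_pass_detected() {
    if decrypt_file "$WORK/secrets.enc" 'not the passphrase' "$WORK/secrets.bad" &&
       cmp -s "$WORK/secrets.txt" "$WORK/secrets.bad"; then
        return 1
    fi
    return 0
}

has_salt_header
echo "Salted__ header present"
roundtrip_ok
echo "round trip OK"
wrong_pass_detected
echo "wrong passphrase did not yield the plaintext"
```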

Convert a Base64-encoded certificate (also referred to as PEM, after RFC 1421) to binary DER format, which some Windows and Java tools require.

# openssl x509 -in cert.pem -outform der -out certificate.der

Combine the Base64-encoded certificates of an entity and its CA into a single PKCS #7 bundle (.p7b); -certfile may be repeated once for each certificate in the chain.

# openssl crl2pkcs7 -nocrl -certfile entCert.cer -certfile CACert.cer -out certificate.p7b

For more information, see the openssl(1), ciphers(1), dgst(1), enc(1), req(1), s_client(1), s_server(1), verify(1), and x509(1) manual pages.