The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
The openssl command, which is included in the openssl package, allows you to perform various cryptography functions from the OpenSSL library including:
Creating and managing pairs of private and public keys.
Performing public key cryptographic operations.
Creating self-signed certificates.
Creating certificate signing requests (CSRs).
Creating certificate revocation lists (CRLs).
Converting certificate files between various formats.
Calculating message digests.
Encrypting and decrypting files.
Testing both client-side and server-side TLS/SSL with HTTP and SMTP servers.
Verifying, encrypting and signing S/MIME email.
Generating and testing prime numbers, and generating pseudo-random data.
The following are some sample openssl commands.
Create a self-signed X.509 certificate that is valid for 365 days, writing the unencrypted private key to prikey.pem and the certificate to cert.pem.
# openssl req -x509 -nodes -days 365 -subj '/C=US/ST=Ca/L=Sunnydale/CN=www.unserdom.com' \
-newkey rsa:1024 -keyout prikey.pem -out cert.pem
Test a self-signed certificate by launching a server that listens on port 443.
# openssl s_server -accept 443 -cert cert.pem -key prikey.pem -www
Test the client side of a connection, where server is the host name or IP address of the server. This command returns information about the connection including the certificate, and allows you to directly input HTTP commands.
# openssl s_client -connect server:443 -CAfile cert.pem
Convert a root certificate to a form that can be published on a web site for downloading by a browser.
# openssl x509 -in cert.pem -out rootcert.crt
Extract a certificate from a server.
# echo | openssl s_client -connect server:443 2>/dev/null | sed -ne '/BEGIN CERT/,/END CERT/p' > svrcert.pem
Display the information contained in an X.509 certificate.
# openssl x509 -text -noout -in svrcert.pem
Display the SHA1 fingerprint of a certificate.
# openssl x509 -sha1 -noout -fingerprint -in cert.pem
Generate a CSR, writing the unencrypted private key to prikey.pem and the request to csr.pem for submission to a CA. The CA signs and returns a certificate or a certificate chain that authenticates your public key.
# openssl req -new -nodes -subj '/CN=www.unserdom.com/O=Unser Dom, Corp./C=US/ST=Ca/L=Sunnydale' \
-newkey rsa:1024 -keyout prikey.pem -out csr.pem
Display the information contained in a CSR.
# openssl req -in csr.pem -noout -text
Verify a certificate including the signing authority, signing chain, and period of validity.
# openssl verify cert.pem
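The certificate, CSR and verify commands above are shown one at a time. The following script, added here as an example and not part of the Oracle documentation, runs them end to end: it creates a small private CA with openssl req -x509, generates a CSR, has the CA sign it with openssl x509 -req, and then verifies the issued certificate against the CA with openssl verify -CAfile. The subject names, file names and the 2048-bit key size are this example's own choices, and it assumes an openssl binary on PATH that accepts these options (OpenSSL 1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): build a private CA,
# issue a certificate from a CSR, and verify the result with openssl verify.
# Assumptions: openssl is on PATH and supports -subj, x509 -req and
# -CAcreateserial. All subject names and file names are constructed.

# Create a self-signed CA certificate and key in directory $1.
make_ca() {
    dir=$1
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj '/C=US/ST=Ca/L=Sunnydale/O=Example CA/CN=Example Root CA' \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Create an end-entity key and CSR in $1 for the host name $2.
make_csr() {
    dir=$1; host=$2
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=US/ST=Ca/L=Sunnydale/O=Unser Dom, Corp./CN=$host" \
        -keyout "$dir/prikey.pem" -out "$dir/csr.pem" 2>/dev/null
}

# Sign the CSR in $1 with the CA in $1, writing cert.pem. -CAcreateserial
# creates the CA's serial-number file on first use.
sign_csr() {
    dir=$1
    openssl x509 -req -days 365 -in "$dir/csr.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null
}

# Print OK if cert.pem chains to the CA certificate, otherwise FAIL.
verify_cert() {
    dir=$1
    if openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Print the subject common name of cert.pem (works with old and new
# subject output formats, since CN is the last component).
cert_cn() {
    openssl x509 -noout -subject -in "$1/cert.pem" | sed -n 's/.*CN *= *//p'
}

# Demonstration: run the whole flow in a scratch directory.
work=$(mktemp -d)
make_ca "$work" && make_csr "$work" www.unserdom.com && sign_csr "$work"
verify_cert "$work"   # OK
cert_cn "$work"       # www.unserdom.com
rm -rf "$work"
```

Running the script prints OK followed by www.unserdom.com. Note that openssl verify cert.pem with no -CAfile consults only the trust directory reported by openssl version -d, so a certificate issued by a private CA verifies only when that CA's certificate is passed with -CAfile or installed in that directory.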
Display the directory that holds information about the CAs trusted by your system. By default, this directory is /etc/pki/tls. The /etc/pki/tls/certs subdirectory contains trusted certificates.
# openssl version -d
Create an SHA1 digest of a file.
# openssl dgst -sha1 file
Sign the SHA1 digest of a file using the private key stored in the file prikey.pem.
# openssl dgst -sha1 -sign prikey.pem -out file.sha1 file
Verify the signed digest for a file using the public key stored in the file pubkey.pem.
# openssl dgst -sha1 -verify pubkey.pem -signature file.sha1 file
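The sign and verify commands above assume a pubkey.pem that matches prikey.pem but do not show where it comes from. The following script, added here as an example and not part of the Oracle documentation, generates the key pair, derives pubkey.pem with openssl rsa -pubout, signs a file's digest, verifies it, and then shows that a modified file no longer verifies. It uses SHA-256 rather than the SHA1 of the commands above; the file names and contents are constructed, and it assumes openssl on PATH.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): sign a file's SHA-256
# digest with an RSA private key, derive the matching public key with
# openssl rsa -pubout, verify the signature, and show that a modified file
# fails verification. Assumes openssl on PATH; file names and contents are
# constructed for this example.

# Generate prikey.pem and the matching pubkey.pem in directory $1.
make_keypair() {
    dir=$1
    openssl genrsa -out "$dir/prikey.pem" 2048 2>/dev/null
    # The verifier needs only the public half, extracted from the same key.
    openssl rsa -in "$dir/prikey.pem" -pubout -out "$dir/pubkey.pem" 2>/dev/null
}

# Write a detached signature $2.sig over file $2 using $1/prikey.pem.
sign_file() {
    openssl dgst -sha256 -sign "$1/prikey.pem" -out "$2.sig" "$2"
}

# Print "ok" if $2.sig is a valid signature over $2 under $1/pubkey.pem,
# otherwise "bad". openssl dgst -verify exits nonzero on failure.
verify_file() {
    if openssl dgst -sha256 -verify "$1/pubkey.pem" -signature "$2.sig" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# Demonstration in a scratch directory.
work=$(mktemp -d)
make_keypair "$work"
printf 'release tarball contents (constructed)\n' > "$work/file"
sign_file "$work" "$work/file"
verify_file "$work" "$work/file"   # ok
printf 'x' >> "$work/file"          # modify the signed data
verify_file "$work" "$work/file"   # bad
rm -rf "$work"
```

The signature is only as trustworthy as the channel that delivered pubkey.pem: a verifier that fetches the public key from the same place as the signed file gains nothing, so distribute the public key separately or pin it.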
List all available ciphers.
# openssl list-cipher-commands
Encrypt a file using Blowfish.
# openssl enc -blowfish -salt -in file -out file.enc
Decrypt a Blowfish-encrypted file.
# openssl enc -d -blowfish -in file.enc -out file.dec
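The following script, added here as an example and not part of the Oracle documentation, shows the same encrypt and decrypt round trip with openssl enc using AES-256-CBC and PBKDF2 key derivation in place of Blowfish, and demonstrates why a caller must compare the decrypted content rather than trust the exit status alone. It assumes OpenSSL 1.1.1 or later on PATH (for the -pbkdf2 option); the passphrases, file names and contents are constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): symmetric file
# encryption with openssl enc using AES-256-CBC and PBKDF2 instead of the
# Blowfish command shown above. Assumes OpenSSL 1.1.1 or later on PATH;
# passphrases, file names and contents are constructed for this example.

# Encrypt $1 to $1.enc with passphrase $2. -salt randomises key derivation
# so identical files do not produce identical ciphertext.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass "pass:$2" -in "$1" -out "$1.enc"
}

# Decrypt $1.enc to $1.dec with passphrase $2. A wrong passphrase usually
# fails the padding check ("bad decrypt"), but can occasionally pass it and
# produce garbage, so callers must compare content, not only the exit status.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$2" -in "$1.enc" -out "$1.dec" 2>/dev/null
}

# Print "same" if decrypting $1.enc with passphrase $2 reproduces $1,
# otherwise "different".
roundtrip_matches() {
    rm -f "$1.dec"
    decrypt_file "$1" "$2" || true
    if [ -f "$1.dec" ] && cmp -s "$1" "$1.dec"; then
        echo same
    else
        echo different
    fi
}

# Demonstration in a scratch directory.
work=$(mktemp -d)
printf 'database credentials (constructed sample)\n' > "$work/file"
encrypt_file "$work/file" 'correct horse battery staple'
roundtrip_matches "$work/file" 'correct horse battery staple'   # same
roundtrip_matches "$work/file" 'wrong passphrase'               # different
rm -rf "$work"
```

On OpenSSL 3.x, Blowfish is provided only by the legacy provider, so the Blowfish commands above fail with an unsupported-cipher error unless that provider is loaded; AES is available in the default provider.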
Convert a base 64 encoded certificate (also referred to as PEM or RFC 1421) to binary DER format.
# openssl x509 -in cert.pem -outform der -out certificate.der
Convert the base 64 encoded certificates for an entity and its CA to a single PKCS7 format certificate.
# openssl crl2pkcs7 -nocrl -certfile entCert.cer -certfile CACert.cer -out certificate.p7b
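The two conversion commands above change only the encoding of a certificate, not its contents. The following script, added here as an example and not part of the Oracle documentation, converts a certificate from PEM to DER and back, confirms that both encodings carry the same certificate by comparing SHA-256 fingerprints, and bundles two certificates into a PKCS7 file with crl2pkcs7, reading the bundle back with openssl pkcs7 -print_certs. Subject names, file names and the 2048-bit key size are this example's own choices, and it assumes openssl on PATH.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): convert a certificate
# between PEM and DER, check that the encodings agree by fingerprint, and
# build a PKCS#7 bundle with crl2pkcs7. Assumes openssl on PATH; subjects,
# file names and the key size are constructed for this example.

# Create a throwaway self-signed certificate $1/$2.pem with common name $3.
make_selfsigned() {
    openssl req -x509 -nodes -days 30 -newkey rsa:2048 -subj "/CN=$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
}

# Print the SHA-256 fingerprint of certificate $1; $2 is "pem" or "der".
fingerprint() {
    openssl x509 -inform "$2" -noout -fingerprint -sha256 -in "$1" | sed 's/.*=//'
}

# Convert cert.pem to DER and back again; print "same" if all three files
# have the same fingerprint, otherwise "different".
der_roundtrip_matches() {
    dir=$1
    openssl x509 -in "$dir/cert.pem" -outform der -out "$dir/cert.der"
    openssl x509 -in "$dir/cert.der" -inform der -out "$dir/cert2.pem"
    fp=$(fingerprint "$dir/cert.pem" pem)
    if [ "$fp" = "$(fingerprint "$dir/cert.der" der)" ] \
       && [ "$fp" = "$(fingerprint "$dir/cert2.pem" pem)" ]; then
        echo same
    else
        echo different
    fi
}

# Bundle cert.pem and ca.pem into bundle.p7b and print how many
# certificates the bundle holds (one "subject=" line per certificate).
pkcs7_cert_count() {
    dir=$1
    openssl crl2pkcs7 -nocrl -certfile "$dir/cert.pem" -certfile "$dir/ca.pem" \
        -out "$dir/bundle.p7b"
    openssl pkcs7 -in "$dir/bundle.p7b" -print_certs -noout | grep -c '^subject'
}

# Demonstration in a scratch directory.
work=$(mktemp -d)
make_selfsigned "$work" cert www.unserdom.com
make_selfsigned "$work" ca 'Example Root CA'
der_roundtrip_matches "$work"   # same
pkcs7_cert_count "$work"        # 2
rm -rf "$work"
```

Comparing fingerprints after a conversion is a cheap check that a file served to browsers (the .crt or .p7b) is byte-for-byte the certificate you intended to publish and not a stale or mismatched copy.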
For more information, see the openssl(1), ciphers(1), dgst(1), enc(1), req(1), s_client(1), s_server(1), verify(1), and x509(1) manual pages.