OpenSSL
About
OpenSSL is an open-source cryptography toolkit whose command line tool is commonly used to generate private keys, create certificate signing requests (CSRs), convert SSL/TLS certificates into the formats a server expects, and inspect certificate information.
OpenSSL is included in most Linux distributions. On Windows it is a bit trickier, as you need to install a pre-compiled binary (or build from source) to get started.
Version and Info
Run the following command to get the version and other information about the OpenSSL app:
openssl version -a
The output looks something like this (this sample was taken on macOS, where the bundled openssl binary is actually LibreSSL, as the first line shows):
LibreSSL 2.8.3
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"
In the output, the OPENSSLDIR value is the directory from which OpenSSL reads its configuration file (openssl.cnf) and local settings. The first line tells you which implementation and release you are running; option names and defaults differ between releases, so check it before copying commands from older guides.
Uses
There are many different reasons to use OpenSSL. One of the most common is covered here:
Generating a self-signed certificate
A common server operation is to generate a self-signed certificate. There are many reasons for doing this such as local testing or encrypting communications between internal servers.
Generate the private key and the x.509 cert
- Open Terminal.
- Navigate (change directory) to the directory in your project where you will store the generated private key and certificate files.
- Generate the files using OpenSSL with the following command:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.key -out certificate.crt
Key | Value | Description |
---|---|---|
req | | The OpenSSL subcommand for creating and processing certificate signing requests, normally in PKCS#10 format. |
-x509 | | Output a self-signed X.509 certificate instead of a CSR; OpenSSL signs it with the newly generated key, so the certificate is its own issuer. X.509 is the certificate format defined in RFC 5280. |
-sha256 | | Use SHA-256 as the digest in the certificate signature (the certificate is signed, not encrypted). Older digests such as SHA-1 are rejected by modern clients. |
-nodes | | "No DES": do not encrypt the private key with a passphrase. Convenient for servers that must start unattended, but the key file must then be protected by file permissions. OpenSSL 3.0 renames this option -noenc; -nodes still works. |
-days | 365 | The number of days, counted from now, that the certificate will be valid. |
-newkey | rsa:4096 | Generate a new key pair of this type and size, in this case a 4096-bit RSA key. |
-keyout | private.key | The name and location of the private key file to write (PEM). |
-out | certificate.crt | The name and location of the certificate file to write (PEM). |
The command generates the private.key file immediately and then prompts for the Distinguished Name fields; certificate.crt is written once the prompts are answered. The Country Name should be an ISO 3166-1 two-letter code (the transcript below entered 01, which OpenSSL accepts but which is not a real country code), and the Common Name should be the host name clients will connect to:
Generating a 4096 bit RSA private key
.....................++
.....................................................++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:01
State or Province Name (full name) []:.
Locality Name (eg, city) []:.
Organization Name (eg, company) []:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, fully qualified host name) []:mydomainname.com
Email Address []:.
Test the cert file
Once the certificate has been generated, decode it to verify that it matches the parameters we set:
openssl x509 -in certificate.crt -text -noout
Key | Value | Description |
---|---|---|
x509 | | The OpenSSL subcommand for displaying, converting, and signing X.509 certificates; here it is used to decode the certificate we generated. |
-in | certificate.crt | The certificate to read. |
-text | | Print the certificate in human-readable form: version, serial number, issuer, validity, subject, public key, extensions, and signature. |
-noout | | Do not echo the PEM-encoded certificate after the text dump. |
The output looks something like this (this sample was captured from a run where the Common Name was entered as appdocs, which is why Subject and Issuer differ from the prompt transcript above; for a self-signed certificate the two are always identical to each other):
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 10077740461970821292 (0x8bdb538e565a10ac)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=01, CN=appdocs
Validity
Not Before: Sep 24 21:40:20 2020 GMT
Not After : Sep 24 21:40:20 2021 GMT
Subject: C=01, CN=appdocs
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bc:39:f8:68:fc:33:8b:f4:97:e8:1c:9f:4c:93:
40:38:98:cd:1d:12:2a:c5:ad:6a:38:1d:ad:57:04:
63:ca:b3:ba:8d:a6:cf:93:46:27:dd:c7:ed:c0:eb:
05:4c:56:f3:e3:da:de:73:9c:6e:f0:85:a3:a8:18:
7a:e9:68:d7:16:69:ac:46:9f:f9:9a:84:94:d7:be:
81:12:5d:3c:67:5e:ae:4a:2b:9e:e5:09:60:c3:01:
a3:65:11:e2:2b:97:c4:3b:f2:d0:58:f5:56:c9:12:
35:36:4f:19:83:1c:f7:e3:4b:7f:29:db:ee:b9:5a:
2c:17:6e:71:41:78:74:e0:76:ca:16:71:ad:bf:e3:
6f:c1:30:fb:45:37:a2:80:a9:0a:b1:ac:96:3e:5a:
51:e6:31:cb:b5:64:41:38:97:d0:de:60:ff:d8:6c:
00:ad:4b:ae:2d:66:69:28:3d:77:f4:d7:56:83:89:
fb:db:0f:ed:96:d8:2c:d8:d6:72:e2:7e:14:0c:19:
76:b6:1e:ce:c2:c3:c7:9c:35:63:ea:98:ef:89:7d:
ea:04:ca:79:46:89:84:23:32:76:46:b7:e4:a9:9f:
a1:31:01:f7:32:4f:fc:7e:28:18:52:72:fc:0f:c7:
5b:1f:ba:ca:cf:bc:d3:d9:de:3b:b5:53:ef:41:cf:
81:6c:f8:63:93:10:aa:41:03:2c:8c:ea:80:cf:3d:
fd:38:d0:3a:97:e2:ab:cf:77:99:dc:20:50:6a:f2:
f9:3d:a5:da:5b:86:dc:fa:7c:52:f9:1f:71:93:36:
ab:3c:da:a0:4b:18:ac:5e:f4:df:51:37:79:90:47:
d7:c9:f8:a8:0d:9c:91:3c:90:5f:cf:6a:55:15:58:
3a:f4:ae:aa:f6:ee:c9:aa:c9:41:f8:77:07:d5:29:
f0:23:c6:db:d1:54:75:22:a6:b6:eb:d5:3d:59:51:
d9:2e:f7:ea:36:9b:f3:ff:f2:18:14:b3:9d:46:8e:
a4:21:11:3e:c6:96:37:03:ea:38:85:39:dd:00:68:
b6:1b:c4:e4:11:ce:51:43:0e:ca:8c:a5:e1:73:b9:
6f:98:b4:35:d0:83:e2:1b:73:06:f5:9c:e8:41:0c:
b6:97:7a:3b:da:bd:ce:bf:ab:d3:ea:f8:61:7f:54:
d1:21:d6:4e:22:74:29:10:b0:65:06:4e:44:47:c0:
be:0d:67:50:b6:e8:a5:18:bf:30:0b:78:fc:7e:3d:
3a:7b:2e:5e:62:7e:04:2c:44:50:9d:23:f1:51:51:
c7:6c:43:70:99:fa:07:c2:7c:57:d1:8e:09:e2:c4:
43:98:b7:82:bf:06:7a:ac:8a:45:a5:b1:5e:36:e0:
45:68:85
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
92:3a:03:1f:e1:72:05:31:25:78:e4:a9:7e:2f:f3:75:a5:5a:
d2:0d:1a:bb:df:f1:7b:c3:23:28:3e:16:73:13:66:e0:8d:54:
58:73:4f:f0:a7:3d:41:67:d4:c1:85:71:5b:dd:14:3f:e7:c5:
01:5d:52:ee:20:d4:b4:08:04:71:9e:49:4d:43:30:4f:30:98:
6e:19:eb:1b:3d:bc:7b:00:0c:78:a9:72:c7:eb:d8:f4:0f:5b:
c6:5a:64:3c:c1:8e:5b:62:76:81:fc:84:1b:69:62:5b:39:36:
cf:a9:fc:47:90:a3:e2:08:3e:29:fc:42:61:17:f5:34:49:f5:
a3:de:4c:e2:c8:4b:e2:b0:ec:2f:70:81:87:08:9d:b7:0b:07:
bf:df:1a:3d:b4:c4:c6:80:b2:a4:b8:98:df:ca:e9:ca:fc:6b:
68:6e:0b:04:3d:99:98:c3:33:e0:14:de:94:e1:b7:f2:fa:2b:
2d:28:a5:72:50:99:05:a0:48:71:2d:0c:98:63:a7:dc:46:f5:
a6:bc:48:aa:f3:a4:ef:61:57:6a:be:96:c8:e1:a2:8b:d1:47:
c7:16:12:69:a9:84:d1:dd:aa:35:80:a7:c8:70:19:08:bd:9f:
e3:83:2e:4d:19:c1:72:51:07:5a:db:5b:b7:6b:0e:c7:a2:08:
00:4c:e7:63:1e:83:a1:08:41:eb:ed:b0:a0:c3:ab:39:f7:cd:
ca:b2:e6:90:ca:28:be:0b:3b:ee:87:9b:df:18:57:e6:e7:25:
7c:4e:01:6e:82:df:35:81:8e:4c:d6:e7:ca:44:1d:4c:db:3f:
55:85:a2:89:b2:de:76:c2:84:10:a8:c3:8b:ac:0a:76:68:e4:
75:06:48:a7:e2:ce:0b:2a:bf:d3:77:bf:e7:85:95:02:b1:dd:
d9:98:a4:51:f9:79:47:6c:58:35:1e:30:4c:f1:d4:17:f2:d4:
4e:6f:b3:ea:ba:22:c0:88:d3:c4:03:de:b6:de:02:35:0a:d0:
15:4b:c9:ab:da:4a:b1:13:e8:ba:62:db:9c:4f:4d:22:4d:f3:
66:2e:a2:d9:b6:1d:92:d0:b8:f0:22:9a:87:c3:23:28:ba:8e:
5a:eb:e1:6a:8e:1e:db:ed:14:dc:ca:a6:27:e7:0b:a4:2f:c9:
af:71:80:3a:34:d2:ce:40:70:e5:05:11:10:39:e0:69:5d:67:
e4:6b:a6:01:9c:6c:9d:ac:29:18:7f:43:91:6d:be:03:ef:0e:
fa:7a:fc:64:7e:3c:59:48:81:fe:8a:89:ff:c8:15:89:6b:14:
71:3a:86:f8:d3:78:0d:c2:08:15:d0:2d:1d:91:8f:6a:55:4d:
9f:23:af:95:36:12:fa:e3
That is it. The self-signed certificate can now be installed on a local web host. Two caveats before relying on it: clients will not trust it until certificate.crt is added to their trust store (or that exact certificate is pinned), because no CA they already trust has signed it; and the output above is a version 1 certificate with no Subject Alternative Name, whereas current browsers and TLS libraries match the host name against the SAN extension rather than the Common Name, so add one (for example with -addext "subjectAltName=DNS:mydomainname.com" on OpenSSL 1.1.1 or later) when such clients must accept the certificate.
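The generation and testing steps above, combined into one script as an added example (this is not code from the original page): it runs openssl req non-interactively, adds a Subject Alternative Name, and then performs the checks a practitioner runs before installing the certificate: that the private key really belongs to the certificate, that the self-signed signature verifies, and that the SAN names the intended host. It assumes OpenSSL 1.1.1 or newer on PATH (-addext needs it); the function names gen_selfsigned, pubkey_fp_from_cert, pubkey_fp_from_key and check_selfsigned, and the host name internal.example.test, are hypothetical and chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes OpenSSL >= 1.1.1.
# All function names below are hypothetical helpers written for this example.
set -eu

# gen_selfsigned DIR HOSTNAME DAYS
# Writes DIR/private.key and DIR/certificate.crt. -subj replaces the DN prompts;
# -addext adds a Subject Alternative Name, which is what TLS clients match on.
gen_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    openssl req -x509 -sha256 -nodes -days "$days" -newkey rsa:4096 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/private.key" -out "$dir/certificate.crt" 2>/dev/null
    chmod 600 "$dir/private.key"   # -nodes leaves the key unencrypted: lock the file down
}

# SHA-256 of the DER-encoded public key, taken from a certificate...
pubkey_fp_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
# ...and from a private key. Equal values mean the key really belongs to the cert.
pubkey_fp_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# check_selfsigned DIR HOSTNAME
# Returns 0 only if the key matches the certificate, the certificate's signature
# verifies against itself (it is its own trust anchor), and its SAN lists HOSTNAME.
check_selfsigned() {
    dir=$1; host=$2
    crt="$dir/certificate.crt"; key="$dir/private.key"
    if [ "$(pubkey_fp_from_cert "$crt")" != "$(pubkey_fp_from_key "$key")" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi
    if ! openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1; then
        echo "certificate signature does not verify" >&2; return 1
    fi
    # Look for the SAN entry in the decoded text (DNS:host followed by a comma or end of line).
    if ! openssl x509 -in "$crt" -noout -text | grep -qE "DNS:$host"'(,|$)'; then
        echo "no subjectAltName entry for $host" >&2; return 1
    fi
    return 0
}

# Usage: generate into a scratch directory, check it, and print the key facts.
workdir=$(mktemp -d)
gen_selfsigned "$workdir" internal.example.test 365
check_selfsigned "$workdir" internal.example.test && echo "certificate and key check out"
openssl x509 -in "$workdir/certificate.crt" -noout -subject -issuer -dates -fingerprint -sha256
```

The key-to-certificate comparison hashes the public key rather than eyeballing the modulus dump shown earlier, and openssl verify is pointed at the certificate itself because a self-signed certificate only verifies when it is also the trust anchor; the same -CAfile trick is what you hand to a client that must accept it.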
More Resources
- https://opensource.com/article/19/6/cryptography-basics-openssl-part-1
- https://opensource.com/article/19/6/cryptography-basics-openssl-part-2
- https://blog.ipswitch.com/how-to-use-openssl-to-generate-certificates
- https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
- https://www.openssl.org/