Examples for Usage of openssl Command

openssl
  • Keys and Requests
    • to generate an RSA private key of 1024 bits, encrypted with triple DES under a pass phrase; randfile[s] are files containing random data used to seed the random number generator
         openssl genrsa -des3 -out mykey.pem [-rand randfiles] 1024
         chmod 400 mykey.pem
    • to generate a certificate request (CSR) for a user:
         openssl req -new -days 365 -key mykey.pem -out myreq.pem \
                        -extensions user_ext
    • to create an unencrypted private key (no pass phrase, -nodes) and generate a certificate request for a server in one step:
         openssl req -new -newkey rsa:1024 -extensions server_ext -nodes \
                        -keyout myserver.key -out myserver.req
         chmod 400 myserver.key
    • to change the pass phrase of the private key (without -des3 the new file would be written unencrypted):
         cp key.pem key.pem.old
         openssl rsa -des3 -in key.pem.old -out key.pem
    • to print out the components of a private key to standard out:
         openssl rsa -noout -text -in key.pem
    • to examine a certificate request and verify its self-signature:
         openssl req -noout -text -verify -in userreq.pem
    • to convert a private key from PEM to DER format (the format used e.g. by MS Internet Explorer):
         openssl rsa -in userkey.pem -out userkey.der -outform DER
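The pass-phrase change above is easy to get wrong: `openssl rsa -in old -out new` without `-des3` silently writes the key in the clear. The following added example (not part of the original page) re-encrypts a key under a new pass phrase and then checks that the result is still protected; it assumes openssl(1) is in PATH and uses constructed file names.

```sh
#!/bin/sh
# Added example: change an RSA key's pass phrase safely and verify the result.
# Assumes openssl(1) in PATH; file names and pass phrases are constructed.
set -e

# Generate a 2048-bit RSA key into file $1, protected by pass phrase $2.
gen_key() {
    openssl genrsa -des3 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Exit 0 if PEM file $1 is an encrypted private key. Depending on the
# OpenSSL version the marker is the legacy "Proc-Type: 4,ENCRYPTED" header
# or a PKCS#8 "ENCRYPTED PRIVATE KEY" block, so both are accepted.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Exit 0 if pass phrase $2 unlocks key file $1.
key_opens_with() {
    openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Re-encrypt key $1 (old pass phrase $2) under new pass phrase $3.
# A backup of the old file is kept as $1.old, as on the page above.
# Note the -des3: without it the new file would contain the key in clear.
change_passphrase() {
    cp -p "$1" "$1.old"
    openssl rsa -des3 -in "$1.old" -passin "pass:$2" \
        -out "$1.new" -passout "pass:$3" 2>/dev/null
    chmod 400 "$1.new"
    mv -f "$1.new" "$1"
}

# Stand-alone demonstration in a scratch directory (run in a subshell).
demo() (
    d=$(mktemp -d) && cd "$d"
    gen_key mykey.pem old-secret
    change_passphrase mykey.pem old-secret new-secret
    key_is_encrypted mykey.pem && key_opens_with mykey.pem new-secret \
        && echo "mykey.pem is re-encrypted under the new pass phrase"
    rm -rf "$d"
)
demo
```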

  • Certificates:
    • to verify certificate chains:
         openssl verify [-CApath directory] cert.pem
    • to display the contents of a certificate:
         openssl x509 -noout -text -in cert.pem
    • to display the certificate MD5 fingerprint:
         openssl x509 -noout -fingerprint -in cert.pem
    • to display the certificate SHA1 fingerprint:
         openssl x509 -noout -sha1 -fingerprint -in cert.pem
    • to convert a certificate from PEM to DER format (the format used e.g. by MS Internet Explorer):
         openssl x509 -in cert.pem -out cert.der -outform DER

  • PKCS#12 Files:
    • to create a PKCS#12 file from a PEM file containing the certificate(s) and the matching private key
      (the format Netscape imports):
         cat cert1.pem cert2.pem mycert.pem > certs.pem
         openssl pkcs12 -export -in certs.pem -inkey mykey.pem -out user.p12 \
                 -name "Willi Winzig, DESY Zeuthen"
       or
         openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out user.p12 \
                 -certfile othercerts.pem -name "Willi Winzig, DESY Zeuthen"
    • to print some info about the PKCS#12 file:
         openssl pkcs12 -noout -info -in user.p12

    Abbreviations:

    • CA	Certificate Authority
    • CRL	Certificate Revocation List
    • CSR	Certificate Signing Request
    • DCA	Delegate Certificate Authority
    • DER	Distinguished Encoding Rules
    • DES	Data Encryption Standard
    • DH	Diffie-Hellman
    • DSA	Digital Signature Algorithm
    • DSS	Digital Signature Standard
    • ICE	Interworking Public Key Certification Infrastructure for Europe
    • IDEA	International Data Encryption Algorithm
    • MD5	Message Digest #5
    • PEM	Privacy Enhanced Mail
    • PGP	Pretty Good Privacy
    • PKI	Public-Key Infrastructure
    • PKIX	Public-Key Infrastructure based on X.509
    • RSA	Ron Rivest, Adi Shamir, Leonard Adleman
    • SHA	Secure Hash Algorithm
    • S/MIME	Secure/Multipurpose Internet Mail Extensions
    • SSL	Secure Sockets Layer
    • X.509	ITU-T recommendation X.509 (The Directory - Authentication Framework)

    13.09.2000, Waltraut Niepraschk