WikiSec
Blog Solaris Debian Mobile Unix Development Tools Crypto Papers
Home
Up

Keys and requests
...Generating keys
...Displaying information
...Changing the passphrase
...Conversions
Certificates
...Creating certificates
...Viewing certificates
...Verify certificates
...Conversions
...CRLs
PKCS#12
...Create a PKCS#12
...Print information
SSL
Encrypting
Digests
Base 64 Encoding/Decoding
Dump ASN1
For information on OpenSSL's crypto library, please read my article in MISC magazine no.32.

Keys and requests

Generating keys

To generate a triple DES private key which has to be encrypted with pass phrase, 1024 bits used for key, randfile[s] containing random data used to seed the random number generator 

openssl genrsa -des3 -out mykey.pem [-rand randfiles] 1024
chmod 400 mykey.pem

To generate an RSA key pair 

openssl genrsa -out privatekey.pem 2048

To generate DSA parameters 

openssl dsaparam -outform DER -out param.der -text 1024

To generate a DSA private key (requires a DSA parameter PEM file) 

openssl gendsa -out dsaprv.pem param.pem

Displaying information

To print DSA parameters 

openssl dsaparam -outform DER -genkey -out param.der -text 1024

To print out the components of a private key to standard out: 

openssl rsa -noout -text -in key.pem
To display the components of a public key: 
openssl rsa -noout -text -in pubkey.pem -pubin
If you just want the modulus, add -modulus.

Changing the passphrase

To change the pass phrase in the private key: 

cp key.pem key.pem.old
openssl rsa -in key.pem.old -out key.pem

Conversions

To convert a private key from PEM to DER format: 

openssl rsa -in userkey.pem -out userkey.der -outform DER

Output in DER the private key 

openssl rsa -in privatekey.pem -out privatekey.der -outform DER

Output the public key in PEM or DER 

openssl rsa -in privatekey.pem -out pubkey.pem -pubout [-outform DER]

Certificates

Formats of certificates

  • .cer or .crt: DER Encoded Binary X.509 format, or Base 64 Encoded X.509 certificate
  • .p7b: CMS PKCS#7 containing a certificate chain
  • .p12 or .pfx: "Personal Information Exchange" PKCS#12, wrapper of DER X.509 certificates.

Creating certificates

  • Create your Root CA's keys, and its self signed certificate 
$ openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 1000 -outform PEM
or: 
$ openssl req -passout file:./passwd -x509 -newkey rsa -out rootcert.pem -config ./openssl.cnf -batch -sha1
  • For each node, create their keys: 
openssl genrsa -des3 -out nodekey.pem 2048
  • For each node, create a certificate request (CSR): 
openssl req -new -key nodekey.pem -out node.csr -days 1000 [-extensions user_ext]
  • or all first three steps in one command: 
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ... -out ...
  • or using an openssl configuration file: 
    [req]
default_bits        = 2048 
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
organizationalUnitName	= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Blah
commonName = Common Name
commonName_default = Blah blah
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.1.2
IP.2 = 1.2.3.4
    with command: 
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt -config openssl.cnf
  • Send the signed certificate requests to your CA. The CA should verify the certificate request: 
openssl req -noout -text -verify -in userreq.pem
  • and sign it if everything is okay: 
$ openssl x509 -req -in node.csr -out nodecert.pem -CAkey cakey.pem -CA cacert.pem -CAcreateserial -days 1000

TO DO: openssl ca -in testreq.pem -passin file:./passwd -out testcert.pem -config ./openssl.cnf -extensions v3_ca

Viewing certificates

$ openssl x509 -inform PEM -text < certificate.pem
or: openssl x509 -noout -text -in cert.pem

To display the certificate MD5 fingerprint: 

openssl x509 -noout -fingerprint -in cert.pem
To display the modulus of a certificate: 
$ openssl x509 -modulus -noout < alice.crt
0xEFBA9C442084759DC9770021B03C...

To display the certificate SHA1 fingerprint: 

openssl x509 -noout -sha1 -fingerprint -in cert.pem
To grab the certificate of a SSL host: 
echo -n | openssl s_client -showcerts -connect thehost.fr:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > thehost.crt

Verify certificates

To verify certificate chains: 

openssl verify [-CApath directory] cert.pem

Certificate Conversions

To convert a certifcate from PEM to DER format: 


openssl x509 -in cert.pem -out cert.der -outform DER

CRLs

To view a CRL: 
openssl crl -inform DER -text -in the.crl -noout

PKCS#12

Create a PKCS#12

To create a PKCS#12 file: 
cat cert1.pem cert2.pem mycert.pem > certs.pem
openssl pkcs12 -export -in certs.pem -inkey mykey.pem -out user.p12 -name "Blah"

or in a single step: 

openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out user.p12 -certfile othercerts.pem -name "Blah"

Print information

openssl pkcs12 -noout -info -in user.p12

SSL

to test openssl connection: 
openssl s_client -connect URL

Encrypting

For example, to perform DES3 CBC: 
$ openssl enc -des-ede3-cbc -K thekey -iv theiv -in cipher > decrypt
where the key is the hexadecimal bytes of the key, and IV the hexadecimal bytes of the IV. Example: 
echo 'hello!' | openssl enc -des-ede3 -K 01234567890123456 -iv 01234567890123456
and -d to decrypt: 
openssl enc -des-ede3 -K 01234567890123456 -iv 01234567890123456

Hashing

Doing a MD5: 
echo "12345678hashcat" | openssl dgst -md5
Salting and using MD5 (-1): 
openssl passwd -1 -salt 12345678 hashcat

Base64 Encoding/Decoding

The openssl command can encode or decode base64.
To encode, use: 
openssl enc -base64 [-in file]
Note that if the base64 encoding is long, 0x0a is inserted to split the result in several lines. 
$ echo "I have a very long text that lasts on several lines and thus we need some wrapping and blah. I have a very long text that lasts on several lines and thus we need some wrapping and blah.I have a very long text that lasts on several lines and thus we need some wrapping and blah." | openssl enc -base64
SSBoYXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxp
bmVzIGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC4gSSBo
YXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxpbmVz
IGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC5JIGhhdmUg
YSB2ZXJ5IGxvbmcgdGV4dCB0aGF0IGxhc3RzIG9uIHNldmVyYWwgbGluZXMgYW5k
IHRodXMgd2UgbmVlZCBzb21lIHdyYXBwaW5nIGFuZCBibGFoLgo=
Alternatively, it is possible to use the command: 
$ base64
To decode Base64 input, it is possible to use openssl or base64 too. Openssl command will only work over input that has those newlines 0x0a, while base64 works on anything.
Example: openssl base64 decode fails when no newlines 
$ echo "SSBoYXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxpbmVzIGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC4gSSBoYXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxpbmVzIGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC5JIGhhdmUgYSB2ZXJ5IGxvbmcgdGV4dCB0aGF0IGxhc3RzIG9uIHNldmVyYWwgbGluZXMgYW5kIHRodXMgd2UgbmVlZCBzb21lIHdyYXBwaW5nIGFuZCBibGFoLgo=" | openssl enc -base64 -d
Example: openssl base64 decode works when new lines 
echo "SSBoYXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxp
 bmVzIGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC4gSSBo
 YXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxpbmVz
 IGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC5JIGhhdmUg
 YSB2ZXJ5IGxvbmcgdGV4dCB0aGF0IGxhc3RzIG9uIHNldmVyYWwgbGluZXMgYW5k
 IHRodXMgd2UgbmVlZCBzb21lIHdyYXBwaW5nIGFuZCBibGFoLgo=" | openssl enc -base64 -d
I have a very long text that lasts on several lines and thus we need some wrapping and blah. I have a very long text that lasts on several lines and thus we need some wrapping and blah.I have a very long text that lasts on several lines and thus we need some wrapping and blah.
Example: base64 works in all situations 
$ echo "SSBoYXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxpbmVzIGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC4gSSBoYXZlIGEgdmVyeSBsb25nIHRleHQgdGhhdCBsYXN0cyBvbiBzZXZlcmFsIGxpbmVzIGFuZCB0aHVzIHdlIG5lZWQgc29tZSB3cmFwcGluZyBhbmQgYmxhaC5JIGhhdmUgYSB2ZXJ5IGxvbmcgdGV4dCB0aGF0IGxhc3RzIG9uIHNldmVyYWwgbGluZXMgYW5kIHRodXMgd2UgbmVlZCBzb21lIHdyYXBwaW5nIGFuZCBibGFoLgo=" | base64 -d
I have a very long text that lasts on several lines and thus we need some wrapping and blah. I have a very long text that lasts on several lines and thus we need some wrapping and blah.I have a very long text that lasts on several lines and thus we need some wrapping and blah.
To work on files, use -in or -out flags.

Dump ASN1

Reads at offset 128: 
dumpasn1 -a -128 -p -e msg.unb64
(c) A. Apvrille - 2015
Invisible border