OpenSSL is a general purpose cryptographty toolkit that provides an open source implementation of Transport Layer Security(TLS) and Secure Socket Layer(SSL) protocols. It is written in C,assembly and Perl language but wrappers are available in all languages. This article explains about OpenSSL commands.

Holistic usage guide for OpenSSL

<a href="https://www.openssl.org/" target="_blank" rel="noopener">OpenSSL</a> is a general purpose cryptographty toolkit that provides an open source implementation of Transport Layer Security(TLS) and Secure Socket Layer(SSL) protocols. It is written in C,assembly and Perl language but wrappers are available in all languages. This article explains about OpenSSL commands.
License
For the 3.0.0 release, and later releases derived from that, the Apache License v2 applies. Before that it is licensed under <a href="https://www.openssl.org/source/license.html" target="_blank" rel="noopener">OpenSSL license</a>.
Functions
It provides various cryptographic functions
<ul>
 <li>RSA &amp; AES keys</li>
 <li>Certificate Signing Requests(CSR), X509 certificates</li>
 <li>Message digest/checksums</li>
 <li>Encryption / Decryption with ciphers and encoding commands.</li>
</ul>
Encoding/Decoding
Encoding and decoding schemes are used to convert the binary to text and vice versa respectively. Base64 is one of the encoding scheme where a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. This base64 encoding used in the encrypted bytes to convert into textual format and transmit the data securely.
Below commands will base64 encode the text and then decode back to the text format.
<pre class="language-bash"><code class="language-bash">$ echo "secret password" | openssl enc -base64 $ echo "c2VjcmV0IHBhc3N3b3JkZAo=" | openssl enc -base64 -d</code></pre>
Advanced Encryption Standard(AES)
AES is symmetric encryption algorithm, where text will be encrypted by secret key, then it will be decrypted by same secret key. Openssl provides AES encryption/decryption facilities of different block sizes.
Cipher algorithm (AES cyber block chain of 256 bit) which will encrypt and then does base64 encoding. To encrypt the data, provide encryption password (secret key). During decryption, same password / secret has to be provided. <a href="https://en.wikipedia.org/wiki/File:CBC_decryption.svg#file" target="_blank" rel="noopener">Cyber block chain</a> will split the message text into block size, xor with initialiation vector and encrypt with key, then output will be xor with next block of message text which will again encrypt with key, it will continue until all blocks encrypted.
<pre class="language-bash"><code class="language-bash">$ echo "confidential-data" | openssl enc -aes-256-cbc -base64 enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password: U2FsdGVkX1/2T5aTQE9K/PCJlXCqtAC9RIxGoQIdrFc= $ echo "U2FsdGVkX1/2T5aTQE9K/PCJlXCqtAC9RIxGoQIdrFc=" | openssl enc -aes-256-cbc -base64 -d enter aes-256-cbc decryption password: confidential-data </code></pre>
Rivest-Shamir-Adleman Encryption Algorithm
RSA algorithm works with public (known to everyone) and private key (secret key) combinations based on factorization difficulty of large prime numbers. Message will be encrypted with public key and transmitted to recipient who will decrypt with his secret private key. It is slow algorithm so it is used to share the symmetric secret key, less commonly used for encryption of user data.
Alice and Bob want to transfer secure information.
<ol>
 <li>Bob has securely stored his private key and&nbsp; Bob's public key is available with Alice.</li>
 <li>Alice encrypts the data using Bob's public key and sends the encrypted data to Bob</li>
 <li>Bob decrypts the data using his private key</li>
</ol>
Below OpenSSL commands used to generate private key and then public key from private key.
<pre class="language-bash"><code class="language-bash">&nbsp;$ openssl genrsa -out rsaprivatekey.pem 2048 &nbsp;$ openssl rsa -in rsaprivatekey.pem -pubout -outform PEM -out rsapublickey.pem </code></pre>
rsautl command option will encrypt the message with public key which produce secure message. Redirect the output to a file. Decrypt the secure message with generated private key.
<pre class="language-bash"><code class="language-bash">&nbsp;$ echo "confidential-data" | openssl rsautl -encrypt -pubin -inkey rsapublickey.pem &gt; encryptedmsg &nbsp;$ openssl rsautl -decrypt -inkey rsaprivatekey.pem -in encryptedmsg -out decryptedmsg &nbsp; &nbsp;$ cat decryptedmsg</code></pre>
 Message Digest/Hashing Message
Message Digest or Hash Function takes any arbitrary message (with any content or length) as an input and provides a fixed size hash value as a result.
Use Case:
<ul>
 <li>It is to used to verify the message was transmitted without any loss or tampering by hashing the message matches with message checksums.</li>
 <li>It is also used to store password by hashing the password. (Hashing is one-way function which will not be reversed).</li>
</ul> OpenSSL has dgst command option to hash the password. If same command executed again, it will give the same hash value. Below command generates hash using sha256 algorithm. 
<pre class="language-bash"><code class="language-bash">&nbsp;$ echo 'password' | openssl dgst -sha256 &nbsp;&nbsp; (stdin)= 6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e &nbsp;$ echo 'password' | openssl dgst -sha256 &nbsp;&nbsp; (stdin)= 6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e</code></pre>
Certificate Signing Requests
SSL Certificate is valid certificate only after authorized by Certificate Authority(CA). So to get the authoriztion, certificate signing request has to be sent to CA.
OpenSSL is to generate the certificate signing request, which will prompt for the details like location, organization details and finally generatedcertificate.csr is generated.
<pre class="language-bash"><code class="language-bash">$ openssl req -new -key rsaprivatekey.pem -out generatedcertificate.csr -sha256</code></pre>
<pre class="language-bash"><code class="language-bash">You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IN State or Province Name (full name) [Some-State]:TAMILNADU Locality Name (eg, city) []:COIMBATORE Organization Name (eg, company) [Internet Widgits Pty Ltd]:Findbestopensource Organizational Unit Name (eg, section) []:TechnicalBlogs Common Name (e.g. server FQDN or YOUR name) []: Email Address []:nagappan08@gmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:TechnicalBlogs</code></pre>
&nbsp;
Print the generated certificate request file.
<pre class="language-bash"><code class="language-bash">$ cat generatedcertificate.csr</code></pre>
<pre class="language-bash"><code class="language-bash"> -----BEGIN CERTIFICATE REQUEST----- MIIDCDCCAfACAQAwgYoxCzAJBgNVBAYTAklOMRIwEAYDVQQIDAlUQU1JTE5BRFUx EzARBgNVBAcMCkNPSU1CQVRPUkUxFDASBgNVBAoMC0Jsb2dDcmVhdG9yMRcwFQYD VQQLDA5UZWNobmljYWxCbG9nczEjMCEGCSqGSIb3DQEJARYUbmFnYXBwYW4wOEBn bWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFjTV45a9e WF6ZJSee6X8vpsN9nLotFUFFFQLJcULKQzaKBCdOGyXgCecmFvdWZw/eG2DCig4z 1aLf93OhP03aVyUYpdqC8/a6OPNvTJdefHVxbU+xWYsCQYbDg+mwMsVKWBCb5RGW 0l8FnR/vxhLYqhA3/e7qaYFVYhgKD03NQrqdZSskwgaTLP267Ki2wgS9n03bitvM Hs7NhIZptxE8p5tsYLJXvdfmS1j9+krWOZbKnWc1pobz8lsv85T+EjiqJE4iSO4x orw33RYw32qRzwkeEX7ETy2i9gO0Kld/3HAprsj8dB88Bngjar3BodTCyGOqy9NO RQkYuvcjMUwtAgMBAAGgODAXBgkqhkiG9w0BCQcxCgwIcGFzc3dvcmQwHQYJKoZI hvcNAQkCMRAMDlRlY2huaWNhbEJsb2dzMA0GCSqGSIb3DQEBCwUAA4IBAQB5RVVY dZ3lVTLqL7ZLxtMiiY9SMPfTrdEEOPEdoYnZpdYjuqshFJzJeRkPbdmha1iYvx29 bS+ffKIUXviQccLSJTPKgs7NIq8Qj2KxfLBPj4mHeK0bwsKhYwNpNMLpXHNBRhEp mDpy40aBtfwL6QN+VikhZMXgwX2gVjcp6NZeRNT8GJqmtzAzKSds4oRmEn8b3r89 MQvw/XpzLPew9y/r7pQdSYlETWpK7NkQV9DbnMFFNGL8D1g3O+2JOqAbFFMqme/e 8Ow/k7QjKUZbWBUvNq65c+lgmiXY+zsHe7GnDihT2miIbH5cWLHsr6eX1LSyH7l1 I0yLyR16Uv/lm2nv -----END CERTIFICATE REQUEST-----</code></pre>
&nbsp;
X509 Certificate Generation
Similar to CA generating the certificate, we can use openssl to create certificate for local development purposes. <a href="https://en.wikipedia.org/wiki/X.509" target="_blank" rel="noopener">X509 certificate</a> is a standard defining public key certificate. It contains public key, identity, location and validity period..
OpenSSL with X509 tool to generate the certificate from certificate signing request, validity days and root CA certificate with private key. Root CA certificate and private key can be generated if it is not already using <a href="https://www.findbestopensource.com/article-detail/mkcert-no-config-ca">mkcert certificate authority tool</a>.
&nbsp;
<pre class="language-bash"><code class="language-bash">$ openssl x509 -req -in generatedcertificate.csr -signkey rsaprivatekey.pem -CA rootCA.pem -CAkey rootCA-key.pem -CAcreateserial -out technicalblogcertificate.crt -days 365</code></pre>
<pre class="language-bash"><code class="language-bash">Signature ok subject=C = IN, ST = TAMILNADU, L = COIMBATORE, O = Findbestopensource, OU = TechnicalBlogs, emailAddress = nagappan08@gmail.com Getting Private key Getting CA Private Key</code></pre>
Print the certificate and could find the root CA as mkcert with given identity.
<pre class="language-bash"><code class="language-bash">$ openssl x509 -in technicalblogcertificate.crt -text -noout | head -20</code></pre>
<pre class="language-bash"><code class="language-bash">Certificate: Data: Version: 1 (0x0) Serial Number: 85:dc:55:66:b4:6f:4c:fc Signature Algorithm: sha256WithRSAEncryption Issuer: O = mkcert development CA, OU = ubuntu@ip-172-31-40-103, CN = mkcert ubuntu@ip-172-31-40-103 Validity Not Before: Jan 24 07:25:42 2019 GMT Not After : Jan 24 07:25:42 2020 GMT Subject: C = IN, ST = TAMILNADU, L = COIMBATORE, O = Findbestopensource, OU = TechnicalBlogs, emailAddress = nagappan08@gmail.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c5:8d:35:78:e5:af:5e:58:5e:99:25:27:9e:e9: 7f:2f:a6:c3:7d:9c:ba:2d:15:41:45:15:02:c9:71: 42:ca:43:36:8a:04:27:4e:1b:25:e0:09:e7:26:16: f7:56:67:0f:de:1b:60:c2:8a:0e:33:d5:a2:df:f7: 73:a1:3f:4d:da:57:25:18:a5:da:82:f3:f6:ba:38:</code></pre>
 Certificate can also verified by verify command options provided by OpenSSL.
<pre class="language-bash"><code class="language-bash">$ openssl verify technicalblogcertificate.crt technicalblogcertificate.crt: OK</code></pre>
&nbsp;
Reference:
<a href="https://www.openssl.org/">https://www.openssl.org/</a>
<a href="https://www.findbestopensource.com/article-detail/mkcert-no-config-ca" target="_blank" rel="noopener">mkcert - no config certificate authority tool</a>
&nbsp;

Newsletter

Related Articles

Suggested keywords:

Newsletter

Related Articles