Most used OpenSSL Commands

A list of most used Openssl Commands

• Ich bin davon genervt jedes mal nach einem openssl Befehl zu Suchen. Hier eine Sammlung der häufigsten verwendeten Befehle
• Bonus link zu OPENSSL Manual

• 1. Table of Content
• 2. Information
     • 2.1. Get OpenSSL Version
• 3. Generating
  • 3.1. Blub
    • 3.1.1. Generate new private key
    • 3.1.2. Generate encrypted private key with Password
    • 3.1.3. Generate the public key from private key
    • 3.1.4. Generate a Certificate Singning Request (CSR) for an existing private key
    • 3.1.5. Generate a Self-Signed Certificate
    • 3.1.6. Create a PKCS#12 (.p12, .pfx) container with private key and certificate
    • 3.1.7. Create a PKCS#12 (.p12, .pfx) container private Key, certificate and CA certificate
    • 3.1.8. Create a PKCS#12 (.p12, .pfx) container only with private key
    • 3.1.9. Create a PKCS#12 (.p12, .pfx) container only with certificates
    • 3.1.10. Remove password from a private key
• 4. Converting
     • 4.1. Convert a DER Binary Format (.der, .cer) file to PEM (.crt, .pem, .cer)
     • 4.2. Convert a PEM (.crt, .pem, .cer) file to DER (.der, .cer)
     • 4.3. Convert a PKCS#12 file (.pfx .p12) including the private key and certificate to PEM
     • 4.4. Convert public key
     • 4.5. foo
     • 4.6. foo
• 5. Validating
     • 5.1. foo

1. Table of Content

2. Information

2.1. Get OpenSSL Version

openssl version

3. Generating

3.1. Blub

3.1.1. Generate new private key

openssl genrsa -out private-key.pem 4096

Output:

-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAz07dxYumJ8ehkWiCwBX25QR89+sunjytiHokNph/CTb+JQ1H
LISO8UTuWBLHTPZzr9zJzav/VHOR0bYtktl7hxEw5xDxf+AjILbfuIl1/X9UHma0
A7N4aL5sOjJhP9WAWEr4nqIwkE2sch3yyP1yn8cZ9WUyJu1qKC+FAl9dfggrcqhR
tQtfMclMh6MjA6Fa1FMzAmvShNRlnqyogQlbTkW91EIxi1a6+RCH8ZBKOlNaQSdK
VuaTrZCzSnO8TMn2BahmTgArXNKCDzUptWKJ0Tr2IcTiNKkaxMeKsshW8x/3XfQk
ZcPvlZe7LgS+cFj/mzzS+qpOEhsdm1KhDTemm5nmv2xEXmBKun5XFIxo9u+2oOvZ
....
-----END RSA PRIVATE KEY-----

3.1.2. Generate encrypted private key with Password

openssl genrsa -aes256 -out private-key.pem 4096

Output:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,EA6FFC06DA689C8EF13818E6CCA8F559

h+os980FwiK90m1bJjhxDEzcjvEWVB5nTipu3stS7F2fwqjbLWnI0o3ONy3oTUIi
aEGHD6Fyk5F7z+/FFIC96ALRRvG4WzQmuP7o2/VEaiY5Cak4fq3BwTvEE4bLkIti
XpqcZvV1Fq9puam0ULGkm2APIGIurUCJ/e2UafnXXbEuUhml6wOVpmGZoIaoU/a9
......
-----END RSA PRIVATE KEY-----

3.1.3. Generate the public key from private key

openssl rsa -in private-key.pem -pubout -outform PEM -out public-key.pem

Output:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAl58SlffmOQbx7xSnhvu0
V51Ov7nCkbFdVmqsPWB8aR7+uwqoFOGgOL9XdfAX65eANUas0jpQ8sB8nINFA5mI
Gf2WbKkS+1Jivp+GJ5eTXgDUQcG1A52AldycPCk5s2ZXezZnTlKg+yBi5U4SohXp
....
-----END PUBLIC KEY-----

3.1.4. Generate a Certificate Singning Request (CSR) for an existing private key

openssl req -out my-csr.csr -key private-key.pem -new

Output:

-----BEGIN CERTIFICATE REQUEST-----
MIIEhzCCAm8CAQAwQjELMAkGA1UEBhMCREUxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAM9O3cWLpifHoZFogsAV9uUEfPfrLp48rYh6JDaYfwk2
...
-----END CERTIFICATE REQUEST-----

3.1.5. Generate a Self-Signed Certificate

openssl req -new -x509 -key private-key.pem -out mycertificate.crt -days 365

Output:

-----BEGIN CERTIFICATE-----
MIIFhTCCA22gAwIBAgIUTZro+2uPIRzLw7J/2JcPyfVL7KQwDQYJKoZIhvcNAQEL
BQAwUjELMAkGA1UEBhMCREUxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
CgwTRGVmYXVsdCBDb21wYW55IEx0ZDEOMAwGA1UEAwwFSGVsbG8wHhcNMjEwNzAx
...
-----END CERTIFICATE-----

3.1.6. Create a PKCS#12 (.p12, .pfx) container with private key and certificate

-name: is the alias of the certificate in .p12 file

openssl pkcs12 -export -name mycert -inkey private-key.pem -in mycertificate.crt -out mycontainer.p12

3.1.7. Create a PKCS#12 (.p12, .pfx) container private Key, certificate and CA certificate

-name is the alias of the certificate in .p12 file

-certfile filename of the CAFile which has signed the certificate. Be aware that the file must be in PEM Format and NOT DER. Check below for a command to convert from DER to PEM

openssl pkcs12 -export -name mycert -inkey clientCert-mtls-E2EBankSign.prv.key -in mycertificate.crt -certfile CAFile.pem.crt -out mycontainer.p12

3.1.8. Create a PKCS#12 (.p12, .pfx) container only with private key

-name: is the alias of the certificate in .p12 file

-nocerts: no certificate is imported to the .p12 file

openssl pkcs12 -export -name mykey -nocerts -inkey private-key.pem -out mycontainer.p12

3.1.9. Create a PKCS#12 (.p12, .pfx) container only with certificates

-name is the alias of the certificate in .p12 file

-nokeys no private key is imported to the .p12 file

openssl pkcs12 -export  -name mycert -nokeys -in mycertificate.crt -out mycontainer.p12

3.1.10. Remove password from a private key

openssl rsa -in private-key.pem -out new-private-key.pem

4. Converting

4.1. Convert a DER Binary Format (.der, .cer) file to PEM (.crt, .pem, .cer)

openssl x509 -inform der -in certificate.der -out certificate.pem.crt

4.2. Convert a PEM (.crt, .pem, .cer) file to DER (.der, .cer)

openssl x509 -outform der -in certificate.pem.crt -out certificate.der 

Output:

-----BEGIN CERTIFICATE-----
MIIFhTCCA22gAwIBAgIUTZro+2uPIRzLw7J/2JcPyfVL7KQwDQYJKoZIhvcNAQEL
BQAwUjELMAkGA1UEBhMCREUxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
CgwTRGVmYXVsdCBDb21wYW55IEx0ZDEOMAwGA1UEAwwFSGVsbG8wHhcNMjEwNzAx
...
-----END CERTIFICATE-----

4.3. Convert a PKCS#12 file (.pfx .p12) including the private key and certificate to PEM

openssl pkcs12 -in keyStore.p12 -out keyStore.pem -nodes

Output:

bar

4.4. Convert public key

bar

Output:

bar

4.5. foo

bar

Output:

bar

4.6. foo

bar

Output:

bar

4.7. foo

bar

Output:

bar

4.8. foo

bar

Output:

bar

4.9. foo

bar

Output:

bar

4.10. foo

bar

Output:

bar

4.11. foo

bar

Output:

bar

5. Validating

openssl req -out CSR.csr -pubkey -new -keyout privateKey.key -config .shareopenssl.cmf

5.1. foo

bar

Output:

bar