OpenSSL Cheat Sheet

Tested with OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023) on (K)Ubuntu 23.04.

Certificate Revocation Status

Verify Status with CRL

OpenSSL can connect to a server and verify its certificate against the published CRL via the s_client sub-command [1].

The following example performs a full verification of google.com, including a CRL check:

openssl s_client -crl_check -crl_download -connect google.com:443 < /dev/null

Note: -crl_check_all will most likely fail, either because the root certificate does not provide a CRL or because it provides an empty CRL [2].

Verify Status with OCSP

OCSP requests can be sent with the ocsp sub-command [3].

First, the certificates need to be made locally available:

openssl s_client \
    -connect google.com:443 < /dev/null \
    -showcerts \
| awk '/BEGIN CERTIFICATE/ { i++; } /BEGIN/, /END CERT/ { if(i==1) print > "server.pem"; else print > ("intermediate" (i-1) ".pem"); }'

This one-liner uses awk to split the downloaded chain (note the -showcerts option, which makes s_client print every certificate the server sends) into server.pem for the first certificate and intermediate[i].pem for each following one.
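As an added example that is not part of the original cheat sheet, the same splitting logic as a reusable shell function: it reads raw s_client -showcerts output from a file (or stdin with "-"), writes server.pem and intermediate<N>.pem into a directory of your choice, and reports how many certificates it found so an empty or truncated chain is noticed before the OCSP step. The chain it is run on here is a constructed sample with dummy certificate bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: a reusable version of
# the awk chain splitter above. It takes raw `openssl s_client -showcerts`
# output (file path, or "-" for stdin), writes the leaf to server.pem and each
# further certificate to intermediate<N>.pem in OUTDIR, and prints how many
# certificates it found so a caller can detect an empty or truncated chain.
split_chain() {
  chain="$1"; outdir="$2"
  mkdir -p "$outdir" || return 1
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    # The range pattern copies each PEM block verbatim; the file name is
    # parenthesised so mawk, gawk and busybox awk parse it the same way.
    /-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/ {
      f = (i == 1) ? (dir "/server.pem") : (dir "/intermediate" (i - 1) ".pem")
      print > f
    }
    END { print i + 0 }
  ' "$chain"
}

# Constructed sample in the shape of `s_client -showcerts` output: the noise
# lines s_client prints plus three PEM blocks with dummy bodies.
write_sample_chain() {
  cat > "$1" <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:C = AT, CN = leaf.example.test
   i:C = AT, CN = Sample Intermediate
-----BEGIN CERTIFICATE-----
LEAFBODY
-----END CERTIFICATE-----
 1 s:C = AT, CN = Sample Intermediate
   i:C = AT, CN = Sample Root
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODY
-----END CERTIFICATE-----
 2 s:C = AT, CN = Sample Root
   i:C = AT, CN = Sample Root
-----BEGIN CERTIFICATE-----
ROOTBODY
-----END CERTIFICATE-----
EOF
}

# Demo: split the sample into a temporary directory and report the count.
demo_dir=$(mktemp -d)
write_sample_chain "$demo_dir/chain.txt"
echo "certificates found: $(split_chain "$demo_dir/chain.txt" "$demo_dir/certs")"
```

With a live chain the call is simply openssl s_client -connect host:443 -showcerts < /dev/null | split_chain - certs, after which the intermediate files feed the -issuer option of the ocsp command below.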

These files can then be passed to the ocsp sub-command in another one-liner to send a verification request [4]:

openssl ocsp \
    -issuer <(find . -iname "inter*.pem" | sort | xargs cat) \
    -cert server.pem \
    -text \
    -url $(openssl x509 -in server.pem -ocsp_uri -noout)

The root certificate is taken from the CA store of the local machine, or can be supplied via the -CAfile option.

Certificate and CSR Generation

RSA

To create a self-signed certificate, the OpenSSL CSR sub-command req can be used [5].

This command creates a self-signed certificate with the issuer and subject /C=AT/CN=foo and a validity period of 2 years:

openssl req \
    -x509 \
    -nodes \
    -days $((365*2)) \
    -newkey rsa:4192 \
    -keyout selfsigned.key \
    -out selfsigned.pem \
    -outform PEM \
    -subj "/C=AT/CN=foo"

The command creates a private RSA key with 4192 bits and embeds the public key into the certificate. To supply an already generated key, use the -key option instead of -newkey. To create a new key, refer to the section Generation of a Pass Phrase Protected Private RSA Key.

To verify the correctness, the x509 sub-command can be used [6]:

openssl x509 -in selfsigned.pem -text -noout | grep -zoP "(Issuer:|Subject:|Validity\n.*\n).*\n"

The output should look like:

Issuer: C = AT, CN = foo
Validity
            Not Before: Oct 26 12:04:46 2023 GMT
            Not After : Oct 25 12:04:46 2025 GMT
Subject: C = AT, CN = foo

Note that Issuer and Subject are identical; this is the definition of a self-signed certificate.

ECDSA

An ECDSA private key is needed first and can be generated with the ecparam command [7]:

openssl ecparam -genkey -name prime256v1 -out ec_key.pem -outform PEM

The option -name prime256v1 instructs OpenSSL to use the prime256v1 (secp256r1) parameters.

The key content can be inspected with the ec command [8]:

openssl ec -in ec_key.pem -text -noout

Generating a CSR or self-signed certificate works analogously to the RSA case explained above, with the req command:

openssl req \
    -x509 \
    -nodes \
    -days $((365*2)) \
    -key ec_key.pem \
    -out selfsigned.pem \
    -outform PEM \
    -subj "/C=AT/CN=foo"

Verification is analogous to the RSA case:

openssl x509 -in selfsigned.pem -text -noout | grep -zoP "(Issuer:|Subject:|Validity\n.*\n).*\n"

The output should look like:

Issuer: C = AT, CN = foo
Validity
            Not Before: Oct 26 21:07:45 2023 GMT
            Not After : Oct 25 21:07:45 2025 GMT
Subject: C = AT, CN = foo

Format Conversion of x509 Certificates

The x509 command can read a certificate in one format and write it out in another, here from PEM to DER:

openssl x509 \
    -in  selfsigned.pem -inform  PEM \
    -out selfsigned.der -outform DER

The diff command can be used to verify that the content of both files is identical:

diff \
    <(openssl x509 -in selfsigned.der -inform DER -noout -text) \
    <(openssl x509 -in selfsigned.pem -inform PEM -noout -text) \
    -s

Generation of a Pass Phrase Protected Private RSA Key

An RSA private key can be generated with the genrsa command [9].

openssl genrsa -out encrypted_key.pem -aes256 3072

The -aes256 option instructs OpenSSL to encrypt the key with the symmetric cipher AES-256. The command prompts for a pass phrase in the shell.

Pass Phrase Removal

To remove the pass phrase, simply pass the key through the rsa sub-command [10]. The command prompts for the phrase and writes the unencrypted key to the file specified with the -out option.

openssl rsa -in encrypted_key.pem -out key.pem

To set a new pass phrase, use:

openssl rsa -in encrypted_key.pem -out other_password_key.pem -aes256