End-user stuff

Poor man's benchmark

Quick way to compare processing power of CPUs.

openssl speed sha1  # for single-core performance, incl hardware acceleration
openssl speed -multi $(nproc) rsa4096  # for multi-core performance

To test whether the CPU and installed version of OpenSSL can work with crypto acceleration (i.e. AES-NI):

openssl speed aes-256-cbc
openssl speed -evp aes-256-cbc

throughput should be faster (bigger numbers) with the second command.

Create certificate request/unsigned key

# Create a key at the same time
openssl req -nodes -new -sha256 -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -sha256 -key $DOMAIN.key.pem -out $DOMAIN.csr.pem

$DOMAIN.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache.

Create certificate request w/ SubjectAltName fields

SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line.

Create a configuration file, $DOMAIN.conf:

   1 cat > $DOMAIN.conf << EOF
   3 [req]
   4 distinguished_name = req_distinguished_name
   5 req_extensions = req_ext
   7 [req_distinguished_name]
   8 countryName = Country Name (2 letter code)
   9 countryName_default = US
  10 stateOrProvinceName = State or Province Name (full name)
  11 stateOrProvinceName_default = New York
  12 localityName = Locality Name (eg, city)
  13 localityName_default = New York City
  14 organizationalUnitName = Organizational Unit Name (eg, section)
  15 commonName = Common Name
  16 commonName_default = $DOMAIN
  17 commonName_max = 64
  19 [req_ext]
  20 subjectAltName = @alt_names
  22 [alt_names]
  23 DNS.1   = $DOMAIN
  24 DNS.2   = www.$DOMAIN
  26 EOF

Then use this configuration file to create a CSR:

openssl req -nodes -new -sha256 -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf

Show key fingerprint

openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem

Generate key

# RSA key
openssl genrsa -out $DOMAIN.key.pem 4096
# EC key (using prime256v1 curve)
openssl ecparam -out $DOMAIN.key.pem -name prime256v1 -genkey

Display certificate information

# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text

Creating a PEM file for servers

cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem

Used by courier-imap, etc.

If there are intermediate certificates, those must be concatenated AFTER the other certificates.

Creating a PKCS12-format file

openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates"

Used for creating certificates used in e-mail clients and web browsers

Signing e-mails

openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem

Certificate Authority stuff

When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.

Create CA certificate

openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650

Export CA certificate in DER format

openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt

Used by web browsers.

Revoke certificate

openssl ca -revoke $DOMAIN.crt.pem

Generate Certificate Revocation List (CRL)

openssl ca -gencrl -out crl/$DOMAIN-CA.crl

Sign Certificate Request

openssl ca -out blah.crt.pem -in $DOMAIN.req.pem

blah.crt.pem acts as SSLCertificateFile for Apache

Create Diffie-Hoffman Parameters for Current CA

openssl dhparam -out $DOMAIN-CA.dhp.pem 1536

Create self-signed certificate from generated key

openssl req -new -x509 -sha256 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem

Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)

Command-line tricks

Simple file encryption

openssl enc -bf -A -in file_to_encrypt.txt

Simple file decryption

openssl enc -bf -d -A -in file_to_encrypt.txt

Verify hosts

   1 # IMAP
   2 openssl s_client -connect localhost:993 -quiet > /dev/null
   3 # SMTP
   4 openssl s_client -connect localhost:465 -quiet > /dev/null
   5 # HTTP
   6 echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null

Depth (first line) should be 2, with a return value of 0.


SamatsWiki: CheatSheet/OpenSSL (last edited 2020-05-04 22:20:10 by SamatJain)