The most useful commands in OpenSSL
A few weeks ago I wrote an introduction to symmetric and asymmetric cryptography. Personally, I would have liked to read an introductory article aimed entirely at beginners when I started, since I only found articles that already assumed the reader knew what a private key, a public key, a certificate and so on are. So if you have arrived here and the basic concepts of cryptography are still not clear to you, I invite you to review each of the following articles.
- Symmetric cryptography in OpenSSL - encryption algorithms
- Asymmetric cryptography in OpenSSL - public key
- Asymmetric cryptography in OpenSSL - private key
- Asymmetric cryptography in OpenSSL - encrypted key
- Public key infrastructure (PKI)
That said, here is the list of the commands that I consider most useful in OpenSSL.
Encode the content of a file to base64
openssl enc -base64 -in message.txt
Base64 is an encoding, not encryption: it gives no secrecy at all, and anyone can reverse it with openssl enc -base64 -d -in encoded.txt.
Encrypt the contents of a file
openssl enc -ALG -in message.txt -out encrypted.bin
You must replace ALG with the name of a cipher, for example aes-256-cbc (so the option becomes -aes-256-cbc). The above command will ask you for a password. To see the list of ciphers, run openssl enc -ciphers (or openssl list -cipher-algorithms). On OpenSSL 1.1.1 and later add -pbkdf2 (optionally with -iter N) so that the password is stretched with PBKDF2 instead of the legacy single-iteration key derivation that enc uses by default; the same option must then be given when decrypting.
Decrypt the contents of a file
openssl enc -ALG -d -in encrypted.bin -pass pass:PASS
You must replace ALG with the cipher used for encryption (and repeat -pbkdf2 if it was used) and PASS with the password with which the content was encrypted. Be aware that -pass pass:PASS exposes the password to every local user through the process list and leaves it in your shell history; prefer -pass file:FILE or -pass env:VAR, or omit -pass and type the password at the prompt. To see the list of ciphers, run openssl enc -ciphers.
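The encrypt and decrypt recipes above, put together as a complete round trip. This is an added example, not a command from the original article: it uses constructed file names and a constructed message, keeps the password in a file instead of on the command line, and checks that a wrong password does not give the plaintext back.

```shell
#!/bin/sh
# Added example (not from the original article): symmetric round trip with
# openssl enc. File names, passphrase and message are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample plaintext.
printf 'transfer 100 credits to account 4242\n' > "$WORK/message.txt"

# Keep the passphrase in a mode-0600 file instead of on the command line,
# so it never shows up in `ps` output or in the shell history.
umask 077
printf 'correct horse battery staple' > "$WORK/pass.txt"

# Encrypt: -pbkdf2 with an explicit iteration count replaces the legacy
# single-iteration key derivation that `enc` uses by default, and -salt
# (the default) makes each ciphertext unique even for the same password.
encrypt_file() {   # $1 plaintext  $2 ciphertext
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -pass file:"$WORK/pass.txt" -in "$1" -out "$2"
}

# Decrypt with the same cipher and KDF settings; the salt is read back from
# the "Salted__" header that enc wrote in front of the ciphertext.
decrypt_file() {   # $1 ciphertext  $2 plaintext  $3 passphrase file
  openssl enc -aes-256-cbc -d -pbkdf2 -iter 200000 \
    -pass file:"$3" -in "$1" -out "$2"
}

# Returns 0 when a full encrypt/decrypt cycle reproduces the plaintext.
roundtrip_ok() {
  encrypt_file "$WORK/message.txt" "$WORK/encrypted.bin"
  decrypt_file "$WORK/encrypted.bin" "$WORK/decrypted.txt" "$WORK/pass.txt"
  cmp -s "$WORK/message.txt" "$WORK/decrypted.txt"
}

# Returns 0 when decrypting with the wrong passphrase does NOT yield the
# plaintext: openssl normally reports "bad decrypt" (the padding check fails),
# and in the rare case the padding happens to look valid the output is garbage.
wrong_password_rejected() {
  printf 'wrong passphrase' > "$WORK/wrong.txt"
  encrypt_file "$WORK/message.txt" "$WORK/encrypted.bin"
  decrypt_file "$WORK/encrypted.bin" "$WORK/bad.txt" "$WORK/wrong.txt" 2>/dev/null || true
  ! cmp -s "$WORK/message.txt" "$WORK/bad.txt"
}

# The ciphertext starts with the 8-byte magic "Salted__" followed by the salt.
has_salt_header() {
  encrypt_file "$WORK/message.txt" "$WORK/encrypted.bin"
  [ "$(head -c 8 "$WORK/encrypted.bin")" = "Salted__" ]
}

roundtrip_ok && echo "round trip OK"
wrong_password_rejected && echo "wrong passphrase rejected"
has_salt_header && echo "salt header present"
```

Note that AES-CBC as used by enc gives confidentiality only: nothing in the file detects a modified ciphertext, so if integrity matters you need a signature or MAC on top (see the signing commands further down).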
Generate a private key
openssl genrsa -out key.pem [bits]
In the above command you must replace [bits] with the desired key size in bits; use at least 2048. The key is written unencrypted unless you add a cipher option such as -aes256, in which case you are asked for a passphrase.
Convert a PEM key to DER
openssl rsa -in key.pem -outform DER -out key.der
Note that genrsa only generates keys; conversions are done with openssl rsa, which reads an existing key, so no key size is given. The reverse direction is openssl rsa -inform DER -in key.der -outform PEM -out key.pem. The old NET (Netscape) format is obsolete and is no longer supported by current OpenSSL releases; PEM and DER are the formats that remain.
Extraction of public key from private key
openssl rsa -in key.pem -pubout -out pub-key.pem
Encrypt the contents of a file with public key
openssl rsautl -encrypt -inkey pub-key.pem -pubin -in message.txt -out message.enc
This ensures the confidentiality of the message: only the holder of the matching private key can read it. Two caveats: RSA can only encrypt an input shorter than the key modulus (a couple of hundred bytes for a 2048-bit key), so in practice a random symmetric key is encrypted this way and the file itself is encrypted with a cipher such as AES; and rsautl uses PKCS#1 v1.5 padding by default and is deprecated since OpenSSL 3.0 in favour of openssl pkeyutl, where -pkeyopt rsa_padding_mode:oaep selects the safer OAEP padding.
Decrypt the contents of a file with private key
openssl rsautl -decrypt -inkey key.pem -in message.enc -out message.dec
This command decrypts the message from the previous point.
Sign the contents of a file with the private key
openssl rsautl -inkey key.pem -in message.txt -sign -out message.sig
This is often described as "encrypting with the private key", but it is a signature, not encryption: it proves the authenticity of the message (anyone holding the public key can check that it was produced by the private key), while the content stays readable to anyone who recovers it. The same size limit as for encryption applies, which is why real signatures are made over a hash of the file: openssl dgst -sha256 -sign key.pem -out message.sig message.txt, checked with openssl dgst -sha256 -verify pub-key.pem -signature message.sig message.txt.
Recover a signed message with the public key
openssl rsautl -inkey pub-key.pem -pubin -in message.sig -verify -out message.dec
This reverses the previous command: -verify applies the public key to the signature and writes out the original message, and fails if the signature was not produced by the matching private key.
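The four public-key recipes above (key pair, encrypt with the public key, decrypt with the private key, sign and verify) as one runnable script. This is an added example and not code from the original article: it assumes constructed file names, uses openssl pkeyutl and openssl dgst instead of the deprecated rsautl, and shows the two things the one-liners hide, namely that direct RSA encryption is refused for a 4 KiB file (so a symmetric key is wrapped instead) and that a signature fails as soon as the signed data changes.

```shell
#!/bin/sh
# Added example (not from the original article): RSA encryption, the size
# limit that forces hybrid encryption, and signing with a detached signature.
# Uses pkeyutl/dgst instead of the deprecated rsautl. File names constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Key pair; 2048 bits is the floor today.
openssl genrsa -out key.pem 2048 2>/dev/null
openssl rsa -in key.pem -pubout -out pub-key.pem 2>/dev/null

# Constructed inputs: one message small enough for RSA, one 4 KiB file.
printf 'short secret\n' > small.txt
openssl rand -out large.bin 4096

# Direct RSA-OAEP encryption: the input must be shorter than the modulus
# minus the OAEP overhead (214 bytes for a 2048-bit key with SHA-1 OAEP).
rsa_encrypt_direct() {   # $1 plaintext  $2 ciphertext
  openssl pkeyutl -encrypt -pubin -inkey pub-key.pem \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2" 2>/dev/null
}

# Returns 0 when the small file encrypts and the 4 KiB one is refused.
direct_size_limit_demonstrated() {
  rsa_encrypt_direct small.txt small.enc && ! rsa_encrypt_direct large.bin large.enc
}

# Hybrid scheme: a fresh random key (written as one hex line so that
# `-pass file:` reads it whole) encrypts the data with AES-256-CBC, and
# RSA-OAEP wraps that key for the recipient.
hybrid_encrypt() {   # $1 plaintext  $2 recipient public key  $3 output prefix
  openssl rand -hex 32 > "$3.aeskey"
  openssl enc -aes-256-cbc -pbkdf2 -pass file:"$3.aeskey" -in "$1" -out "$3.data"
  openssl pkeyutl -encrypt -pubin -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$3.aeskey" -out "$3.wrappedkey"
  rm -f "$3.aeskey"
}
hybrid_decrypt() {   # $1 input prefix  $2 private key  $3 output file
  openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$1.wrappedkey" -out "$1.aeskey"
  openssl enc -aes-256-cbc -d -pbkdf2 -pass file:"$1.aeskey" -in "$1.data" -out "$3"
  rm -f "$1.aeskey"
}
hybrid_roundtrip_ok() {
  hybrid_encrypt large.bin pub-key.pem msg
  hybrid_decrypt msg key.pem large.dec
  cmp -s large.bin large.dec
}

# Signing: hash the file with SHA-256 and sign the digest with the private
# key. This is what "encrypt with the private key" really means; it gives
# authenticity and integrity, not confidentiality (the file stays readable).
sign_file()   { openssl dgst -sha256 -sign key.pem -out "$1.sig" "$1"; }
verify_file() { openssl dgst -sha256 -verify pub-key.pem -signature "$1.sig" "$1" >/dev/null 2>&1; }

signature_verifies() { sign_file large.bin && verify_file large.bin; }

# Any change to the signed data (here one appended byte) must fail verification.
tamper_detected() {
  sign_file large.bin
  { cat large.bin; printf 'X'; } > tampered.bin
  cp large.bin.sig tampered.bin.sig
  ! verify_file tampered.bin
}

direct_size_limit_demonstrated && echo "RSA size limit: small file OK, 4 KiB refused"
hybrid_roundtrip_ok && echo "hybrid round trip OK"
signature_verifies && echo "signature verifies"
tamper_detected && echo "tampering detected"
```

The wrapped key (msg.wrappedkey) and the encrypted data (msg.data) are what you would ship to the recipient; the signature is detached, so message and .sig file travel together.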
Encrypt an unencrypted private key
openssl rsa -in key.pem -ALG -out enc-key.pem
You must replace ALG with a cipher that the rsa command accepts, such as aes256 (so the option becomes -aes256); the above command will ask you for a passphrase. To see the list of ciphers, run openssl enc -ciphers. Releases before OpenSSL 3.0 write the legacy "Proc-Type: 4,ENCRYPTED" PEM format, whose key derivation is a single MD5 round over the passphrase; for a stronger and more portable result use PKCS#8 with PBKDF2 instead: openssl pkcs8 -topk8 -v2 aes-256-cbc -in key.pem -out enc-key.pem.
Create a private key + certificate
openssl req -new -x509 -keyout cakey.pem -out cacert.pem
This generates a new key and a self-signed certificate in one step, which is how the root of your own CA is created. It prompts for a passphrase for the key and for the subject fields; add -days N (the default validity is only 30 days) and -newkey rsa:2048 to choose the key size explicitly.
Read the information entered in a certificate request
openssl req -text -in usercert-req.pem -noout
The req command reads a certificate signing request (CSR), not an issued certificate. The CSR is what the user submits to the CA; to inspect a certificate use openssl x509 -text -in usercert.pem -noout instead.
Sign user certificate with the trust entity
openssl ca -in usercert-req.pem -out usercert.pem
This command requires the CA to have been configured beforehand in openssl.cnf (the [ ca ] section: CA certificate and key, the index.txt database, the serial number file and the output directories); without that configuration it fails. The request usercert-req.pem is created by the user with openssl req -new -key userkey.pem -out usercert-req.pem.
Convert PEM certificate to P12 (installable format in browser)
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem > usercert.p12
The PKCS#12 bundle contains both the certificate and its private key, protected by the export password the command asks for; add -certfile cacert.pem so that the browser also receives the CA chain, and treat the .p12 file as sensitively as the key itself.
Verify if a certificate matches a private key
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
If the output of the two commands is the same, then the public key in the certificate belongs to that private key. The hash is only a fingerprint that makes the long modulus easy to compare by eye (openssl sha256 works just as well). The same check works on a request with openssl req -noout -modulus -in usercert-req.pem.
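The PKI recipes above, from the self-signed CA to the browser bundle, as one script. This is an added example, not from the original article, and it makes a few substitutions so that it runs unattended: openssl x509 -req -CA signs the request instead of openssl ca (so no openssl.cnf CA section is needed), -subj and -nodes replace the interactive prompts, the modulus fingerprints use sha256 rather than md5, and the PKCS#12 export password is supplied with -passout. All names (Demo Root CA, alice, the file names) are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): a throw-away CA, a user CSR
# signed by it, chain validation, the key/cert match check and a PKCS#12
# export. `openssl x509 -req -CA` stands in for `openssl ca` so that the demo
# needs no CA configuration. All names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# 1. CA: private key + self-signed certificate in one step. -nodes leaves the
#    CA key unencrypted (acceptable for a demo only); -subj avoids the prompts.
openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Root CA" -keyout cakey.pem -out cacert.pem 2>/dev/null

# 2. User: key + certificate signing request (CSR).
openssl genrsa -out userkey.pem 2048 2>/dev/null
openssl req -new -key userkey.pem -subj "/CN=alice" -out usercert-req.pem

# 3. CA signs the CSR. -CAcreateserial creates cacert.srl to track serials.
openssl x509 -req -in usercert-req.pem -CA cacert.pem -CAkey cakey.pem \
  -CAcreateserial -days 90 -out usercert.pem 2>/dev/null

# Readable view of what the CSR asked for and who issued the certificate.
csr_subject() { openssl req -noout -subject -in usercert-req.pem; }
cert_issuer() { openssl x509 -noout -issuer -in usercert.pem; }

# Chain validation: the user certificate must verify against our CA and must
# NOT verify against an unrelated CA.
chain_valid() { openssl verify -CAfile cacert.pem usercert.pem >/dev/null 2>&1; }
chain_rejects_wrong_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout otherkey.pem -out othercert.pem 2>/dev/null
  ! openssl verify -CAfile othercert.pem usercert.pem >/dev/null 2>&1
}

# Key/cert match: compare fingerprints of the RSA modulus. sha256 is used
# instead of md5; any hash works here since it only has to tell moduli apart.
modulus_of() { openssl "$1" -noout -modulus -in "$2" | openssl sha256; }
key_matches_cert() {
  [ "$(modulus_of x509 usercert.pem)" = "$(modulus_of rsa userkey.pem)" ]
}
ca_key_does_not_match_user_cert() {
  [ "$(modulus_of x509 usercert.pem)" != "$(modulus_of rsa cakey.pem)" ]
}

# PKCS#12 bundle for browser import with the CA certificate included; the
# export password is set non-interactively and the file is read back to
# prove the bundle is intact and the password is right.
p12_roundtrip_ok() {
  openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -certfile cacert.pem \
    -passout pass:demo-export -out usercert.p12
  openssl pkcs12 -in usercert.p12 -passin pass:demo-export -noout
}

csr_subject; cert_issuer
chain_valid && echo "chain OK"
chain_rejects_wrong_ca && echo "wrong CA rejected"
key_matches_cert && echo "user key matches user cert"
ca_key_does_not_match_user_cert && echo "CA key does not match user cert"
p12_roundtrip_ok && echo "PKCS#12 export readable"
```

For a real CA you would keep cakey.pem encrypted and offline, give the CA certificate proper basicConstraints and keyUsage extensions, and use openssl ca so that issued certificates are recorded in the database.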
Remove the passphrase from an encrypted private key
openssl rsa -in key.pem -out dec.pem
The command asks for the passphrase of key.pem and writes the same key out unencrypted. Do this only where an unattended service needs the key, restrict dec.pem to the service user (chmod 600), and if it must be scripted prefer -passin file:FILE over putting the passphrase on the command line.
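The two private-key recipes (encrypting a key and stripping the passphrase again) as one script. This is an added example and not from the original article: it encrypts with PKCS#8/PBKDF2 via openssl pkcs8 instead of openssl rsa -aes256, supplies the passphrase from files with -passout/-passin so that nothing is typed or exposed in the process list, and checks that the stripped key is the same key and that a wrong passphrase is refused. File names and passphrases are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): protect a private key with
# a passphrase using PKCS#8 PBES2 (PBKDF2 + AES-256-CBC), prove that a wrong
# passphrase is refused, and strip the passphrase again. Names constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
umask 077   # key material and passphrase files are created mode 0600

openssl genrsa -out key.pem 2048 2>/dev/null
printf 'k3y-passphrase' > pass.txt
printf 'not-the-passphrase' > wrong.txt

# Encrypt: -topk8 -v2 selects PBES2 with the given cipher and -iter sets the
# PBKDF2 work factor. The passphrase comes from a file, not the command line.
encrypt_key() {
  openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 200000 -in key.pem \
    -passout file:pass.txt -out enc-key.pem
}
encrypted_pem_header_ok() {
  encrypt_key
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' enc-key.pem
}

# "Extract" the key: the article's `openssl rsa -in key.pem -out dec.pem`,
# with the passphrase supplied non-interactively.
strip_passphrase() {
  openssl rsa -in enc-key.pem -passin file:pass.txt -out dec.pem 2>/dev/null
}

# Public key derived from a private key; identical output means the same key.
pubkey_of() { openssl rsa -in "$1" -passin file:pass.txt -pubout 2>/dev/null; }

# Encrypt then strip must give back the same key pair.
roundtrip_same_key() {
  encrypt_key; strip_passphrase
  [ "$(pubkey_of key.pem)" = "$(pubkey_of dec.pem)" ]
}

# The stripped file must really be unencrypted.
stripped_is_plain() {
  encrypt_key; strip_passphrase
  ! grep -q ENCRYPTED dec.pem
}

# A wrong passphrase must fail instead of producing a key.
wrong_passphrase_rejected() {
  encrypt_key
  ! openssl rsa -in enc-key.pem -passin file:wrong.txt -out /dev/null 2>/dev/null
}

encrypted_pem_header_ok && echo "key encrypted (PKCS#8)"
roundtrip_same_key && echo "stripped key is the same key"
stripped_is_plain && echo "stripped key is unencrypted"
wrong_passphrase_rejected && echo "wrong passphrase rejected"
```

The encrypted form is what belongs in backups and version-controlled secret stores; dec.pem should exist only on the host that needs it, with permissions limited to the service that uses it.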