|
| 1 | +--- |
| 2 | +title: OpenSSL quick cheatsheet |
| 3 | +date: 2025-03-16 |
| 4 | +tags: ["Security", "PKI"] |
| 5 | +author: "Kapil Agrawal" |
| 6 | +comments: false |
| 7 | +--- |
| 8 | + |
| 9 | +Every now and then I come across a situation where I need to work with PKI, X.509 certs etc. specially after transtioning into a more security focused role. I wanted to document some super handy OpenSSL one liners which I often rely on. |
| 10 | + |
| 11 | +### Generate (unencrypted) private key |
| 12 | + |
| 13 | +``` |
| 14 | +❯ openssl genpkey -algorithm rsa -out priv.key |
| 15 | +``` |
| 16 | + |
| 17 | +### Generate (Encrypted) private key |
| 18 | + |
| 19 | +``` |
| 20 | +# Let's review all supported cipher options first |
| 21 | +❯ openssl list -cipher-algorithms |
| 22 | +
|
| 23 | +❯ openssl genpkey -algorithm rsa -out priv.key -AES128 |
| 24 | +.+......+..+...............+......+......+.........+..........+..............+.+.................+............+...+...+....+..+.+........+..........+......+......+........+......+.........+..........+..............+.......+...+...+...+......+.....+..........+........+...+...+............+....+.........++++++ |
| 25 | +Enter PEM pass phrase: |
| 26 | +Verifying - Enter PEM pass phrase: |
| 27 | +``` |
| 28 | + |
| 29 | +### Extract public key from a private key |
| 30 | + |
| 31 | +``` |
| 32 | +❯ openssl pkey -in priv.key -pubout -out pub.key |
| 33 | +Enter pass phrase for priv.key: |
| 34 | +``` |
| 35 | + |
| 36 | +We now have our key pairs in PEM format |
| 37 | + |
| 38 | +### Using generated keys for SSH |
| 39 | + |
| 40 | +``` |
| 41 | +# add key to ssh-agent |
| 42 | +❯ ssh-add priv.key |
| 43 | +
|
| 44 | +# show ssh public key in PKCS8 format |
| 45 | +❯ ssh-keygen -f pub.key -i -mPKCS8 |
| 46 | +OR |
| 47 | +❯ ssh-add -L |
| 48 | +``` |
| 49 | + |
| 50 | +### Decoding keys with OpenSSL |
| 51 | + |
| 52 | +``` |
| 53 | +# keys must be in PEM format |
| 54 | +❯ openssl pkey -in priv.key -noout -text |
| 55 | +
|
| 56 | +# decode a public key (RSA) |
| 57 | +❯ openssl rsa -RSAPublicKey_in -in pub.key -noout -text |
| 58 | +``` |
| 59 | + |
| 60 | +### Create a new CSR |
| 61 | + |
| 62 | +``` |
| 63 | +# use a pre-existing private key |
| 64 | +❯ openssl req -new -key priv.key -out csr.pem |
| 65 | +
|
| 66 | +# Generates a fresh new private key for CSR |
| 67 | +❯ openssl req -new -out csr.pem |
| 68 | +
|
| 69 | +# decode a CSR |
| 70 | +❯ openssl req -in csr.pem -noout -text |
| 71 | +``` |
| 72 | + |
| 73 | +### Create a x509 cert |
| 74 | + |
| 75 | +``` |
| 76 | +# Only using a private key |
| 77 | +❯ openssl req -x509 -key priv.key -out cert.pem |
| 78 | +
|
| 79 | +# Using a CSR & private key |
| 80 | +❯ openssl x509 -req -in csr.pem -key priv.key -out cert.pem |
| 81 | +
|
| 82 | +# Decoding a certificate |
| 83 | +❯ openssl x509 -in cert.pem -noout -text |
| 84 | +``` |
| 85 | + |
| 86 | +### Encrypting & Decrypting files |
| 87 | + |
| 88 | +``` |
| 89 | +# encrypt with public key |
| 90 | +❯ openssl pkeyutl -encrypt -in file.txt -out encrypted.txt -pubin -inkey pub.key |
| 91 | +
|
| 92 | +# decrypt using private key |
| 93 | +❯ openssl pkeyutl -decrypt -in encrypted.txt -out decrypted.txt -inkey priv.key |
| 94 | +
|
| 95 | +# Verify file integrity |
| 96 | +❯ shasum file.txt |
| 97 | +❯ shasum decrypted.txt |
| 98 | +``` |
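Review bot: the public-key decode in the "Decoding keys with OpenSSL" block does not match the key produced earlier in the same file. `openssl pkey -in priv.key -pubout -out pub.key` writes a SubjectPublicKeyInfo PEM (`-----BEGIN PUBLIC KEY-----`), whereas `openssl rsa -RSAPublicKey_in -in pub.key -noout -text` expects the PKCS#1 `-----BEGIN RSA PUBLIC KEY-----` form and will fail to load it; for the key as generated use `openssl rsa -pubin -in pub.key -noout -text` (or `openssl pkey -pubin -in pub.key -noout -text`). Two smaller points in the same hunk: the `genpkey -algorithm rsa` lines rely on OpenSSL's default RSA size (2048 bits in current releases), so spelling out `-pkeyopt rsa_keygen_bits:3072` or similar would keep the cheatsheet from silently changing key strength across versions; and in "Encrypting & Decrypting files", `pkeyutl -encrypt` with an RSA key only accepts inputs shorter than the modulus minus padding overhead (roughly 245 bytes for a 2048-bit key with the default PKCS#1 v1.5 padding), so the comment should say the input must be small (in practice it is a symmetric key that gets RSA-encrypted, not the file) and both the encrypt and decrypt commands should carry `-pkeyopt rsa_padding_mode:oaep`. Finally, the comment on `ssh-keygen -f pub.key -i -mPKCS8` reads "show ssh public key in PKCS8 format", but `-i` imports the PKCS8 key and prints it in OpenSSH format; the comment should describe the conversion in that direction.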