
OpenSSL

January 9, 2025
September 29, 2015

OpenSSL is a toolkit for TLS and SSL.
OpenSSL - Wikiwand
ossl-guide-introduction - OpenSSL Documentation

Symmetric Key Decryption Methods (AES, ARIA, Blowfish, Camellia, ChaCha20, Cast, DES, 3DES, IDEA, RC2 and RC4) CLI command generator
The Most Common OpenSSL Commands
Some list of openssl commands for check and verify your keys
OpenSSL command cheatsheet
OpenSSL Quick Reference Guide

jbp.io :: TLS performance: rustls versus OpenSSL

key/cert types

X.509 - Wikiwand
RFC 2585 - Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
PEM, DER, CRT, and CER: X.509 Encodings and Conversions - SSL.com

PKCS - Wikiwand
What are Public-Key Cryptography Standards (PKCS)?
Guide to Public Key Cryptography Standards in Cyber Security | RSI Security

key: no metadata, just the numbers (for RSA, the primes and the modulus)
cert: the public key plus metadata (subject, issuer, validity, signature)

X.509 is the PKI standard and defines the actual certificate structure
DER, PEM, PKCS#7, PKCS#8, PKCS#12 are encoding and container standards

PEM (Privacy Enhanced Mail) base64 DER, with text headers and footers
File extensions: .pem, .key, .csr, .crt
DER (Distinguished Encoding Rules), binary without text headers and footers
File extensions: .der, .cer
PKCS (Public-Key Cryptography Standards)
File extensions: .p7b (PKCS#7), .pfx, .p12 (PKCS#12 binary), .csr (PKCS#10 base64)

openssl x509 -in cert.pem -text -noout to view cert
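To make the two notes above concrete ("a key is just numbers", "PEM is base64 DER with headers"), here is an added example, not from the page or from OpenSSL itself: a minimal DER encoder and decoder for the PKCS#1 RSAPublicKey structure (a SEQUENCE of two INTEGERs, modulus n and exponent e), plus the PEM wrapping. The key values are constructed toy numbers, not a real key, and the parser rejects trailing bytes and truncated elements rather than silently accepting them.

```python
import base64
import textwrap

# Added example: minimal DER/PEM handling for the PKCS#1 RSAPublicKey
# structure  SEQUENCE { INTEGER n, INTEGER e }.  It shows that a "key"
# file carries only numbers and that PEM is base64(DER) between text
# headers.  Toy values only; this is not a key generator.

SEQUENCE = 0x30
INTEGER = 0x02


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER of a non-negative int (two's complement, minimal bytes)."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the sign bit clear for a positive number
        body = b"\x00" + body
    return bytes([INTEGER]) + der_length(len(body)) + body


def der_sequence(*elements):
    body = b"".join(elements)
    return bytes([SEQUENCE]) + der_length(len(body)) + body


def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_sequence(der_integer(n), der_integer(e))


def to_pem(der, label):
    """PEM = base64(DER) in 64-character lines between BEGIN/END headers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(b64, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def from_pem(pem, label):
    """Strip the headers and decode the base64 body back to DER bytes."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    start = pem.index(begin) + len(begin)
    stop = pem.index(end, start)
    return base64.b64decode("".join(pem[start:stop].split()))


def read_tlv(data, pos=0):
    """Read one tag-length-value element; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_public_key(der):
    """Return (n, e) from a PKCS#1 RSAPublicKey DER blob, rejecting trailing bytes."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(body)
    tag_e, e_bytes, pos = read_tlv(body, pos)
    if tag_n != INTEGER or tag_e != INTEGER or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


if __name__ == "__main__":
    # Constructed toy values (not a real key); the wide modulus exercises the long-length form.
    n, e = (1 << 1023) | 0x1234567, 65537
    pem = to_pem(rsa_public_key_der(n, e), "RSA PUBLIC KEY")
    print(pem)
    print(parse_rsa_public_key(from_pem(pem, "RSA PUBLIC KEY")) == (n, e))
```

The "RSA PUBLIC KEY" label is the PKCS#1 form that `openssl rsa -RSAPublicKey_in` reads. The "PUBLIC KEY" form that `openssl rsa -pubout` writes is SubjectPublicKeyInfo, which wraps this same SEQUENCE inside an AlgorithmIdentifier and a BIT STRING, so it needs `-pubin` instead; the extra layer is why the two flags are not interchangeable.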

cert generation

🔐 HTTPS certificate generation explained! Now setup HTTPS for local development environment (without sudo) | Blog
How to create a .pfx/.p12 certificate file using OpenSSL – SSL Information and FAQ
HOWTO: Generate a CSR for OpenSSL – (see tools.ssl.com) – SSL Information and FAQ
ssl - How to create a self-signed certificate with openssl? - Stack Overflow
OpenSSL CSR Tool - Create Your CSR Faster | DigiCert.com

How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 16.04 | DigitalOcean

Manage sensitive data with Docker secrets | Docker Documentation

Five Tips for Using Self Signed SSL Certificates with iOS | HttpWatch Blog (also on own CA)

auth.cert

# private key and self-signed cert in one step (the CSR is generated internally)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt

openssl genrsa -out privatekey.pem 2048 # key only
openssl req -new -key privatekey.pem -out CSR.csr # CSR only
# private key and CSR
openssl req -nodes -new -newkey rsa:2048 -keyout privatekey.key -out CSR.csr
# then self-sign the X.509 certificate (.crt) from the CSR with the same private key
openssl x509 -req -days 365 -in CSR.csr -signkey privatekey.key -out selfsigned.crt

openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:2048 # private key only
openssl rsa -pubout -in privatekey.pem -out publickey.pem

openssl genrsa -out rsa_1024_priv.pem 1024
openssl rsa -pubout -in rsa_1024_priv.pem -out rsa_1024_pub.pem

query cert

How to examine the metadata of an SSL (HTTPS/TLS) cert
SSL Certificate Tools

# X.509
openssl x509 -text -noout -in certificate.pem
openssl x509 -text -noout -in certificate.cert

# CSR (PKCS#10)
openssl req -text -noout -in certificate.csr

# PKCS#12 (.pfx or .p12)
openssl pkcs12 -info -in key.p12

# read RSA private key
openssl rsa -in private.key -text -noout
# read RSA public key in PKCS#1 form ("BEGIN RSA PUBLIC KEY"); for the
# SubjectPublicKeyInfo form that -pubout writes ("BEGIN PUBLIC KEY") use -pubin instead
openssl rsa -RSAPublicKey_in -in public.key -text -noout

conversion

SSL Converter - Convert SSL Certificates to different formats
Converting OpenSSH public keys - Odd Bits

# DER (.crt .cer .der) -> PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
# PEM -> DER
openssl x509 -outform der -in certificate.pem -out certificate.der
# PKCS#12 -> PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
# add -nocerts to output only the private key, or -nokeys to output only the certificates
# PEM -> PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

troubleshooting

sudo su
sudo tcpdump -vvv -s 0 -nni <interface> -w <file> host <host> and port <port> &
openssl s_client -connect <host>:<port> -state -msg

# e.g.
sudo su
sudo tcpdump -vvv -s 0 -nni eno1 -w internal.cap host 10.6.64.170 and port 443 &
openssl s_client -connect 10.6.64.170:443 -state -msg

SOL15475 - Troubleshooting SSL/TLS renegotiation
SOL15292 - Troubleshooting SSL/TLS handshake failures
SOL10209 - Overview of packet tracing with the ssldump utility


Alternate Implementations

LibreSSL

fork of OpenSSL by OpenBSD

LibreSSL
LibreSSL - Wikiwand

Tink

Google originally forked OpenSSL as BoringSSL

Tink  |  Google for Developers
Goodbye OpenSSL, and Hello To Google Tink | by Prof Bill Buchanan OBE FRSE | ASecuritySite: When Bob Met Alice | Medium

Tink Cryptography Library

wolfSSL

wolfSSL – Embedded SSL/TLS Library
WolfSSL - Wikiwand
wolfSSL/wolfssl: The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3! GPL

CFSSL

Introducing CFSSL - CloudFlare's PKI toolkit

cloudflare/cfssl: CFSSL: Cloudflare's PKI and TLS toolkit
kubernetes-the-hard-way/02-client-tools.md at master · kelseyhightower/kubernetes-the-hard-way

myca.json:

{
  "CN": "k3s",
  "hosts": ["k3s"],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "SG",
      "ST": "SG",
      "L": "Singapore"
    }
  ]
}
cfssl gencert -initca myca.json | cfssljson -bare myca

serverRequest.json:

{
   "CN": "registry",
   "hosts": [ "ubuntu" ],
   "key": {
      "algo": "rsa",
      "size": 2048
   }
}
cfssl gencert -ca=myca.pem -ca-key=myca-key.pem -config=ca-config.json -profile=server -hostname=ubuntu serverRequest.json | cfssljson -bare registry