Cryptography: openssl scenarios

I want to summarize some examples of using openssl as a tool to manage certificates. If you are interested in a good introduction to cryptography, you can check this link: gpgtools.

Let’s start with some basic uses:

Create our own Certificate Authority (CA)

$ openssl genrsa -des3 -out root-ca.key 2048
$ openssl req -new -x509 -days 3650 -subj "/C=ES/ST=Zaragoza/O=Home/CN=localhost.local" -key root-ca.key -out root-ca.crt

Check a CA certificate

 $ openssl x509 -noout -text -in root-ca.crt

Custom CA certificate

You may want to change the /etc/ssl/openssl.conf file to point to the new CA certificate:

 [ ca ]
 default_ca      = CA_custom

 [ CA_custom ]
 ...
 certificate     = $dir/root-ca.crt         # The CA certificate
 private_key     = $dir/private/root-ca.key # The private key

Self-signed certificate

Create a self-signed certificate with a single command; remember that if you are creating a server certificate, the Common Name has to match the server's FQDN.

 # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server-selfsigned.key -out /etc/ssl/certs/server-selfsigned.crt

Generate a private key

– Generate a private key, encrypted with the AES-128 algorithm; this key is not signed by anybody:

 $ openssl genrsa -aes128 2048 > foo.key

Create Certificate Signing Request (CSR)

Creating a Certificate Signing Request (CSR) from a private key:

 $ openssl req -new -key foo.key -out foo_key.csr

Review CSR content

 $ openssl req -in foo_key.csr -noout -text

Signing a CSR

To sign our CSR with our CA:

 $ openssl ca -in foo_key.csr -out foo.crt
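As an added example (not part of the original post), the CA creation, CSR and signing steps from the sections above in one script. It uses openssl x509 -req instead of openssl ca, so no CA directory or index.txt is needed, and it finishes with the check the post does not show: openssl verify against the CA and against the expected hostname. The hostname www.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: mini CA, CSR, signing, verify.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to demo" >&2; exit 0; }

WORK=$(mktemp -d)            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test        # constructed hostname for the server certificate

# 1. CA: unencrypted key (-nodes, acceptable for a throwaway lab CA) and a
#    self-signed root certificate in one step.
make_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj "/C=ES/ST=Zaragoza/O=Home/CN=Home Root CA" \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.crt" 2>/dev/null
}

# 2. Server key and CSR; the CN is the FQDN, as the post recommends.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/C=ES/O=Home/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. Sign the CSR with the CA, adding a subjectAltName: modern clients match
#    the hostname against the SAN and ignore the CN.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/root-ca.crt" -CAkey "$WORK/root-ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

build_chain() { make_ca && make_csr && sign_csr; }

# Chain and hostname check: exit 0 only if server.crt chains to the CA
# AND the given name matches its SAN.
verify_for_host() {
  openssl verify -CAfile "$WORK/root-ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

build_chain
verify_for_host "$HOST" && echo "chain and hostname OK for $HOST"
verify_for_host other.example.test || echo "rejected for other.example.test (expected)"
```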

Get server certificates

To get the certificates from a server (one file per chain level), this command could be useful (found here):

 $ openssl s_client -showcerts -connect shipit.ubuntu.com:443 </dev/null 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/{inc=1; c++} inc {print > ("level" c ".crt")} /-----END CERTIFICATE-----/{inc=0}'

Check information about certificates

Viewing information about downloaded certificates:

 $ for i in level?.crt; do openssl x509 -noout -serial -subject -issuer -in "$i"; echo; done

Create a Diffie-Hellman group

Let’s create a strong Diffie-Hellman group, to negotiate Perfect Forward Secrecy with clients:

 # openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Nginx webserver: install a certificate

– Install the server certificate in Nginx using the following configuration file, /etc/nginx/snippets/selfsigned.conf:

 ssl_certificate /etc/ssl/certs/server-selfsigned.crt;
 ssl_certificate_key /etc/ssl/private/server-selfsigned.key;
 ssl_dhparam /etc/ssl/certs/dhparam.pem;

Customizing Nginx configuration

To set up more secure (strong encryption) settings, check the following link. Also take a look at this link about HSTS:

 /etc/nginx/sites-available/default
 ...
 server {
     # SSL configuration
     listen 443 ssl http2 default_server;
     listen [::]:443 ssl http2 default_server;
     include snippets/self-signed.conf;
     ...
 }

# nginx -t
# systemctl restart nginx

Webserver Apache2: Configuring a certificate

The SSL settings for the server certificate in Apache2 are located in this file:

 /etc/apache2/sites-available/default-ssl.conf
 SSLEngine on
 SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-selfsigned.crt
 SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-selfsigned.key
 SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Customizing Apache2 SSL settings

To enforce stronger encryption settings in Apache2, check this link.

Export PKCS12 format from PEM

Exporting a PKCS12 bundle from PEM format, in case you need it (the PEM input has to contain the private key and the signed certificate foo.crt, not the CSR):

 $ cat foo.key foo.crt > foo.pem
 $ openssl pkcs12 -export -in foo.pem -out foo.p12 -name foo

Export certificate to DER format from PEM

Exporting certificate in DER format:

 $ openssl x509 -in foo.pem -outform DER -out foo.der

Create a simple OCSP server

To start a simple OCSP server, check the link for more information, but we could use this (index.txt is the CA database maintained by openssl ca; -CA and -rsigner take the CA certificate, -rkey its private key):

 $ openssl ocsp -index index.txt -CA root-ca.crt -rsigner root-ca.crt -rkey root-ca.key -port 3456
 Waiting for OCSP client connections...

Let’s Hash

Calculating message digests with a SHA algorithm:

 $ openssl dgst -sha1 foo
 SHA1(foo)= 9f43d756fa00e241dd614728f5e13461bfc8dde1

Encode text using base64

 $ openssl base64 -in foo
 bGFsYWxhbAo=

I hope you find this collection of use cases useful when working with a tool as great as openssl.


“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
— Sun Tzu, (Art of War)
