OpenSSL commands cheat sheet

If you are a Mule developer, OpenSSL is one of the tools you MUST know how to use. Here is the list of commands, with their mandatory and optional arguments, that I use most to secure my apps.

1. openssl genpkey

  • Description: Generates a private key.
  • Mandatory:
    • -algorithm <name>: Specifies the algorithm (e.g., RSA, DSA, EC).
    • -out <file>: Specifies the output file for the private key.
  • Optional:
    • -aes256: Encrypts the private key with AES-256.
    • -pkeyopt <opt>: Passes options to the key generation algorithm.
  • Example:
openssl genpkey -algorithm RSA -out private.key -aes256

2. openssl genrsa

  • Description: Generates an RSA private key.
  • Mandatory:
    • <bits>: Specifies the key size in bits (e.g., 2048, 4096).
  • Optional:
    • -out <file>: Specifies the output file for the private key.
    • -aes256: Encrypts the private key with AES-256.
    • -des3: Encrypts the private key with triple DES.
  • Example:
openssl genrsa -out private.key 2048

3. openssl req

  • Description: Creates and processes certificate signing requests (CSRs).
  • Mandatory:
    • -new: Generates a new CSR.
    • -key <file>: Specifies the private key file to use.
  • Optional:
    • -out <file>: Specifies the output file for the CSR.
    • -x509: Generates a self-signed certificate instead of a CSR.
    • -days <n>: Specifies the number of days the certificate is valid (used with -x509).
    • -subj <name>: Sets the subject name for the request.
  • Example:
openssl req -new -key private.key -out request.csr

4. openssl x509

  • Description: Manages X.509 certificates.
  • Mandatory:
    • -req: Indicates input is a CSR (if creating a certificate from a CSR).
    • -in <file>: Specifies the input file.
  • Optional:
    • -out <file>: Specifies the output file.
    • -signkey <file>: Signs the certificate with the specified key.
    • -days <n>: Specifies the number of days the certificate is valid.
    • -text: Displays the certificate in text format.
    • -noout: Suppresses the output of the encoded version of the certificate.
  • Example:
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt

5. openssl pkcs12

  • Description: PKCS#12 file utility.
  • Mandatory:
    • -export: Exports to a PKCS#12 file.
    • -out <file>: Specifies the output PKCS#12 file.
  • Optional:
    • -in <file>: Specifies the input certificate file.
    • -inkey <file>: Specifies the private key file.
    • -name <name>: Specifies a friendly name for the certificate and key.
  • Example:
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt

6. openssl enc

  • Description: Encrypts and decrypts files.
  • Mandatory:
    • -aes-256-cbc: Specifies the cipher algorithm to use.
  • Optional:
    • -in <file>: Specifies the input file.
    • -out <file>: Specifies the output file.
    • -d: Decrypts the input file.
  • Example:
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.txt

7. openssl rand

  • Description: Generates random numbers.
  • Mandatory:
    • <num>: Specifies the number of bytes to generate.
  • Optional:
    • -base64: Encodes the output in base64.
    • -hex: Encodes the output in hexadecimal.
  • Example:
openssl rand -base64 12
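Sections 6 and 7 combined into a scripted encrypt/decrypt round trip, as an added example that is not part of the original post. It uses -pbkdf2 on top of the page's bare `openssl enc` form because that form derives the key with a single hash pass and OpenSSL 1.1.1+ warns about it; the function names, file names and the sample properties line are assumptions, and OpenSSL 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: sections 6 and 7 combined into
# an encrypt/decrypt round trip. -pbkdf2 is used because the page's bare
# `openssl enc` form derives the key with one hash pass (OpenSSL 1.1.1+ warns
# "deprecated key derivation used"). Assumes OpenSSL 1.1.1+ on PATH.

# new_passphrase -> prints a random 32-byte passphrase as 64 hex characters.
new_passphrase() { openssl rand -hex 32; }

# encrypt_file IN OUT PASS: AES-256-CBC, random salt, PBKDF2-derived key.
# -pass pass:... avoids the interactive prompt; -iter implies -pbkdf2.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
    -in "$1" -out "$2" -pass "pass:$3"
}

# decrypt_file IN OUT PASS: same cipher and KDF parameters plus -d. A wrong
# passphrase almost always fails the padding check and returns non-zero.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
    -in "$1" -out "$2" -pass "pass:$3" 2>/dev/null
}

# roundtrip_ok PLAIN PASS -> 0 if encrypt then decrypt reproduces PLAIN.
roundtrip_ok() {
  work=$(mktemp -d)
  if encrypt_file "$1" "$work/c.bin" "$2" &&
     decrypt_file "$work/c.bin" "$work/p.txt" "$2" &&
     cmp -s "$1" "$work/p.txt"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

if [ "${1:-}" = "demo" ]; then
  pw=$(new_passphrase)
  printf 'db.password=s3cr3t\n' > ./secure.properties   # constructed sample
  roundtrip_ok ./secure.properties "$pw" && echo "round trip ok"
  encrypt_file ./secure.properties ./secure.properties.enc "$pw"
  echo "passphrase (keep it outside the repo): $pw"
fi
```

Run it as `sh enc-roundtrip.sh demo`; the same -pbkdf2 and -iter values must be given on both the encrypt and decrypt side or the derived key will differ.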

8. openssl s_client

  • Description: Tests SSL/TLS client connections.
  • Mandatory:
    • -connect <host:port>: Specifies the host and port to connect to.
  • Optional:
    • -showcerts: Displays the server certificate chain.
    • -servername <name>: Sets the SNI (Server Name Indication) hostname.
  • Example:
openssl s_client -connect anypoint.mulesoft.com:443

9. openssl ciphers

  • Description: Lists available SSL/TLS ciphers.
  • Optional:
    • -v: Displays verbose output.
    • -tls1_2: Lists only TLSv1.2 ciphers.
    • <cipher>: Lists a specific cipher.
  • Example:
openssl ciphers -v

10. openssl x509 -noout -text

  • Description: Displays detailed information about a certificate.
  • Mandatory:
    • -in <file>: Specifies the input certificate file.
  • Optional:
    • -text: Displays the certificate details in text format.
    • -noout: Suppresses the output of the encoded version of the certificate.
  • Example:
openssl x509 -in certificate.crt -text -noout
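The key, CSR, self-signed certificate and PKCS#12 steps from sections 1 to 5, run without prompts and then inspected the section 10 way, as an added example that is not part of the original post. The function names, the app.* file names, the CN and the export password are assumptions, and OpenSSL 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: sections 1-5 and 10 run end to
# end without prompts, then checked. Assumes OpenSSL 1.1.1+ on PATH.
set -eu

# make_selfsigned_bundle DIR CN DAYS PASS -> DIR/app.{key,csr,crt,pfx}
make_selfsigned_bundle() {
  dir=$1; cn=$2; days=$3; pass=$4
  mkdir -p "$dir"
  # 1. genpkey: -pkeyopt sets the RSA size; key left unencrypted so the
  #    later steps need no passphrase prompt (protect it with file perms).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/app.key" 2>/dev/null
  chmod 600 "$dir/app.key"
  # 3. req: -subj replaces the interactive DN questionnaire.
  openssl req -new -key "$dir/app.key" -subj "/CN=$cn/O=Example" \
    -out "$dir/app.csr"
  # 4. x509 -req: self-sign the CSR with the same key for DAYS days.
  openssl x509 -req -days "$days" -in "$dir/app.csr" \
    -signkey "$dir/app.key" -out "$dir/app.crt" 2>/dev/null
  # 5. pkcs12 -export: bundle key + cert; -passout supplies the export
  #    password so no prompt is needed (use a real secret outside demos).
  openssl pkcs12 -export -name "$cn" -inkey "$dir/app.key" -in "$dir/app.crt" \
    -passout "pass:$pass" -out "$dir/app.pfx"
}

# cert_cn FILE -> prints the subject CN (section 10 style inspection).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 |
    sed -n 's/^ *CN=//p'
}

# cert_valid_for FILE SECONDS -> 0 if still valid SECONDS from now, else 1.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# pfx_readable FILE PASS -> 0 if the keystore opens with PASS (MAC verifies).
pfx_readable() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  make_selfsigned_bundle ./out my-mule-app 365 changeit
  echo "CN: $(cert_cn ./out/app.crt)"
  cert_valid_for ./out/app.crt 86400 && echo "valid for at least one day"
  pfx_readable ./out/app.pfx changeit && echo "keystore opens"
fi
```

The same cert_valid_for check works on a live endpoint's certificate once you save it with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -out server.crt`, which is a quick way to catch an expiring certificate before it breaks an integration.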

11. openssl ca

  • Description: Certificate Authority (CA) management.
  • Mandatory:
    • -in <file>: Specifies the input CSR file.
    • -out <file>: Specifies the output certificate file.
    • -cert <file>: Specifies the CA certificate file (may instead be set in the config file, as in the example below).
    • -keyfile <file>: Specifies the CA private key file (may instead be set in the config file, as in the example below).
  • Optional:
    • -config <file>: Specifies the configuration file.
    • -days <n>: Specifies the number of days the certificate is valid.
  • Example:
openssl ca -config openssl.cnf -in request.csr -out newcert.pem -days 365

12. openssl passwd

  • Description: Generates password hashes.
  • Optional:
    • -1: Uses the MD5-based BSD password algorithm.
    • -salt <salt>: Specifies the salt to use.
    • -stdin: Reads passwords from standard input.
  • Example:
echo -n "password" | openssl passwd -1 -salt xyz -stdin

For detailed usage and all possible options, you can always use the -help option with any command (e.g., openssl req -help). This will provide you with comprehensive information on all the options available for that specific command.
