OpenSSL - My Quick Guide


Creating keys, keystores, certificates... it's something you need to know as a Mule developer. One of the most useful tools (if not the most) for that is OpenSSL.

OpenSSL is a robust, full-featured open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It provides a comprehensive suite of cryptographic functions used to secure communications over computer networks. 

OpenSSL includes a powerful command-line utility for various cryptographic operations, such as creating and managing private keys, generating certificate signing requests (CSRs), converting between different certificate formats, and testing SSL/TLS connections.

Here's a quick guide to the operations I used as a developer for my Mule apps.

We’ll use the following names:

  • private.key: The private key.
  • request.csr: The certificate signing request.
  • certificate.crt: The self-signed certificate.
  • certificate.pfx: The PKCS#12 (PFX) file.

Check OpenSSL Version

openssl version

Generate a Private Key

First, generate a private key. You can choose different algorithms (RSA, EC, etc.). Here is an example using RSA:
openssl genpkey -algorithm RSA -out private.key -aes256
This command generates an RSA private key encrypted with AES-256. You will be prompted to enter a passphrase for the private key.

Create a Certificate Signing Request (CSR)

Next, create a CSR using the private key. The CSR will contain information about your organization and the public key:
openssl req -new -key private.key -out request.csr
You will be prompted to provide information like country, state, organization, and Common Name (CN).

Generate a Self-Signed Certificate

openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt
This creates a self-signed certificate valid for 365 days.

We can also generate a self-signed certificate with a single command, without generating the private key and CSR beforehand:
openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.crt -days 365
This command will:
  • Generate a new RSA private key with a size of 2048 bits (-newkey rsa:2048).
  • Output the private key to private.key (-keyout private.key).
  • Generate a self-signed certificate and output it to certificate.crt (-out certificate.crt).
  • Set the certificate validity period to 365 days (-days 365).

Display Certificate Details

openssl x509 -in certificate.crt -text -noout
This shows the details of the certificate.

Convert Certificates Between Formats

PEM to DER

openssl x509 -in certificate.crt -outform der -out certificate.der

DER to PEM

openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem

Generate a PKCS#12 (PFX) - Keystore File

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt
This command packages the private key and certificate into a PKCS#12 file.

Display the contents of a PFX file (keystore)

openssl pkcs12 -info -in certificate.pfx
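
The steps above, from key generation to the PFX keystore, as one non-interactive script (an added example, not part of the original guide). The subject, the KEY_PASS and PFX_PASS variables and the function names are assumptions; the script also checks that the certificate matches the private key and that the DER and PFX copies hold the same certificate.

```shell
#!/bin/sh
# Added example: the guide's key -> CSR -> certificate -> DER -> PFX steps,
# run without prompts and then cross-checked. All names and values below
# (subject, passphrases, function names) are constructed for illustration.
set -eu

# Passphrases are read from the environment (env:VAR), so they do not show
# up in the process list the way pass:... arguments would.
export KEY_PASS="${KEY_PASS:-constructed-key-passphrase}"
export PFX_PASS="${PFX_PASS:-constructed-pfx-passphrase}"

sha256_fp() {  # SHA-256 fingerprint of the PEM certificate on stdin
  openssl x509 -noout -fingerprint -sha256
}

build_keystore() (  # $1 = working directory; same file names as the guide
  cd "$1" &&
  openssl genpkey -algorithm RSA -aes256 -pass env:KEY_PASS -out private.key &&
  openssl req -new -key private.key -passin env:KEY_PASS \
    -subj "/C=ES/O=Example Org/CN=mule.example.test" -out request.csr &&
  openssl x509 -req -days 365 -in request.csr -signkey private.key \
    -passin env:KEY_PASS -out certificate.crt &&
  openssl x509 -in certificate.crt -outform der -out certificate.der &&
  openssl pkcs12 -export -out certificate.pfx -inkey private.key \
    -passin env:KEY_PASS -in certificate.crt -passout env:PFX_PASS
)

verify_keystore() (  # exit 0 only if key, certificate, DER copy and PFX agree
  cd "$1" || exit 1
  # The certificate must carry the public half of private.key.
  key_pub=$(openssl pkey -in private.key -passin env:KEY_PASS -pubout) || exit 1
  crt_pub=$(openssl x509 -in certificate.crt -pubkey -noout) || exit 1
  # PEM, DER and the PFX entry must all be the same certificate.
  pem_fp=$(sha256_fp < certificate.crt) || exit 1
  der_fp=$(openssl x509 -in certificate.der -inform der | sha256_fp) || exit 1
  # -nokeys reads the keystore's certificate without writing the key out.
  pfx_fp=$(openssl pkcs12 -in certificate.pfx -passin env:PFX_PASS -nokeys |
    sha256_fp) || exit 1
  [ "$key_pub" = "$crt_pub" ] && [ "$pem_fp" = "$der_fp" ] &&
    [ "$pem_fp" = "$pfx_fp" ]
)

# Usage: sh keystore.sh <empty-directory>
if [ "$#" -ge 1 ]; then
  build_keystore "$1" && verify_keystore "$1" && echo "keystore consistent"
fi
```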


Encrypt and Decrypt Files

Encrypt a File

openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.txt

Decrypt a File

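openssl enc -d -aes-256-cbc -in encrypted.txt -out decrypted.txt
Both commands prompt for a password. On OpenSSL 1.1.1 and later, openssl warns that the default key derivation is deprecated; adding -pbkdf2 to both the encrypt and the decrypt command derives the key with PBKDF2 instead.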

Generate a Random Password

openssl rand -base64 12
This generates a random 12-character password in base64 encoding.

Test SSL/TLS Connection

openssl s_client -connect anypoint.mulesoft.com:443
This tests the SSL/TLS connection to a specified server.

List Available Ciphers

openssl ciphers -v
This lists all available SSL/TLS ciphers.

Create an EC (Elliptic Curve) Key

openssl ecparam -name prime256v1 -genkey -noout -out ec_private.key
This generates an elliptic curve private key using the prime256v1 curve.