Skip to content

Instantly share code, notes, and snippets.

@jimmyFlash

jimmyFlash/OpenSSL_cheatsheet.md

Created February 16, 2025 22:14
Show Gist options
  • Save jimmyFlash/9c9d55214cfe7a92af897f9f6457fe6e to your computer and use it in GitHub Desktop.
Save jimmyFlash/9c9d55214cfe7a92af897f9f6457fe6e to your computer and use it in GitHub Desktop.
Download ZIP
OpenSSL cheatsheet
Raw
OpenSSL_cheatsheet.md

Certificate types X.509 certificates: X.509 certificates are the most common type of digital certificate. They are often used for website security and for email encryption. X.509 certificates can be issued by either a trusted third party or by a company or organization include many types :-

  1. PEM (Privacy Enhanced Mail ): the most common type of X.509 certificate format and is most likely used in Unix/Linux-based operating systems. It is a Base64-encoded DER certificate. This is the format most of the Certificate Authorities (CA) issue certificates with .pem, .crt, .cer, or .key extensions. PEM certificates can be used with Apache, Microsoft IIS , and other web servers. It is possible to bundle the server certificate, the intermediate certificate, and the private key within a single PEM certificate. Or you can have all of them in a separate file.
  2. DER (Distinguished Encoding Rule) : is a binary form of a PEM certificate. Often used in Windows and with Java-based web servers. This format is barely seen used in Linux-based operating systems. So, you can choose this if you need the certificate for your Windows servers.
  3. P7B (PKCS#7) : This is a format that can be used to store multiple chain certificates. However, unlike PEM, it doesn’t store a private key. PKCS#7 certificates can be used with Apache, Microsoft IIS , and other web servers.
  4. PFX (PKCS#12/P12) : Personal Information Exchange is a format that can be used to store multiple private keys and certificates like PEM. However, the difference is that PFX is a password-protected container. PKCS#12 certificates can be used with Apache, Microsoft IIS , and other web servers.

[!warning] Using winpty before openssl on windows through GIT bash If you are using OpenSSL commands on windows through the GIT bash you may need to prefix each openssl command with winpty

Converting Using OpenSSL

Note : the (text in between), references a file name, like (filename).xml can be any .xml with name of your choice

CER to P12 (PFX)

openssl pkcs12 -export -out (OUTPUTNAME).pfx -inkey (KEY).key -in (FILENAME).cer -certfile (CACert).crt

DER file (.crt /.cer / .der) to PEM

openssl x509 -inform der -in (certificate).cer -out (certificate).pem

PEM to DER

openssl x509 -outform der -in (certificate).pem -out (certificate).der

(PKCS#12 file (.pfx / .p12) + private key + certificates) to PEM

openssl pkcs12 -in (keyStore).pfx -out (keyStore).pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

PEM + private key to PKCS#12 (.pfx / .p12)

openssl pkcs12 -export -out (certificate).pfx -inkey (privateKey).key -in (certificate).crt -certfile (CACert).crt

PEM to CRT (.CRT file)

openssl x509 -outform der -in (certificate).pem -out (certificate).crt

PEM to P7B

openssl crl2pkcs7 -nocrl -certfile (certificate).cer -out (certificate).p7b -certfile (CACert).cer

P7B to PEM

openssl pkcs7 -print_certs -in (certificate).p7b -out (certificate).cer

P7B to PFX

  1. openssl pkcs7 -print_certs -in (certificate).p7b -out (certificate).cer
  2. openssl pkcs12 -export -in (certificate).cer -inkey (privateKey).key -out (certificate).pfx -certfile (CACert).cer

PFX to PEM

openssl pkcs12 -in (certificate).pfx -out (certificate).cer -nodes

Test HTTPS methods

The following command can be used to test connectivity to an https service. Basically s_client attribute is used to debug SSL Servers.

This will open an SSL connection to example.com with port 443 and print the SSL certificate used by the service. After connecting you can manually send http requests. This is similar to using telnet to connect to an http service and manually sending an http, i.e GET, OPTIONS or TRACE request. Press Enter Twice:

openssl s_client -connect example.com:443

Encoding

One commonly used and secure encryption scheme is PBKDF2, which stands for Password-Based Key Derivation Function 2 :

openssl enc -pbkdf2 -aes-256-cbc -in {file to encrypt} -out {output file}

Encrypting

1- Symmetric encryption
  • Using AES256
openssl aes-256-cbc -e -in {file to encrypt} -out {encrypted_message file}

to decrypt that file :-

openssl aes-256-cbc -d -in {encrypted_message file} -out {decrypted file}
  • To make the encryption more secure and resilient against brute-force attacks, we can add -pbkdf2 to use the Password-Based Key Derivation Function 2 (PBKDF2); moreover, we can specify the number of iterations on the password to derive the encryption key using -iter NUMBER.
openssl enc -pbkdf2 -aes-256-cbc -d -in {file to encrypt} > {encrypted file}
 
# OR to iterate 10,000 times, the  command would become:
openssl aes-256-cbc -pbkdf2 -iter 10000 -e -in {file to encrypt} -out {encrypted_message_file}

decryption :

openssl aes-256-cbc -pbkdf2 -iter 10000 -d -in {encrypted_message} -out {original_message_file}
2- Asymmetric encryption
  • To use RSA, first generate a new 1024-bit private key stored in the file
openssl genrsa -out {private key file}.pem 1024

• Next, use that private key to generate a public key

openssl rsa -in {private key file}.pem -out {public key file}.pem -outform PEM -pubout

# OR 
openssl rsa -in {private key file}.pem -pubout -out {public key file}.pem

• Display public key and private keys (example)

cat {public key file}.pem

# display private key
openssl rsa -in {private key file}.pem -text -noout

• Now you (or anyone!) can encrypt a file using this public key:

openssl rsautl -encrypt -inkey {pem-file}.pem -pubin -in {file-text}.txt -out {rsa-encrypt-file}.txt

• Finally, only you can decrypt this file, so long as only you know your private key

openssl rsautl -decrypt -inkey {pem-file}.pem -in {rsa-encrypt}.txt -out {rsa-decrypted file}.txt

Diffie-Hellman Key Exchange

Diffie-Hellman is an asymmetric encryption algorithm. It allows the exchange of a secret over a public channel.

openssl dhparam -out dhparams.pem 2048

we can view the prime number P and the generator G using the command

openssl dhparam -in dhparams.pem -text -noout

HMAC

Hash-based message authentication code (HMAC) is a message authentication code (MAC) that uses a cryptographic key in addition to a hash function.

Example:

openssl dgst -sha256 -hmac "secret key in quotes" {file to hash}

Generate rsa keys by OpenSSL

OpenSSL on the command line you’d first need to generate a public and private key Should password protect this file using the -passout argument

  1. Create a key file called private.pem that uses 1024 bits, file actually has both the private and public keys

    • openssl genrsa -out (private).pem 1024

  2. Extract the public key from this file with either one of the these commands

    • openssl rsa -in (private).pem -out (public).pem -outform PEM -pubout
    • openssl rsa -in (private).pem -pubout > (public).pem
    • openssl rsa -in (private).pem -pubout -out (public).pem

Encryption and decryption

Create a dummy data file : echo 'too many secrets' > (file).txt

  1. encrypt the file with public key openssl rsautl -encrypt -inkey (public).pem -pubin -in (file).txt -out (file).ssl

  2. decrypt using private key openssl rsautl -decrypt -inkey (private).pem -in file.ssl -out (decrypted).txt

Extras

  • Extract all the certs, including the CA Chain openssl crl2pkcs7 -nocrl -certfile (foo).pem | openssl pkcs7 -print_certs -out (foo).cert
  • Extract the textually first cert as DER openssl x509 -in foo.pem -outform DER -out first-cert.der

Other usage samples for RSA

  • remove the pass phrase on an RSA private key openssl rsa -in key.pem -out keyout.pem

  • encrypt a private key using triple DES openssl rsa -in key.pem -des3 -out keyout.pem

  • private key from PEM to DER openssl rsa -in key.pem -outform DER -out keyout.der

  • print out the components of a private key openssl rsa -in key.pem -text -noout

  • output the public part of a private key openssl rsa -in key.pem -pubout -out pubkey.pem

  • Output the public part of a private key in RSAPublicKey openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem

Java keystore & OpenSSL

To make SSL work between your server and client

On server

a. Generate keystore :

keytool -genkey -alias {alias name} -keyalg RSA -keystore (KeyStore).jks -keysize 2048

Optional: export the certificate for that key to PEM format

_keytool -export -rfc -alias {alias name} -file (certificate).pem -keystore (KeyStore).jks

b. Generate new ca-cert and ca-key

openssl req -new -x509 -keyout ca-key -out ca-cert

c. Extracting cert/creating cert sign

keytool -keystore (KeyStore).jks -alias bmc -certreq -file cert-file

d. Sign the “cert-file” and cert-signed will be the new cert

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out  cert-signed -days 365 -CAcreateserial -passin pass:yourpass

e. importing the ca-cert to keystore file

keytool -keystore KeyStore.jks -alias CARoot -import -file ca-cert

f. import cert-signed to keystore

keytool -keystore KeyStore.jks -alias bmc -import -file cert-signed

On client

g. Copy ca-cert into client machine and generate trust-store

keytool -keystore truststore.jks -alias bmc -import -file ca-cert-s

Repeat the steps ( a-f ) at client side

On server

h. Copy ca-cert into client machine and generate trust-store

keytool -keystore truststore.jks -alias bmc -import -file ca-cert-c

generate trust-store at server side by importing ca-cert of client(step h)

Renamed ca-cert after step f. Ex: ca-cert-s generated at server side and ca-cert-c at client and exchanged each other for generating trust-store

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment