knowledge/technology/cryptography/OpenSSL.md

---
website:
- https://www.openssl.org
- https://www.libressl.org
obj: application
---

# OpenSSL
OpenSSL is a [cryptography](Cryptography.md) toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and related [cryptography](Cryptography.md) standards required by them.

The openssl program is a command line program for using the various [cryptography](Cryptography.md) functions of OpenSSL's crypto library from the [shell](../applications/cli/Shell.md).  It can be used for:
- Creation and management of private keys, public keys and parameters
- Public key cryptographic operations
- Creation of X.509 certificates, CSRs and CRLs
- Calculation of Message Digests and Message Authentication Codes
- Encryption and Decryption with Ciphers
- SSL/TLS Client and Server Tests
- Handling of S/MIME signed or encrypted mail
- Timestamp requests, generation and verification

## Usage
```shell
openssl [command] [options]
```

### Certificates (`openssl req`, `openssl x509`)
#### Generate a certificate
Usage: `openssl req -x509 -key private_key.pem -out certificate.pem -days 365`

#### Generate a signed certificate
```shell
# Create Certificate Request
openssl req -new -key entity.key -out entity.csr

# Sign with CA
openssl x509 -req -in entity.csr -CA ca.crt -CAkey ca.key -out entity.crt -CAcreateserial
```

#### Show information about a certificate
Usage: `openssl x509 -in certificate.pem -text -noout`

### Digest (`openssl dgst`)
Use digest (hash) functions. (Use `openssl dgst -list` for a list of all available digests)
Usage: `openssl dgst [options] [file]`

#### Options
| Option        | Description                         |
| ------------- | ----------------------------------- |
| `-c`          | Print digest with seperating colons |
| `-r`          | Print digest in coreutils format    |
| `-out <file>` | Output to filename                  |
| `-hex`        | Output as hex                       |
| `-binary`     | Output in binary                    |
| `-<digest>`   | Use \<digest>                       |

### Encryption (`openssl enc`)
Encrypt and decrypt using ciphers (Use `openssl enc -ciphers` for a list of all available ciphers)
Usage: `openssl enc [options]`

#### Options
| Option          | Description                                     |
| --------------- | ----------------------------------------------- |
| `-e`            | Do Encryption                                   |
| `-d`            | Do Decryption                                   |
| `-<cipher>`     | Use \<cipher>                                   |
| `-in <input>`   | Input file                                      |
| `-k <val>`      | Passphrase                                      |
| `-kfile <file>` | Read passphrase from file                       |
| `-out <output>` | Output file                                     |
| `-a, -base64`   | [Base64](../files/Base64.md) decode/encode data |
| `-pbkdf2`       | Use password-based key derivation function 2    |
| `-iter <num>`   | Change iterations of `-pbkdf2`                  |

### [RSA](RSA.md) (`openssl genrsa`, `openssl rsa`, `openssl pkeyutl`)
#### Generate [RSA](RSA.md) Private Key (`openssl genrsa`)
```shell
openssl genrsa -out <keyfile> [-<cipher>] [-verbose] [-quiet] <numbits>
```

The `-<cipher>` option lets you protect the key with a password using the specified cipher algo (See `openssl enc -ciphers` for a list of available ciphers).

#### Generate [RSA](RSA.md) Public Key (`openssl rsa`)
```shell
openssl rsa -pubout -in <privatekey> [-passin file:<password_file>] -out <publickey>
```

#### Working with [RSA](RSA.md) (`openssl pkeyutl`)
```shell
# Sign with Private Key
openssl pkeyutl -sign -in <input> -inkey <private_key> [-passin file:<password_file>] -out <output> [-digest algo]

# Verify with Public Key
openssl pkeyutl -verify -in <input> -pubin -inkey <public_key> -sigfile <signature_file>

# Encrypt with Public Key
openssl pkeyutl -encrypt -pubin -inkey <public_key> -in <input> -out <output>

# Decrypt with Private Key
openssl pkeyutl -decrypt -inkey <private_key> [-passin file:<password_file>] -in <input> -out <output>
```

### Password Hash (`openssl passwd`)
Generate hashed passwords
Usage: `openssl passwd [options] [password]`

### Options
| Option       | Description                                      |
| ------------ | ------------------------------------------------ |
| `-in infile` | Read passwords from file                         |
| `-noverify`  | Never verify when reading password from terminal |
| `-stdin`     | Read passwords from stdin                        |
| `-salt val`  | Use provided salt                                |
| `-6`         | SHA512-based password algorithm                  |
| `-5`         | SHA256-based password algorithm                  |
| `-apr1`      | MD5-based password algorithm, Apache variant     |
| `-1`         | MD5-based password algorithm                     |
| `-aixmd5`    | AIX MD5-based password algorithm                 |

### Prime Numbers (`openssl prime`)
Generate and verify prime numbers
Usage: `openssl prime [options] [num]`

#### Options
| Option       | Description                                       |
| ------------ | ------------------------------------------------- |
| `-bits +int` | Size of number in bits                            |
| `-hex`       | Hex output                                        |
| `-generate`  | Generate a prime                                  |
| `-safe`      | When used with `-generate`, generate a safe prime |

### Random Data (`openssl rand`)
Generate random data.
Usage: `openssl rand [options] num`

#### Options
| Option         | Description                                             |
| -------------- | ------------------------------------------------------- |
| `-out outfile` | Output file                                             |
| `-base64`      | [Base64](../files/Base64.md) encode output              | 
| `-hex`         | Hex encode output                                       |
| `-rand val`    | Load the given file(s) into the random number generator |
init 2023-12-04 10:02:23 +00:00			`---`
			`website:`
			`- https://www.openssl.org`
			`- https://www.libressl.org`
			`obj: application`
			`---`

			`# OpenSSL`
restructure 2024-01-17 08:00:45 +00:00			`OpenSSL is a [cryptography](Cryptography.md) toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and related [cryptography](Cryptography.md) standards required by them.`
init 2023-12-04 10:02:23 +00:00
path fix 2024-02-12 14:32:44 +00:00			`The openssl program is a command line program for using the various [cryptography](Cryptography.md) functions of OpenSSL's crypto library from the [shell](../applications/cli/Shell.md). It can be used for:`
init 2023-12-04 10:02:23 +00:00			`- Creation and management of private keys, public keys and parameters`
			`- Public key cryptographic operations`
			`- Creation of X.509 certificates, CSRs and CRLs`
			`- Calculation of Message Digests and Message Authentication Codes`
			`- Encryption and Decryption with Ciphers`
			`- SSL/TLS Client and Server Tests`
			`- Handling of S/MIME signed or encrypted mail`
			`- Timestamp requests, generation and verification`

			`## Usage`
			```shell
			`openssl [command] [options]`
			```

			### Certificates (`openssl req`, `openssl x509`)
			`#### Generate a certificate`
			Usage: `openssl req -x509 -key private_key.pem -out certificate.pem -days 365`

refactor 2023-12-13 22:45:40 +00:00			`#### Generate a signed certificate`
			```shell
			`# Create Certificate Request`
			`openssl req -new -key entity.key -out entity.csr`

			`# Sign with CA`
			`openssl x509 -req -in entity.csr -CA ca.crt -CAkey ca.key -out entity.crt -CAcreateserial`
			```
init 2023-12-04 10:02:23 +00:00
			`#### Show information about a certificate`
			Usage: `openssl x509 -in certificate.pem -text -noout`

			### Digest (`openssl dgst`)
			Use digest (hash) functions. (Use `openssl dgst -list` for a list of all available digests)
			Usage: `openssl dgst [options] [file]`

			`#### Options`
			`\| Option \| Description \|`
			`\| ------------- \| ----------------------------------- \|`
			\| `-c` \| Print digest with seperating colons \|
			\| `-r` \| Print digest in coreutils format \|
			\| `-out <file>` \| Output to filename \|
			\| `-hex` \| Output as hex \|
			\| `-binary` \| Output in binary \|
			\| `-<digest>` \| Use \<digest> \|

			### Encryption (`openssl enc`)
			Encrypt and decrypt using ciphers (Use `openssl enc -ciphers` for a list of all available ciphers)
			Usage: `openssl enc [options]`

			`#### Options`
			`\| Option \| Description \|`
			`\| --------------- \| ----------------------------------------------- \|`
			\| `-e` \| Do Encryption \|
			\| `-d` \| Do Decryption \|
			\| `-<cipher>` \| Use \<cipher> \|
			\| `-in <input>` \| Input file \|
			\| `-k <val>` \| Passphrase \|
			\| `-kfile <file>` \| Read passphrase from file \|
			\| `-out <output>` \| Output file \|
			\| `-a, -base64` \| [Base64](../files/Base64.md) decode/encode data \|
			\| `-pbkdf2` \| Use password-based key derivation function 2 \|
			\| `-iter <num>` \| Change iterations of `-pbkdf2` \|

restructure 2024-01-17 08:00:45 +00:00			### [RSA](RSA.md) (`openssl genrsa`, `openssl rsa`, `openssl pkeyutl`)
			#### Generate [RSA](RSA.md) Private Key (`openssl genrsa`)
init 2023-12-04 10:02:23 +00:00			```shell
			`openssl genrsa -out <keyfile> [-<cipher>] [-verbose] [-quiet] <numbits>`
			```

			The `-<cipher>` option lets you protect the key with a password using the specified cipher algo (See `openssl enc -ciphers` for a list of available ciphers).

restructure 2024-01-17 08:00:45 +00:00			#### Generate [RSA](RSA.md) Public Key (`openssl rsa`)
init 2023-12-04 10:02:23 +00:00			```shell
			`openssl rsa -pubout -in <privatekey> [-passin file:<password_file>] -out <publickey>`
			```

restructure 2024-01-17 08:00:45 +00:00			#### Working with [RSA](RSA.md) (`openssl pkeyutl`)
init 2023-12-04 10:02:23 +00:00			```shell
			`# Sign with Private Key`
			`openssl pkeyutl -sign -in <input> -inkey <private_key> [-passin file:<password_file>] -out <output> [-digest algo]`

			`# Verify with Public Key`
			`openssl pkeyutl -verify -in <input> -pubin -inkey <public_key> -sigfile <signature_file>`

			`# Encrypt with Public Key`
			`openssl pkeyutl -encrypt -pubin -inkey <public_key> -in <input> -out <output>`

			`# Decrypt with Private Key`
			`openssl pkeyutl -decrypt -inkey <private_key> [-passin file:<password_file>] -in <input> -out <output>`
			```

			### Password Hash (`openssl passwd`)
			`Generate hashed passwords`
			Usage: `openssl passwd [options] [password]`

			`### Options`
			`\| Option \| Description \|`
			`\| ------------ \| ------------------------------------------------ \|`
			\| `-in infile` \| Read passwords from file \|
			\| `-noverify` \| Never verify when reading password from terminal \|
			\| `-stdin` \| Read passwords from stdin \|
			\| `-salt val` \| Use provided salt \|
			\| `-6` \| SHA512-based password algorithm \|
			\| `-5` \| SHA256-based password algorithm \|
			\| `-apr1` \| MD5-based password algorithm, Apache variant \|
			\| `-1` \| MD5-based password algorithm \|
			\| `-aixmd5` \| AIX MD5-based password algorithm \|

			### Prime Numbers (`openssl prime`)
			`Generate and verify prime numbers`
			Usage: `openssl prime [options] [num]`

			`#### Options`
			`\| Option \| Description \|`
			`\| ------------ \| ------------------------------------------------- \|`
			\| `-bits +int` \| Size of number in bits \|
			\| `-hex` \| Hex output \|
			\| `-generate` \| Generate a prime \|
			\| `-safe` \| When used with `-generate`, generate a safe prime \|

			### Random Data (`openssl rand`)
			`Generate random data.`
			Usage: `openssl rand [options] num`

			`#### Options`
			`\| Option \| Description \|`
			`\| -------------- \| ------------------------------------------------------- \|`
			\| `-out outfile` \| Output file \|
			\| `-base64` \| [Base64](../files/Base64.md) encode output \|
			\| `-hex` \| Hex encode output \|
			\| `-rand val` \| Load the given file(s) into the random number generator \|