---
website:
- https://www.openssl.org
- https://www.libressl.org
obj: application
---

# OpenSSL
OpenSSL is a [cryptography](Cryptography.md) toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and related [cryptography](Cryptography.md) standards required by them.

The openssl program is a command line program for using the various [cryptography](Cryptography.md) functions of OpenSSL's crypto library from the [shell](../applications/cli/Shell.md).  It can be used for:
- Creation and management of private keys, public keys and parameters
- Public key cryptographic operations
- Creation of X.509 certificates, CSRs and CRLs
- Calculation of Message Digests and Message Authentication Codes
- Encryption and Decryption with Ciphers
- SSL/TLS Client and Server Tests
- Handling of S/MIME signed or encrypted mail
- Timestamp requests, generation and verification

## Usage
```shell
openssl [command] [options]
```

### Certificates (`openssl req`, `openssl x509`)
#### Generate a certificate
Generate a self-signed certificate from an existing private key.

Usage: `openssl req -x509 -key private_key.pem -out certificate.pem -days 365`

#### Generate a signed certificate
```shell
# Create Certificate Request
openssl req -new -key entity.key -out entity.csr

# Sign with CA
openssl x509 -req -in entity.csr -CA ca.crt -CAkey ca.key -out entity.crt -CAcreateserial
```
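
The two steps above as one end-to-end run, followed by verification. This is an added example, not part of the original notes; it assumes OpenSSL 1.1.1 or later, and every file name, subject and host name in it is constructed. It goes one step beyond the commands above by setting a `subjectAltName` at signing time and checking it with `openssl verify -verify_hostname`.

```shell
# Added example; every file name, subject and host name is constructed.
# issue_and_verify SAN_HOST CHECK_HOST
#   Exit status 0 only if a certificate issued for SAN_HOST chains to the
#   demo CA and is valid for CHECK_HOST.
issue_and_verify() (
    san_host=$1; check_host=$2
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    # Explicit config so the run does not depend on the system openssl.cnf
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # CA key and self-signed CA certificate
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    openssl req -x509 -new -config req.cnf -key ca.key -days 30 -out ca.crt || exit 1

    # Entity key and certificate request (-subj overrides the [dn] section)
    openssl genrsa -out entity.key 2048 2>/dev/null || exit 1
    openssl req -new -config req.cnf -key entity.key -subj "/CN=$san_host" \
        -out entity.csr || exit 1

    # By default x509 -req ignores extensions requested in the CSR,
    # so the SAN is supplied at signing time through -extfile
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$san_host" > entity.ext
    openssl x509 -req -in entity.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -extfile entity.ext -out entity.crt 2>/dev/null || exit 1

    # Chain check plus host name check against the SAN
    openssl verify -CAfile ca.crt -verify_hostname "$check_host" entity.crt \
        >/dev/null 2>&1
)

issue_and_verify entity.example entity.example && echo "match: verified"
issue_and_verify entity.example other.example || echo "mismatch: rejected"
```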

#### Show information about a certificate
Usage: `openssl x509 -in certificate.pem -text -noout`

### Digest (`openssl dgst`)
Compute digests (hashes) of files. Use `openssl dgst -list` for a list of all available digests.

Usage: `openssl dgst [options] [file]`

#### Options
| Option        | Description                         |
| ------------- | ----------------------------------- |
| `-c`          | Print digest with separating colons |
| `-r`          | Print digest in coreutils format    |
| `-out <file>` | Output to filename                  |
| `-hex`        | Output as hex                       |
| `-binary`     | Output in binary                    |
| `-<digest>`   | Use \<digest>                       |

### Encryption (`openssl enc`)
Encrypt and decrypt using ciphers. Use `openssl enc -ciphers` for a list of all available ciphers.

Usage: `openssl enc [options]`

#### Options
| Option          | Description                                     |
| --------------- | ----------------------------------------------- |
| `-e`            | Do Encryption                                   |
| `-d`            | Do Decryption                                   |
| `-<cipher>`     | Use \<cipher>                                   |
| `-in <input>`   | Input file                                      |
| `-k <val>`      | Passphrase                                      |
| `-kfile <file>` | Read passphrase from file                       |
| `-out <output>` | Output file                                     |
| `-a, -base64`   | [Base64](../files/Base64.md) decode/encode data |
| `-pbkdf2`       | Use password-based key derivation function 2    |
| `-iter <num>`   | Change iterations of `-pbkdf2`                  |

### [RSA](RSA.md) (`openssl genrsa`, `openssl rsa`, `openssl pkeyutl`)
#### Generate [RSA](RSA.md) Private Key (`openssl genrsa`)
```shell
openssl genrsa -out <keyfile> [-<cipher>] [-verbose] [-quiet] <numbits>
```

The `-<cipher>` option protects the private key with a passphrase, encrypting it with the specified cipher (see `openssl enc -ciphers` for a list of available ciphers).

#### Generate [RSA](RSA.md) Public Key (`openssl rsa`)
```shell
openssl rsa -pubout -in <privatekey> [-passin file:<password_file>] -out <publickey>
```

#### Working with [RSA](RSA.md) (`openssl pkeyutl`)
```shell
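# Sign with Private Key
# Without -rawin the input is signed as-is and is expected to be a digest.
# -digest is only accepted together with -rawin (OpenSSL 3.0+).
openssl pkeyutl -sign -in <input> -inkey <private_key> [-passin file:<password_file>] -out <output> [-rawin -digest <algo>]

# Verify with Public Key (use the same -rawin -digest <algo> as when signing)
openssl pkeyutl -verify -in <input> -pubin -inkey <public_key> -sigfile <signature_file> [-rawin -digest <algo>]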

# Encrypt with Public Key
openssl pkeyutl -encrypt -pubin -inkey <public_key> -in <input> -out <output>

# Decrypt with Private Key
openssl pkeyutl -decrypt -inkey <private_key> [-passin file:<password_file>] -in <input> -out <output>
```
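
An added end-to-end run of the key generation, sign and verify commands above (not part of the original notes), assuming OpenSSL 1.1.1 or later; file names, passphrase and message are constructed. Because `pkeyutl` signs its input as-is, the file is hashed with `openssl dgst` first and the digest is declared with `-pkeyopt digest:sha256`, and the passphrase is read from a file rather than passed on the command line.

```shell
# Added example; file names, passphrase and message are constructed.
demo_dir=$(mktemp -d)
( umask 077; printf 'constructed-passphrase\n' > "$demo_dir/pass.txt" )

make_keys() {  # encrypted private key plus matching public key
    openssl genrsa -aes256 -passout "file:$demo_dir/pass.txt" \
        -out "$demo_dir/priv.pem" 2048 2>/dev/null &&
    openssl rsa -pubout -in "$demo_dir/priv.pem" \
        -passin "file:$demo_dir/pass.txt" -out "$demo_dir/pub.pem" 2>/dev/null
}

sign_file() {  # sign_file FILE SIGFILE
    # pkeyutl signs its input as-is: hash the file first, then declare the
    # digest so the signature carries the SHA-256 DigestInfo (PKCS#1 v1.5).
    openssl dgst -sha256 -binary "$1" > "$1.sha256" &&
    openssl pkeyutl -sign -inkey "$demo_dir/priv.pem" \
        -passin "file:$demo_dir/pass.txt" -pkeyopt digest:sha256 \
        -in "$1.sha256" -out "$2"
}

verify_file() {  # verify_file FILE SIGFILE; exit status 0 only if valid
    openssl dgst -sha256 -binary "$1" |
    openssl pkeyutl -verify -pubin -inkey "$demo_dir/pub.pem" \
        -pkeyopt digest:sha256 -sigfile "$2" >/dev/null 2>&1
}

make_keys
printf 'constructed message\n' > "$demo_dir/msg.txt"
sign_file "$demo_dir/msg.txt" "$demo_dir/msg.sig"
verify_file "$demo_dir/msg.txt" "$demo_dir/msg.sig" && echo "original: valid"
# The same signature also verifies with dgst, which hashes the file itself
openssl dgst -sha256 -verify "$demo_dir/pub.pem" \
    -signature "$demo_dir/msg.sig" "$demo_dir/msg.txt"
printf 'tampered message\n' > "$demo_dir/tampered.txt"
verify_file "$demo_dir/tampered.txt" "$demo_dir/msg.sig" || echo "tampered: rejected"
```

Remove `$demo_dir` when finished; it holds the private key and the passphrase file.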

### Password Hash (`openssl passwd`)
Generate hashed passwords.

Usage: `openssl passwd [options] [password]`

#### Options
| Option       | Description                                      |
| ------------ | ------------------------------------------------ |
| `-in infile` | Read passwords from file                         |
| `-noverify`  | Never verify when reading password from terminal |
| `-stdin`     | Read passwords from stdin                        |
| `-salt val`  | Use provided salt                                |
| `-6`         | SHA512-based password algorithm                  |
| `-5`         | SHA256-based password algorithm                  |
| `-apr1`      | MD5-based password algorithm, Apache variant     |
| `-1`         | MD5-based password algorithm                     |
| `-aixmd5`    | AIX MD5-based password algorithm                 |

### Prime Numbers (`openssl prime`)
Generate and verify prime numbers.

Usage: `openssl prime [options] [num]`

#### Options
| Option       | Description                                       |
| ------------ | ------------------------------------------------- |
| `-bits +int` | Size of number in bits                            |
| `-hex`       | Hex output                                        |
| `-generate`  | Generate a prime                                  |
| `-safe`      | When used with `-generate`, generate a safe prime |

### Random Data (`openssl rand`)
Generate random data.

Usage: `openssl rand [options] num`

#### Options
| Option         | Description                                             |
| -------------- | ------------------------------------------------------- |
| `-out outfile` | Output file                                             |
| `-base64`      | [Base64](../files/Base64.md) encode output              |
| `-hex`         | Hex encode output                                       |
| `-rand val`    | Load the given file(s) into the random number generator |