OpenSSL command line syntax

Reads a certificate:
    openssl x509 -text -in certif.crt [-noout]

Reads a Certificate Signing Request:
    openssl req -text -in request.csr [-noout]

Generates a Certificate Signing Request for the public key of a key pair:
    openssl req -new -key private.key -out request.csr

Creates a 2048-bit RSA key pair and generates a Certificate Signing Request for it:
    openssl req -new -nodes -keyout newprivate.key -out request.csr -newkey rsa:2048

Signs a certificate:
    openssl ca -config ca.conf -in request.csr -out certif.cer -days validity [-verbose]

Revokes a certificate:
    openssl ca -config ca.conf -gencrl -revoke certif.cer -crl_reason why

Generates a Certificate Revocation List containing all revoked certificates so far:
    openssl ca -config ca.conf -gencrl -out crlist.crl

Converts a certificate from PEM to DER:
    openssl x509 -in certif.pem -outform DER -out certif.der

Converts a certificate from PEM to PKCS#12 including the private key:
    openssl pkcs12 -export -in certif.pem -inkey private.key -out certif.pfx [-name friendlyname]

Generates the digest of a file:
    openssl dgst -hashfunction -out file.hash file

Verifies the digest of a file (uses the Unix command cmp; if there is no output, digest verification is successful):
    openssl dgst -hashfunction file | cmp -b file.hash

Generates the signature of a file:
    openssl dgst -hashfunction -sign private.key -out file.sig file

Verifies the signature of a file:
    openssl dgst -hashfunction -verify public.key -signature file.sig file

Encrypts a file:
    openssl enc -e -cipher -in file -out file.enc [-salt]

Decrypts a file:
    openssl enc -d -cipher -in file.enc -out file

Generates a 2048-bit RSA key pair protected by TripleDES passphrase:
    openssl genpkey -algorithm RSA -des3 -pkeyopt rsa_keygen_bits:2048 -out key.pem
    (for older versions of OpenSSL, use instead the command openssl genrsa -des3 -out key.pem 2048)

Examines a private key:
    openssl pkey -text -in private.key [-noout]
    (for older versions of OpenSSL, use rsa instead of pkey)

Changes a private key's passphrase:
    openssl pkey -in old.key -out new.key -cipher
    (for older versions of OpenSSL, use rsa instead of pkey)
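The signature commands above as a round trip, in an added example that is not part of the original sheet. It assumes SHA-256 as the hash function and an unencrypted key so that it runs without prompts, and it extracts public.key with openssl pkey -pubout, a step the sheet does not list; the file contents are constructed sample data.

```shell
#!/bin/sh
# Added example: sign/verify round trip with the dgst commands.
# Assumptions: sha256 as the hash function, unencrypted key, constructed data.

# Creates a 2048-bit RSA key pair in directory $1 and extracts the
# public half, which "dgst -verify" needs.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private.key" 2>/dev/null &&
    openssl pkey -in "$1/private.key" -pubout -out "$1/public.key"
}

# Writes a detached signature of file $2 to $2.sig.
sign_file() {
    openssl dgst -sha256 -sign "$1/private.key" -out "$2.sig" "$2"
}

# Returns 0 only if openssl reports "Verified OK" for file $2.
# Matching the text keeps the check independent of openssl's exit code.
verify_file() {
    openssl dgst -sha256 -verify "$1/public.key" -signature "$2.sig" "$2" \
        2>/dev/null | grep -q 'Verified OK'
}

# Signs a file, verifies it, appends one byte, verifies again.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample payload\n' > "$dir/file"
    make_keys "$dir" && sign_file "$dir" "$dir/file" || { rm -rf "$dir"; return 1; }
    if verify_file "$dir" "$dir/file"; then
        echo "original: ok"
    else
        echo "original: FAILED"
    fi
    printf 'x' >> "$dir/file"    # tamper with the signed file
    if verify_file "$dir" "$dir/file"; then
        echo "tampered: ok"
    else
        echo "tampered: rejected"
    fi
    rm -rf "$dir"
}

demo
```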

Retrieves a certificate from a website and inspects it:
    openssl s_client -connect www.website.com:443 > tmpfile
    (hit Ctrl-C)
    openssl x509 -in tmpfile -text

Lists all available hash functions:
    openssl list-message-digest-commands

Lists all available ciphers:
    openssl list-cipher-commands

Recommended options are included within square brackets.

by Daniele Raffo, www.crans.org/~raffo, v1.6, 10/3/2012
