The Only OpenSSL CheatSheet You Will Need!
In this tutorial we will cover different examples using the openssl command, so in short let's get started with our openssl cheatsheet.

Topics we will cover:
- Generating Keys
- Generate Private and Public Key
- Generating CA certificate
- Creating Certificates
- Encrypting and Decrypting Files
- Checking and Verifying Certificates
- Generate certificate with SAN Field
- Creating and Managing CRLs
- Converting Certificate Formats
- Working with SSL Connections
- Managing Passwords and Hashes
- One liner OpenSSL commands

Generating Keys

1. RSA Keys

Generate a standard RSA key (2048 bits):
    openssl genrsa -out rsa_private.key 2048

Generate a stronger RSA key (4096 bits):
    openssl genrsa -out rsa_private.key 4096

Generate an RSA key with an explicit public exponent. genrsa only offers -F4 (65537, which is also the default) and the legacy -3, and the option must come before the key size, which is always the last argument:
    openssl genrsa -F4 -out rsa_private.key 2048

2. EC (Elliptic Curve) Keys

Generate an EC key using a specific curve:
    openssl ecparam -name prime256v1 -genkey -out ec_private.key

List all available EC curves:
    openssl ecparam -list_curves

Generate an EC key with explicit parameters:
    openssl ecparam -name secp384r1 -param_enc explicit -genkey -out ec_private_explicit.key

3. DSA Keys

Generate a DSA key pair (the key size is the last argument; the output file holds both the parameters and the private key):
    openssl dsaparam -genkey -out dsa_private.key 2048

4. EdDSA Keys (such as Ed25519)

Generate an Ed25519 private key:
    openssl genpkey -algorithm Ed25519 -out ed25519_private.key

5. Key with Encrypted Password Protection

Generate an RSA key encrypted with AES-256:
    openssl genrsa -aes256 -out rsa_private_encrypted.key 2048

Generate an EC key with password protection. ecparam has no cipher option, so pipe the fresh key through openssl ec, which encrypts it and prompts for the passphrase:
    openssl ecparam -name prime256v1 -genkey -noout | openssl ec -aes256 -out ec_private_encrypted.key

6. Convert Keys Between Formats

Convert a private key from PEM to DER format:
    openssl rsa -in rsa_private.key -outform DER -out rsa_private.der

Convert a private key to PKCS#8 format:
    openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa_private.key -out rsa_private_pkcs8.pem -nocrypt

Generate Private and Public Key

Generating an RSA Key Pair:
    openssl genrsa -out private_key.pem 2048
    openssl rsa -in private_key.pem -pubout -out public_key.pem

Generating an ECDSA Key Pair:
    openssl ecparam -genkey -name prime256v1 -out private_key_ec.pem
    openssl ec -in private_key_ec.pem -pubout -out public_key_ec.pem

Extract the public key from a certificate:
    openssl x509 -in domain_ecdsa.crt -pubkey -noout

Generating CA certificate

1. Generate the Root Key
    openssl genrsa -out ca.key 4096

2. Generate the Root Certificate
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

Now you can use these ca.crt and ca.key to sign certificates.

Creating Certificates

1. Generate Private Keys

First, you need a private key. The type and size of the key can vary depending on your security requirements.

RSA Private Key:
    openssl genrsa -out rsa_private.key 2048

ECDSA Private Key:
    openssl ecparam -name prime256v1 -genkey -out ecdsa_private.key

2. Generate a Certificate Signing Request (CSR)

A CSR is what you submit to a Certificate Authority (CA) to apply for a digital identity certificate. It includes your public key and other identity information.

Using an RSA Key:
    openssl req -new -key rsa_private.key -out rsa_csr.csr

Using an ECDSA Key:
    openssl req -new -key ecdsa_private.key -out ecdsa_csr.csr

3. Generating Self-Signed Certificates

Self-signed Certificate with RSA:
    openssl req -new -x509 -days 365 -key rsa_private.key -out rsa_certificate.crt

Self-signed Certificate with ECDSA:
    openssl req -new -x509 -days 365 -key ecdsa_private.key -out ecdsa_certificate.crt

4. Signing a CSR with Your CA

If you act as your own certificate authority or have access to a CA, you can sign CSRs to generate certificates. Pass the CA certificate and key with -CA and -CAkey; using -signkey ca.key alone would not produce a CA-issued certificate, because -signkey re-signs the request with the given key and sets the issuer equal to the subject, so the result never chains to ca.crt.
    openssl x509 -req -days 365 -in csr.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out signed_certificate.crt

5. Inspect a Certificate

Print the certificate contents (subject, issuer, validity, extensions). This only displays the certificate; to validate it against a CA, see Checking and Verifying Certificates below.
    openssl x509 -in certificate.crt -text -noout
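The CA and CSR steps above, run end to end as one script. This is an added example and not part of the original cheatsheet; it assumes the openssl CLI is installed and runs in a throwaway temporary directory, and every file name and subject DN in it is constructed for the demo. It also shows the two checks worth running after issuance: that the new certificate chains to the CA (and that an unrelated self-signed certificate does not), and that the certificate's public key really belongs to the private key you generated.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): a minimal private CA that
# signs a server CSR, then verifies the result. Requires the openssl CLI.
# File names and subject DNs below are constructed for this demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Root CA: private key plus a self-signed certificate (10 years).
#    2048 bits keeps the demo fast; the cheatsheet uses 4096 for a real root.
make_ca() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
        -subj "/C=US/O=Example Corp/CN=Example Root CA" -out ca.crt
}

# 2. Server key and CSR (the part a requester would submit to the CA).
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out server.key
    openssl req -new -key server.key \
        -subj "/C=US/O=Example Corp/CN=www.example.com" -out server.csr
}

# 3. Sign the CSR with the CA: -CA/-CAkey, not -signkey (which would make the
#    certificate self-signed with the CSR's own key and never chain to ca.crt).
sign_csr() {
    openssl x509 -req -days 365 -sha256 -in server.csr \
        -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt 2>/dev/null
}

# 4. Checks: does the new certificate chain to our CA?
verify_chain() {
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
}

# A self-signed certificate with the same CN but no relation to ca.crt must
# be rejected; returns 0 when verification fails as expected.
rejects_untrusted() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout other.key \
        -subj "/CN=www.example.com" -days 1 -out other.crt 2>/dev/null
    ! openssl verify -CAfile ca.crt other.crt >/dev/null 2>&1
}

# Issuer CN as recorded in the issued certificate.
issuer_cn() {
    openssl x509 -in server.crt -noout -issuer | sed 's/.*CN *= *//'
}

# -checkend N exits 0 if the certificate is still valid N seconds from now.
validity_status() {
    openssl x509 -in server.crt -noout -checkend 86400 >/dev/null \
        && echo valid || echo expiring
}

# The SPKI inside the certificate must equal the public half of server.key.
key_matches_cert() {
    a="$(openssl x509 -in server.crt -pubkey -noout)"
    b="$(openssl pkey -in server.key -pubout)"
    [ "$a" = "$b" ]
}

make_ca
make_csr
sign_csr
```

Run it as `sh ca_demo.sh`; each function exits non-zero on failure, so the same functions can be dropped into a CI job that issues and sanity-checks test certificates.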
Encrypting and Decrypting Files

1. Encrypting Files

Encrypt a file using AES-256 in CBC mode:
    openssl enc -aes-256-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD

AES-256 in GCM mode: openssl enc cannot do this. It rejects all AEAD modes (GCM, CCM, OCB) with the error "AEAD ciphers not supported", so there is no enc command for GCM; when you need authenticated encryption use a library in your application rather than the enc command.

Encrypt a file using 3DES (legacy; prefer AES for new data):
    openssl enc -des-ede3-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD

Two caveats for all password-based enc commands: add -pbkdf2 (OpenSSL 1.1.1 or later) so the key is derived with PBKDF2 instead of the legacy single-pass derivation, and give the same flag when decrypting; and prefer -pass file:... or -pass env:... over -k PASSWORD, since a password on the command line is visible to every local user in the process list.

2. Decrypting Files

Decrypt a file using AES-256 in CBC mode:
    openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD

Decrypt a file using AES-256 in GCM mode: not supported by openssl enc, see above.

Decrypt a file using 3DES:
    openssl enc -d -des-ede3-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD

3. Encrypting Files with a Key and IV (Initialization Vector)

Derive a random salt, key and IV for AES-256 from a passphrase and print them without encrypting anything (-P):
    openssl enc -aes-256-cbc -k secret -P -md sha1

Encrypt a file using the generated key and IV:
    openssl enc -aes-256-cbc -in plainfile.txt -out encryptedfile.enc -K [HEX_KEY] -iv [HEX_IV]

Decrypt a file using the generated key and IV:
    openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -K [HEX_KEY] -iv [HEX_IV]

With -K and -iv no salt is applied, so never reuse the same key and IV pair for a second file.

4. Encrypting and Decrypting with Public and Private Keys

Encrypt a file with an RSA public key:
    openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.enc

Decrypt a file with an RSA private key:
    openssl rsautl -decrypt -inkey private.pem -in file.enc -out file_decrypted.txt

rsautl is deprecated since OpenSSL 3.0; openssl pkeyutl -encrypt / -decrypt takes the same -inkey, -pubin, -in and -out options. Either way RSA can only encrypt a payload smaller than the key size minus padding (roughly 200 bytes for a 2048-bit key), so for real files encrypt the data with a random symmetric key and use RSA only to wrap that key.

Checking and Verifying Certificates

1. Viewing Certificate Details
    openssl x509 -in certificate.crt -text -noout

2. Verifying a Certificate Against a Trusted CA
    openssl verify -CAfile ca.crt certificate.crt

3. Checking a Certificate's Expiration Date
    openssl x509 -in certificate.crt -noout -enddate

4. Verify a Certificate Chain
    openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt

5. Checking against a Certificate Revocation List (CRL)
    openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem server.crt

6. Checking Certificate Serial Number
    openssl x509 -in certificate.crt -noout -serial

7. Checking Certificate's Signature Algorithm
    openssl x509 -in certificate.crt -noout -text | grep "Signature Algorithm"

Generate certificate with SAN Field

Create a file called san.cnf with the following content:

    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    distinguished_name = req_distinguished_name
    req_extensions = req_ext

    [ req_distinguished_name ]
    C = US
    ST = New York
    L = Rochester
    O = Example Corp
    OU = IT
    CN = www.example.com

    [ req_ext ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = www.example.com
    DNS.2 = example.com
    DNS.3 = subdomain.example.com
    IP.1 = 192.168.0.1

Generate your private key using the following command:
    openssl genrsa -out example.key 2048

Using the configuration file and the private key, generate your CSR:
    openssl req -new -key example.key -out example.csr -config san.cnf

Or generate the CSR with a single openssl command and no config file (-addext needs OpenSSL 1.1.1 or later):
    openssl req -new -key example.key -out example.csr -subj "/C=US/ST=New York/L=Rochester/O=Example Corp/OU=IT/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1"

Generate the self-signed certificate using the CSR. The -extensions and -extfile options are required: openssl x509 -req does not copy the SAN from the CSR by default, so without them the certificate is issued with no SAN at all.
    openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt -extensions req_ext -extfile san.cnf

If you wish to sign using your ca.crt and ca.key then you can use the same -extensions req_ext section (san.cnf defines no v3_ca section, and a CA-type extension section would be wrong for a server certificate anyway):
    openssl x509 -req -days 365 -in example.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.crt -extensions req_ext -extfile
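The SAN workflow above, as an added example that is not part of the original cheatsheet. It assumes the openssl CLI is installed and runs in a temporary directory; the san.cnf it writes follows the layout in the section above with constructed names, and the throwaway CA is constructed for the demo. It signs the same CSR twice, once without and once with -extfile, to show that the SAN is silently dropped in the first case, and then uses openssl verify -verify_hostname / -verify_ip, which check the SAN the way a TLS client would, instead of eyeballing the -text output.

```shell
#!/bin/sh
# Added example (not part of the original cheatsheet): issue a certificate
# with a subjectAltName from a CA, and show that the SAN is lost unless the
# signing step is told to add it. Needs the openssl CLI; all names, DNs and
# the config below are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed config, same layout as san.cnf in the cheatsheet.
cat > san.cnf <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = US
O = Example Corp
CN = www.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
IP.1 = 192.168.0.1
EOF

# Throwaway CA (key and self-signed root in one command).
openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -sha256 -days 365 \
    -subj "/C=US/O=Example Corp/CN=Example Root CA" -out ca.crt 2>/dev/null

# Server key and CSR; the SAN lives in the CSR's requested extensions.
openssl genrsa -out example.key 2048 2>/dev/null
openssl req -new -key example.key -out example.csr -config san.cnf

# Signing WITHOUT -extfile: "openssl x509 -req" does not copy the CSR's
# extensions by default, so the SAN silently disappears.
openssl x509 -req -days 365 -in example.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out no_san.crt 2>/dev/null

# Signing WITH the req_ext section: the SAN is carried into the certificate.
openssl x509 -req -days 365 -in example.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out example.crt -extensions req_ext -extfile san.cnf 2>/dev/null

# Number of lines in the -text dump carrying the expected DNS SAN (0 or 1).
san_count() {
    openssl x509 -in "$1" -noout -text | grep -c "DNS:www.example.com" || true
}

# Does the certificate chain to ca.crt AND match the hostname, the way a
# TLS client checks it? (Without a SAN, OpenSSL falls back to the CN.)
hostname_ok() {  # $1=cert $2=hostname
    openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Same check for an IP-address SAN.
ip_ok() {  # $1=cert $2=ip
    openssl verify -CAfile ca.crt -verify_ip "$2" "$1" >/dev/null 2>&1
}
```

example.com and 192.168.0.1 only exist in the SAN, so no_san.crt fails the hostname check for example.com even though its CN still matches www.example.com; that CN fallback is exactly why a missing SAN goes unnoticed until a modern client refuses the certificate.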
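The Encrypting and Decrypting Files section above leaves two practical questions open: how to use a proper KDF with openssl enc, and what to do about RSA's payload limit. This added example (not from the original cheatsheet) answers both in one script. It assumes the openssl CLI (1.1.1 or later for -pbkdf2 and pkeyutl's OAEP option) and runs in a temporary directory; the plaintext, password and keys are constructed for the demo. It round-trips a file with -pbkdf2, confirms a wrong password cannot recover it, shows pkeyutl refusing a 1 KiB payload, and then does hybrid encryption: a random AES key encrypts the file and RSA-OAEP wraps only that key.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): password-based file
# encryption with PBKDF2, and hybrid RSA+AES encryption with pkeyutl, the
# current replacement for the deprecated rsautl. Needs the openssl CLI;
# the plaintext, password and key files are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'constructed secret payload\n' > plain.txt
PASSWORD='correct horse battery staple'   # demo value only

# --- Password-based: -pbkdf2 -iter replaces the weak legacy key derivation.
#     -pass pass:... is used here only because the value is a demo constant;
#     -pass file:/env: keeps real passwords out of the process list.
enc_pw() {  # $1=in $2=out $3=password
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -in "$1" -out "$2" -pass "pass:$3"
}
dec_pw() {  # $1=in $2=out $3=password
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -in "$1" -out "$2" -pass "pass:$3"
}

# Prints "ok" when decrypting with the right password restores the file.
pw_roundtrip() {
    enc_pw plain.txt plain.enc "$PASSWORD"
    dec_pw plain.enc plain.dec "$PASSWORD"
    cmp -s plain.txt plain.dec && echo ok || echo mismatch
}

# A wrong password must never yield the plaintext: CBC padding normally makes
# enc fail outright, and in the rare case it does not, the output must differ.
wrong_pw_rejected() {
    enc_pw plain.txt plain.enc "$PASSWORD"
    if dec_pw plain.enc wrong.dec "not the password" 2>/dev/null; then
        ! cmp -s plain.txt wrong.dec
    fi
}

# --- Hybrid: RSA can wrap only a few hundred bytes, so wrap a random AES key.
openssl genrsa -out rsa.pem 2048 2>/dev/null
openssl pkey -in rsa.pem -pubout -out rsa_pub.pem

# Encrypting 1 KiB directly with a 2048-bit key fails ("data too large");
# returns 0 when pkeyutl refuses as expected.
rsa_direct_too_large() {
    openssl rand -out big.bin 1024
    ! openssl pkeyutl -encrypt -pubin -inkey rsa_pub.pem -in big.bin -out /dev/null 2>/dev/null
}

# Sender: fresh AES-256 key and IV, file encrypted with them, key wrapped
# with RSA-OAEP. Receiver: unwrap the key with the private key, then decrypt.
hybrid_roundtrip() {
    openssl rand -hex 32 > aes.key
    openssl rand -hex 16 > aes.iv
    openssl enc -aes-256-cbc -in plain.txt -out hybrid.enc \
        -K "$(cat aes.key)" -iv "$(cat aes.iv)"
    openssl pkeyutl -encrypt -pubin -inkey rsa_pub.pem -pkeyopt rsa_padding_mode:oaep \
        -in aes.key -out aes.key.enc
    openssl pkeyutl -decrypt -inkey rsa.pem -pkeyopt rsa_padding_mode:oaep \
        -in aes.key.enc -out aes.key.dec
    openssl enc -d -aes-256-cbc -in hybrid.enc -out hybrid.dec \
        -K "$(cat aes.key.dec)" -iv "$(cat aes.iv)"
    cmp -s plain.txt hybrid.dec && echo ok || echo mismatch
}
```

In the hybrid path the IV travels in the clear next to the ciphertext (it is not secret, only unique), while aes.key.enc is what you would send alongside hybrid.enc; only the holder of rsa.pem can unwrap it.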