An Introduction to OpenSSL


Imagine that you need to send a message to someone, but you do not know where he is or how to contact him. You only know another man who has his contact details and can pass your message on to him.

The Internet was designed in much the same way. Data passes through multiple nodes in the network to reach its destination. By default, data is sent as plain text and is not secure: any node that relays the message on its way to the destination can read it.

SSL and TLS are protocols that reduce this risk, so that only the owner of a message can read it and the sender of a message can be verified as the party it claims to be. SSL and TLS are standard security protocols for establishing an encrypted connection between a server and a client.

Here is a simple flow of how an SSL or TLS connection is established between a client and a server. The key point in this flow is the symmetric key exchange step.

  • The client and server agree on a common cipher that both sides support.
  • The client uses the server’s public key to encrypt a symmetric key, created with the agreed cipher and parameters.
  • The server uses its private key to decrypt the symmetric key and uses it to protect the session.


An SSL certificate (.cer, .crt) is a digital file that serves two specific purposes.

  1. Authentication and verification: The SSL certificate carries information that identifies the host or site. When you check the certificate chain, you can see who issued the certificate and where it can be used.
  2. Data encryption: The main purpose of the SSL certificate is data encryption, which means that all sensitive information is encrypted between server and client.


OpenSSL is a powerful toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is free software that implements the SSL and TLS protocols and enables a server to send data across the Internet in encrypted form.

OpenSSL contains the tools essential for the following tasks:

  • Generating private keys (RSA)
  • Generating Certificate Signing Requests (CSRs)
  • Performing encryption/decryption
  • Managing and controlling encrypted files

 

General OpenSSL commands

  1. Generating RSA, CSRs, CRT

Create a new private key and Certificate Signing Request (CSR)

#openssl req -out casesup.csr -new -newkey rsa:2048 -nodes -keyout casesup.key

Generate a self-signed certificate (CRT)

#openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout casesup.key -out casesup.crt

Create a Certificate Signing Request with an existing PEM file

#openssl req -out casesup.csr -key casesup.key -new

Generate a Certificate Signing Request (CSR) from an existing certificate

#openssl x509 -x509toreq -in casesup.crt -out casesup.csr -signkey casesup.key

  2. Check RSA, CSRs, CRT

Check an existing CSR file

#openssl req -text -noout -verify -in casesup.csr

Check Private key

#openssl rsa -in casesup.key -check

Check a signed certificate

#openssl x509 -in casesup.crt -text -noout

Check PKCS#12 file (.pfx and .p12)

#openssl pkcs12 -info -in casesup.p12

  3. OpenSSL Debugging Commands

Use MD5 to check whether the certificate, private key and certificate request match

#openssl x509 -noout -modulus -in casesup.crt | openssl md5
#openssl rsa -noout -modulus -in casesup.key | openssl md5
#openssl req -noout -modulus -in casesup.csr | openssl md5
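
The comparison above as a reusable check, written as an added example that is not part of the original post: it hashes the modulus with SHA-256 instead of MD5 (a choice made here; the digest only shortens the comparison) and rejects unreadable files, which would otherwise all hash to the same value. The function names, the file names and the subject demo.invalid are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. File names and the CN "demo.invalid" are constructed.

# Print the SHA-256 digest of the RSA modulus found in FILE.
modulus_digest() {              # usage: modulus_digest key|csr|crt FILE
    case "$1" in
        key) _mod=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        csr) _mod=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        crt) _mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    # A missing or corrupt file gives an empty modulus. Hashing it anyway would
    # make every broken input produce the same digest and look like a match.
    [ -n "$_mod" ] || return 1
    printf '%s\n' "$_mod" | openssl sha256 | awk '{print $NF}'
}

# Succeed only if key, CSR and certificate all carry the same modulus.
keys_match() {                  # usage: keys_match KEY CSR CRT
    _k=$(modulus_digest key "$1") || return 1
    _r=$(modulus_digest csr "$2") || return 1
    _c=$(modulus_digest crt "$3") || return 1
    [ "$_k" = "$_r" ] && [ "$_k" = "$_c" ]
}

# Build a matching key/CSR/certificate set plus one unrelated key in DIR.
make_samples() {                # usage: make_samples DIR
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=demo.invalid" -keyout "$1/good.key" -out "$1/good.crt" 2>/dev/null &&
    openssl req -new -key "$1/good.key" -subj "/CN=demo.invalid" \
        -out "$1/good.csr" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

tmp=$(mktemp -d) && make_samples "$tmp" || exit 1
for key in good.key other.key missing.key; do
    if keys_match "$tmp/$key" "$tmp/good.csr" "$tmp/good.crt"; then
        echo "$key: matches CSR and certificate"
    else
        echo "$key: does NOT match (or could not be read)"
    fi
done
rm -rf "$tmp"
```
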

Check the certificate information of an SSL connection

#openssl s_client -connect casesup.com:443

  4. Converting File Format

Convert DER format (.cer .crt .der) to PEM

#openssl x509 -inform der -in casesup.cer -out casesup.pem

Convert PEM to DER

#openssl x509 -outform der -in casesup.pem -out casesup.der

Convert PKCS#12 (.pfx or .p12) to PEM

#openssl pkcs12 -in casesup.pfx -out casesup.pem -nodes

Convert PKCS#12 (.pfx or .p12) to PEM (export only the private key)

#openssl pkcs12 -in casesup.pfx -out casesup.pem -nodes -nocerts

Convert PKCS#12 (.pfx or .p12) to CRT (export only the certificate)

#openssl pkcs12 -in casesup.pfx -out casesup.crt -nodes -nokeys

Convert PEM and CRT to PKCS#12 (.pfx, .p12)

#openssl pkcs12 -export -out casesup.pfx -inkey casesup.key -in casesup.crt -certfile CAcasesup.crt

Check this link for more!


Abdurrahim

I'm a System Engineer with extensive experience and administration skills and work for Interbank Card Center Of Turkey. I provide hardware and software support for the following Unix/Linux and Windows platforms (Oracle Solaris, HP-UX, Linux, IBM-AIX, Windows Servers).