The openssl command-line utility covers the following:
- Creating keys and key parameters
- Creating X.509 certificates, CSRs and CRLs
- Calculating message digests
- Encryption and decryption
- SSL/TLS client and server tests
- Handling S/MIME signed or encrypted mail
Install the openssl command-line tool on your machine before running the commands below. Several of the examples date from OpenSSL 1.0.1 (2015); option and algorithm availability changed in 1.1.0 and 3.0, and this is noted where it matters.
How to connect to a secure server
Connect to a server that uses SNI
Server Name Indication (SNI) is a TLS extension defined in RFC 6066. It enables TLS connections to virtual servers, where multiple servers for different network names are hosted at a single underlying network address. The client sends the intended host name in the ClientHello so that the server can pick the matching certificate; without -servername, such a server may present its default certificate or reject the handshake.
openssl s_client -servername api.google.com -connect api.google.com:443
Store the public certificate of a website locally
openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
This captures only the leaf certificate; add -showcerts to s_client if you want the whole chain the server sends. On Windows, replace /dev/null with NUL:
openssl s_client -connect google.com:443 < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
Note: the Windows form only works if you have Sed for Windows as well as OpenSSL installed in your environment.
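To see what -servername actually changes without touching a public host, the following script (an added example, not part of the original page) runs a local openssl s_server that holds two certificates and switches to the second one only when the client's SNI says vhost.test. It then connects three times, with no SNI, with the matching name and with a non-matching name, and cuts the served certificate out of s_client's output with the same sed range used above. All host names, file names and the port range are made up; it assumes OpenSSL 1.1.1 or later (for -addext, -noservername and s_server's -servername/-cert2/-key2).

```sh
#!/bin/sh
# Added example (not from the original page): what SNI changes, shown with
# a local openssl s_server holding two certificates. Assumes OpenSSL 1.1.1+.
set -eu

WORK=$(mktemp -d)
PORT=$((20000 + $$ % 10000))      # an unprivileged port that varies per run
SERVER_PID=""

cleanup() {
  [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# make_cert NAME HOSTNAME: self-signed certificate + key for HOSTNAME
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# fingerprint FILE: SHA-256 fingerprint of a PEM certificate (hex part only)
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# start_server: serve default.crt normally, and vhost.crt when the client
# sends the SNI name vhost.test. Idempotent, so it can be called twice.
start_server() {
  [ -n "$SERVER_PID" ] && return 0
  make_cert default default.test
  make_cert vhost   vhost.test
  openssl s_server -accept "127.0.0.1:$PORT" -www \
    -cert "$WORK/default.crt" -key "$WORK/default.key" \
    -servername vhost.test -cert2 "$WORK/vhost.crt" -key2 "$WORK/vhost.key" \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  # wait until the listener answers (up to ~10 s)
  i=0
  while [ "$i" -lt 50 ]; do
    if openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1)); sleep 0.2
  done
  echo "s_server did not come up on port $PORT" >&2
  return 1
}

# served_cert [SNI]: connect with the given SNI name (or, with no argument,
# with SNI suppressed) and return the fingerprint of the leaf certificate the
# server presented. The sed range is the page's trick for cutting the PEM
# block out of s_client's output.
served_cert() {
  if [ $# -gt 0 ]; then sni="-servername $1"; else sni="-noservername"; fi
  openssl s_client $sni -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
  start_server
  echo "default.crt on disk : $(fingerprint "$WORK/default.crt")"
  echo "vhost.crt on disk   : $(fingerprint "$WORK/vhost.crt")"
  echo "no SNI sent         : $(served_cert)"
  echo "SNI vhost.test      : $(served_cert vhost.test)"
  echo "SNI other.test      : $(served_cert other.test)"
}

main
```

The first and last connections get the default certificate; only the one that names vhost.test gets the second certificate. That is exactly why checking a shared host with s_client and no -servername can show you a certificate for a site you did not ask about.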
Base64-encode using openssl
Encrypt a file and base64-encode it
How to secure a web server with HTTPS
To enable SSL/TLS on the server, it needs a private key and a certificate. The certificate contains the public key that matches the server's private key.
The following steps set up your web server for HTTPS:
- Generate a private key and, from it, a CSR (certificate signing request).
- Share the CSR with a CA (certificate authority) to request issuance of a CA-signed SSL/TLS certificate.
- Install the private key together with the CA-signed certificate (and any intermediate certificates the CA supplies) on the server.
- Modify your web server configuration to point to the private key and certificate. The CSR is not needed once the certificate has been issued.
Generate a Self-Signed Certificate (Usually for internal apps)
View CSR (Certificate Signing Request)
Verify a Certificate was Signed by a CA
Verify a Private Key Matches a Certificate and CSR
How to generate an RSA key?
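The whole workflow from the steps above, from RSA key generation through CSR, signing and the checks you run before deploying, as an added example that is not part of the original page. A throwaway self-signed CA stands in for the real certificate authority (it is also the same openssl req -x509 form you would use for a self-signed certificate on an internal app). File names, the host name and the PKCS#12 password are made up; it assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original page): key -> CSR -> CA-signed cert,
# then verify the signature and that key, CSR and cert agree. OpenSSL 1.1.1+.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test    # made-up server name

# Step 1: RSA private key and a CSR carrying the server name as a SAN.
gen_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -out "$WORK/server.csr"
}

# Stand-in CA: a self-signed certificate. openssl req -x509 marks it
# CA:TRUE by default (via the v3_ca section of openssl.cnf in 1.1.1,
# built in from 3.0).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: what the CA does with the CSR. x509 -req does not copy the CSR's
# extensions, so the SAN and EKU are restated through -extfile.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# View the CSR before sending it off: subject, SANs, key size.
view_csr() { openssl req -in "$WORK/server.csr" -noout -text; }

# Check 1: was the certificate signed by the CA we expect? Prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# pubkey_digest FILE KIND: SHA-256 of the public key held in a private key
# (pkey), a certificate (x509) or a CSR (req). Comparing public keys works
# for any key type, unlike comparing RSA moduli.
pubkey_digest() {
  { case "$2" in
      pkey) openssl pkey -in "$1" -pubout ;;
      x509) openssl x509 -in "$1" -pubkey -noout ;;
      req)  openssl req  -in "$1" -pubkey -noout ;;
    esac; } | openssl dgst -sha256 | awk '{print $NF}'
}

# Check 2: private key, CSR and certificate all carry the same public key.
keys_match() {
  k=$(pubkey_digest "$WORK/server.key" pkey)
  c=$(pubkey_digest "$WORK/server.crt" x509)
  r=$(pubkey_digest "$WORK/server.csr" req)
  if [ "$k" = "$c" ] && [ "$k" = "$r" ]; then echo match; else echo mismatch; fi
}

# Step 3: bundle key + certificate + CA chain for servers that take one file.
bundle() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/server.p12"
}

setup() { gen_key_and_csr; make_ca; sign_csr; }

setup
view_csr | grep -E 'Subject:|DNS:|Public-Key'
echo "signed by CA : $(verify_chain)"
echo "key/csr/cert : $(keys_match)"
bundle && echo "bundle       : $WORK/server.p12"
```

With a real CA you skip make_ca and sign_csr, send server.csr off, and run verify_chain against the CA's published root (plus its intermediates, via -untrusted) once the certificate comes back. A "mismatch" from keys_match is the usual cause of a server that refuses to start after a certificate renewal: the new certificate was issued for a key other than the one configured.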
The SSL/TLS protocols rely heavily on a variety of cryptographic algorithms, including message digest algorithms, symmetric ciphers, and public key cryptography; the commands below exercise each of these.
Computes the SHA-1 hash of the named .zip file and writes it to stdout in hexadecimal form. SHA-1 is no longer collision-resistant; prefer -sha256 for anything security-relevant.
openssl dgst -sha1 openssl-1.0.1p-x64_86-win64.zip
Computes the SHA-1 hash of the same file and writes it in hexadecimal form to the file digest.txt.
openssl sha1 -out digest.txt openssl-1.0.1p-x64_86-win64.zip
Signs the SHA-1 (DSS1) hash of the file file.txt with the DSA private key in dsakey.pem and writes the signature to dsasign.bin. The -dss1 digest name belongs to OpenSSL 1.0.x; from 1.1.0 on, pass -sha1 (or better, -sha256) together with -sign dsakey.pem to openssl dgst.
Encrypts the contents of sample.txt with triple DES in CBC mode and writes the ciphertext to sampledes3.bin. -salt makes the derived key depend on a random salt, so encrypting the same input twice does not give the same ciphertext.
openssl enc -des3 -salt -in sample.txt -out sampledes3.bin
Since no -pass option is given, openssl prompts for the password. Note that without -pbkdf2 the password is hashed only once to derive the key, and 3DES is a legacy cipher with a 64-bit block; for new work prefer openssl enc -aes-256-cbc -pbkdf2.
Encrypts the contents of sample.txt with the Blowfish cipher in CFB mode and writes the ciphertext to samplebf-cfb.bin. In OpenSSL 3.0 Blowfish lives in the legacy provider, so this command needs -provider legacy -provider default there.
openssl bf-cfb -salt -in sample.txt -out samplebf-cfb.bin
Encodes the contents of samplebf-cfb.bin in base64 and writes the result to samplebf-cfb-base64.txt (adding -a to openssl enc does the same in a single step).
openssl base64 -in samplebf-cfb.bin -out samplebf-cfb-base64.txt
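The digest, encrypt and base64 steps above as reusable functions, written as an added example rather than taken from the page, with the settings you would pick today: SHA-256 alongside the page's SHA-1, AES-256-CBC in place of 3DES/Blowfish, -pbkdf2 so the password is stretched instead of hashed once, and -a for base64 armour. The sample file and passwords are made up; it assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original page): digest, password-based
# encryption and base64 as functions. Assumes OpenSSL 1.1.1+.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# digest_file ALGO FILE: hex digest of FILE, e.g. "sha256" or "sha1"
digest_file() {
  openssl dgst "-$1" "$2" | awk '{print $NF}'
}

# encrypt_to_b64 FILE PASSWORD: salted AES-256-CBC with the key derived by
# PBKDF2 (100k iterations); -a base64-encodes the "Salted__" blob so a
# separate openssl base64 step is not needed. Output goes to stdout.
encrypt_to_b64() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -a \
    -in "$1" -pass "pass:$2"
}

# decrypt_from_b64 FILE PASSWORD: reverse of the above. A wrong password is
# usually caught as a padding error (prints "decrypt-failed"), but CBC has
# no integrity check, so that detection is not guaranteed; openssl enc
# offers no authenticated mode, keep that in mind before relying on it.
decrypt_from_b64() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a \
    -in "$1" -pass "pass:$2" 2>/dev/null || echo decrypt-failed
}

# Constructed sample input.
printf 'hello\n' > "$WORK/sample.txt"

echo "sha1   : $(digest_file sha1   "$WORK/sample.txt")"
echo "sha256 : $(digest_file sha256 "$WORK/sample.txt")"
encrypt_to_b64 "$WORK/sample.txt" 'correct horse' > "$WORK/sample.b64"
echo "cipher : $(cat "$WORK/sample.b64")"
echo "plain  : $(decrypt_from_b64 "$WORK/sample.b64" 'correct horse')"
echo "wrong  : $(decrypt_from_b64 "$WORK/sample.b64" 'wrong password')"
```

Running encrypt_to_b64 twice on the same file gives two different outputs because of the random salt; that is the property the page's -salt flag buys, and it is why you cannot compare ciphertexts to check whether two files are equal.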
Diffie-Hellman is used for key agreement. In simple terms, key agreement is the exchange of information over an insecure medium that allows each of the two parties in a conversation to compute the same value, which is typically used as the key for a symmetric cipher.
Digital Signature Algorithm (DSA) is used for creating and verifying digital signatures.
Generates a new set of DSA parameters (1024 bits here, as was common in 2015; 2048 bits or more is the current minimum).
openssl dsaparam -out dsaparam.pem 1024
Generates a new DSA private key using the parameters from the file dsaparam.pem; -des3 encrypts the key file with a passphrase, for which openssl prompts.
openssl gendsa -out dsaprivatekey.pem -des3 dsaparam.pem
Computes the public key that corresponds to the private key contained in the file dsaprivatekey.pem and writes the public key out to the file dsapublickey.pem.
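The DSA steps above carried through to a signature that is actually verified (covering the signing step described in the digest section as well), plus a key agreement in which two parties derive the same secret, as an added example that is not part of the original page. It uses 2048-bit DSA parameters, and for the agreement it uses X25519, the elliptic-curve form of Diffie-Hellman, because generating finite-field DH parameters takes too long for a quick demonstration. The signed file, party names and file names are made up; it assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original page): DSA parameters -> private key
# -> public key -> sign -> verify, and an X25519 key agreement. OpenSSL 1.1.1+.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- DSA -------------------------------------------------------------------
dsa_setup() {
  # 2048-bit parameters (the page uses 1024); can take a few seconds
  openssl dsaparam -out "$WORK/dsaparam.pem" 2048 2>/dev/null
  # unencrypted key here; add -des3 as on the page to passphrase-protect it
  openssl gendsa -out "$WORK/dsaprivatekey.pem" "$WORK/dsaparam.pem" 2>/dev/null
  # the public key that corresponds to the private key
  openssl dsa -in "$WORK/dsaprivatekey.pem" -pubout -out "$WORK/dsapublickey.pem" 2>/dev/null
}

# dsa_sign FILE: sign the SHA-256 hash of FILE with the DSA private key.
# (-dss1 is the OpenSSL 1.0.x spelling of -sha1 for this; 1.1.0+ takes the
# digest name directly.)
dsa_sign() {
  openssl dgst -sha256 -sign "$WORK/dsaprivatekey.pem" -out "$WORK/dsasign.bin" "$1"
}

# dsa_verify FILE: OK if dsasign.bin is a valid signature over FILE, else
# FAIL. openssl itself prints "Verified OK" or a verification failure line;
# the exit status is used here so the wording does not matter.
dsa_verify() {
  if openssl dgst -sha256 -verify "$WORK/dsapublickey.pem" \
       -signature "$WORK/dsasign.bin" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# --- Key agreement ---------------------------------------------------------
# dh_keypair NAME: private key NAME.key and the public value NAME.pub that is
# sent to the peer over the insecure channel
dh_keypair() {
  openssl genpkey -algorithm X25519 -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# dh_derive ME PEER: shared secret from my private key and the peer's public
# value, hashed with SHA-256 as a stand-in for the KDF that would turn it
# into a symmetric key
dh_derive() {
  openssl pkeyutl -derive -inkey "$WORK/$1.key" -peerkey "$WORK/$2.pub" \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed input: a message and a tampered copy.
printf 'pay 10 EUR to alice\n'   > "$WORK/file.txt"
printf 'pay 10 EUR to mallory\n' > "$WORK/tampered.txt"

dsa_setup
dsa_sign "$WORK/file.txt"
echo "signature over original : $(dsa_verify "$WORK/file.txt")"
echo "same signature, tampered: $(dsa_verify "$WORK/tampered.txt")"

dh_keypair alice
dh_keypair bob
echo "alice derives : $(dh_derive alice bob)"
echo "bob derives   : $(dh_derive bob alice)"
```

Both parties print the same value even though only the .pub files crossed the wire; a third party who generates her own key pair and combines it with bob.pub gets a different value, which is the property the text describes. The tampered line shows the flip side of the DSA part: the signature binds the exact bytes that were hashed, so a one-word change fails verification.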
| Date | Description |
| :--- | :--- |
| 2015-12-20 | Initial Version |