openssl command

The openssl command is available for use by all users. The intended audience for this page is system administrators who can submit requests which IST will recognize._

The openssl command is part of the openssl software package, and allows the user to manipulate components in various ways. It has a bewildering array of sub-commands and options, but if you learn a certain subset it will help you to become comfortable with the various components of SSL as used at the University of Waterloo.

openssl examples

You should be able to go to an empty directory and literally cut-and-paste the following Unix commands to get an idea of SSL key structure.

Generate a new private key

    mkdir private
    chmod 700 private
    openssl genrsa -out private/new2048.key 2048

View details of that private key

    openssl rsa < private/new2048.key -text

Show the public key corresponding to a private key

    openssl rsa -in private/new2048.key -pubout

View details of that public key (?)

    openssl rsa -in private/new2048.key -pubout -text
Actually, it seems -text applies to the input private key, and you need...
    openssl rsa -in private/new2048.key -pubout | openssl rsa -pubin -text

Generate a new Certificate Signing Request (CSR)

    openssl req -new -key private/new2048.key -out new.csr
(requires answering questions on standard input)


    openssl req -new -key private/new2048.key -out new.csr \<br> -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/' 

For username@domainname you will often use

No permission to view CFPrivate.EMailAddressCscfCerts

(NEW!) Generate a new private key and use it for a new CSR in one command

    openssl req -new -newkey rsa:2048 -nodes -keyout private/new2048.key -out new.csr \<br> -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/' 
Note: noDES does not (now?) seem to work in place of -nodes

See Details of that CSR

    openssl req < new.csr -text
(You will see the public key in there in a different format).

(NEW!) Generate CSR from a config file

    openssl req -new -out cs-uwaterloo-ca.csr -nodes -key cs-uwaterloo-ca.key -config cs-uwaterloo-ca.cnf

This is easier to correctly extend than the commandline -subj syntax.

See the Public Key in a CSR in x509ish format

    openssl req < new.csr -pubkey -noout

Generate a self-signed Certificate

This is done like a CSR, but you add an option -x509.
    openssl req -new -key private/new2048.key -x509 -out new.pem \<br> -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/' 

Other options:

  • -days number - change lifetime from default of 395 days
  • think about what you want as a subject

Sample Certificate for Further Examples

You can cut-and-paste the following into a text file cert.pem for use in the next examples. (Or quite likely you could find another x509 certificate to use as an example; the self-signed Certificate from above works for most demonstrations, although it is a special case in some respects).

See Details (Verbose Form) of a certificate

    openssl x509 < cert.pem -text
That is the easiest way to check the expiry date, for example.

Extract public key from a certificate

    openssl x509 < cert.pem -pubkey -noout

View multiple PEM certificates in one file as text

I have shameless stolen the following from

    openssl crl2pkcs7 -nocrl -certfile BUNDLE.pem | openssl pkcs7 -print_certs -text -noout

E.g. to get a characterization of the certificates actually in a multi-certifica te pem file...

    root@vpn:/etc/apache2/ssl# openssl crl2pkcs7 -nocrl -certfile | openssl pkcs7 -print_certs -text -noout | egrep 'Subject:|Issuer:|After'
            Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
                Not After : Feb 17 14:41:02 2020 GMT
            Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo,
            Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
                Not After : Feb 20 10:00:00 2024 GMT
            Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2

View a .der (binary) certificate

This example requires the base64 command. lynx is used to fetch a binary certificate from the web, and perl is used to add the BEGIN and END lines so that openssl will recognize it.

Unfortunately the indicated .der URL no longer works.

bash@ubuntu% lynx -source | \<br/>   base64 | perl -e 'print "-----BEGIN CERTIFICATE-----\n";
   while (<>) {print;}<br />   print "-----END CERTIFICATE-----\n" '| \<br />   openssl x509 -text

Using lynx like that is a bad habit of mine. I should really get used to using wget instead.

Furthermore, openssl can work with different formats. As in...

    lynx -source | \<br />     openssl x509 -inform der -text

A note.

    lynx -source | \<br />     base64
defaults to 76 character column wrap. But it seems to work in the manner we use it, and gets reformatted by openssl to the standard 64 characters on output.

So arguably we should give base64 the option --wrap=64. If we ever really need to convert a .der certificate that way.

Anyway, I think I have thoroughly demonstrated that PEM is the base64 encoding of the DER encoding with header and footer lines added.

Use openssl to test certificate installations

The openssl command has an s_client sub-command which can be a simple client for SSL smtp, imap, pop or ftp.
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls smtp -crlf -connect
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -crlf -connect
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls pop3 -crlf -connect
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect

I had to hunt around for a pop3 example, because that is being shut down. The output from the above is lengthy, and includes the main server certificate. You can use the openssl command to view its details.

Other options can be given to the above. Most useful might be -showcerts which will show the entire certificate chain. Also -CAfile <file> or -CApath <dir>.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -showcerts -CApath /etc/ssl/certs -starttls imap -crlf -connect

-starttls http is not supported, since there is no such concept. But since https is a standard SSL protocol port, the following does work to view the certificate used by https:

   arpepper@cscfpc20:~$ cat /dev/null | openssl s_client -crlf -connect

Since openssl x509 -text does ignore information outside the recognized CERTIFICATE area, the above commands can all be piped directly into it.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect | openssl x509 -text

There might be a little untidy stderr output at the beginning, so...

    arpepper@cscfpc20:~$ echo 0 logout | 2>/dev/null openssl s_client -starttls imap -crlf -connect | openssl x509 -text

Personal dsa, rsa, ecdsa and ed25519 keys

In general, openssl is not used for manipulating ssh keys. But openssl is useful because it will show you in readable form things like the number of bits in the key.

Therefore (even though arguably the following doesn't belong in a page about the openssl command), we give the following which demonstrates how to take ssh keys and convert them to something useable by openssl.

Convert authorized_keys format to openssl recognizable

        ssh-keygen -f ~/.ssh/ -e -m pkcs8
        ssh-keygen -f ~/.ssh/ -e -m pkcs8 | openssl rsa -pubin -pubout -text
        ssh-keygen -f ~/.ssh/ -e -m pkcs8 | openssl pkey -pubin -pubout -text

Similarly for the deprecated id_dsa algorithm.

        ssh-keygen -f ~/.ssh/ -e -m pkcs8
        ssh-keygen -f ~/.ssh/ -e -m pkcs8 | openssl dsa -pubin -pubout -text
        ssh-keygen -f ~/.ssh/ -e -m pkcs8 | openssl pkey -pubin -pubout -text

Note how pkey can be used to avoid needing to specify whether you have dsa or rsa.

Note that the trending ed25519 keys are not implemented by the openssl command. Nor are they implemented by the pkcs8 converter.

And, the format recognized by openssl is called pkcs8/pkcs#8.

The following will convert a pkcs#8 (in key.pem ) to authorized_keys format.

        ssh-keygen -i -m pkcs8 -f key.pem

And therefore...

        ssh-keygen -f ~/.ssh/ -e -m pkcs8 | ssh-keygen -i -m pkcs8 -f /dev/stdin > /tmp/pub

Produces /tmp/pub which is more-or-less a copy of ~/.ssh/ (Actually, any trailing comment will get lost).

Similarly, although deprecated...

        ssh-keygen -f ~/.ssh/ -e -m pkcs8 | ssh-keygen -i -m pkcs8 -f /dev/stdin > /tmp/pub

Get Certificates from a Web Page using Firefox

If you are viewing an https page in FireFox then you can perform the following menu/button selections to save its certificates.

. => [Page Info]
... => [Security]
..... => [View Certificate]
........ => [Details]
........... => [Export]

You can choose to save the certificate and/or chain as PEM, DER, or PKCS#7. The files you save can then be manipulated using the appropriate openssl commands.

This was the case with the FireFox version I had available at the time of writing. YMMV.

-- AdrianPepper - 2013-07-08

Topic revision: r26 - 2019-01-09 - AdrianPepper
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback