openssl command

The openssl command is available for use by all users. The intended audience for this page is system administrators who can submit requests which IST will recognize.

The openssl command is part of the openssl software package, and allows the user to manipulate SSL components (keys, certificate signing requests, certificates) in various ways. It has a bewildering array of sub-commands and options, but learning a certain subset will help you become comfortable with the various components of SSL as used at the University of Waterloo.

openssl examples

You should be able to go to an empty directory and literally cut-and-paste the following Unix commands to get an idea of SSL key structure.

Generate a new private key

    mkdir private
    chmod 700 private
    openssl genrsa -out private/new2048.key 2048

View details of that private key

    openssl rsa < private/new2048.key -text

Show the public key corresponding to a private key

    openssl rsa -in private/new2048.key -pubout

View details of that public key (?)

    openssl rsa -in private/new2048.key -pubout -text
Actually, it seems -text applies to the input private key, and you need...
    openssl rsa -in private/new2048.key -pubout | openssl rsa -pubin -text

Generate a new Certificate Signing Request (CSR)

    openssl req -new -key private/new2048.key -out new.csr
(requires answering questions on standard input)

Or:

    openssl req -new -key private/new2048.key -out new.csr \
        -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=test.cs.uwaterloo.ca/emailAddress=username@domainname'

For username@domainname you will often use

No permission to view CFPrivate.EMailAddressCscfCerts

(NEW!) Generate a new private key and use it for a new CSR in one command

    openssl req -new -newkey rsa:2048 -nodes -keyout private/new2048.key -out new.csr \
        -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=test.cs.uwaterloo.ca/emailAddress=username@domainname'
Note: noDES does not (now?) seem to work in place of -nodes

See Details of that CSR

    openssl req < new.csr -text
(You will see the public key in there in a different format).

(NEW!) Generate CSR from a config file

    openssl req -new -out cs-uwaterloo-ca.csr -nodes -key cs-uwaterloo-ca.key -config cs-uwaterloo-ca.cnf

This is easier to correctly extend than the commandline -subj syntax.
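
The usual reason to extend a request is to add Subject Alternative Names, which are an extension and so have no place in the subject string given to -subj. The following is an added example, not the config file referred to above: the file names, the function name `make_san_csr` and the second host name are constructed for illustration.

```sh
#!/bin/sh
# Added example: build a CSR from a config file that carries Subject
# Alternative Names. File contents and the second host name are constructed.

# make_san_csr DIR -> writes DIR/req.cnf, DIR/req.key and DIR/req.csr, then
# prints the SAN line found in the finished CSR (fails if there is none).
make_san_csr() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = CA
ST = Ontario
L  = Waterloo
O  = University of Waterloo
CN = test.cs.uwaterloo.ca

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = test.cs.uwaterloo.ca
DNS.2 = www.test.cs.uwaterloo.ca
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/req.key" \
        -out "$dir/req.csr" -config "$dir/req.cnf" 2>/dev/null || return 1
    # Confirm the extension really made it into the request before sending it.
    san=$(openssl req -in "$dir/req.csr" -noout -text | grep 'DNS:') || return 1
    printf '%s\n' "$san" | sed 's/^ *//'
}

# Run as: sh thisfile.sh some-empty-directory
if [ -n "${1:-}" ]; then make_san_csr "$1"; fi
```

Adding a host name later means adding one `DNS.n` line and regenerating the request.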

See the Public Key in a CSR in x509ish format

    openssl req < new.csr -pubkey -noout

Generate a self-signed Certificate

This is done like a CSR, but you add an option -x509.
    openssl req -new -key private/new2048.key -x509 -out new.pem \
        -subj '/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=test.cs.uwaterloo.ca/emailAddress=username@domainname'

Other options:

  • -days number - change lifetime from default of 395 days
  • think about what you want as a subject

Sample Certificate for Further Examples

You can cut-and-paste the following into a text file cert.pem for use in the next examples. (Or quite likely you could find another x509 certificate to use as an example; the self-signed Certificate from above works for most demonstrations, although it is a special case in some respects).

See Details (Verbose Form) of a certificate

    openssl x509 < cert.pem -text
That is the easiest way to check the expiry date, for example.

Extract public key from a certificate

    openssl x509 < cert.pem -pubkey -noout
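
The public key can now be extracted from a private key, a CSR and a certificate, which makes it possible to check that all three belong together before a certificate is installed. The following is an added example, not part of the original page; the function names `pubkey_fp` and `same_keypair` are made up here.

```sh
#!/bin/sh
# Added example: fingerprint the public key held in a private key, a CSR or
# a certificate, so that the three can be compared. Names are hypothetical.

# pubkey_fp KIND FILE -> prints the SHA-256 of the DER-encoded public key.
#   KIND is one of: key, csr, cert
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pem=$(openssl req  -in "$2" -pubkey -noout) ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout) ;;
        *)    echo "usage: pubkey_fp key|csr|cert FILE" >&2; return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    # Re-encode as DER so that PEM line wrapping cannot affect the hash.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# same_keypair KEY CSR CERT -> exit 0 only if all three carry one public key.
same_keypair() {
    k=$(pubkey_fp key "$1") && r=$(pubkey_fp csr "$2") &&
        c=$(pubkey_fp cert "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# With the files created by the earlier commands on this page:
if [ -f private/new2048.key ] && [ -f new.csr ] && [ -f new.pem ]; then
    same_keypair private/new2048.key new.csr new.pem &&
        echo "key, CSR and certificate match"
fi
```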

View multiple PEM certificates in one file as text

I have shamelessly stolen the following from https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle

    openssl crl2pkcs7 -nocrl -certfile BUNDLE.pem | openssl pkcs7 -print_certs -text -noout

E.g. to get a characterization of the certificates actually in a multi-certificate PEM file...

    root@vpn:/etc/apache2/ssl# openssl crl2pkcs7 -nocrl -certfile vpn.cs.uwaterloo.ca.pem | openssl pkcs7 -print_certs -text -noout | egrep 'Subject:|Issuer:|After'
            Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
                Not After : Feb 17 14:41:02 2020 GMT
            Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=vpn.cs.uwaterloo.ca
            Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
                Not After : Feb 20 10:00:00 2024 GMT
            Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
    root@vpn:/etc/apache2/ssl# 
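
The same bundle can be checked for approaching expiry one certificate at a time, instead of reading the "Not After" lines by eye. The following is an added example, not part of the original page; the function name `bundle_expiring` is made up here.

```sh
#!/bin/sh
# Added example: report each certificate in a PEM bundle that expires within
# a given number of days. The function name is hypothetical.

# bundle_expiring BUNDLE DAYS -> prints "subject | notAfter" for every
# certificate that expires within DAYS. Returns 0 if none do, 1 if any do,
# 2 if the file contains no certificate at all.
bundle_expiring() {
    bundle=$1
    secs=$(( $2 * 86400 ))
    tmp=$(mktemp -d) || return 2
    # openssl x509 reads only the first certificate in a file, so split the
    # bundle into one file per BEGIN/END block first.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    ret=0
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || { ret=2; break; }
        # -checkend exits non-zero if the certificate expires within $secs.
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
            printf '%s | %s\n' \
                "$(openssl x509 -in "$f" -noout -subject)" \
                "$(openssl x509 -in "$f" -noout -enddate)"
            ret=1
        fi
    done
    rm -rf "$tmp"
    return $ret
}

# Run as: sh thisfile.sh BUNDLE.pem 30
if [ -n "${2:-}" ]; then bundle_expiring "$1" "$2"; fi
```

The exit status makes the function usable from cron or a monitoring check without parsing its output.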

View a .der (binary) certificate

This example requires the base64 command. lynx is used to fetch a binary certificate from the web, and perl is used to add the BEGIN and END lines so that openssl will recognize it.

Unfortunately the indicated .der URL no longer works.

    bash@ubuntu% lynx -source http://ist.uwaterloo.ca/security/IST-CA/cacert.der | \
       base64 | perl -e 'print "-----BEGIN CERTIFICATE-----\n";
       while (<>) {print;}
       print "-----END CERTIFICATE-----\n" ' | \
       openssl x509 -text

Using lynx like that is a bad habit of mine. I should really get used to using wget instead.

Furthermore, openssl can work with different formats. As in...

    lynx -source http://ist.uwaterloo.ca/security/IST-CA/cacert.der | \
        openssl x509 -inform der -text

A note.

    lynx -source http://ist.uwaterloo.ca/security/IST-CA/cacert.der | \
        base64
defaults to 76 character column wrap. But it seems to work in the manner we use it, and gets reformatted by openssl to the standard 64 characters on output.

So arguably we should give base64 the option --wrap=64, if we ever really need to convert a .der certificate that way.

Anyway, I think I have thoroughly demonstrated that PEM is the base64 encoding of the DER encoding with header and footer lines added.

Use openssl to test certificate installations

The openssl command has an s_client sub-command which can be a simple client for SSL smtp, imap, pop or ftp.
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:465
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls smtp -crlf -connect mail.cs.uwaterloo.ca:25
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:imaps
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls pop3 -crlf -connect plg2.cs.uwaterloo.ca:110
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect plg2.cs.uwaterloo.ca:995

I had to hunt around for a pop3 example, because that is being shut down. The output from the above is lengthy, and includes the main server certificate. You can use the openssl command to view its details.

Other options can be given to the above. Most useful might be -showcerts which will show the entire certificate chain. Also -CAfile <file> or -CApath <dir>.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -showcerts -CApath /etc/ssl/certs -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap

-starttls http is not supported, since there is no such concept. But since https is a standard SSL protocol port, the following does work to view the certificate used by https:

    arpepper@cscfpc20:~$ cat /dev/null | openssl s_client -crlf -connect cs.uwaterloo.ca:443

Since openssl x509 -text does ignore information outside the recognized CERTIFICATE area, the above commands can all be piped directly into it.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text

There might be a little untidy stderr output at the beginning, so...

    arpepper@cscfpc20:~$ echo 0 logout | 2>/dev/null openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text

Personal dsa, rsa, ecdsa and ed25519 keys

In general, openssl is not used for manipulating ssh keys. But openssl is useful because it will show you in readable form things like the number of bits in the key.

Therefore (even though arguably the following doesn't belong in a page about the openssl command), we give the following which demonstrates how to take ssh keys and convert them to something useable by openssl.

Convert authorized_keys format to openssl recognizable

        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8
        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 | openssl rsa -pubin -pubout -text
        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 | openssl pkey -pubin -pubout -text

Similarly for the deprecated id_dsa algorithm.

        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8
        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8 | openssl dsa -pubin -pubout -text
        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8 | openssl pkey -pubin -pubout -text

Note how pkey can be used to avoid needing to specify whether you have dsa or rsa.

Note that the trending ed25519 keys are not implemented by the openssl command. Nor are they implemented by the pkcs8 converter.

And, the format recognized by openssl is called pkcs8/pkcs#8.

The following will convert a pkcs#8 (in key.pem ) to authorized_keys format.

        ssh-keygen -i -m pkcs8 -f key.pem

And therefore...

        ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 | ssh-keygen -i -m pkcs8 -f /dev/stdin > /tmp/pub

Produces /tmp/pub which is more-or-less a copy of ~/.ssh/id_rsa.pub. (Actually, any trailing comment will get lost).

Similarly, although deprecated...

        ssh-keygen -f ~/.ssh/id_dsa.pub -e -m pkcs8 | ssh-keygen -i -m pkcs8 -f /dev/stdin > /tmp/pub

Get Certificates from a Web Page using Firefox

If you are viewing an https page in Firefox then you can perform the following menu/button selections to save its certificates.

[Tools]
. => [Page Info]
... => [Security]
..... => [View Certificate]
........ => [Details]
........... => [Export]

You can choose to save the certificate and/or chain as PEM, DER, or PKCS#7. The files you save can then be manipulated using the appropriate openssl commands.

This was the case with the Firefox version I had available at the time of writing. YMMV.


-- AdrianPepper - 2013-07-08

Topic revision: r26 - 2019-01-09 - AdrianPepper
 