OpenSSL Command-line Cookbook

Security software is usually really bloody complex, and OpenSSL is no different. In fact, it is the very exemplar of unbounded complexity and as a result it's sometimes impossible to find your way through the maze of it's bazillion commands and options (at least if you're new). So when you just need to generate a keypair or a cert, don't fear because this guide will light your way.

If you ever need to look anything else up, check out the online OpenSSL command docs on their site. On your own system, the manual pages may either be all put together (as on OpenBSD) or split apart for their subcommands (as on Ubuntu). So, for example, on OpenBSD you will always be searching around through the openssl(1) manpage, but on Ubuntu you can go right to x509(1SSL). It's handy that Ubuntu does this.

Generate an RSA Keypair

One of the simplest things to do. Well, the old method is dead-simple anyway. Here's the recipe you need:

openssl genrsa -out <KEY-FILE> \            ; where the key goes
               -des3           \            ; use DES3 to encrypt key
               4096                         ; a really freaking strong key

With newer versions of OpenSSL they changed the commands, condensing multiple algorithm-specific ones into a single operation. As a result you need to specify more things as arguments, but it theoretically scales well to other algorithms:

openssl genpkey -out <KEY-FILE> \           ; where the key goes
                -outform PEM    \           ; use PEM encoding
                -cipher des3    \           ; use DES3 to encrypt key
                -algorithm RSA  \           ; make very strong RSA key
                -pkeyopt rsa_keygen_bits:4096

Generating a Self-Signed Certificate

To create a cert we first need a keypair as generated above. Then we'll use the command that is normally used to generate a certificate request (which would then get sent off to a CA, and from which an actual certificate would be generated and signed by them).

openssl req -new             \              ; create a certificate
            -outform PEM     \              ; encode cert using PEM
            -out <CERT-FILE> \              ; where the cert goes
            -key <KEY-FILE>  \              ; location of private key
            -keyform PEM     \              ; encoding used by key
            -sha1            \              ; digest algorithm for cert
            -x509            \              ; make self-signed cert
            -days 365                       ; valid for 365 days

If you need your certificate in DER format, it's easy enough to convert them:

openssl x509 -in <CERT-FILE>    \           ; certificate in PEM format
             -inform PEM        \           ; reading PEM encoding
             -out <OUTPUT-FILE> \           ; location to write cert to
             -outform DER                   ; writing DER encoding

Creating a CMS / PKCS#7 / SMIME Signed Message

OpenSSL has a pkcs7 command. Ignore it. You want to use the smime command instead because it will actually do some things, whereas the pkcs7 command can only pull certificates out of the PKCS#7 file. Here's a basic template and the meaning of all the options.

openssl smime -sign               \         ; we're going to sign it first
              -nodetach           \         ; don't detach the signature
              -nocerts            \         ; don't store certs in message
              -in <MESSAGE-FILE>  \         ; message contents location
              -out <SIGNED-FILE>  \         ; where signed file goes
              -outform DER        \         ; generate DER-encoded PKCS#7
              -inkey <KEY-FILE>   \         ; key to use to sign
              -signer <CERT-FILE>           ; signer cert to include

Verifying a CMS / PKCS#7 / SMIME Signed Message

openssl smime -verify               \       ; verify signature
              -inform DER           \       ; DER encoded message
              -in <SIGNED-FILE>     \       ; input from here
              -certfile <CERT-FILE> \       ; checking with this certificate
              -CAfile <CERT-FILE>           ; certificate is self-signed

Making a PKCS#12 File

If you ever need to make a PKCS#12 file...
Some would argue that the PKCS#12 standard is one big bug :-)

— OpenSSL pkcs12 command manual

openssl pkcs12 -export            \         ; we're writing a file
               -out <OUTPUT-FILE> \         ; where the PKCS#12 file goes
               -inkey <KEY-FILE>  \         ; private key location
               -in <CERT-FILE>              ; certificate file path