Important OpenSSL Commands Every SysAdmin Should Know
OpenSSL Commands For SysAdmins
In this article, we are going to learn some of the most important OpenSSL commands, which help us implement SSL on a website without any trouble.
Implementing SSL on a website is not a hard task, but it is important to check that the received SSL certificate is valid and will not cause any issue on the website after installation.
When I configured SSL on a website for the first time, I faced a lot of issues because of a lack of knowledge of the SSL part.
This guide will help you understand each SSL command and gives you the proper way to implement an SSL certificate on any website.
To run the SSL commands, we need the OpenSSL package installed on the system. If you don’t have OpenSSL on your system, use the following commands to install it:
$ apt-get update
$ apt-get install openssl
Let’s start with the article on Important OpenSSL Commands.
1. Create SSL Key
The OpenSSL command below creates an SSL key (a 2048-bit RSA private key).
$ openssl genrsa -out www.crt.in.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
2. Create a CSR (Certificate Signing Request)
A CSR file is generally required to request a “.crt” file from any certificate provider.
The CSR file contains information like the company name, location, locality, domain name, etc.
$ openssl req -new -key www.crt.in.key -out www.crt.in.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:MAHARASHTRA
Locality Name (eg, city) :MUM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxGrow
Organizational Unit Name (eg, section) :TECH
Common Name (e.g. server FQDN or YOUR name) :linuxgrow.com
Email Address :[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : Enter
An optional company name : Enter
Note: Keep the challenge password empty; otherwise it will be asked for every time you restart the webserver.
3. Check SSL Key & CSR MD5
With this command, you can check the MD5 hash of the SSL key’s modulus and compare it with the MD5 hash of the CSR’s modulus. If the two hashes do not match, the CSR was not created properly from this key; create it again and check.
$ openssl rsa -noout -modulus -in www.crt.in.key | openssl md5
$ openssl req -noout -modulus -in www.crt.in.csr | openssl md5
4. Create a Self-Signed SSL Certificate
This is the main file that we use with the Apache or Nginx web server to implement SSL on the website. It is created from a combination of the .key and .csr files.
$ openssl x509 -req -days 365 -in www.crt.in.csr -signkey www.crt.in.key -out www.crt.in.crt
Getting Private key
5. Check SSL CRT MD5
Now, just as we checked the .key and .csr MD5 hashes above, you need to check the .crt MD5 hash as well to make sure the .crt file was generated properly.
$ openssl x509 -noout -modulus -in www.crt.in.crt | openssl md5
6. Check SSL Certificate Expiry Date
You can also check the expiry date of the CRT file with the OpenSSL command below.
$ openssl x509 -noout -in www.crt.in.crt -dates
notBefore=Dec 16 12:27:26 2020 GMT
notAfter=Dec 17 12:27:26 2021 GMT
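The whole procedure from sections 1 to 9, as an added example that is not part of the original article: it creates the key, the CSR and the self-signed certificate without the interactive prompts (the -subj option supplies the DN fields typed in by hand above), then checks that all three files share the same RSA modulus and that the certificate is not about to expire. The file names, the subject DN and the working directory are constructed for this example; the modulus comparison uses sha256 instead of md5, which works identically since the digest is only compared for equality.

```shell
#!/bin/sh
# Added example (not from the original article): generate key, CSR and
# self-signed certificate non-interactively, then verify that all three
# share the same RSA modulus and that the certificate is still valid.
# All file names and the subject DN below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/example.key"
CSR="$WORK/example.csr"
CRT="$WORK/example.crt"

# Step 1: private key (2048-bit RSA, as in the article).
openssl genrsa -out "$KEY" 2048 2>/dev/null

# Step 2: CSR without the interactive prompts. -subj supplies the DN fields
# that the article types in by hand; no challenge password is set.
openssl req -new -key "$KEY" -out "$CSR" \
  -subj "/C=IN/ST=MAHARASHTRA/L=MUM/O=LinuxGrow/OU=TECH/CN=example.test"

# Step 3: self-signed certificate, valid 365 days (note: -signkey, one word).
openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null

# Digest of the modulus of a key, CSR or certificate. The article uses md5;
# only equality matters for the comparison, so sha256 is used here.
modulus_digest() {
  # $1 = openssl subcommand (rsa|req|x509), $2 = file
  openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# Returns 0 when key, CSR and certificate all carry the same modulus.
modulus_match() {
  k=$(modulus_digest rsa "$KEY")
  c=$(modulus_digest req "$CSR")
  x=$(modulus_digest x509 "$CRT")
  [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Returns 0 when the certificate is still valid for at least $1 more seconds.
# -checkend is the scriptable form of reading notAfter by eye.
cert_valid_for() {
  openssl x509 -noout -in "$CRT" -checkend "$1" >/dev/null
}

# Self-signature check of the CSR (section 8); prints "verify OK" on success.
csr_signature_ok() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Subject of the CSR, as in section 9 of the article.
csr_subject() {
  openssl req -in "$CSR" -noout -subject
}

if modulus_match; then echo "key, CSR and certificate match"; else echo "MISMATCH"; fi
csr_subject
openssl x509 -noout -in "$CRT" -dates
```

Run it as a plain sh script; it leaves the three files in a temporary directory so you can inspect them with the commands from the sections above. A failing modulus_match after a real CSR submission usually means the certificate was issued for a different key than the one on the server, which is exactly the case the MD5 checks above are meant to catch.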
7. Decode the CSR
You can decode the CSR with the command below to check the information inside the .csr file.
$ openssl req -in www.crt.in.csr -noout -text
Version: 0 (0x0)
Subject: C=IN, ST=MAHARASHTRA, L=MUM, O=LinuxGrow, OU=TECH, CN= linuxgrow.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
8. Verify The Signature
You can verify the signature on the .csr file using the command below. If the output is “verify OK”, the request’s signature verified successfully.
$ openssl req -in www.crt.in.csr -noout -verify
9. Check Certificate Issued
With this command, you can check the subject of the request, i.e. who the certificate will be issued to.
$ openssl req -in www.crt.in.csr -noout -subject
10. Remove Passphrase Key
If you are using a passphrase for the private key and no longer want a passphrase on the key, use the commands below to remove it.
First, copy the .key file as a backup:
$ cp www.crt.in.key www.crt.in.key-orig
Then decrypt the key with OpenSSL. You’ll need the current passphrase to remove it.
$ openssl rsa -in www.crt.in.key -out new.www.crt.in.key
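The passphrase removal above, as an added example that is not part of the original article: it creates a passphrase-protected key, backs it up, strips the passphrase without an interactive prompt (the -passin option reads it from an environment variable), and then confirms that the decrypted file holds the same RSA key and is consistent. The file names, the passphrase and the working directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): create a passphrase-protected
# key, strip the passphrase non-interactively, and confirm both files contain
# the same RSA key. File names and the passphrase are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ENC_KEY="$WORK/enc.key"
PLAIN_KEY="$WORK/plain.key"
PASS="example-passphrase"   # constructed; a real one comes from a secret store, not a script

# A key encrypted with AES-256. The passphrase is passed through the
# environment, so it never appears in the process list as a command argument.
PASS="$PASS" openssl genrsa -aes256 -passout env:PASS -out "$ENC_KEY" 2048 2>/dev/null

# Back up the encrypted key before touching it, as the article advises.
cp "$ENC_KEY" "$ENC_KEY-orig"

# Section 10 of the article, made non-interactive with -passin.
PASS="$PASS" openssl rsa -in "$ENC_KEY" -passin env:PASS -out "$PLAIN_KEY" 2>/dev/null
chmod 600 "$PLAIN_KEY"   # an unencrypted key must not be readable by other users

# Returns 0 when a PEM key file is passphrase-protected: PKCS#8 files carry
# "BEGIN ENCRYPTED PRIVATE KEY", legacy files a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# Returns 0 when the decrypted key and the original have the same modulus.
same_key() {
  a=$(PASS="$PASS" openssl rsa -noout -modulus -in "$ENC_KEY" -passin env:PASS)
  b=$(openssl rsa -noout -modulus -in "$PLAIN_KEY")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Returns 0 when the unencrypted key passes OpenSSL's internal consistency check.
key_is_consistent() {
  openssl rsa -in "$PLAIN_KEY" -check -noout >/dev/null 2>&1
}

if same_key && key_is_consistent; then
  echo "passphrase removed; $PLAIN_KEY holds the same key as $ENC_KEY"
fi
```

The unencrypted key is what the web server reads at startup, which is why the article removes the passphrase; the trade-off is that anyone who can read the file has the key, so the chmod and a backup of the encrypted original are part of the procedure rather than optional extras.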
OpenSSL commands to convert certificate and key files to different formats.
1. Convert PEM to DER
$ openssl x509 -outform der -in linux-certificate.pem -out linux-certificate.der
2. Convert PEM to P7B
$ openssl crl2pkcs7 -nocrl -certfile linux-certificate.cer -out linux-certificate.p7b -certfile CACert.cert
3. Convert PEM to PFX
$ openssl pkcs12 -export -out linux-certificate.pfx -inkey privateKey.key -in linux-certificate.crt -certfile CACert.crt
4. Convert DER to PEM
$ openssl x509 -inform DER -in linuxgrow.der -outform PEM -out linuxgrow.crt
5. To convert the private key file (DER to PEM)
$ openssl rsa -inform DER -in linuxgrow_key.der -outform PEM -out linuxgrow.key
6. Convert P7B to PEM
$ openssl pkcs7 -print_certs -in linux-certificate.p7b -out linux-certificate.cer
7. Convert P7B to PFX
$ openssl pkcs7 -print_certs -in linux-certificate.p7b -out linux-certificate.cer
$ openssl pkcs12 -export -in linux-certificate.cer -inkey privateKey.key -out linux-certificate.pfx -certfile CACert.cer
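The conversions in this list, as an added example that is not part of the original article: it converts a throwaway self-signed certificate PEM to DER, to P7B and (with its key) to PFX, converts each result back to PEM, and checks after every round trip that the certificate’s SHA-256 fingerprint is unchanged. The file names, the export password and the working directory are constructed for this example; no CA certificate is bundled, so the -certfile option from the commands above is not used.

```shell
#!/bin/sh
# Added example (not from the original article): round-trip a certificate
# through DER, P7B and PFX and confirm the certificate survives each conversion.
# File names and the export password are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/conv.key"; PEM="$WORK/conv.pem"; DER="$WORK/conv.der"
PEM2="$WORK/conv2.pem"; P7B="$WORK/conv.p7b"; P7PEM="$WORK/conv-p7.pem"
PFX="$WORK/conv.pfx"; PFXPEM="$WORK/conv-pfx.pem"
P12PASS="example-export-password"   # constructed

# A throwaway self-signed certificate to convert (key and cert in one step).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$PEM" -days 30 \
  -subj "/CN=convert.example.test" 2>/dev/null

# SHA-256 fingerprint of a PEM certificate: the value that must survive conversion.
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# PEM -> DER -> PEM (items 1 and 4 of the list above)
openssl x509 -outform DER -in "$PEM" -out "$DER"
openssl x509 -inform DER -in "$DER" -outform PEM -out "$PEM2"

# PEM -> P7B -> PEM (items 2 and 6)
openssl crl2pkcs7 -nocrl -certfile "$PEM" -out "$P7B"
openssl pkcs7 -print_certs -in "$P7B" -out "$P7PEM"

# PEM + key -> PFX -> PEM (items 3 and 7). -nokeys on the way back writes the
# certificate only, so the private key is not copied into yet another file.
P12PASS="$P12PASS" openssl pkcs12 -export -in "$PEM" -inkey "$KEY" -out "$PFX" -passout env:P12PASS
P12PASS="$P12PASS" openssl pkcs12 -in "$PFX" -nokeys -passin env:P12PASS -out "$PFXPEM" 2>/dev/null

# Returns 0 when every converted form still yields the original fingerprint.
# (x509 ignores the "subject=" / "Bag Attributes" text that pkcs7 and pkcs12 prepend.)
conversions_preserve_cert() {
  orig=$(fingerprint "$PEM")
  for f in "$PEM2" "$P7PEM" "$PFXPEM"; do
    [ "$(fingerprint "$f")" = "$orig" ] || return 1
  done
}

# Returns 0 when the DER file is binary ASN.1 rather than base64 PEM text.
der_is_binary() { ! grep -aq 'BEGIN CERTIFICATE' "$1"; }

if conversions_preserve_cert; then
  echo "DER, P7B and PFX conversions all preserve the certificate"
fi
```

Comparing fingerprints is the quick way to confirm that a converted file is still the certificate you started with; a mismatch after a P7B or PFX extraction usually means the tool wrote the wrong certificate from a bundle that contained several.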
We have tried our best to include almost all of the ‘Important OpenSSL Commands’ used by SysAdmins while working on OpenSSL, with examples, in this article.
If we have missed anything, please let us know via the comments, and don’t forget to share with your friends.
Thank You 🙂