What is OpenSSL? How can I use it to generate and inspect certificates? — Hands-on Activity 😉 🏃
To start with, thanks for your time in checking out this article. I believe it should help you take a more advanced approach to SSL/TLS certificates and secure communication. I have written it in an intuitive, hands-on style so that even a beginner with no previous knowledge of OpenSSL can understand it and try it out.
If you’re new to OpenSSL and SSL/TLS, I would recommend checking my previous article covering The Basics of SSL/TLS Certificates, which should give you a kickstart on OpenSSL.
What is OpenSSL? Is it a tool? What can I do with it?
OpenSSL is a free, open-source cryptography toolkit. It is both a library, which implements the SSL/TLS protocols and a wide range of cryptographic primitives, and a command-line tool (openssl) used for public key infrastructure (PKI) operations such as generating keys, certificate signing requests and certificates, and for inspecting and testing secure connections. It is widely used by web servers, web clients, and other applications that need to secure their data in transit and at rest.
In this article, we will go through some of the basic commands of OpenSSL, including how to generate a private key, a self-signed certificate and a certificate signing request (CSR), how to view certificate details, and how to verify a certificate. These commands are essential for anyone working with SSL/TLS certificates, PKI, and secure communication.
Before we dive into the commands, it’s essential to understand that OpenSSL is a command-line tool and requires some basic understanding of how to use the command-line interface (CLI) on your operating system. If you’re new to the CLI, it’s a good idea to familiarize yourself with some basic commands like “cd” (change directory), “ls” (list directory contents), and “pwd” (print working directory). You can also use the “man” command to view the manual page for any OpenSSL command. For example, to view the manual page for the “genrsa” command, you can use “man genrsa” (on OpenSSL 3.x the pages are named after the full command, so use “man openssl-genrsa”), and every subcommand also accepts “-help” to print its options, e.g. “openssl genrsa -help”. Alternatively, you can check this open-source project, which collects almost all of the “man” pages.
[Assuming] Now that you have a basic understanding of the CLI, let’s go through some of the basic OpenSSL commands. You can perform the same on your end in your Terminal or Shell.
Checklists 👇
[x] Prior to starting the activity, check whether you have installed the OpenSSL tool for your OS.
[x] If not, for Windows — Check this website for the installation guide.
[x] For Linux distributions — Check this website for the installation guide.
[x] For macOS — Check this Medium blog for the brew installation guide. macOS ships LibreSSL as /usr/bin/openssl, so a brew install gives you a current OpenSSL; it takes care of all the minor operations and you are good to go ahead.
[x] Ensure that the openssl command is working without any errors/issues: “openssl version” should print the version you expect, and “openssl version -d” shows where it looks for its default config and trust store.
🏃 [Activity] 🏃
1. Generating a private key:
#Command in Terminal
$ openssl genrsa -out private.key 2048
This command generates a private key using the RSA algorithm with a key length of 2048 bits (the minimum you should use today; 3072 or 4096 are fine if you can afford the slower handshake). The private key is stored in a file called private.key. On OpenSSL 3.x the file starts with “BEGIN PRIVATE KEY” (PKCS#8 format); older releases write “BEGIN RSA PRIVATE KEY”, and both are accepted by the commands below. It’s essential to keep this key safe and secure: during the TLS handshake the server proves its identity by signing with it (and with the legacy RSA key exchange it decrypts the client’s pre-master secret), so anyone who obtains the key can impersonate your server. Restrict the file permissions right away (for example “chmod 600 private.key”) and never copy it into a CSR, a ticket, or a chat.
2. Generating a self-signed certificate:
#Command in Terminal
$ openssl req -new -x509 -key private.key -out certificate.crt -days 365
This command generates a self-signed certificate using the private key generated in the previous step. It prompts for the subject fields (country, organization, common name and so on); you can pass them non-interactively with “-subj”, e.g. “-subj /CN=localhost”. The certificate is stored in a file called certificate.crt and is valid for 365 days. A self-signed certificate is useful for testing and development purposes, but it is not trusted by web browsers and other applications unless you explicitly add it to their trust store. Even then, modern browsers ignore the common name and require a subjectAltName, so if the certificate is meant for a hostname add one with “-addext subjectAltName=DNS:localhost” (OpenSSL 1.1.1 or later). To be trusted by the public at large, a certificate must be signed by a trusted certificate authority (CA).
3. Generating a certificate signing request (CSR):
#Command in Terminal
$ openssl req -new -key private.key -out csr.pem
This command generates a certificate signing request (CSR) using the private key generated in the first step. The CSR is stored in a file called csr.pem. A CSR is used to request a certificate from a certificate authority (CA). It contains information about the organization requesting the certificate and the domain(s) it will be used for, together with your public key, and it is signed with your private key so the CA can check that you hold it; the private key itself never leaves your machine. To highlight, the file extension does not decide the format: a PEM-encoded (Base64, “BEGIN CERTIFICATE”) file can be named .pem, .cer or .crt interchangeably, so renaming is harmless, but .cer and .crt files may also hold binary DER. Renaming never converts between the two; for that use “openssl x509 -inform PEM -outform DER” (or the reverse), and “openssl x509 -in file -noout -text” will tell you quickly whether a file is PEM, because it fails to parse DER unless “-inform DER” is given.
4. Viewing certificate details:
#Command in Terminal
$ openssl x509 -in certificate.crt -text -noout
This command displays the details of a certificate stored in the certificate.crt file. The details include the subject and issuer names, the validity period, the public key, the signature algorithm and the X.509v3 extensions (subjectAltName, keyUsage, basicConstraints, and so on) used in the certificate. This command is useful for verifying the information contained in a certificate. If you only need a few fields, “openssl x509 -in certificate.crt -noout -subject -issuer -dates” prints just those, and on OpenSSL 1.1.1 or later “-ext subjectAltName” prints the SAN list on its own.
5. Viewing private key details:
#Command in Terminal
$ openssl rsa -in private.key -text -noout
This command displays the details of a private key stored in the private.key file. The details include the key size, the algorithm, and the public and private components of the key (modulus, exponents and primes). “openssl rsa -in private.key -check -noout” additionally verifies that the key’s components are mathematically consistent, and “openssl pkey -in private.key -text -noout” does the same for any key type, not only RSA. It’s essential to keep the private key secure and not share it with anyone, which includes being careful where you run this command: the output dumps the whole secret, so don’t run it in a shared terminal session, a screen recording or a CI log. Note that TLS application data is not encrypted with this key; it is encrypted with per-session symmetric keys agreed in the handshake, and the private key’s job is to authenticate that handshake.
6. Generating a certificate from a CSR and a private key:
#Command in Terminal
$ openssl x509 -req -in csr.pem -signkey private.key -out certificate.crt
This command generates a certificate from a CSR and a private key. The CSR is stored in the csr.pem file, and the private key is stored in the private.key file. The resulting certificate is stored in the certificate.crt file. Be aware of what “-signkey” means: it signs the CSR with the same private key that produced it, so the result is another self-signed certificate (just like step 2, but built from the CSR’s subject), valid for 30 days unless you add “-days”. It is not the command a CA runs. To act as your own CA and sign someone else’s CSR, replace “-signkey private.key” with “-CA ca.crt -CAkey ca.key -CAcreateserial”. In both cases, “openssl x509 -req” drops any extensions (such as subjectAltName) requested in the CSR unless you supply them with “-extfile” (or, on OpenSSL 3.x, pass “-copy_extensions copy”), so check the output with step 4 before installing it. When a public CA has signed your CSR, you do not run this command at all; the CA returns the finished certificate, and you install it on the server together with the private key from step 1.
7. Generating a public key from a private key:
#Command in Terminal
$ openssl rsa -in private.key -pubout -out public.key
This command generates a public key from a private key. The private key is stored in the private.key file, and the resulting public key is stored in the public.key file. Public keys are used to encrypt data that can be decrypted only with the corresponding private key, and to verify signatures made with it. The same public key is embedded in the CSR and in the certificate (“openssl x509 -in certificate.crt -pubkey -noout” prints it), which gives you a handy check when a server refuses to start with a “key values mismatch” error: if the public key extracted from the private key and the one extracted from the certificate differ, you have paired the wrong files.
Once this is done, you can add the certificates to the trust store of your machine (Keychain Access on macOS, the certificate store on Windows, or the system CA bundle on Linux) so that clients such as a web browser can trust them when required.
**[You can perform the steps below with a certificate obtained from a recognized CA such as DigiCert or Let’s Encrypt, provided you also have that CA’s root certificate (and its intermediates) to verify against]**
8. Verifying a certificate:
#Command in Terminal
$ openssl verify -CAfile ca_certificate.crt certificate.crt
This command verifies the authenticity of a certificate by checking it against a trusted certificate authority (CA) certificate. The CA certificate is stored in the ca_certificate.crt file, and the certificate to be verified is stored in the certificate.crt file. On success it prints “certificate.crt: OK” and exits 0; otherwise it prints the failing depth and reason (for example “unable to get local issuer certificate”) and exits non-zero, which makes it usable in scripts. This command is useful for ensuring that a certificate has been signed by a trusted CA: it checks the signature, the validity dates and the CA-related extensions of every certificate in the path. Keep two limits in mind. A self-signed certificate also verifies as OK if it is itself the file you pass to -CAfile, so the command does not by itself prove “not self-signed”. And it does not check the hostname or revocation status unless you ask for them, e.g. with “-verify_hostname www.example.com”, so a certificate that passes here can still be the wrong one for your site.
9. To verify the chain of certificates:
#Command in Terminal
openssl verify -CAfile ca_certificate.crt -untrusted intermediate_certificates.pem certificate.crt
In this command, the ca_certificate.crt file is the trusted root certificate of the certificate authority (CA). The intermediate_certificates.pem file is a bundle of all the intermediate certificates in the chain; OpenSSL treats it as a pool and works out the order itself, although the conventional order (and the order a server presents them) is from the certificate closest to the leaf up towards the root. The certificate.crt file is the certificate being verified. Usually you see only one intermediate certificate, but some CAs use deeper hierarchies (for example a cross-signed root), so two or more is not unusual; the number depends on how the CA is structured, not on the validation type (DV, OV or EV).
The verify command builds the chain starting from the certificate being verified and working its way up to the root certificate. It checks that each certificate in the chain is signed by the next certificate in the chain, that each issuer is allowed to act as a CA, and that the chain ends in a certificate you trust, meaning one listed in -CAfile (if you omit -CAfile, OpenSSL falls back to the system trust store at the path shown by “openssl version -d”). If the chain is valid, the command will output OK and the certificate is considered valid. If the chain is invalid, the command will output an error message indicating the problem; “unable to get local issuer certificate” almost always means a missing intermediate, which is also the most common cause of “works in Chrome, fails in curl” reports, since browsers fetch missing intermediates on their own and most other clients do not.
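The whole procedure from steps 1 to 9 end to end, as an added example that is not part of the original article. It builds a throwaway three-tier PKI (root CA, intermediate CA, server certificate) in a temporary directory with its own config file instead of the system openssl.cnf, issues the server certificate from a CSR the way a CA would (steps 1, 3 and 6), confirms that the key, CSR and certificate carry the same public key (steps 5 and 7), and then runs “openssl verify” with and without the intermediate and with a hostname check (steps 8 and 9). All names (Example Root CA, www.example.test and so on) are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the article: scratch PKI plus the checks from
# steps 4-9. Names and hostnames below are invented for the example.
set -e

WORK=$(mktemp -d)
HOST=www.example.test

# Self-contained config so nothing depends on the system openssl.cnf.
# "openssl req" insists on a distinguished_name section even when -subj is used.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
authorityKeyIdentifier = keyid
EOF

# issue NAME SUBJECT ISSUER EXTSECTION: new key (step 1), CSR (step 3), and a
# certificate signed by ISSUER's key (step 6 as a CA runs it). Only the CSR
# crosses from requester to CA; NAME's private key stays where it was made.
issue() {
  name=$1 subj=$2 issuer=$3 ext=$4
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subj" \
    -config "$WORK/pki.cnf" -out "$WORK/$name.csr"
  openssl x509 -req -in "$WORK/$name.csr" -days 365 \
    -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions "$ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

build_pki() {
  # Root: self-signed (step 2) with CA extensions, otherwise verify rejects
  # it with "invalid CA certificate".
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/root.key" -days 3650 \
    -subj "/CN=Example Root CA" -config "$WORK/pki.cnf" \
    -extensions v3_ca -out "$WORK/root.crt"
  issue intermediate "/CN=Example Intermediate CA" root v3_intermediate
  issue server "/CN=$HOST" intermediate v3_server
}

# SHA-256 of the public key carried by a key, CSR or certificate (steps 5 and 7).
pubkey_fp() {
  case "$1" in
    *.key) openssl pkey -in "$1" -pubout ;;
    *.csr) openssl req -in "$1" -pubkey -noout ;;
    *.crt) openssl x509 -in "$1" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeeds when the server key, CSR and certificate all hold the same public key.
keys_match() {
  k=$(pubkey_fp "$WORK/server.key")
  [ "$k" = "$(pubkey_fp "$WORK/server.csr")" ] &&
  [ "$k" = "$(pubkey_fp "$WORK/server.crt")" ]
}

# verify_chain [extra verify options]: steps 8/9 with only the root trusted.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$@" "$WORK/server.crt" >/dev/null 2>&1
}

build_pki
keys_match && echo "server key, CSR and certificate public keys match"
verify_chain || echo "root only: fails, the intermediate is missing (expected)"
verify_chain -untrusted "$WORK/intermediate.crt" && echo "root + intermediate: OK"
verify_chain -untrusted "$WORK/intermediate.crt" -verify_hostname "$HOST" \
  && echo "hostname $HOST: OK"
verify_chain -untrusted "$WORK/intermediate.crt" -verify_hostname evil.example.test \
  || echo "hostname evil.example.test: mismatch (expected)"
```

Two things in the script are the caveats from steps 6 and 9 in practice: the extensions are supplied to “openssl x509 -req” through -extfile, because nothing from the CSR is carried over otherwise, and the first verify deliberately fails with only the root in -CAfile, which is exactly what a client without the intermediate sees.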
**[Important: you can perform the above two steps on a certificate pulled from a remote server such as medium.com]**
10. View the certificate chain being presented by a server
#Command in Terminal
openssl s_client -showcerts -servername <hostname> -connect <hostname>:<port> </dev/null
#Example
openssl s_client -showcerts -servername www.medium.com -connect www.medium.com:443 </dev/null
With this command, you pull every certificate the server sends in its handshake, each including its public key; “-servername” sets the SNI hostname, which matters because many servers host several sites on one address and pick the certificate from it, and the “</dev/null” closes the connection as soon as the handshake is done. Note that a correctly configured server sends the leaf and the intermediates but normally not the root, so for step 9 the root has to come from your own trust store rather than from the server. For example, you can use the certificates of the medium server and try to understand them. You can check the root CA and the intermediate CA that signed and issued the certificate to www.medium.com; s_client also prints a “Verify return code” line at the end (0 means the chain verified against OpenSSL’s default store). To cross-verify, you can follow this Activity from my previous article. This should put you in a better position to understand the nuances of the OpenSSL tool and its robustness.
NOTE: In the above command, the remote server will present you with the chain of certificates. Each one is preceded by an “s:” (subject) line and an “i:” (issuer) line, and the issuer of certificate 0 should match the subject of certificate 1, and so on up the chain; reading those lines tells you which CA certificates you need. Copy each PEM block (from “BEGIN CERTIFICATE” to “END CERTIFICATE”) into its own file, then use those files in Command 8 and Command 9. I’d like you to take this additional approach so you’ll understand how to extract the certificates when required.
To conclude, I certainly believe you will have explored, understood, and taken something away from this article. Please use this knowledge of working with SSL/TLS certificates for educational and professional purposes.
For now, thanks for reading!! If you enjoyed this article, please follow and subscribe for the latest updates. Looking for more? Check out the other articles below: