What is OpenSSL? How can I use it to generate and inspect certificates? — Hands-on Activity 😉 🏃

Someshwaran M
7 min read · Dec 18, 2022
What is OpenSSL?

To start with, thanks for your time in checking out this article. I believe it should help you go deeper into the topic of SSL/TLS certificates and secure communication. I have written it in an intuitive, hands-on form so that even a beginner with no previous knowledge of OpenSSL can understand it and try it out.

If you’re new to OpenSSL and SSL/TLS, I recommend checking my previous article covering The Basics of SSL/TLS Certificates, which should give you a kickstart on OpenSSL.

What is OpenSSL? Is it a tool? What can I do with it?

OpenSSL is a free, open-source cryptography library that provides a variety of cryptographic functions, including SSL/TLS protocols, public key infrastructure (PKI) operations, and secure communication over the internet. It is widely used by web servers, web clients, and other applications that need to secure their data transmission and storage.

In this article, we will go through some of the basic commands of OpenSSL, including how to generate a private key, self-signed certificate, certificate signing request (CSR), view certificate details, and verify a certificate. These commands are essential for anyone working with SSL/TLS certificates, PKI, and secure communication.

Before we dive into the commands, it’s essential to understand that OpenSSL is a command-line tool and requires a basic understanding of the command-line interface (CLI) on your operating system. If you’re new to the CLI, familiarize yourself with basic commands such as “cd” (change directory), “ls” (list directory contents), and “pwd” (print working directory). You can also use the “man” command to view the manual page for any OpenSSL subcommand; for example, to view the manual page for “genrsa”, run “man genrsa”. Alternatively, check this open-source project, which collects almost 99.9% of the “man” pages.

[Assuming] Now that you have a basic understanding of the CLI, let’s go through some of the basic OpenSSL commands. You can follow along in your own Terminal or shell.

Checklists 👇

[x] Prior to starting the activity, check whether you have installed the OpenSSL tool for your OS.
[x] If not, for Windows — Check this website for the installation guide.
[x] For Linux distribution — Check this website for the installation guide.
[x] For macOS — Check this Medium blog for the brew installation guide. It takes care of all the minor setup steps, and you are good to go.
[x] Ensure that the openssl command is working without any errors/issues.

🏃 [Activity] 🏃

1. Generating a private key:

#Command in Terminal
$ openssl genrsa -out private.key 2048

This command generates a private key using the RSA algorithm with a key length of 2048 bits. The private key is stored in a file called private.key. It’s essential to keep this key safe and secure, as it is used to decrypt and sign data transmitted over the internet.

2. Generating a self-signed certificate:

#Command in Terminal
$ openssl req -new -x509 -key private.key -out certificate.crt -days 365

This command generates a self-signed certificate using the private key generated in the previous step. The certificate is stored in a file called certificate.crt and is valid for 365 days. A self-signed certificate is useful for testing and development purposes, but it is not trusted by web browsers and other applications. To be trusted, a certificate must be signed by a trusted certificate authority (CA).

3. Generating a certificate signing request (CSR):

#Command in Terminal
$ openssl req -new -key private.key -out csr.pem

This command generates a certificate signing request (CSR) using the private key generated in the first step. The CSR is stored in a file called csr.pem. A CSR is used to request a certificate from a certificate authority (CA). It contains information about the organization requesting the certificate and the domain(s) it will be used for. Note that certificate files come in different formats; for a PEM-encoded file like the ones generated here, the .pem, .cer, and .crt extensions are interchangeable, and simply renaming the generated file is enough.

4. Viewing certificate details:

#Command in Terminal
$ openssl x509 -in certificate.crt -text -noout

This command displays the details of a certificate stored in the certificate.crt file. The details include the subject and issuer names, validity period, and the public key used in the certificate. This command is useful for verifying the information contained in a certificate.

5. Viewing private key details:

#Command in Terminal
$ openssl rsa -in private.key -text -noout

This command displays the details of the private key stored in the private.key file: the key size, the algorithm, and the public and private components of the key. It’s essential to keep the private key secure and never share it with anyone; the server or client uses its private key to decrypt the data transmitted to it.

6. Generating a certificate from a CSR and a private key:

#Command in Terminal
$ openssl x509 -req -in csr.pem -signkey private.key -out certificate.crt

This command issues a certificate from the CSR stored in csr.pem, signing it with the private key stored in private.key, and writes the resulting certificate to certificate.crt. Because -signkey signs the request with the same key that created it, the output is once again a self-signed certificate. A CA performs the equivalent step with its own key and certificate when it signs your CSR and returns the certificate that needs to be installed on a server.

7. Generating a public key from a private key:

#Command in Terminal
$ openssl rsa -in private.key -pubout -out public.key

This command generates a public key from a private key. The private key is stored in the private.key file, and the resulting public key is stored in the public.key file. Public keys are used to encrypt data that can be decrypted using the corresponding private key.

Once this is done, you can add the certificates to the keychain access or certificate store of your machine so that a client such as a web browser can import them when required.

**[You can perform the steps below if you obtain a certificate from a recognized CA such as DigiCert or Let’s Encrypt, i.e. signed by a root CA]**

8. Verifying a certificate:

#Command in Terminal
$ openssl verify -CAfile ca_certificate.crt certificate.crt

This command verifies the authenticity of a certificate by checking it against a trusted certificate authority (CA) certificate. The CA certificate is stored in the ca_certificate.crt file, and the certificate to be verified is stored in the certificate.crt file. This command is useful for ensuring that a certificate has been signed by a trusted CA and is not a self-signed certificate.

9. To verify the chain of certificates:

#Command in Terminal
$ openssl verify -CAfile ca_certificate.crt -untrusted intermediate_certificates.pem certificate.crt

In this command, the ca_certificate.crt file is the trusted root certificate of the certificate authority (CA). The intermediate_certificates.pem file is a bundle of all the intermediate certificates in the chain, starting from the intermediate certificate closest to the root certificate and ending with the intermediate certificate closest to the certificate being verified. The certificate.crt file is the certificate being verified. Usually you will see only one intermediate certificate, but with organization validation types you may see more.

The verify command checks the certificate chain starting from the certificate being verified and working its way up to the root certificate. It checks that each certificate in the chain is signed by the next certificate in the chain, and that the root certificate is trusted by OpenSSL (here, the certificate supplied with -CAfile). If the chain is valid, the command outputs OK and the certificate is considered valid. If the chain is invalid, the command outputs an error message indicating the problem.
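The following script is an added example, not code from the original article: it builds a small two-tier chain (root CA, intermediate CA, server certificate) with the subcommands from steps 1, 2, 3 and 6, then runs the step 8 and step 9 verify commands against it. All file names, the working directory and the CN values are made up for the demo, and step 6 is run with -CA/-CAkey in place of -signkey so that each CSR is signed by the issuing CA's key rather than by its own.

```shell
#!/bin/sh
# Added example, not code from the article: build a root -> intermediate
# -> leaf chain with the article's subcommands and verify it (step 9).
# Work dir, CN values and file names are constructed for the demo.
WORK="$(mktemp -d)"
cd "$WORK"

# An intermediate must carry basicConstraints CA:TRUE, otherwise
# `openssl verify` will not accept it as an issuer; a leaf must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Steps 1 and 2: root CA key and self-signed root certificate.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -x509 -key root.key -subj '/CN=Demo Root CA' -days 365 -out root.crt

# Steps 1 and 3, then step 6 with -CA/-CAkey in place of -signkey, so the
# CSR is signed by the root's key rather than by its own key.
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -key int.key -subj '/CN=Demo Intermediate CA' -out int.csr
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out int.crt 2>/dev/null

# Leaf (server) certificate, issued by the intermediate.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -subj '/CN=www.example.test' -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 90 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Step 9: trust only the root, pass the intermediate as untrusted, and
# also check the SAN against the expected hostname. Exit 0 means OK.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        -verify_hostname www.example.test "$WORK/leaf.crt"
}

# Step 8 on its own: without the intermediate the chain cannot be built,
# so this is expected to fail with "unable to get local issuer certificate".
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>/dev/null
}

# The subject of each certificate equals the issuer of the one below it.
for c in root int leaf; do
    openssl x509 -in "$WORK/$c.crt" -noout -subject -issuer
done
verify_full_chain
verify_without_intermediate || echo "leaf alone against root: rejected as expected"
```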

**[Important, you can perform the above two steps by pulling a certificate from a remote server like medium.com]**

10. View the certificate chain being presented by a server

#Command in Terminal
$ openssl s_client -showcerts -servername www.example.com -connect www.example.com:<port> </dev/null

#Example
$ openssl s_client -showcerts -servername www.medium.com -connect www.medium.com:443 </dev/null

This command pulls all the certificates the server presents, including the server’s public key (inside its certificate). For example, you can use the certificates of the Medium server and try to understand them: you can check the root CA and the intermediate CA that signed and issued the certificate for www.medium.com. To cross-verify, you can follow the Activity from my previous article. This should put you in a better position to understand the nuances of the OpenSSL tool and its robustness.

NOTE: In the above command, the remote server presents you with its chain of certificates, so you should understand the properties subject (s:) and issuer (i:) in order to extract the certificates, and thus the public keys, of those CAs. Based on this, you can perform Command 8 and Command 9. I’d like you to take this additional approach so you’ll understand how to extract the keys when required.
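To practice what the note describes without a network connection, here is an added helper (not code from the article) that splits the concatenated PEM blocks printed by `openssl s_client -showcerts` into one file per certificate and shows each file’s subject and issuer, ready to be passed to Command 8 and Command 9. The sample input is constructed from one freshly generated self-signed certificate, so all names and paths are made up.

```shell
#!/bin/sh
# Added helper, not code from the article: split the PEM blocks that
# `openssl s_client -showcerts` prints into one file per certificate and
# describe each one. Names and paths below are made up for the demo.

# split_pem_chain INPUT PREFIX: writes PREFIX-1.pem, PREFIX-2.pem, ... in
# the order the server sent them (leaf first) and prints the count.
# INPUT may be "-" to read from a pipe.
split_pem_chain() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# For each split file print subject and issuer (the s: and i: lines from
# s_client); the issuer of file N should equal the subject of file N+1.
describe_chain() {
    for f in "$1"-*.pem; do
        echo "$f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# Constructed sample input: one self-signed certificate, repeated twice
# with the status lines s_client interleaves, standing in for real output.
WORK="$(mktemp -d)"
openssl genrsa -out "$WORK/demo.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/demo.key" -subj '/CN=Demo Self-Signed' \
    -days 1 -out "$WORK/demo.crt"
{
    echo 'depth=0 CN = Demo Self-Signed'
    cat "$WORK/demo.crt"; echo 'verify return:1'; cat "$WORK/demo.crt"
} > "$WORK/showcerts.txt"

split_pem_chain "$WORK/showcerts.txt" "$WORK/cert"   # prints 2
describe_chain "$WORK/cert"
```

Against a live server, pipe the Command 10 output straight in, e.g. `openssl s_client -showcerts -servername www.medium.com -connect www.medium.com:443 </dev/null 2>/dev/null | split_pem_chain - certs`, and then use the last file as the -CAfile and the middle ones as -untrusted for Command 9.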

To conclude, I certainly believe you must have explored, understood, and would have taken something back from this article. Please use this knowledge of working with SSL/TLS certificates for educational and professional purposes.

For now, thanks for reading!! If you enjoyed this article, please follow and subscribe for the latest updates. Looking for more? Check out the other articles below:


Someshwaran M

I am an Open-Source Enthusiast. I learned a lot from the Open-Source community and I love how collaboration, knowledge sharing happens through Open-Source!