--- name: OpenSSL description: Expert guidance for OpenSSL operations including certificate generation, key management, CSR creation, certificate verification, encryption, and PKI operations. Use this when working with SSL/TLS certificates, cryptographic keys, or PKI infrastructure. --- # OpenSSL Expert assistance with OpenSSL cryptographic operations and PKI management. ## Key Generation ### RSA Keys ```bash # Generate RSA private key (2048-bit) openssl genrsa -out private.key 2048 # Generate RSA private key (4096-bit, more secure) openssl genrsa -out private.key 4096 # Generate encrypted RSA private key openssl genrsa -aes256 -out private.key 4096 # Extract public key from private key openssl rsa -in private.key -pubout -out public.key # Remove passphrase from encrypted key openssl rsa -in encrypted.key -out decrypted.key ``` ### EC (Elliptic Curve) Keys ```bash # List available curves openssl ecparam -list_curves # Generate EC private key (P-256) openssl ecparam -name prime256v1 -genkey -noout -out ec-private.key # Generate EC private key (P-384, more secure) openssl ecparam -name secp384r1 -genkey -noout -out ec-private.key # Extract public key openssl ec -in ec-private.key -pubout -out ec-public.key ``` ## Certificate Signing Requests (CSR) ### Create CSR ```bash # Create CSR from existing private key openssl req -new -key private.key -out request.csr # Create CSR with inline subject openssl req -new -key private.key -out request.csr \ -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com" # Generate private key and CSR in one command openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr # Create CSR with SAN (Subject Alternative Names) openssl req -new -key private.key -out request.csr -config san.cnf ``` ### SAN Configuration File (san.cnf) ```ini [req] distinguished_name = req_distinguished_name req_extensions = v3_req [req_distinguished_name] CN = example.com [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = example.com DNS.2 = www.example.com DNS.3 = api.example.com IP.1 = 192.168.1.1 ``` ### View CSR ```bash # Display CSR details openssl req -in request.csr -noout -text # Verify CSR signature openssl req -in request.csr -noout -verify ``` ## Self-Signed Certificates ### Create Self-Signed Certificate ```bash # Generate self-signed certificate (1 year validity) openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 # Generate self-signed certificate without passphrase openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 # From existing key openssl req -x509 -key private.key -out cert.pem -days 365 # With specific subject openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 \ -subj "/C=US/ST=State/L=City/O=Org/CN=example.com" ``` ## Certificate Authority (CA) Operations ### Create Root CA ```bash # Generate CA private key openssl genrsa -aes256 -out ca-key.pem 4096 # Create CA certificate openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 \ -out ca-cert.pem -subj "/C=US/O=MyOrg/CN=MyOrg Root CA" ``` ### Sign Certificate with CA ```bash # Sign CSR with CA openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -days 365 -sha256 # Sign with extensions (SAN) openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf ``` ### Create Intermediate CA ```bash # Generate intermediate CA key openssl genrsa -aes256 -out intermediate-key.pem 4096 # Create intermediate CSR openssl req -new -key intermediate-key.pem -out intermediate.csr # Sign intermediate certificate with root CA openssl x509 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out intermediate-cert.pem -days 1825 -sha256 # Create certificate chain cat intermediate-cert.pem ca-cert.pem > chain.pem ``` ## Certificate Inspection & Verification ### View Certificate Details ```bash # Display certificate details openssl x509 -in cert.pem -noout -text # Show specific fields openssl x509 -in cert.pem -noout -subject openssl x509 -in cert.pem -noout -issuer openssl x509 -in cert.pem -noout -dates openssl x509 -in cert.pem -noout -serial openssl x509 -in cert.pem -noout -fingerprint # Check expiration openssl x509 -in cert.pem -noout -enddate # Show in human-readable format openssl x509 -in cert.pem -text -noout ``` ### Verify Certificates ```bash # Verify certificate against CA openssl verify -CAfile ca-cert.pem cert.pem # Verify certificate chain openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem cert.pem # Check if certificate and key match openssl x509 -noout -modulus -in cert.pem | openssl md5 openssl rsa -noout -modulus -in private.key | openssl md5 ``` ### Test SSL/TLS Connection ```bash # Connect to server and show certificate openssl s_client -connect example.com:443 -showcerts # Test specific protocol openssl s_client -connect example.com:443 -tls1_2 openssl s_client -connect example.com:443 -tls1_3 # Test with SNI openssl s_client -connect example.com:443 -servername example.com # Check certificate expiration remotely echo | openssl s_client -connect example.com:443 2>/dev/null | \ openssl x509 -noout -dates ``` ## Format Conversion ### PEM ↔ DER ```bash # PEM to DER openssl x509 -in cert.pem -outform DER -out cert.der # DER to PEM openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM ``` ### PKCS#12 (PFX) ```bash # Create PKCS#12 bundle (certificate + private key) openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem # Include certificate chain openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile chain.pem # Extract from PKCS#12 openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes # Extract only certificate openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem # Extract only private key openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.key ``` ### PKCS#7 ```bash # Convert PEM to PKCS#7 openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b # Convert PKCS#7 to PEM openssl pkcs7 -print_certs -in cert.p7b -out cert.pem ``` ## Encryption & Decryption ### Symmetric Encryption ```bash # Encrypt file with AES-256 openssl enc -aes-256-cbc -salt -in file.txt -out file.enc # Decrypt file openssl enc -aes-256-cbc -d -in file.enc -out file.txt # Encrypt with password from file openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass file:password.txt # Base64 encode encrypted output openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -a ``` ### Asymmetric Encryption ```bash # Encrypt with public key openssl rsautl -encrypt -pubin -inkey public.key -in file.txt -out file.enc # Decrypt with private key openssl rsautl -decrypt -inkey private.key -in file.enc -out file.txt ``` ## Hashing & Digests ```bash # Generate hash openssl dgst -sha256 file.txt openssl dgst -sha512 file.txt openssl dgst -md5 file.txt # Create signature openssl dgst -sha256 -sign private.key -out signature.bin file.txt # Verify signature openssl dgst -sha256 -verify public.key -signature signature.bin file.txt # HMAC openssl dgst -sha256 -hmac "secret-key" file.txt ``` ## Certificate Revocation ### Create Certificate Revocation List (CRL) ```bash # Create CRL configuration (crl.cnf) # [ca section with database and crl settings needed] # Generate CRL openssl ca -gencrl -config crl.cnf -out crl.pem # View CRL openssl crl -in crl.pem -text -noout # Verify certificate against CRL openssl verify -crl_check -CRLfile crl.pem -CAfile ca-cert.pem cert.pem ``` ### OCSP (Online Certificate Status Protocol) ```bash # Start OCSP responder openssl ocsp -port 8080 -index index.txt -CA ca-cert.pem -rkey ca-key.pem -rsigner ca-cert.pem # Query OCSP responder openssl ocsp -issuer ca-cert.pem -cert cert.pem -url http://ocsp.example.com:8080 ``` ## Common PKI Workflows ### Complete Certificate Workflow ```bash # 1. Generate private key openssl genrsa -out server.key 4096 # 2. Create CSR openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CA/L=SF/O=MyOrg/CN=example.com" # 3. Sign with CA openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \ -CAcreateserial -out server.crt -days 365 -sha256 # 4. Verify openssl verify -CAfile ca-cert.pem server.crt # 5. Test locally openssl s_server -cert server.crt -key server.key -accept 8443 ``` ## Best Practices 1. **Key Size**: Use at least 2048-bit RSA or 256-bit EC keys 2. **Hash Algorithm**: Use SHA-256 or stronger (avoid MD5, SHA-1) 3. **Validity Period**: Certificates should be valid for ≤ 398 days (current CA/Browser Forum baseline) 4. **Private Key Protection**: Always encrypt private keys with strong passphrases 5. **SAN**: Always include Subject Alternative Names, even for single domain 6. **Key Backup**: Securely backup private keys and CA certificates 7. **Certificate Chain**: Always provide complete certificate chain 8. **Regular Rotation**: Rotate certificates before expiration ## Security Notes - **Never share private keys** - They should remain on the server - **Use strong passphrases** for encrypted keys (16+ characters) - **Protect CA keys** with HSM or secure key storage - **Monitor expiration** - Set up alerts 30 days before expiry - **Revoke compromised certificates** immediately - **Use Certificate Transparency** for public certificates