Openssl Cheat Sheet: by Via

The document provides a cheat sheet on OpenSSL with summaries of commands for: 1. Checking versions, listing algorithms, encoding/decoding, creating hashes, symmetric/asymmetric encryption, digital signatures, digital certificates, and working with the TLS protocol. 2. Commands are given to generate keys, sign and verify files, extract keys from certificates, and convert between formats like PEM and DER. 3. Details are provided on encrypting/decrypting files and keys using algorithms like AES, RSA, and elliptic curves.

OpenSSL Cheat Sheet

by Alberto González (albertx) via cheatography.com/122237/cs/22629/

BASICS

Checking version
openssl version -a

How fast it runs on the system using four CPU cores and testing RSA algorithm
openssl speed -multi 4 rsa

Get basic help
openssl help

ENCODING / DECODING

Encoding a file using Base64
openssl base64 -in file.data

Encoding some text using Base64
echo -n "some text" | openssl base64

Base64 decode a file with output to another file
openssl base64 -d -in encoded.data -out decoded.data

WORKING WITH HASHES

List digest algorithms available
openssl list -digest-algorithms

Hash a file using SHA256
openssl dgst -sha256 file.data

Hash text using SHA3-512
echo -n "some text" | openssl dgst -sha3-512

Create HMAC - SHA384 of a file using a specific key in bytes
openssl dgst -SHA384 -mac HMAC -macopt hexkey:369bd7d655 file.data

Create HMAC - SHA512 of some text
echo -n "some text" | openssl dgst -mac HMAC -macopt hexkey:369bd7d655 -sha512

SYMMETRIC ENCRYPTION

List all supported symmetric encryption ciphers
openssl enc -list

Encrypt a file using an ASCII encoded password provided and AES-128-ECB algorithm
openssl enc -aes-128-ecb -in cleartext.file -out ciphertext.file -pass pass:thisisthepassword

Encrypt a file using a specific encryption key (K) provided as hex digits
openssl enc -aes-128-ecb -in cleartext.file -out ciphertext.file -K 1881807b2d1b3d22f14e9ec52563d981 -nosalt

Encrypt a file using ARIA 256 in CBC block cipher mode using a specified encryption key (K:256 bits) and initialization vector (iv:128 bits)
openssl enc -aria-256-cbc -in cleartext.file -out ciphertext.file -K f92d2e986b7a2a01683b4c40d0cbcf6feaa669ef2bb5ec3a25ce85d9548291c1 -iv 470bc29762496046882b61ecee68e07c -nosalt

Encrypt a file using Camellia 192 algorithm in COUNTER block cipher mode with key and iv provided
openssl enc -camellia-192-ctr -in cleartext.file -out ciphertext.file -K 6c7a1b3487d28d3bf444186d7c529b48d67dd6206c7a1b34 -iv 470bc29762496046882b61ecee68e07c

ASYMMETRIC ENCRYPTION

List elliptic curves available
openssl ecparam -list_curves

Create 4096 bits RSA public-private key pair
openssl genrsa -out pub_priv.key 4096

Display detailed private key information
openssl rsa -text -in pub_priv.key -noout

Encrypt public-private key pair using AES-256 algorithm
openssl rsa -in pub_priv.key -out encrypted.key -aes256

Remove keys file encryption and save them to another file
openssl rsa -in encrypted.key -out cleartext.key

Copy the public key of the public-private key pair file to another file (-pubout writes the format that -pubin reads in the next command)
openssl rsa -in pub_priv.key -pubout -out pubkey.key

Encrypt a file using RSA public key
openssl rsautl -encrypt -inkey pubkey.key -pubin -in cleartext.file -out ciphertext.file

Decrypt a file using RSA private key
openssl rsautl -decrypt -inkey pub_priv.key -in ciphertext.file -out decrypted.file

Create private key using the P-224 elliptic curve
openssl ecparam -name secp224r1 -genkey -out ecpriv.key

Encrypt private key using 3DES algorithm
openssl ec -in ecP384priv.key -des3 -out ecP384priv_enc.key
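The two AES-128-ECB commands in SYMMETRIC ENCRYPTION encrypt every 16-byte block independently, so equal plaintext blocks give equal ciphertext blocks. This added example, which is not part of the original cheat sheet, counts the distinct ciphertext blocks under ECB and CBC using the sheet's sample key and IV; the plaintext and the function names are constructed for the illustration.

```sh
#!/bin/sh
# Key and IV are the sample values from the cheat sheet; the plaintext is constructed.
KEY=1881807b2d1b3d22f14e9ec52563d981
IV=470bc29762496046882b61ecee68e07c

# Constructed plaintext: the same 16-byte record repeated four times (64 bytes).
sample() { printf 'ACCOUNT=00001234%.0s' 1 2 3 4; }

# Encrypt stdin with the given cipher and count the distinct 16-byte ciphertext blocks.
distinct_blocks() {   # $1 = cipher name, remaining arguments = extra enc options
    cipher=$1; shift
    openssl enc "-$cipher" -K "$KEY" -nosalt "$@" |
        od -An -v -tx1 | tr -d ' \n' | fold -w 32 | sort -u | wc -l | tr -d ' '
}

# Padding adds a fifth block, so each ciphertext is five blocks long.
# ECB: the four data blocks collapse into one value, plus the padding block.
echo "ECB distinct blocks: $(sample | distinct_blocks aes-128-ecb)"            # 2
# CBC: chaining with the IV makes all five blocks different.
echo "CBC distinct blocks: $(sample | distinct_blocks aes-128-cbc -iv "$IV")"  # 5
```
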

By Alberto González (albertx)
cheatography.com/albertx/
albertx.mx/blog/
Published 25th May, 2020. Last updated 25th May, 2020.

DIGITAL SIGNATURES

Generate DSA parameters for the private key. 2048 bits length
openssl dsaparam -out dsaparam.pem 2048

Generate DSA public-private key for signing documents and protect it using AES128 algorithm
openssl gendsa -out dsaprivatekey.pem -aes-128-cbc dsaparam.pem

Copy the public key of the DSA public-private key file to another file
openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem

To print out the contents of a DSA key pair file
openssl dsa -in dsaprivatekey.pem -text -noout

Signing the sha-256 hash of a file using RSA private key
openssl dgst -sha256 -sign rsakey.key -out signature.data document.pdf

Signing the sha3-512 hash of a file using DSA private key
openssl pkeyutl -sign -pkeyopt digest:sha3-512 -in document.docx -inkey dsaprivatekey.pem -out signature.data

Verify DSA signature
openssl pkeyutl -verify -sigfile dsasignature.data -inkey dsakey.pem -in document.docx

Create a private key using P-384 Elliptic Curve
openssl ecparam -name secp384r1 -genkey -out ecP384priv.key

Encrypt private key using 3DES algorithm
openssl ec -in ecP384priv.key -des3 -out ecP384priv_enc.key

Sign a PDF file using Elliptic Curves with the generated key
openssl pkeyutl -sign -inkey ecP384priv_enc.key -pkeyopt digest:sha3-512 -in document.pdf -out signature.data

Verify the file's signature. If it's ok you must receive "Signature Verified Successfully"
openssl pkeyutl -verify -in document.pdf -sigfile signature.data -inkey ecP384priv_enc.key

DIGITAL CERTIFICATES

Generating a CSR file and a 4096 bits RSA key pair
openssl req -newkey rsa:4096 -keyout private.key -out request.csr

Display Certificate Signing Request (CSR) content
openssl req -text -noout -in request.csr

Display the public key contained in the CSR file
openssl req -pubkey -noout -in request.csr

Create a self-signed certificate, a new 2048 bits RSA key pair with one year of validity
openssl req -newkey rsa:2048 -nodes -keyout priv.key -x509 -days 365 -out cert.crt

Create and sign a new certificate using the CSR file and the private key for signing (you must have an openssl.cnf file prepared)
openssl ca -in request.csr -out certificate.crt -config ./CA/config/openssl.cnf

Display PEM format certificate information
openssl x509 -text -noout -in cert.crt

Extract the certificate's public key
openssl x509 -pubkey -noout -in cert.crt

Extract the public key's modulus in the certificate
openssl x509 -modulus -noout -in cert.crt

Convert a certificate from PEM to DER format
openssl x509 -inform PEM -outform DER -in cert.crt -out cert.der

Check whether the certificate's public key matches a private key and a request file. Run one command per file; the output hashes must match.
openssl x509 -modulus -in certificate.crt -noout | openssl dgst -sha256
openssl rsa -modulus -in private.key -noout | openssl dgst -sha256
openssl req -modulus -in request.csr -noout | openssl dgst -sha256

WORKING WITH TLS PROTOCOL

List all cipher suites supported
openssl ciphers -V 'ALL'

List all cipher suites supported with AES
openssl ciphers -V 'AES'

List all cipher suites supporting CAMELLIA & SHA256 algorithms.
openssl ciphers -V 'CAMELLIA+SHA256'

TLS connection to a server using port 443 (HTTPS)
openssl s_client -connect domain.com:443
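`openssl pkeyutl -sign` signs the bytes it is given without hashing them, so the pkeyutl commands in DIGITAL SIGNATURES need the file's digest, not the file itself, as input. This added example, which is not from the original cheat sheet, hashes first and shows that the resulting signature is the one `openssl dgst -verify` accepts. The file names, function names and the use of SHA-256 in place of the sheet's SHA3-512 are assumptions.

```sh
#!/bin/sh
# Sign a file's SHA-256 digest with an EC P-384 key and verify it two ways.
# File names and the document text are constructed for this example.

new_key() {   # $1 = work directory
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/ec.key" &&
    openssl pkey -in "$1/ec.key" -pubout -out "$1/ec.pub"
}

# pkeyutl signs its input as-is, so feed it the binary digest of the document.
sign_digest() {   # $1 = work directory, $2 = document; writes $2.sig
    openssl dgst -sha256 -binary "$2" |
        openssl pkeyutl -sign -inkey "$1/ec.key" -pkeyopt digest:sha256 -out "$2.sig"
}

# Verify with pkeyutl: again over the digest, using only the public key.
verify_digest() {   # $1 = work directory, $2 = document
    openssl dgst -sha256 -binary "$2" |
        openssl pkeyutl -verify -pubin -inkey "$1/ec.pub" -pkeyopt digest:sha256 \
            -sigfile "$2.sig" >/dev/null 2>&1
}

# Verify with dgst, which hashes the document itself before checking the signature.
verify_dgst() {   # $1 = work directory, $2 = document
    openssl dgst -sha256 -verify "$1/ec.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
new_key "$work"
printf 'constructed sample document\n' > "$work/document.txt"
sign_digest "$work" "$work/document.txt"
verify_digest "$work" "$work/document.txt" && echo "pkeyutl: signature verified"
verify_dgst "$work" "$work/document.txt" && echo "dgst: same signature verified"
printf 'tampered\n' >> "$work/document.txt"
verify_dgst "$work" "$work/document.txt" || echo "dgst: modified document rejected"
rm -rf "$work"
```
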


WORKING WITH TLS PROTOCOL (cont)

TLS connection to a server using v1.2
openssl s_client -tls1_2 -connect domain.com:443

TLS connection & disable v1.0
openssl s_client -no_tls1 domain.com:443

TLS connection using a specific cipher suite
openssl s_client -cipher DHE-RSA-AES256-GCM-SHA384 domain.com:443

TLS connection displaying all certificates provided by server
openssl s_client -showcerts domain.com:443

Setting up a listening port to receive TLS connections using a certificate, the private key & supporting only TLS 1.2
openssl s_server -port 443 -cert cert.crt -key priv.key -tls1_2

PERSONAL SECURITY ENVIRONMENTS ( PSE )

Convert a certificate from PEM (base64) to DER (binary) format
openssl x509 -in certificate.pem -outform DER -out certificate.der

Insert certificate & private key into PKCS #12 format file. These files can be imported in windows certificate manager
openssl pkcs12 -export -out cert_key.p12 -inkey private.key -in certificate.crt

To show the contents of a PKCS #12 file
openssl pkcs12 -in cert_key.p12

Convert PEM certificate to PKCS #7 format
openssl crl2pkcs7 -nocrl -certfile certificate.crt -out cert.p7b

Convert a PKCS #7 file from PEM to DER
openssl pkcs7 -in cert.p7b -outform DER -out p7.der

SIMPLE CA CONFIGURATION FILE ( openssl.cnf )

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./personalCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts

certificate = $dir/cacert.pem
serial = $dir/serial
rand_serial = yes
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand

default_days = 365
default_crl_days= 30
default_md = SHA256

policy = policy_any
email_in_dn = no

name_opt = ca_default
cert_opt = ca_default
copy_extensions = none

[ policy_any ]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

FINAL NOTES

- All commands were tested using OpenSSL version 1.1.1g.
- The default format for almost all operations in openssl is PEM, however you can always specify a DER format using arguments or export to other formats with appropriate commands.
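An end-to-end run of the setup in SIMPLE CA CONFIGURATION FILE, combined with the key-match check from DIGITAL CERTIFICATES, as an added example that is not part of the original cheat sheet. It goes beyond the sheet's RSA modulus comparison by comparing whole public keys, which also works for EC keys. The configuration is trimmed to the settings this run needs, and the directory layout, subject names and function names are constructed.

```sh
#!/bin/sh
# Throwaway CA using the cheat sheet's openssl.cnf values, trimmed to what this
# run needs. Work directory and subject names are constructed for the example.

make_ca() {   # $1 = empty work directory
    ( cd "$1" && mkdir -p personalCA/newcerts personalCA/private &&
      : > personalCA/index.txt &&
      cat > openssl.cnf <<'EOF' &&
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./personalCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
rand_serial = yes
default_days = 365
default_md = SHA256
policy = policy_any
[ policy_any ]
countryName = supplied
commonName = supplied
EOF
      openssl req -newkey rsa:2048 -nodes -keyout personalCA/private/cakey.pem \
          -x509 -days 365 -subj "/C=MX/CN=Example Personal CA" \
          -out personalCA/cacert.pem 2>/dev/null )
}

issue_cert() {   # $1 = work directory; writes private.key, request.csr, certificate.crt
    ( cd "$1" &&
      openssl req -newkey rsa:2048 -nodes -keyout private.key \
          -subj "/C=MX/CN=server.example.test" -out request.csr 2>/dev/null &&
      openssl ca -batch -config openssl.cnf -in request.csr \
          -out certificate.crt 2>/dev/null )
}

# True only if the certificate chains to the CA and holds the key in private.key.
check_cert() {   # $1 = work directory
    ( cd "$1" &&
      openssl verify -CAfile personalCA/cacert.pem certificate.crt >/dev/null 2>&1 &&
      [ "$(openssl x509 -pubkey -noout -in certificate.crt | openssl dgst -sha256)" = \
        "$(openssl pkey -in private.key -pubout | openssl dgst -sha256)" ] )
}

work=$(mktemp -d)
make_ca "$work" && issue_cert "$work" && check_cert "$work" && echo "certificate OK"
rm -rf "$work"
```
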
