Openssl Operations: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(55 intermediate revisions by the same user not shown)
Line 4: Line 4:


* [[openssl]]
* [[openssl]]
* [[Public Key Security#Overview|Public Key Security]]


=Generate a Public/Private Key Pair=
=Generate a Public/Private Key Pair=
Line 11: Line 12:
This is the procedure to generate a [[Public_Key_Security#Key_Pair|public/private key pair]]. The keys can be further used in the [[Public_Key_Security#Generate_the_Private_Key |procedure to generate digitally signed certificates]], or even to configure ssh, though ssh has [[Ssh_Configure_Public/Private_Key_Authentication#Create_the_OpenSSH_Private.2FPublic_Key_Pair|its own procedure to generate key pairs]], which produces equivalent keys in the same [[Public_Key_Security#PEM|PEM]] format.
This is the procedure to generate a [[Public_Key_Security#Key_Pair|public/private key pair]]. The keys can be further used in the [[Public_Key_Security#Generate_the_Private_Key |procedure to generate digitally signed certificates]], or even to configure ssh, though ssh has [[Ssh_Configure_Public/Private_Key_Authentication#Create_the_OpenSSH_Private.2FPublic_Key_Pair|its own procedure to generate key pairs]], which produces equivalent keys in the same [[Public_Key_Security#PEM|PEM]] format.


  openssl genrsa|gendsa -out <''keyfile-name''>.pem <''key-lenght''>
  openssl genrsa -out <''keyfile-name''>.pem <''key-lenght''>


  openssl genrsa -out test-pvtkey.pem 2048
  openssl genrsa -out ./server-private-key.pem 2048


The command generates a [[Public_Key_Security#RSA|RSA]] or [[Public_Key_Security#DSA|DSA]] key of specified length in [[Public_Key_Security#PEM|PEM]] format.
The command generates a [[Public_Key_Security#RSA|RSA]] or [[Public_Key_Security#DSA|DSA]] key of specified length in [[Public_Key_Security#PEM|PEM]] format.
Line 19: Line 20:
For more general considerations on private keys, see: {{Internal|Public_Key_Security#Private_Key|Private Keys}}
For more general considerations on private keys, see: {{Internal|Public_Key_Security#Private_Key|Private Keys}}


==Extract the Matching Public Key from a Private Key==
==<span id='Inspect_a_Private_Key'></span>Inspect an RSA Private Key==


The matching [[Public_Key_Security#Public_Key|public key]] can be always extracted from the private key.
openssl rsa -text -in ./server-private-key.pem


openssl rsa -pubout -in ./test-pvtkey.pem -out ./test-pubkey.pem
The output provides, between others, the [[Public_Key_Security#Private_Key|length of the key]].


Note that the private key is protected by a password, the tool will require password at stdin.
==<span id='Extract_the_Matching_Public_Key_from_a_Private_Key'></span>Extract the Matching Public RSA Key from a Private Key==


=Inspect a Private Key=
The matching [[Public_Key_Security#Public_Key|public key]] can be always extracted from the private key.
<syntaxhighlight lang='bash'>
openssl rsa -pubout -in ./server-private-key.pem -out ./server-public-key.pem
</syntaxhighlight>


openssl rsa -text -in test-pvtkey.pem
Note that the private key is protected by a password, the tool will require password at stdin. The key is written in a [[Public_Key_Security#PKCS.238|PKCS8 PEM]] format.  


The output provides, between others, the [[Public_Key_Security#Private_Key|length of the key]].
⚠️ The public key thus generated cannot be directed used with [[OpenSSH]], for example in an <code>authorized_key</code> file, it has to be converted to a compatible OpenSSH format with <code>ssh-keygen</code>:


=Key Format Conversions=
{{Internal|Ssh_Configure_Public/Private_Key_Authentication#Convert_a_OpenSSL_PEM_Public_Key_for_Use_with_OpenSSH|Convert an OpenSSL PEM Public Key for Use with OpenSSH}}


==PKCS#12 to PEM==
==Generate a DSA Private Key==


The following command will convert [[Public_Key_Security#PKCS.2312|PKCS#12]] keys to [[Public_Key_Security#PEM|PEM]].
[[Public Key Security#DSA|DSA]] key generation is a two-step process: the DSA parameters are created in the first step, and the key in the second:


  openssl pkcs12 -in ./test-pvtkey.p12 -out ./test-pvtkey.pem
  openssl dsaparam -genkey 2048 | openssl dsa -out test-pvtkey.pem -aes128
=Generate a Private Key=
<syntaxhighlight lang='bash'>
openssl genpkey -algorithm RSA
</syntaxhighlight>


=Generate a Self-Signed Certificate=
=Get a Certificate Signed by a CA=


==Create a Certificate Signing Request (CSR)==
==Create a Certificate Signing Request (CSR)==
Line 47: Line 55:
This procedure generates a [[Public_Key_Security#Certificate_Signing_Request_.28CSR.29|Certificate Signing Request (CSR)]] that should be sent to the [[Public_Key_Security#Certificate_Authority_.28CA.29|certificate authority]] for signature. This step is part of the [[Public_Key_Security#Create_the_Certificate_Signing_Request|procedure to generate digitally signed certificates]]. The CSR command (<tt>openssl req</tt>) may use an existing private key, previously generated with [[#Generate_the_Private_Key|openssl genrsa]], or it can create a new private key.
This procedure generates a [[Public_Key_Security#Certificate_Signing_Request_.28CSR.29|Certificate Signing Request (CSR)]] that should be sent to the [[Public_Key_Security#Certificate_Authority_.28CA.29|certificate authority]] for signature. This step is part of the [[Public_Key_Security#Create_the_Certificate_Signing_Request|procedure to generate digitally signed certificates]]. The CSR command (<tt>openssl req</tt>) may use an existing private key, previously generated with [[#Generate_the_Private_Key|openssl genrsa]], or it can create a new private key.


To use the existing private key:
If you want a field to be empty during the interactive phase, provide a single dot (.), rather then just hit Return. If you do the latter, OpenSSL will populate the corresponding field with the default value.


openssl req -key ./test-pk.pem -out ./test-csr.pem -new
The '''challenge password''' is an optional field that was intended for use during certificate revocation as a way of identifying the original entity that had requested the certificate. If entered, the password will be included verbatim in the CSR and communicated to the CA. It’s rare to find a CA that relies on this field, so it's best not to include it. Having a challenge password does not increase the security of the CSR in any way. Further, this field should not be confused with the key passphrase, which is a separate feature.


The new CSR will be generated in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-csr.pem</tt>.
To use an '''existing private key''':
<syntaxhighlight lang='bash'>
openssl req -new -key ./test-pk.pem -out ./test-csr.pem  
</syntaxhighlight>


To create a new private key at the time of creation of the certificate signing request, use the following command. Note that the command will ask interactively for a private key password. The password can be provided in-line with the <tt>-passin</tt> option.
The new CSR will be generated in [[Public_Key_Security#PEM|PEM]] format as <code>./test-csr.pem</code>.


openssl req -keyout ./test-pk.pem -out ./test-csr.pem -new
To create a '''new private key''' at the time of creation of the certificate signing request, use the following command.  


Note that the command will require private key password, which must be longer than four characters. The password can be provided interactively, during the certificate request creation process, or it can be specified in a file (no newline) and then provided to the command with <code>-passout file:./password-file.txt</code>. Provide a long, random password, and then <code>chmod</code> the password file to make it readable only by you. When the certificate is used, the tools using is usually offer the option of reading the password from the file. The password can be provided in-line with the <code>-passin</code> option.
<syntaxhighlight lang='bash'>
openssl req -new -newkey rsa:2048 -sha256 -passout file:./password-file.txt -keyout ./test-pk.pem -out ./test-csr.pem
</syntaxhighlight>
The new CSR will be generated in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-csr.pem</tt> and a new private key will be written, also in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-pk.pem</tt>.
The new CSR will be generated in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-csr.pem</tt> and a new private key will be written, also in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-pk.pem</tt>.


==Inspect a Certificate Signing Request (CSR)==
==Inspect a Certificate Signing Request (CSR)==
 
<syntaxhighlight lang='bash'>
openssl req -in ./test-csr.pem -noout -text
openssl req -in ./test-csr.pem -noout -text
 
</syntaxhighlight>
==Generate the Digitally-Signed Certificate==
==<span id='Generate_the_Digitally-Signed_Certificate'></span>Generate the Digitally-Signed Certificate from CSR==


The CSR submitted by the user will be used to generate a digitally-signed certificate. The Certificate Authority's private key will be used to sign the certificate. This operation can be used to generate a self-signed certificate, as part of the [[Public_Key_Security#Send_the_Certificate_Signing_Request_to_CA|procedure to generate digitally signed certificates]].
The CSR submitted by the user will be used to generate a digitally-signed certificate. The Certificate Authority's private key will be used to sign the certificate. This operation can be used to generate a self-signed certificate, as part of the [[Public_Key_Security#Send_the_Certificate_Signing_Request_to_CA|procedure to generate digitally signed certificates]].
<syntaxhighlight lang='bash'>
openssl x509 -req -days 365 -in ./test-csr.pem -signkey ./ca-private-key.pem -out ./test-certificate.pem
</syntaxhighlight>
==Self-Signed Certificates==


openssl x509 -req -days 365 -in ./test-csr.pem -signkey ./ca-private-key.pem -out ./test-certificate.pem
Note that there is no need to create a CSR if all that is needed is a [[Public_Key_Security#Self-Signed_Certificate|self-signed certificate]]. The procedure to create a self-signed certificate, based on the private key, as part of the [[Public_Key_Security#Send_the_Certificate_Signing_Request_to_CA|procedure to generate digitally signed certificates]].
<syntaxhighlight lang='bash'>
openssl req -new -x509 -days 365 -key ./server-private-key.pem -out ./self-signed-server-certificate.pem -subj "/C=US/L=Menlo Park/O=Nova Ordis LLC/CN=www.novaordis.com"
</syntaxhighlight>
Note that -subj is optional, if omitted, the data will be provided at stdin.


=Inspect the Certificate=
=Inspect the Certificate=


[[Public Key Security#Certificate|Certificates]] can be displayed with the following command:
[[Public Key Security#Certificate|Certificates]] can be displayed with the openssl 'x509' command:


openssl x509 -noout -text -in ./test-certificate.pem
<syntaxhighlight lang='bash'>
openssl x509 -noout -text -in ./server-certificate.pem
</syntaxhighlight>
==Options==
====<tt>-noout</tt>====
Skip displaying the certificate in base64 format.


=Obtain a Server Certificate=
=Obtain a Server Certificate=
Line 96: Line 124:
[...]
[...]
</pre>
</pre>
=Key Format Conversions=
==PKCS#12 to PEM==
The following command will convert [[Public_Key_Security#PKCS.2312|PKCS#12]] keys to [[Public_Key_Security#PEM|PEM]].
openssl pkcs12 -in ./test-pvtkey.p12 -out ./test-pvtkey.pem
=Generate a HMAC=
{{External|http://nwsmith.blogspot.com/2012/07/using-openssl-to-generate-hmac-using.html}}
Generates a [[Cryptography#HMAC|HMAC]] using an [[Cryptography#MD5|MD5]] digest algorithm:
echo -n "some value to be hashed and encrypted" | openssl dgst -md5 -hmac 'some-secret-key'
=Generate an MD5 Hash=
Generates the [[MD5#OpenSSL|MD5]] hash in hexadecimal format (default)
echo -n "some value to be hashed" | openssl dgst -md5 [-hex]
{{Warn|When using echo, make sure '''not''' to send the automatically generated "\n" to OpenSSL.}}
Generate the [[MD5#OpenSSL|MD5]] hash in binary format, which can optionally be base64 encoded:
echo -n "some value to be hashed" | openssl dgst -md5 -binary
echo -n "some value to be hashed" | openssl dgst -md5 -binary | openssl base64
=Encrypt/Decrypt=
To encrypt:
openssl aes-256-cbc -pbkdf2 -in cleartext.txt | base64 > ciphertext-base64.txt
The password will be requested at the console.
-pbkdf2 triggers using PBKDF2 ([https://en.wikipedia.org/wiki/PBKDF2 Password-Based Key Derivation Function 2]) algorithm.
To decrypt:
cat ciphertext-base64.txt | base64 -D | openssl aes-256-cbc -pbkdf2 -d > cleartext.txt

Latest revision as of 02:03, 28 February 2024

External

Internal

Generate a Public/Private Key Pair

Generate an RSA Private Key

This is the procedure to generate a public/private key pair. The keys can be further used in the procedure to generate digitally signed certificates, or even to configure ssh, though ssh has its own procedure to generate key pairs, which produces equivalent keys in the same PEM format.

openssl genrsa -out <keyfile-name>.pem <key-lenght>
openssl genrsa -out ./server-private-key.pem 2048

The command generates a RSA or DSA key of specified length in PEM format.

For more general considerations on private keys, see:

Private Keys

Inspect an RSA Private Key

openssl rsa -text -in ./server-private-key.pem

The output provides, between others, the length of the key.

Extract the Matching Public RSA Key from a Private Key

The matching public key can be always extracted from the private key.

openssl rsa -pubout -in ./server-private-key.pem -out ./server-public-key.pem

Note that the private key is protected by a password, the tool will require password at stdin. The key is written in a PKCS8 PEM format.

⚠️ The public key thus generated cannot be directed used with OpenSSH, for example in an authorized_key file, it has to be converted to a compatible OpenSSH format with ssh-keygen:

Convert an OpenSSL PEM Public Key for Use with OpenSSH

Generate a DSA Private Key

DSA key generation is a two-step process: the DSA parameters are created in the first step, and the key in the second:

openssl dsaparam -genkey 2048 | openssl dsa -out test-pvtkey.pem -aes128

Generate a Private Key

openssl genpkey -algorithm RSA

Get a Certificate Signed by a CA

Create a Certificate Signing Request (CSR)

This procedure generates a Certificate Signing Request (CSR) that should be sent to the certificate authority for signature. This step is part of the procedure to generate digitally signed certificates. The CSR command (openssl req) may use an existing private key, previously generated with openssl genrsa, or it can create a new private key.

If you want a field to be empty during the interactive phase, provide a single dot (.), rather then just hit Return. If you do the latter, OpenSSL will populate the corresponding field with the default value.

The challenge password is an optional field that was intended for use during certificate revocation as a way of identifying the original entity that had requested the certificate. If entered, the password will be included verbatim in the CSR and communicated to the CA. It’s rare to find a CA that relies on this field, so it's best not to include it. Having a challenge password does not increase the security of the CSR in any way. Further, this field should not be confused with the key passphrase, which is a separate feature.

To use an existing private key:

openssl req -new -key ./test-pk.pem -out ./test-csr.pem

The new CSR will be generated in PEM format as ./test-csr.pem.

To create a new private key at the time of creation of the certificate signing request, use the following command.

Note that the command will require private key password, which must be longer than four characters. The password can be provided interactively, during the certificate request creation process, or it can be specified in a file (no newline) and then provided to the command with -passout file:./password-file.txt. Provide a long, random password, and then chmod the password file to make it readable only by you. When the certificate is used, the tools using is usually offer the option of reading the password from the file. The password can be provided in-line with the -passin option.

openssl req -new -newkey rsa:2048 -sha256 -passout file:./password-file.txt -keyout ./test-pk.pem -out ./test-csr.pem

The new CSR will be generated in PEM format as ./test-csr.pem and a new private key will be written, also in PEM format as ./test-pk.pem.

Inspect a Certificate Signing Request (CSR)

openssl req -in ./test-csr.pem -noout -text

Generate the Digitally-Signed Certificate from CSR

The CSR submitted by the user will be used to generate a digitally-signed certificate. The Certificate Authority's private key will be used to sign the certificate. This operation can be used to generate a self-signed certificate, as part of the procedure to generate digitally signed certificates.

openssl x509 -req -days 365 -in ./test-csr.pem -signkey ./ca-private-key.pem -out ./test-certificate.pem

Self-Signed Certificates

Note that there is no need to create a CSR if all that is needed is a self-signed certificate. The procedure to create a self-signed certificate, based on the private key, as part of the procedure to generate digitally signed certificates.

openssl req -new -x509 -days 365 -key ./server-private-key.pem -out ./self-signed-server-certificate.pem -subj "/C=US/L=Menlo Park/O=Nova Ordis LLC/CN=www.novaordis.com"

Note that -subj is optional, if omitted, the data will be provided at stdin.

Inspect the Certificate

Certificates can be displayed with the openssl 'x509' command:

openssl x509 -noout -text -in ./server-certificate.pem

Options

-noout

Skip displaying the certificate in base64 format.

Obtain a Server Certificate

openssl s_client -connect nexus-cicd.apps.openshift.novaordis.io:443

The response includes the server's certificate:

[...]
Certificate chain
 0 s:/CN=*.apps.openshift.novaordis.io
[...]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDRTCCAi2gAwIBAgIBEjANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu
[...]
65vqsz8NTtde1vJ5qW31Af0pO9YehiSRfA==
-----END CERTIFICATE-----
subject=/CN=*.apps.openshift.novaordis.io
[...]

Key Format Conversions

PKCS#12 to PEM

The following command will convert PKCS#12 keys to PEM.

openssl pkcs12 -in ./test-pvtkey.p12 -out ./test-pvtkey.pem

Generate a HMAC

http://nwsmith.blogspot.com/2012/07/using-openssl-to-generate-hmac-using.html

Generates a HMAC using an MD5 digest algorithm:

echo -n "some value to be hashed and encrypted" | openssl dgst -md5 -hmac 'some-secret-key'

Generate an MD5 Hash

Generates the MD5 hash in hexadecimal format (default)

echo -n "some value to be hashed" | openssl dgst -md5 [-hex]

When using echo, make sure not to send the automatically generated "\n" to OpenSSL.

Generate the MD5 hash in binary format, which can optionally be base64 encoded:

echo -n "some value to be hashed" | openssl dgst -md5 -binary 
echo -n "some value to be hashed" | openssl dgst -md5 -binary | openssl base64

Encrypt/Decrypt

To encrypt:

openssl aes-256-cbc -pbkdf2 -in cleartext.txt | base64 > ciphertext-base64.txt

The password will be requested at the console.

-pbkdf2 triggers using PBKDF2 (Password-Based Key Derivation Function 2) algorithm.

To decrypt:

cat ciphertext-base64.txt | base64 -D | openssl aes-256-cbc -pbkdf2 -d > cleartext.txt