OpenSSL CLI-Cheat-Sheet [en]

The OpenSSL library is used by a wide range of other open-source projects, such as web servers, mail servers and VPN servers. When dealing with such software and SSL/TLS, it often proves useful to be familiar with the openssl command-line tool.

Of course, OpenSSL has good man pages, and a quick web search reveals plenty of usage examples. However, OpenSSL is packed with features, and I often struggle to find just the information I need. Hence this cheat sheet of openssl calls that I personally find useful…

Displaying Certificate Information

Once you have a certificate file (e.g. downloaded from an HTTPS website or created with the commands described below) you will likely want to check what it says. You can display it in human-readable form and print its fingerprints with the following commands:

openssl x509 -noout -text -in meeque.crt
openssl x509 -noout -fingerprint -sha1 -in meeque.crt
openssl x509 -noout -fingerprint -md5 -in meeque.crt

This corresponds to the certificate information popular web browsers display when you ask them for the details of an SSL connection. Note that an MD5 fingerprint no longer identifies a certificate reliably (MD5 collisions are practical) and SHA-1 is on its way out as well; when comparing against what a browser or a CA shows you, use -sha256, which openssl x509 accepts too.

Likewise you can display the contents of a certificate-signing-request (CSR):

openssl req -noout -text -in meeque.csr

Creating a Certificate Signing Request

To obtain an SSL certificate you first need a certificate signing request (CSR), which you then submit to a certificate authority (CA), like CAcert. Create a new CSR and a matching private key like so:

openssl req -newkey rsa:4096 -keyout meeque.key.enc -out meeque.csr

By default, this command interactively asks for the information to include in the certificate, i.e. the fields of the distinguished name (country, organisation name, common name, which is the domain name, etc.). To run it non-interactively, e.g. from a script, pass the distinguished name on the command line instead, e.g. -subj '/CN=meeque.de'.

It also asks for a passphrase to protect the private-key with. You can later remove such a passphrase with the following command:

openssl rsa -in meeque.key.enc -out meeque.key

(Depending on your security needs this can be useful, since it lets the server restart without user interaction. However, keep unencrypted private keys extra safe: restrictive file permissions, e.g. mode 0600 and owned by the user that starts the server, and never ship them together with the certificate.)

Creating a Self-Signed Certificate

When you need a certificate for test purposes only, you probably don't want to involve a certificate authority. Instead, you sign the certificate yourself. Based on the above CSR and private key it works like this:

openssl x509 -req -days 365 -extfile meeque.openssl.cnf -extensions v3_req -in meeque.csr -signkey meeque.key -out meeque.self.crt

Note that -extensions only names a section; the file containing that section has to be passed with -extfile (here the config file described in the next section), otherwise none of the requested extensions, in particular the subjectAltName, end up in the certificate. Since OpenSSL 3.0 you can alternatively pass -copy_extensions copy to carry the extensions over from the CSR.

Tackling Multi-Domain-Certificates

One thing that cannot be done on the command line alone (at least not before OpenSSL 1.1.1, which added -addext) is the creation of a multi-domain certificate, or more precisely of the respective CSR. Here you need a custom OpenSSL configuration file with a subjectAltName entry listing all the domains. Start with one of the sample config files and make sure its [ req ] section contains the following line (the sample has it, but commented out); without it the v3_req section is silently ignored and the CSR carries no SANs at all:

req_extensions = v3_req

Then add the names to the v3_req section:

[ v3_req ]
subjectAltName = DNS:meeque.de,DNS:meeque.org,DNS:foo.example.net

When creating your CSR, you pass your config-file to the command described above:

openssl req -config meeque.openssl.cnf -newkey rsa:4096 -keyout meeque.key.enc -out meeque.csr
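The whole procedure from this and the previous sections, assembled into one script that runs without prompts (an added example, not from the cheat sheet): it writes the minimal config, creates the encrypted key and the CSR, strips the passphrase, self-signs with -extfile, and then checks that the SANs really made it into both the CSR and the certificate. The file names, the CN meeque.de, the demo passphrase and rsa:2048 (instead of the 4096 above, to keep it quick) are assumptions for the demo.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): the CSR -> key -> self-signed
# certificate procedure, run non-interactively in a scratch directory.
# Assumptions: file names, the CN, the demo passphrase and rsa:2048.
# Works with OpenSSL 1.1.1 and 3.x.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/meeque.openssl.cnf"
KEY="$WORK/meeque.key"
CSR="$WORK/meeque.csr"
CRT="$WORK/meeque.self.crt"

# Minimal config. req_extensions must name the section, otherwise openssl req
# ignores [ v3_req ] and the CSR carries no subjectAltName. prompt = no takes
# the distinguished name from the config instead of asking interactively.
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = meeque.de

[ v3_req ]
subjectAltName = DNS:meeque.de,DNS:meeque.org,DNS:foo.example.net
EOF
}

# Same as the post's req command plus -passout so it needs no terminal.
# (pass: on the command line shows up in the process list; fine for a demo,
# use -passout file: or env: for anything real.)
make_key_and_csr() {
  openssl req -config "$CNF" -newkey rsa:2048 -keyout "$KEY.enc" -out "$CSR" \
    -passout pass:demo-passphrase 2>/dev/null
  # Strip the passphrase as in the post; the plain key must stay private.
  openssl rsa -in "$KEY.enc" -passin pass:demo-passphrase -out "$KEY" 2>/dev/null
  chmod 600 "$KEY"
}

# Self-sign. -extensions only names a section; the file it lives in has to be
# given with -extfile, or the SANs from the CSR do not make it into the cert.
self_sign() {
  openssl x509 -req -days 365 -extfile "$CNF" -extensions v3_req \
    -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

# DNS names in the subjectAltName of a CSR ($1 = req) or a certificate ($1 = x509).
san_names() {
  openssl "$1" -noout -text -in "$2" \
    | sed -n 's/^[[:space:]]*\(DNS:.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Succeeds if certificate $2 verifies against the CA file $1.
verifies_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

write_config
make_key_and_csr
self_sign
echo "CSR SANs:  $(san_names req "$CSR")"
echo "Cert SANs: $(san_names x509 "$CRT")"
openssl x509 -noout -subject -fingerprint -sha256 -in "$CRT"
if verifies_against "$CRT" "$CRT"; then
  echo "self-signed certificate verifies against itself"
fi
```

Run it with sh. Both SAN lines should read DNS:meeque.de, DNS:meeque.org, DNS:foo.example.net; if the certificate line is empty, the -extfile was missing, if the CSR line is empty, req_extensions was not set. The final verify is the same check s_client performs later when you pass the file with -CAfile.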

Dealing with Ciphers

Once certificates are in place, you might want to tweak other properties of your SSL connections, e.g. enable or disable certain ciphers. The OpenSSL library uses a rather peculiar cipher list format, which is also used in the config files of various SSL-enabled servers (e.g. Apache's mod_ssl). Luckily the openssl command helps you to test such cipher lists. The following command takes a textual cipher list and tells you to which actual ciphers it resolves (add -v to also see protocol version, key exchange, authentication, encryption and MAC of each suite, which makes it obvious what e.g. !ADH or !MD5 removed). Note that TLS 1.3 cipher suites are not part of this format; since OpenSSL 1.1.1 they are configured separately via -ciphersuites.

openssl ciphers '!ADH:!AECDH:!MD5:HIGH'

Testing SSL-Connections

Which leaves us with my new personal favorite: the SSL client that comes with OpenSSL. It initiates an SSL connection to a given server and port and dumps plenty of information regarding the certificate chain, certificate validation, the handshake, the session, etc. The "Verify return code" at the end tells you whether the chain validated against the trust store; pass -CAfile or -CApath if your CA bundle is not in OpenSSL's default location, and -servername <host> to get the right certificate from a host that serves several domains (OpenSSL before 1.1.1 did not send SNI unless told to). Usage is as simple as this:

openssl s_client -connect meeque.de:443

The small SSLScan tool also builds on OpenSSL. It provides a quick way to check which ciphers a given server supports:

sslscan --no-failed meeque.de:443
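To try the s_client checks (and the sslscan-style per-cipher probing) without a target on the internet, here is an added example, not part of the original post, that starts a throw-away s_server on localhost with a fresh self-signed certificate and connects to it: once trusting the certificate file, once not, followed by two cipher probes. The port 14433, the file names, the CN localhost and the two cipher names are assumptions for the demo; it needs OpenSSL 1.1.1 or newer (for -addext).

```sh
#!/bin/sh
# Added example (not from the post): a local TLS server plus the s_client
# checks you would otherwise run against a real host. Port, file names and
# cipher names are assumptions for the demo. Needs OpenSSL >= 1.1.1.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

DEMO_PORT=${DEMO_PORT:-14433}
WORK=$(mktemp -d)
KEY="$WORK/localhost.key"
CRT="$WORK/localhost.crt"
SERVER_PID=

# Quick self-signed cert; -addext is the one-shot alternative to a config file
# when all you need is a subjectAltName.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
    -addext 'subjectAltName=DNS:localhost' -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Background s_server (-www: answer HTTP GETs, do not read stdin); return
# once a handshake on the port succeeds.
start_server() {
  openssl s_server -accept "$DEMO_PORT" -cert "$CRT" -key "$KEY" -www \
    </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  tries=0
  while ! openssl s_client -connect "127.0.0.1:$DEMO_PORT" </dev/null >/dev/null 2>&1; do
    tries=$((tries + 1))
    if [ "$tries" -ge 20 ]; then echo "s_server did not come up" >&2; return 1; fi
    sleep 1
  done
}

stop_server() {
  if [ -n "$SERVER_PID" ]; then
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
  fi
  SERVER_PID=
}
trap 'stop_server; rm -rf "$WORK"' EXIT

# Print the "Verify return code" s_client reports for one handshake.
# $1 = CA file to trust, or "" to rely on the default trust store only.
# -servername sends SNI, -verify_hostname checks the cert against that name.
verify_code() {
  if [ -n "$1" ]; then
    out=$(openssl s_client -connect "127.0.0.1:$DEMO_PORT" -servername localhost \
            -verify_hostname localhost -CAfile "$1" </dev/null 2>/dev/null) || true
  else
    out=$(openssl s_client -connect "127.0.0.1:$DEMO_PORT" -servername localhost \
            -verify_hostname localhost </dev/null 2>/dev/null) || true
  fi
  printf '%s\n' "$out" \
    | sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | tail -1
}

# Succeeds if the server completes a TLS 1.2 handshake with exactly this cipher
# (what sslscan does for every suite it knows). -cipher covers TLS 1.2 and older
# suites only; TLS 1.3 suites are a separate list (-ciphersuites).
server_accepts() {
  openssl s_client -connect "127.0.0.1:$DEMO_PORT" -tls1_2 -cipher "$1" \
    </dev/null >/dev/null 2>&1
}

make_test_cert
start_server
echo "verify with -CAfile: $(verify_code "$CRT")"   # 0 = ok
echo "verify without CA:   $(verify_code "")"       # 18 = self-signed, not trusted
for c in ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256; do
  if server_accepts "$c"; then echo "accepted: $c"; else echo "rejected: $c"; fi
done
stop_server
```

The two verify_code runs print 0 and 18: 0 (ok) means the chain validated against the given -CAfile and the hostname matched; 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, i.e. the certificate is self-signed and not in the trust store, which is also what you see against an internal CA whose root you did not pass in. The ECDSA suite is rejected because the server only has an RSA certificate, not because the cipher is weak; that is exactly the kind of thing a cipher scan tells you about a server's configuration. When scripting this, add -verify_return_error so s_client exits non-zero on a verification failure instead of merely reporting it.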
