Master OpenSSL: A Complete Guide to Encryption, Keys, and Certificates

This article provides a thorough walkthrough of OpenSSL, covering cryptographic standards, symmetric and asymmetric encryption commands, message digests, certificate creation and management, as well as useful utilities like random number generation and password hashing, all illustrated with practical command‑line examples.

Linux Cloud Computing Practice
To resolve doubts about the present, examine the past; to know what is to come, look at what has gone before.

Introduction

Cryptographic standards such as PKCS and X.509 define how keys and certificates are formatted; OpenSSL implements these standards and provides command‑line tools for symmetric encryption, asymmetric encryption, hashing, and certificate generation and signing.

$ openssl --help
// all sub‑commands
Standard commands
asn1parse         ca                ciphers           cmp
cms               crl               crl2pkcs7         dgst
... (list truncated for brevity) ...
// digest algorithms
blake2b512        blake2s256        md4               md5
rmd160            sha1              sha224            sha256
sha3-224          sha3-256          sha3-384          sha3-512
sha384            sha512            sha512-224        sha512-256
shake128          shake256          sm3
// symmetric ciphers
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
... (list truncated) ...

Symmetric Encryption

Symmetric algorithms use the same key for encryption and decryption. List the available ciphers with:

openssl list -cipher-commands

The enc sub‑command performs symmetric encryption and decryption.

$ openssl enc --help
Usage: enc [options]
General options:
 -help               Display this summary
 -list               List ciphers
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
... (options truncated) ...

Example: encrypt a file with AES‑128‑CBC and then decrypt it. Both commands must be given the same passphrase, and -pbkdf2 selects the modern key derivation (without it, current OpenSSL prints a deprecation warning).

# encrypt
openssl enc -e -aes-128-cbc -pbkdf2 -in test.txt -k pass -out test-aes-enc.txt -v
# decrypt
openssl enc -d -aes-128-cbc -pbkdf2 -in test-aes-enc.txt -k pass -out test-aes-dec.txt -v

Example: base64‑encode a string (base64 is an encoding, not encryption; anyone can reverse it).

echo -n "12345" | openssl enc -e -base64 -in -

Example: encrypt a file and output the ciphertext in base64.

openssl enc -aes-256-cbc -a -salt -in file.txt -out file.enc
openssl enc -d -aes-256-cbc -a -in file.enc
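The enc command gives confidentiality only: a modified ciphertext still decrypts (or fails only by luck of the padding check). The script below is an added example, not from the original article, that wraps the AES‑256‑CBC command above with PBKDF2 key derivation and an HMAC‑SHA256 tag from openssl dgst, and refuses to decrypt anything whose tag does not match; the passphrase, MAC key and plaintext are constructed for the demo.

```shell
# Added example (not from the article): encrypt-then-MAC around `openssl enc`.
set -eu

# encrypt_and_tag <plaintext> <passphrase> <mackey> <ciphertext-out> <tag-out>
encrypt_and_tag() {
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -pass "pass:$2" -in "$1" -out "$4"
    # HMAC-SHA256 over the ciphertext; -r prints "<hex> *<file>", keep the hex
    openssl dgst -sha256 -hmac "$3" -r "$4" | cut -d' ' -f1 > "$5"
}

# verify_and_decrypt <ciphertext> <tag> <passphrase> <mackey> <plaintext-out>
# Prints TAMPERED if the tag does not match (nothing is decrypted),
# DECRYPT_FAILED if enc rejects the data, OK otherwise.
verify_and_decrypt() {
    expected=$(cat "$2")
    actual=$(openssl dgst -sha256 -hmac "$4" -r "$1" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo TAMPERED
    elif openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
            -pass "pass:$3" -in "$1" -out "$5" 2>/dev/null; then
        echo OK
    else
        echo DECRYPT_FAILED
    fi
}

# demo: round trip on constructed data, then a modified ciphertext. Returns "OK TAMPERED".
demo() {
    d=$(mktemp -d)
    printf 'constructed sample plaintext: build secrets go here\n' > "$d/plain.txt"
    pass='correct horse battery staple'      # constructed passphrase
    mackey=$(openssl rand -hex 32)           # separate key for the MAC, never reuse the passphrase
    encrypt_and_tag "$d/plain.txt" "$pass" "$mackey" "$d/cipher.bin" "$d/cipher.tag"
    r1=$(verify_and_decrypt "$d/cipher.bin" "$d/cipher.tag" "$pass" "$mackey" "$d/dec.txt")
    cmp -s "$d/plain.txt" "$d/dec.txt" || r1=MISMATCH
    printf 'X' >> "$d/cipher.bin"            # any change to the ciphertext breaks the tag
    r2=$(verify_and_decrypt "$d/cipher.bin" "$d/cipher.tag" "$pass" "$mackey" "$d/dec2.txt")
    rm -rf "$d"
    echo "$r1 $r2"
}
demo
```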

Public‑Key Encryption

Asymmetric algorithms use a key pair: the public key encrypts or verifies signatures, the private key decrypts or signs. OpenSSL supports RSA, DSA, DH, and EC; RSA is the most commonly used.

Generating RSA Private Keys

$ openssl genrsa --help
Usage: genrsa [options] numbits
General options:
 -help               Display this summary
 -engine val         Use engine, possibly a hardware device
... (options truncated) ...
Parameters:
 numbits             Size of key in bits

Example: generate an unencrypted 1024‑bit RSA private key (options go before the key size; note that 1024‑bit RSA is no longer considered adequate and OpenSSL's default size is 2048).

openssl genrsa -verbose -out private.pem 1024

Example: generate a password‑protected RSA key (PEM format); genrsa prompts for the passphrase and uses its default key size.

openssl genrsa -aes128 -verbose -out pri.pem

RSA Key Management

$ openssl rsa --help
Usage: rsa [options]
General options:
 -help               Display this summary
 -check              Verify key consistency
... (options truncated) ...

Example: view the contents of a private key (-noout suppresses re‑printing the PEM block).

openssl rsa -in private.pem -text -noout

Example: add, remove, or change the password on an RSA key.

# add password protection (RSA.pem is unencrypted)
openssl rsa -in RSA.pem -des3 -passout pass:123456 -out E_RSA.pem
# remove password protection
openssl rsa -in E_RSA.pem -passin pass:123456 -out P_RSA.pem
# change the encryption algorithm of the protected key to AES-128
openssl rsa -in E_RSA.pem -passin pass:123456 -aes128 -passout pass:123456 -out E_RSA_aes.pem

Example: convert PEM to DER. The traditional RSAPrivateKey DER encoding has no encryption wrapper, so the output is unencrypted; -passin is only needed when the PEM input is encrypted.

openssl rsa -in E_RSA.pem -passin pass:123456 -outform DER -out rsa.der

Example: extract the public key from a private key.

openssl rsa -in private.pem -pubout -out public.pem

RSA Encryption/Signing Utility

$ openssl rsautl --help
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Usage: rsautl [options]
General options:
 -help                Display this summary
 -sign                Sign with private key
 -verify              Verify with public key
 -encrypt             Encrypt with public key
 -decrypt             Decrypt with private key
... (options truncated) ...

Example: encrypt a file with a public key and decrypt with the private key (-pubin tells rsautl that the key given with -inkey is a public key; without it a private key is expected).

# encrypt
openssl rsautl -encrypt -in plain.text -pubin -inkey public.pem -out encrypt.text
# decrypt
openssl rsautl -decrypt -in encrypt.text -inkey private.pem -out replain.text

Example: sign a file with a private key and verify with the public key.

# sign
openssl rsautl -sign -in plain.text -inkey private.pem -out signed.text
# verify (recovers the signed data into verify.text)
openssl rsautl -verify -in signed.text -pubin -inkey public.pem -out verify.text

Message Digest

Digest algorithms produce a fixed‑length hash of arbitrary data, useful for integrity checks.

$ openssl dgst --help
Usage: dgst [options] [file...]
General options:
 -help               Display this summary
 -list               List digests
... (options truncated) ...
Signing options:
 -sign val           Sign digest using private key
 -verify val         Verify a signature using public key
... (options truncated) ...

Example: compute the MD5 hash of a file (MD5 is adequate for a quick checksum but is collision‑broken, so use -sha256 wherever the hash has a security role).

openssl dgst -md5 test.txt

Example: sign a file and verify the signature.

# sign (dgst hashes the file and signs the digest; the digest defaults to SHA-256)
openssl dgst -sha256 -sign private.pem -out test.text plain.text
# verify
openssl dgst -sha256 -verify public.pem -signature test.text plain.text
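Added example, not the article's own commands, serving both the rsautl section and the dgst sign/verify pair above: the same encrypt/decrypt and sign/verify flow with pkeyutl (the replacement for the deprecated rsautl) using RSA‑OAEP rather than the PKCS#1 v1.5 padding rsautl defaults to, and dgst -sha256 signatures that are shown to fail once the signed file changes. The key pair and message are generated and constructed in a temporary directory.

```shell
# Added example (not from the article): rsautl's jobs done with pkeyutl (RSA-OAEP) and dgst.
set -eu

# rsa_demo: generates a throwaway key pair and returns "ENC_OK SIG_OK SIG_TAMPERED"
rsa_demo() {
    d=$(mktemp -d)
    # genpkey is the modern form of genrsa; 2048 bits is the usual floor today
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/private.pem" 2>/dev/null
    openssl rsa -in "$d/private.pem" -pubout -out "$d/public.pem" 2>/dev/null
    printf 'constructed sample message\n' > "$d/plain.txt"

    # encrypt with the public key (OAEP, SHA-256), decrypt with the private key;
    # OAEP replaces the PKCS#1 v1.5 padding that rsautl uses by default
    openssl pkeyutl -encrypt -pubin -inkey "$d/public.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$d/plain.txt" -out "$d/cipher.bin"
    openssl pkeyutl -decrypt -inkey "$d/private.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$d/cipher.bin" -out "$d/dec.txt"
    if cmp -s "$d/plain.txt" "$d/dec.txt"; then enc=ENC_OK; else enc=ENC_BAD; fi

    # sign the SHA-256 digest with the private key, verify with the public key
    openssl dgst -sha256 -sign "$d/private.pem" -out "$d/plain.sig" "$d/plain.txt"
    if openssl dgst -sha256 -verify "$d/public.pem" -signature "$d/plain.sig" \
            "$d/plain.txt" >/dev/null 2>&1; then sig=SIG_OK; else sig=SIG_BAD; fi

    # one appended byte must make the same signature fail verification
    printf 'X' >> "$d/plain.txt"
    if openssl dgst -sha256 -verify "$d/public.pem" -signature "$d/plain.sig" \
            "$d/plain.txt" >/dev/null 2>&1; then tam=SIG_STILL_OK; else tam=SIG_TAMPERED; fi

    rm -rf "$d"
    echo "$enc $sig $tam"
}
rsa_demo
```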

Digital Certificates

A digital certificate binds a public key to an identity (the subject name) and is signed by a trusted certificate authority (CA) so that relying parties can verify that binding.

Certificate Request Generation

$ openssl req --help
Usage: req [options]
General options:
 -help                 Display this summary
 -new                  New request
 -config infile        Request template file
 -subj val             Set or modify subject of request or certificate
... (options truncated) ...

Example: generate a certificate signing request (CSR) using an existing private key.

openssl req -new -key private.pem -out request.csr

Example: generate a self‑signed root CA certificate.

# generate the CA private key
openssl genrsa -out ca.pem 2048
# generate the self‑signed certificate
openssl req -new -x509 -days 365 -key ca.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.cer

Example: sign a CSR with a self‑signed root CA.

openssl req -newkey rsa:2048 -nodes -keyout server.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=localhost" -out server.csr
openssl x509 -sha256 -req -days 365 -in server.csr -CA ca.cer -CAkey ca.pem -CAcreateserial -out server.cer

Miscellaneous OpenSSL Commands

Generate random bytes:

openssl rand -hex 3

Generate a Linux password hash (-6 selects SHA‑512 crypt, the format modern /etc/shadow entries use; -1 gives the older MD5 crypt):

openssl passwd -6 12345
openssl passwd -6 -salt 'z' 12345

Verify a certificate (without -CAfile only the system trust store is consulted, so a certificate issued by a private CA such as the one created above is reported as untrusted):

# against the system trust store
openssl verify cert.pem
# against the private root CA created above
openssl verify -CAfile ca.cer server.cer
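Added example (not from the article) that runs the CA and server‑certificate steps of the Digital Certificates section end to end and checks the result with openssl verify: it supplies the subjectAltName and extendedKeyUsage extensions a TLS client actually matches on (openssl x509 -req does not carry the CSR's extensions into the certificate by default, so they are passed with -extfile) and shows that the same certificate is rejected when checked against a root that did not issue it. All names are constructed.

```shell
# Added example (not from the article): private CA, leaf certificate with SAN, and verify.
set -eu

# ca_demo: returns "VERIFY_OK SAN_OK UNTRUSTED_REJECTED"
ca_demo() {
    d=$(mktemp -d)
    # self-signed root CA (constructed names, as in the section above)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" \
        -keyout "$d/ca.pem" -out "$d/ca.cer" 2>/dev/null
    # server key and CSR
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$d/server.pem" -out "$d/server.csr" 2>/dev/null
    # extensions a TLS leaf needs; clients match the host name against the SAN, not the CN
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:localhost, IP:127.0.0.1' > "$d/server.ext"
    # x509 -req does not carry CSR extensions over by default, so pass them with -extfile
    openssl x509 -req -sha256 -days 365 -in "$d/server.csr" -CA "$d/ca.cer" -CAkey "$d/ca.pem" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/server.cer" 2>/dev/null
    # chain validation against our own root succeeds ...
    if openssl verify -CAfile "$d/ca.cer" "$d/server.cer" >/dev/null 2>&1; then v=VERIFY_OK; else v=VERIFY_BAD; fi
    # ... the SAN made it into the certificate ...
    if openssl x509 -in "$d/server.cer" -noout -text | grep -q 'DNS:localhost'; then s=SAN_OK; else s=SAN_MISSING; fi
    # ... and a root that did not issue the certificate does not validate it
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated Root" \
        -keyout "$d/other.pem" -out "$d/other.cer" 2>/dev/null
    if openssl verify -CAfile "$d/other.cer" "$d/server.cer" >/dev/null 2>&1; then u=UNTRUSTED_ACCEPTED; else u=UNTRUSTED_REJECTED; fi
    rm -rf "$d"
    echo "$v $s $u"
}
ca_demo
```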

Run a TLS server and client:

# server
openssl s_server -cert mycert.pem -www -accept 4433
# client
openssl s_client -connect remote.host:4433
[Figure: OpenSSL diagram]
Written by

Linux Cloud Computing Practice
