Master OpenSSL: From Symmetric Encryption to Digital Certificates

This comprehensive guide explains OpenSSL’s role in cryptography, covering symmetric and asymmetric encryption, hashing, key generation, certificate creation, and practical command‑line examples for encrypting files, managing keys, signing data, and configuring TLS servers, empowering readers to master secure communications.

Raymond Ops

Cryptographic standards such as the PKCS family define how RSA keys are generated and how public and private keys are encoded, and X.509 defines the certificate format. OpenSSL implements these standards and exposes them through command‑line subcommands for symmetric ciphers, asymmetric algorithms, hashing, and certificate handling.

$ openssl --help
# List of subcommands, e.g., asn1parse, ca, ciphers, cmp, cms, crl, ...
$ openssl list -digest-commands
# List of digest algorithms, e.g., md5, sha1, sha256, ...

Symmetric Encryption

Symmetric key algorithms use the same key for encryption and decryption. List the available ciphers with openssl list -cipher-commands. The enc subcommand performs both encryption and decryption.

$ openssl enc --help
Usage: enc [options]
  -e            Encrypt
  -d            Decrypt
  -aes-128-cbc  Cipher name
  -in <file>    Input file
  -out <file>   Output file
  -k <pass>     Passphrase
  -a            Base64 encode/decode
  ...

Example: encrypt a file with AES‑128‑CBC. Note that -k takes the passphrase on the command line, where it is visible in shell history and the process list, and that newer OpenSSL releases warn that the default key derivation is deprecated and recommend adding -pbkdf2:

openssl enc -e -aes-128-cbc -in test.txt -k pass -out test-aes-enc.txt -v

Decrypt:

openssl enc -d -aes-128-cbc -in test-aes-enc.txt -k pass -out test-dec.txt -v

Base64 encoding example:

echo -n "12345" | openssl enc -e -base64 -in -

echo "MTIzNDU=" | openssl enc -d -base64 -in -
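The enc round trip described above, written as an added example that is not part of the original article: it uses AES‑256‑CBC with PBKDF2 key derivation, reads the passphrase from a file instead of the -k argument, and shows why a failed decrypt with the wrong passphrase must not be mistaken for an integrity check. It assumes the openssl binary is on PATH; the file names, sample text and passphrases are constructed for the demo.

```shell
# Added example, not code from the original article: AES-256-CBC file encryption
# with PBKDF2 key derivation, a decrypt round trip, and a wrong-passphrase check.
# Assumes the openssl binary is on PATH; file names and passphrases are constructed.

# Encrypt $1 into $2. The passphrase is read from the file named in $3, so it does
# not appear in the process list or shell history the way a -k argument does.
aes_encrypt() {
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 into $2 with the same passphrase file; the KDF options must match.
aes_decrypt() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Round trip on a constructed sample file; prints the recovered plaintext.
aes_roundtrip() {
    dir=$(mktemp -d)
    printf 'attack at dawn\n' > "$dir/plain.txt"
    printf 'correct horse battery staple\n' > "$dir/pass.txt"
    aes_encrypt "$dir/plain.txt" "$dir/enc.bin" "$dir/pass.txt"
    aes_decrypt "$dir/enc.bin" "$dir/dec.txt" "$dir/pass.txt"
    cat "$dir/dec.txt"
    rm -rf "$dir"
}

# Decrypting with the wrong passphrase. openssl usually exits non-zero with
# "bad decrypt" because the CBC padding check fails, but about 1 wrong key in 256
# produces valid-looking padding and garbage output with exit status 0. CBC mode
# carries no authentication tag, so compare content instead of trusting the exit
# status alone. Returns 0 when the wrong passphrase did not yield the plaintext.
aes_wrong_pass_rejected() {
    dir=$(mktemp -d)
    printf 'attack at dawn\n' > "$dir/plain.txt"
    printf 'right passphrase\n' > "$dir/good.txt"
    printf 'wrong passphrase\n' > "$dir/bad.txt"
    aes_encrypt "$dir/plain.txt" "$dir/enc.bin" "$dir/good.txt"
    rc=0
    if aes_decrypt "$dir/enc.bin" "$dir/dec.txt" "$dir/bad.txt" 2>/dev/null &&
       cmp -s "$dir/dec.txt" "$dir/plain.txt"; then
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

The enc utility refuses AEAD modes such as AES‑GCM, so a file encrypted this way has confidentiality but no integrity protection; if tampering matters, sign the ciphertext separately (the dgst subcommand below does that) or use a tool built around an authenticated mode.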

Public‑Key Encryption

Public‑key algorithms (RSA, DSA, EC, DH) use separate keys for encryption and decryption. The genrsa, rsa, and rsautl subcommands manage RSA keys and signatures.

$ openssl genrsa --help
Usage: genrsa [options] numbits
  -out <file>   Output private key
  -aes128       Encrypt private key with AES‑128‑CBC
  ...

Generate an unencrypted 1024‑bit private key (options must precede the key size; note that 1024‑bit RSA is below current minimum recommendations, so use 2048 bits or more for real deployments):

openssl genrsa -verbose -out private.pem 1024

Generate a password‑protected key with AES‑128‑CBC (the -aes128 option already selects CBC mode):

openssl genrsa -aes128 -verbose -out pri.pem

Extract a public key from a private key:

openssl rsa -in private.pem -pubout -out public.pem

Sign a file with a private key and verify with the public key:

openssl rsautl -sign -in plain.txt -inkey private.pem -out signed.text
openssl rsautl -verify -in signed.text -pubin -inkey public.pem -out verify.txt

Message Digest

Digest algorithms produce a fixed‑size hash from arbitrary data, useful for integrity checks. List supported digests with openssl list -digest-commands. The dgst subcommand computes hashes, signs, and verifies.

$ openssl dgst --help
Usage: dgst [options] [file...]
  -md5          Compute MD5 hash
  -sha256       Compute SHA‑256 hash
  -sign <key>   Sign digest with private key
  -verify <key> Verify signature with public key
  ...

Compute the MD5 hash of a file (MD5 is adequate for a quick checksum but is not collision‑resistant, so use SHA‑256 for anything security‑relevant):

openssl dgst -md5 test.txt

Sign a file's hash with a private key and verify with the corresponding public key:

openssl dgst -sign private.pem -out test.text plain.txt
openssl dgst -verify public.pem -signature test.text plain.txt
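The key generation from the Public‑Key Encryption section and the sign/verify flow from this section, combined into one added example that is not part of the original article. It generates an RSA key pair, signs a file's SHA‑256 digest with the private key, verifies it with the public key, and shows that changing a single byte of the file makes verification fail. It assumes openssl is on PATH; the file names and contents are constructed.

```shell
# Added example, not code from the original article: generate an RSA key pair,
# sign a file's SHA-256 digest, verify it, and detect a one-byte modification.
# Assumes openssl on PATH; file names and file contents are constructed.

# Create a 2048-bit private key and the matching public key in directory $1.
rsa_make_keys() {
    openssl genrsa -out "$1/private.pem" 2048 2>/dev/null
    openssl rsa -in "$1/private.pem" -pubout -out "$1/public.pem" 2>/dev/null
}

# Sign: hash the file with SHA-256 and sign the digest. This is what dgst -sign
# does; rsautl -sign instead applies RSA directly to the raw input and is limited
# to a single block of data.
rsa_sign() {   # $1 = private key, $2 = file to sign, $3 = signature output
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify: exit status 0 on "Verified OK", non-zero on "Verification Failure".
rsa_verify() { # $1 = public key, $2 = file, $3 = signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Demo: prints "ok" when the untouched file verifies and a copy with one byte
# changed does not.
rsa_sign_demo() {
    dir=$(mktemp -d)
    rsa_make_keys "$dir"
    printf 'transfer 100 to alice\n' > "$dir/plain.txt"      # constructed input
    rsa_sign "$dir/private.pem" "$dir/plain.txt" "$dir/plain.sig"
    printf 'transfer 900 to alice\n' > "$dir/tampered.txt"   # one byte changed
    result="fail"
    if rsa_verify "$dir/public.pem" "$dir/plain.txt" "$dir/plain.sig" &&
       ! rsa_verify "$dir/public.pem" "$dir/tampered.txt" "$dir/plain.sig"; then
        result="ok"
    fi
    rm -rf "$dir"
    echo "$result"
}
```

The digest algorithm is passed explicitly on both sides: a signature made over SHA‑256 will not verify if the verifier hashes with a different algorithm, so the pair must agree on it out of band.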

Digital Certificates

Certificates bind a public key to an identity and are signed by a trusted certificate authority (CA). OpenSSL's req, x509, and related subcommands create certificate requests and self‑signed certificates and manage extensions.

$ openssl req --help
Usage: req [options]
  -new          Create a new certificate request
  -key <file>   Private key for signing
  -out <file>   Output request
  -subj <dn>    Subject distinguished name
  ...

Generate a certificate signing request (CSR) using an existing private key:

openssl req -new -key private.pem -out request.csr

Create a self‑signed root CA certificate:

openssl genrsa -out ca.pem 2048
openssl req -new -x509 -days 365 -key ca.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.cer

Sign a CSR with the root CA:

openssl x509 -sha256 -req -days 365 -in server.csr -CA ca.cer -CAkey ca.pem -CAcreateserial -out server.cer

Certificate diagram
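The root‑CA and CSR‑signing steps above, carried through as an added example that is not part of the original article: it builds a self‑signed root with an explicit config so the CA certificate carries basicConstraints CA:TRUE, issues a server certificate with a subjectAltName, and then uses openssl verify to confirm the chain and hostname and to reject an unrelated CA and a wrong hostname. It assumes openssl is on PATH; the config contents, subject names, hostname and file names are constructed.

```shell
# Added example, not code from the original article: a minimal two-level PKI
# with req/x509, then chain and hostname checks with openssl verify.
# Assumes openssl on PATH; all names, paths and the hostname are constructed.

# Self-signed root in directory $1. The config is passed explicitly so the
# result does not depend on the system openssl.cnf; the x509_extensions section
# matters because openssl verify rejects an issuer without CA:TRUE.
make_root_ca() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out "$1/ca.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/ca.pem" -config "$1/req.cnf" \
        -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out "$1/ca.cer"
}

# Server key and CSR in directory $1 (where make_root_ca already wrote req.cnf),
# then a leaf certificate issued by that CA. The SAN is what TLS clients match
# the hostname against; the CN alone is no longer enough.
issue_server_cert() {   # $1 = directory, $2 = hostname
    openssl genrsa -out "$1/server.pem" 2048 2>/dev/null
    openssl req -new -key "$1/server.pem" -config "$1/req.cnf" \
        -subj "/CN=$2" -out "$1/server.csr"
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$2" > "$1/server.ext"
    openssl x509 -sha256 -req -days 365 -in "$1/server.csr" -extfile "$1/server.ext" \
        -CA "$1/ca.cer" -CAkey "$1/ca.pem" -CAcreateserial -out "$1/server.cer"
}

# Chain check against one explicit trust anchor (not the system store) plus a
# hostname check against the SAN. Exit status 0 only if both pass.
verify_leaf() {   # $1 = CA cert, $2 = leaf cert, $3 = expected hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo: prints "ok" when the leaf verifies against its own CA and hostname and is
# rejected both for an unrelated CA and for a different hostname.
pki_demo() {
    dir=$(mktemp -d)
    mkdir "$dir/good" "$dir/other"
    make_root_ca "$dir/good"
    make_root_ca "$dir/other"
    issue_server_cert "$dir/good" "www.example.com" 2>/dev/null
    result="fail"
    if   verify_leaf "$dir/good/ca.cer"  "$dir/good/server.cer" "www.example.com" &&
       ! verify_leaf "$dir/other/ca.cer" "$dir/good/server.cer" "www.example.com" &&
       ! verify_leaf "$dir/good/ca.cer"  "$dir/good/server.cer" "evil.example.com"; then
        result="ok"
    fi
    rm -rf "$dir"
    echo "$result"
}
```

Inspect a CSR with openssl req -in server.csr -noout -subject before signing it: the requester chooses the subject, but the CA decides what actually goes into the certificate, and the -extfile is where the CA imposes its own extensions rather than copying whatever the request asked for.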

Miscellaneous

The rand subcommand generates random bytes, and passwd creates Unix password hashes.

openssl rand -hex 3
openssl passwd 12345
openssl passwd -salt 'z' 12345

Verify a certificate chain with openssl verify (by default against the system trust store; pass -CAfile to check against a specific CA), and test TLS connections using s_server and s_client:

openssl verify cert.pem
openssl s_server -cert mycert.pem -www -accept 4433
openssl s_client -connect remote.host:4433
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
