BestHub
Sign in
Information Security 8 min read

Master OpenSSL on CentOS: Install, Upgrade, and Generate RSA/SM2 Keys

This article explains OpenSSL’s origins, its role in encryption on CentOS, common use cases such as web servers and database security, provides step‑by‑step installation and upgrade commands, and demonstrates how to generate RSA, SM2, AES, and SM4 keys via the OpenSSL command line and Java alternatives.

Lin is Dream
Lin is Dream
Lin is Dream
Master OpenSSL on CentOS: Install, Upgrade, and Generate RSA/SM2 Keys

During development you often encounter cryptographic algorithms and OpenSSL. This article explains OpenSSL’s origin and usage.

OpenSSL is an open‑source project originally developed by Eric Young and Tim Hudson in 1998, written in C. It implements many encryption algorithms and the SSL/TLS protocol stack, including symmetric, asymmetric, and hash algorithms, and since recent versions also supports the Chinese SM2 standard.

OpenSSL usage scenarios

OpenSSL is used in CentOS for various purposes, such as:

Web server e.g., Nginx, Apache use OpenSSL to enable SSL/TLS for HTTPS.

Database encryption Databases like MySQL, PostgreSQL use OpenSSL to encrypt connections via SSL/TLS.

Command‑line tools Use the openssl command to generate certificates, keys, CSR, etc.

Thus OpenSSL is a fundamental tool in CentOS for network security and encrypted communication.

OpenSSL installation and upgrade

OpenSSL is usually pre‑installed on the system; if not, install it with:

# View OpenSSL version (1.1.1 is not the latest, current is 3.x
openssl version

# CentOS 7 install
sudo yum install openssl

# CentOS 7 upgrade
sudo yum update openssl

# Install development package
sudo yum install openssl-devel

List supported algorithms

# List all cipher algorithms supported by OpenSSL
openssl list -cipher-algorithms

Generate keys with the OpenSSL command line

1. Generate RSA public‑private key pair

# Generate RSA private key
openssl genpkey -algorithm RSA -out rsa_private_key.pem -aes256
# Generate RSA public key
openssl rsa -pubout -in rsa_private_key.pem -out rsa_public_key.pem

2. Generate RSA public certificate

# Create certificate signing request (CSR)
openssl req -new -key rsa_private_key.pem -out rsa_request.csr
# Create public certificate, valid for 365 days
openssl x509 -req -in rsa_request.csr -signkey rsa_private_key.pem -out rsa_certificate.crt -days 365

3. Generate SM2 public‑private key pair

# Use GMSSL (or OpenSSL 3.x) to generate SM2 keys
gmssl genpkey -algorithm SM2 -out sm2_private_key.pem
gmssl pkey -in sm2_private_key.pem -pubout -out sm2_public_key.pem

4. Generate AES key

# Generate a 256‑bit AES key
openssl rand -out aes_key.bin 32
# Output as Base64
openssl base64 -in aes_key.bin -out aes_key_base64.txt
# Output as hex
xxd -p aes_key.bin > aes_key_hex.txt

5. Generate SM4 key

# Generate a 128‑bit SM4 key (16 bytes)
openssl rand -out sm4_key.bin 16
# Output as hex
xxd -p sm4_key.bin > sm4_key_hex.txt
# Output as Base64
openssl base64 -in sm4_key.bin -out sm4_key_base64.txt

Is there a Java version of OpenSSL?

Although OpenSSL is written in C, Java developers can use libraries that provide similar functionality.

1. Bouncy Castle

Bouncy Castle is a widely used Java cryptography library that supports RSA, ECC, AES, SM2, SM3, SM4 and many other algorithms, offering a Java‑native implementation of many OpenSSL operations.

Advantages

Rich set of algorithms including symmetric, asymmetric, hash, and signatures.

Pure Java implementation, compatible with all Java platforms.

Supports Chinese national standards SM2, SM3, SM4.

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.security.*;
import javax.crypto.*;

public class Example {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC");
        keyGen.initialize(2048);
        KeyPair keyPair = keyGen.generateKeyPair();
        Cipher cipher = Cipher.getInstance("RSA", "BC");
        cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        byte[] encryptedData = cipher.doFinal("Hello OpenSSL".getBytes());
        System.out.println(new String(encryptedData));
    }
}

2. Java Cryptography Extension (JCE)

JCE is part of the Java standard library and provides strong cryptographic capabilities, though it does not include some specialized algorithms (e.g., SM2, SM3, SM4) without additional providers.

import java.security.*;
import javax.crypto.Cipher;

public class JCEExample {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(2048);
        KeyPair keyPair = keyGen.generateKeyPair();
        Cipher cipher = Cipher.getInstance("RSA");
        cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        byte[] encryptedData = cipher.doFinal("Hello OpenSSL".getBytes());
        System.out.println(new String(encryptedData));
    }
}
JavaRSAEncryptionOpenSSLSM2CentOSkey generation
Lin is Dream
Written by

Lin is Dream

Sharing Java developer knowledge, practical articles, and continuous insights into computer engineering.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment