OpenSSL for Hacker

January 10, 2025
Cybersecurity & Hacking, OpenSSL, Security, Encryption, PKI

Mastering OpenSSL

OpenSSL is a robust, full-featured, open-source toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL). This cheat sheet walks you through generating, inspecting, and converting cryptographic keys and certificates.

⚠️ Learn how to use OpenSSL for generating RSA, DSA, and EC keys, creating CSRs and self-signed certificates, and converting between PEM, DER, and PFX formats.


Generate Public and Private Keys

RSA Keys

Generate a 2048-bit RSA private key

openssl genrsa -out KEY1.pem 2048

Generate a 4096-bit RSA private key encrypted with AES-128

openssl genrsa -out KEY2.pem -aes128 4096

You can also use -aes192, -aes256, -des3, or -des to select a different cipher.

πŸ“ DSA Keys

Generate DSA parameter file

1openssl dsaparam -out DSA-PARAM.pem 1024

Generate DSA key using parameters

1openssl gendsa -out DSA-KEY.pem DSA-PARAM.p

Generate parameters and key in one step

1openssl dsaparam -genkey -out DSA-PARAM-KEY.pem 2048

πŸ” EC (Elliptic Curve) Keys

Generate EC parameters

1openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out EC-PARAM.pem

Generate EC key using parameters

1openssl genpkey -paramfile EC-PARAM.pem -out EC-KEY.pem

Generate EC key directly

1openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out EC-KEY.pem

List all supported EC curves

1openssl ecparam -list_curves

Generate Certificate Signing Requests (CSRs) and Self-Signed Certificates

Certificate Signing Requests (CSR)

Generate CSR from existing private key

openssl req -new -key KEY.pem -out CSR.pem

Generate new private key and CSR

openssl req -new -newkey rsa:2048 -nodes -keyout KEY.pem -out CSR.pem

Generate Self-Signed Certificates

Generate Certificate with existing Private Key file

openssl req -x509 -key KEY.pem -out CERT.pem

Generate Certificate and new Private Key file

openssl req -x509 -newkey rsa:2048 -nodes -keyout KEY.pem -out CERT.pem

πŸ” Inspect Keys

πŸ” RSA Keys

Convert an RSA Private Key into text

1openssl rsa -in KEY.pem -noout -text

Remove encryption from an RSA key file

1openssl rsa -in ENCRYPTED-KEY.pem -out KEY.pem

Encrypt an RSA Key File

1openssl rsa -in KEY.pem -aes128 -out ENCRYPTED-KEY.pem

πŸ“ DSA Keys

Inspect DSA Parameters file

1openssl dsaparam -in DSA-PARAM.pem -text -noout

Inspect DSA Private Key file

1openssl dsa -in DSA-KEY.pem -text -noout

πŸ” EC Keys

Inspect Elliptic Curve (EC) Parameters file

1openssl ecparam -in EC-PARAM.pem -text -noout

Inspect Elliptic Curve (EC) Private Key file

1openssl ec -in EC-KEY.pem -text -noout

Inspect any Key file using pkey utility

Convert any Private Key file into text (RSA, DSA, or EC)

openssl pkey -in KEY.pem -noout -text

Extract only Public Key as text from any Key file

openssl pkey -in KEY.pem -noout -text_pub

Extract only Public Key in PEM format

openssl pkey -in KEY.pem -pubout

Check if RSA Key matches a CSR or Cert

Compare Modulus values to see if files match each other

openssl rsa -in KEY.pem -noout -modulus
openssl req -in CSR.pem -noout -modulus
openssl x509 -in CERT.pem -noout -modulus

Check if EC Key matches a CSR or Cert

Compare Public Key values to see if files match each other

openssl req -in EC-CSR.pem -noout -pubkey
openssl x509 -in EC-CERT.pem -noout -pubkey
openssl ec -in EC-KEY.pem -pubout
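
The two checks above, generalized into one script as an added example (not part of the original cheat sheet): it hashes the DER-encoded public key taken from each file, so the same comparison works for RSA, DSA and EC. The helper names, the temp-dir sample files and the CN example.test are constructed for the demonstration, and the private keys are assumed to be unencrypted.

```shell
#!/bin/sh
# Added example. pub_pem, pub_digest, same_keypair and make_samples are
# hypothetical helper names; all sample files are constructed in a temp dir.

# Print the public key (PEM) held in FILE; KIND is key, csr or cert.
pub_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Print the SHA-256 of the DER SubjectPublicKeyInfo, so RSA, DSA and EC
# are compared the same way. Fails instead of hashing empty input.
pub_digest() {
    pem=$(pub_pem "$1" "$2") && [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if KEY, CSR and CERT carry the same public key, 1 if they differ,
# 2 if any file could not be parsed.
same_keypair() {
    k=$(pub_digest key "$1")  || return 2
    r=$(pub_digest csr "$2")  || return 2
    c=$(pub_digest cert "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample material: two EC keys, plus a CSR and cert for the first.
make_samples() {
    for n in a b; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
            -out "$1/$n.key" 2>/dev/null || return 1
    done
    openssl req -new -key "$1/a.key" -subj "/CN=example.test" -out "$1/a.csr" &&
    openssl req -new -x509 -key "$1/a.key" -subj "/CN=example.test" \
        -days 1 -out "$1/a.crt"
}

tmp=$(mktemp -d) && make_samples "$tmp"
same_keypair "$tmp/a.key" "$tmp/a.csr" "$tmp/a.crt" && echo "a.*: same key pair"
same_keypair "$tmp/b.key" "$tmp/a.csr" "$tmp/a.crt" || echo "b.key: mismatch ($?)"
```

An exit status of 2 means a file could not be parsed, which keeps an unreadable input from being reported as a match.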

Inspect Certificate Signing Requests (CSRs) and Certificates

View contents of Certs and CSRs

View x509 Certificate as human readable Text

openssl x509 -in CERT.pem -noout -text

View Certificate Signing Request (CSR) contents as Text

openssl req -in CSR.pem -noout -text

Extract Specific Info from Certificates

Extract specific pieces of information from x509 Certificates

openssl x509 -in CERT.pem -noout -dates
openssl x509 -in CERT.pem -noout -issuer -subject

Extract x509 Certificate Extensions

Extract specific Extension(s) from a certificate

openssl x509 -in CERT.pem -noout -ext subjectAltName
openssl x509 -in CERT.pem -noout -ext authorityInfoAccess,crlDistributionPoints

Extract all Extensions from a certificate

openssl x509 -in CERT.pem -noout -text | sed '/X509v3 extensions/,/Signature Algorithm:/!d'

πŸ” File Formats and Converting between formats (PEM, DER, PFX)

πŸ“‚ Check if file is PEM, DER, or PFX

Check if file is PEM format

1openssl x509 -in FILE

Check if file is DER format

1openssl x509 -in FILE -inform DER

Check if file is PFX format

1openssl pkcs12 -in FILE -nodes
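
An added example (not from the original page) that wraps the three checks above in one function. It looks for the PEM header itself rather than relying on the exit status of openssl x509 -in FILE alone, because newer OpenSSL releases can auto-detect the encoding when -inform is omitted, and it passes -noout to pkcs12 so that no private key is printed. detect_format, make_samples, the sample files and the password "test" are constructed assumptions.

```shell
#!/bin/sh
# Added example. detect_format and make_samples are hypothetical helper names;
# the sample files and the PFX password "test" are constructed for the demo.

# Print PEM, DER, PFX or unknown for FILE. PASS is the PFX import password
# (default: empty). Only certificate containers are recognised, and a PFX
# opened with the wrong password is reported as unknown.
detect_format() {
    file=$1 pass=${2-}
    [ -r "$file" ] || { echo unknown; return 1; }
    # PEM is text: require the armor header before asking OpenSSL to parse it.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$file" &&
       openssl x509 -in "$file" -inform PEM -noout 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$file" -inform DER -noout 2>/dev/null; then
        echo DER
    elif openssl pkcs12 -in "$file" -noout -passin "pass:$pass" 2>/dev/null; then
        echo PFX
    else
        echo unknown; return 1
    fi
}

# Constructed samples: one self-signed cert in all three encodings, plus junk.
make_samples() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der" &&
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -passout pass:test -out "$1/bundle.pfx" &&
    printf 'not a certificate\n' > "$1/junk.bin"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in cert.pem cert.der bundle.pfx junk.bin; do
    printf '%s: %s\n' "$f" "$(detect_format "$tmp/$f" test)"
done
```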

Convert Between Formats

Convert PEM Certificate file to DER

openssl x509 -in CERT.pem -outform DER -out CERT.der

Convert DER Certificate file to PEM

openssl x509 -in CERT.der -inform der -out CERT.pem

Convert PEM Certificate(s) to PFX

openssl pkcs12 -in CERTS.pem -nokeys -export -out CERTS.pfx

Extract everything within a PFX file as a PEM file

openssl pkcs12 -in FILE.pfx -out EVERYTHING.pem -nodes

Extract only the Private Key from a PFX file as PEM

openssl pkcs12 -in FILE.pfx -out KEY.pem -nodes -nocerts

Final Thoughts

OpenSSL is an indispensable tool in any security-conscious developer's or DevOps engineer's toolkit. Whether you’re issuing CSRs, managing certificates, or debugging TLS issues, this guide should have you covered.