OpenSSL has been one of the most widely used certificate management and generation pieces of software for much of modern computing.
OpenSSL can also be seen as a complicated piece of software with many options that are often compounded by the myriad of ways to configure and provision SSL certificates.
OpenSSL is included in most Linux distributions. On Ubuntu, running apt install openssl ensures that the binary is available and at the newest version in the package repository. OpenSSL on Windows is a bit trickier, as you need to install a pre-compiled binary to get started.
One such source providing pre-compiled OpenSSL binaries is the following site by SLProWeb. Offering both executables and MSI installations, the recommended end-user version is the Light x64 MSI installation. The default options are the easiest to get started.
Verify that the installation works by running the following command. Note that this command was run in the PowerShell environment (hence the & preceding the command).
& "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" version
To make running this command easier, you can modify the path within PowerShell to include the executable's directory: $Env:Path = $Env:Path + ";C:\Program Files\OpenSSL-Win64\bin"
Provisioning a Certificate
There are many different ways to generate certificates, but the use cases that usually come up are the following.
- Self-Signed Certificates
- Certificate Signing Requests (CSR)
- Checking Certificate Information
A common server operation is to generate a self-signed certificate. There are many reasons for doing this, such as testing or encrypting communications between internal servers. The command below generates a private key and a certificate.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.key -out certificate.crt
Let's break down the various parameters to understand what is happening.
- req - Command passed to OpenSSL intended for creating and processing certificate requests usually in the PKCS#10 format.
- -x509 - Tells req to output a self-signed certificate rather than a certificate request, so OpenSSL signs the certificate itself, somewhat like a certificate authority would. X.509 is the format of the digitally signed certificate, as defined in RFC 5280.
- -sha256 - The message digest to use when signing the certificate.
- -nodes - Short for "no DES", meaning that the private key is written out unencrypted and is not password protected.
- -days - The number of days that the certificate will be valid.
- -newkey - The type and size of the key to generate, in this case a 4096-bit RSA key.
- -keyout - The location to output the private key of the self-signed certificate.
- -out - The location to output the certificate file itself.
Once the certificate has been generated, we should verify that it is correct according to the parameters that we have set.
openssl x509 -in certificate.crt -text -noout
The parameters here are for checking an x509 type certificate. The combination allows the certificate to be output in a format that is more easily readable by a person.
- x509 - This is a multipurpose command; combined with the other parameters here, it retrieves information about the certificate passed in.
- -in - The certificate that we are verifying.
- -text - Prints the certificate contents in human-readable text form.
- -noout - Suppresses output of the encoded version of the certificate, so that only the text form is shown.
Certificate Signing Request
The next most common use case of OpenSSL is to create certificate signing requests for requesting a certificate from a certificate authority that is trusted.
openssl req -new -newkey rsa:2048 -nodes -out request.csr -keyout private.key
Similar to the previous command for generating a self-signed certificate, this command generates a CSR. You will notice that the -x509, -sha256, and -days parameters are missing. By leaving those off, we are telling OpenSSL that another certificate authority will issue the certificate. We keep the -nodes option so that the private key is not password protected and no passphrase prompt appears.
To verify that the CSR is correct, we once again run a similar command but with an added parameter, -verify. This command will validate that the generated CSR is correct. This is a prudent step to take before submitting to a certificate authority.
openssl req -in request.csr -text -noout -verify
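The script below is an added example and not code from the original article. It runs the article's self-signed certificate and CSR commands non-interactively (the -subj and -addext options are assumed extras that avoid the prompts and add a subjectAltName) and then checks the results against the parameters that were requested, including that the CSR's public key matches the private key you will keep. It assumes openssl 1.1.1 or newer on PATH and a writable TMPDIR; the host name is a made-up placeholder.

```shell
#!/bin/sh
# Added example: generate the article's self-signed certificate and CSR, then
# verify the output matches what was requested. Host name is constructed.
set -eu
WORK="${TMPDIR:-/tmp}/openssl-demo.$$"; mkdir -p "$WORK"
HOST="test.internal.example"   # placeholder subject, not a real host

# Self-signed certificate as in the article; -subj avoids the interactive
# prompts and -addext adds the SAN that modern clients require beside the CN.
gen_selfsigned() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/private.key" -out "$WORK/certificate.crt" 2>/dev/null
}

# Read back the signature algorithm and RSA key size from `x509 -text`.
cert_summary() {
  openssl x509 -in "$WORK/certificate.crt" -noout -text | awk '
    /Signature Algorithm:/ && sig == "" { sig = $3 }
    /Public-Key:/ { bits = $0; sub(/.*\(/, "", bits); sub(/ bit\).*/, "", bits) }
    END { print sig, bits }'
}

# Validity check: the certificate must still be valid 364 days from now but
# not 366 days from now, i.e. the requested -days 365 took effect.
cert_valid_365() {
  openssl x509 -in "$WORK/certificate.crt" -noout -checkend 31449600 >/dev/null &&
  ! openssl x509 -in "$WORK/certificate.crt" -noout -checkend 31622400 >/dev/null
}

# CSR as in the article, plus two checks worth doing before sending it to a
# CA: the request's own signature verifies, and its public key belongs to
# the private key generated alongside it.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/csr.key" -out "$WORK/request.csr" 2>/dev/null
}
csr_ok() {
  openssl req -in "$WORK/request.csr" -noout -verify >/dev/null 2>&1 &&
  openssl req -in "$WORK/request.csr" -noout -pubkey > "$WORK/csr.pub" &&
  openssl pkey -in "$WORK/csr.key" -pubout > "$WORK/key.pub" 2>/dev/null &&
  cmp -s "$WORK/csr.pub" "$WORK/key.pub"
}

gen_selfsigned; gen_csr
echo "certificate: $(cert_summary)"
cert_valid_365 && csr_ok && echo "all requested parameters verified"
```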
OpenSSL is a complex and powerful program. Although this article just scratches the surface of what can be done, these are common and important operations that are generally performed by system administrators. There is much more to learn, but with this as a starting point, an IT professional will have a great foundation to build on!