OpenSSL is the most widely used toolkit for the SSL and TLS protocols. The openssl binary is very powerful, but because of the number of options it is difficult to remember all the combinations. Here you will find the most common commands.


Private Key


Create an RSA private key
openssl genrsa -out private.key 2048

Note: it is recommended to generate a new private key each time you renew your certificate. Keep the key file readable only by its owner (chmod 600 private.key): anyone who can read it can impersonate your server.


Create an RSA private key protected by a passphrase
openssl genrsa -aes256 -out private.key 2048

Note: older guides use -des3 instead of -aes256; it still works, but 3DES is a legacy cipher and AES-256 is the better choice. OpenSSL will prompt for the passphrase every time the key is used (creating a CSR, starting a server, and so on).


Remove a passphrase from a private key
openssl rsa -in private.key -out newprivate.key

Note: newprivate.key is stored unencrypted, so file permissions are its only protection. Restrict them (chmod 600) and keep the file off shared or backed-up locations you do not control. Services that must start without a human typing a passphrase usually need this form.


Check a private key
openssl rsa -in private.key -check -noout

Note: -check validates the RSA key components (it prints "RSA key ok"); -noout avoids echoing the key itself to the terminal.

X509 Certificate


Create a Certificate Signing Request (CSR) with a new private key
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out certificate.csr

Note: a CSR is what you submit to a certification authority (CA) to obtain a signed certificate; only the CSR leaves your machine, never the private key. -nodes leaves the new private key unencrypted.


Create a Certificate Signing Request (CSR) with an existing private key
openssl req -new -key private.key -out certificate.csr



Create a Certificate Signing Request (CSR) signed with SHA-256/SHA-512 (SHA-2), because SHA-1 is weak
openssl req -new -newkey rsa:2048 -nodes -sha256 -out certificate.sha256.csr -keyout private.key

Note: for SHA-512, replace -sha256 with -sha512. This option only selects the digest used to sign the CSR itself; the digest in the final certificate is chosen by the CA that signs it, so make sure your CA signs with SHA-256 or SHA-512. Since OpenSSL 1.1.0 the default digest is already SHA-256.

Note: this example creates a new private key, but -sha256 can be combined with the other req commands above.


Sign a Certificate Signing Request (CSR)
openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out server.crt

Note: with -signkey the CSR is signed by its own private key, so the result is a self-signed certificate. To have your own CA sign it instead, replace -signkey private.key with -CA ca.crt -CAkey ca.key -CAcreateserial (see Create a Certificate Authority below). A public CA never runs this command for you; you send them the CSR.


Create a self-signed certificate
openssl req -newkey rsa:2048 -keyout private.key -out certificate.crt -x509 -nodes -days 365

Note: browsers will show an error for a self-signed certificate until you add it to their trust store. A self-signed certificate gives the same encryption strength as a CA-signed one; what it lacks is third-party attestation that the key really belongs to the site's owner, so a client that does not already trust it cannot tell it apart from an attacker's certificate.


Create a Certificate Authority
openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.crt -days 365

Note: the v3_ca section comes from your openssl.cnf and marks the certificate as a CA (basicConstraints CA:TRUE). You can then use ca.key and ca.crt to sign CSRs. Anyone holding ca.key can issue certificates trusted by every client that trusts ca.crt, so keep it passphrase-protected and, ideally, offline.


Inspect a Certificate Signing Request
openssl req -in certificate.csr -text -noout

Inspect a Certificate
openssl x509 -in certificate.crt -text -noout

Miscellaneous


Use OpenSSL to benchmark your CPU
openssl speed sha1

Note: this is only a rough CPU benchmark. Run openssl speed with no arguments to test every algorithm, or name another one (for example aes-256-cbc or rsa2048) to compare them.


Verify that a CSR, a private key and a certificate match
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl req -noout -modulus -in certificate.csr | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Note: if the three digests are identical, certificate.csr was generated from private.key and certificate.crt was issued for that key. MD5 is used here only as a short fingerprint for eyeballing, not for security. -modulus only works for RSA keys; for any key type compare the public keys instead (openssl pkey -pubout, openssl req -pubkey -noout, openssl x509 -pubkey -noout) and hash those.
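The script below is an added example, not part of the original cheat sheet, that ties together the CSR, Create a Certificate Authority, Sign a CSR, inspection and key-matching commands above into one runnable whole. Instead of relying on the v3_ca section of the system openssl.cnf, it writes its own small config with explicit CA and server extensions (including a subjectAltName, which modern clients require), signs the CSR with the CA's key rather than -signkey, checks the result with openssl verify, and compares public-key digests rather than RSA moduli so the check also works for non-RSA keys. The CA name "Demo Root CA", the hostnames www.example.test and example.test, the file names and the 4096/2048-bit key sizes are assumptions for the demonstration; it only needs the openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: build a private CA,
# issue a server certificate from a CSR, then verify the chain, the hostname
# and that key, CSR and certificate carry the same public key.
# Subjects, hostnames (www.example.test), file names and key sizes are assumptions.
set -eu

# Explicit config so the result does not depend on the distribution's
# openssl.cnf. v3_ca makes a certificate usable as a CA; v3_leaf makes
# one usable as a TLS server certificate.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
# placeholder only; -subj on the command line overrides it
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# make_pki DIR: CA key + self-signed CA cert, server key + CSR, CA-signed cert.
make_pki() {
    mkdir -p "$1"
    write_config "$1/demo.cnf"

    # CA: the key that signs everything else; keep it offline in real use.
    openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -config "$1/demo.cnf" -extensions v3_ca -sha256 \
        -days 365 -key "$1/ca.key" -subj "/CN=Demo Root CA" -out "$1/ca.crt"

    # Server: new key and CSR, then the CA signs the CSR (-CA/-CAkey, not
    # -signkey, which would self-sign). Extensions are set by the CA side.
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -config "$1/demo.cnf" -sha256 -key "$1/server.key" \
        -subj "/CN=www.example.test" -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$1/demo.cnf" -extensions v3_leaf -out "$1/server.crt" 2>/dev/null
}

# verify_chain DIR HOST: succeeds only if server.crt chains to ca.crt and its
# subjectAltName covers HOST (the CN alone is ignored by modern clients).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# pubkey_digest FILE: SHA-256 of the public key held in a key, CSR or cert.
# Comparing public keys works for any key type, unlike -modulus (RSA only).
pubkey_digest() {
    case $1 in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
    esac | openssl dgst -sha256 -r | cut -d' ' -f1
}

# keys_match DIR: key, CSR and certificate all carry the same public key.
keys_match() {
    k=$(pubkey_digest "$1/server.key")
    [ "$k" = "$(pubkey_digest "$1/server.csr")" ] &&
    [ "$k" = "$(pubkey_digest "$1/server.crt")" ]
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_pki "$demo"
openssl x509 -in "$demo/server.crt" -noout -subject -issuer
verify_chain "$demo" www.example.test && echo "chain and hostname OK"
keys_match "$demo" && echo "key, CSR and certificate match"
```

Run it as a plain sh script; it works in a temporary directory that is removed on exit. Two details are worth noticing: the hostname check fails for any name not listed in subjectAltName even though the CN matches, and the leaf certificate's extensions come from the signer's -extfile, so a CSR cannot grant itself CA:TRUE or extra names.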