SSL Notes

6 minute read

OpenSSL is a wonderful technology and the openssl toolset is truly a Swiss Armyknife. But I don’t use it on a daily basis and therefore I tend to forget how to use it. These notes show the common actions I need to perform with it, making it easy to simply copy and paste and move on with the more fun parts in life.

Generate a private key

$ openssl genrsa -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
......................+++
e is 65537 (0x10001)

Generate a CSR

$ openssl req -new -key privkey.pem -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Antwerp
Locality Name (eg, city) []:Baal
Organization Name (eg, company) [Internet Widgits Pty Ltd]:2Know BVBA
Organizational Unit Name (eg, section) []:Operations
Common Name (eg, YOUR name) []:Christophe VG
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Display CSR content

$ openssl req -text -noout -in cert.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=BE, ST=Antwerp, L=Baal, O=2Know BVBA, OU=Operations, CN=Christophe VG/emailAddress=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ae:88:b4:44:44:4e:fe:48:84:65:a2:5d:0f:20:
										...
                    60:6c:9c:6e:ca:81:12:b0:15:97:f3:4a:5b:7b:3a:
                    7d:e3
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        22:f6:ca:35:fb:0c:ff:a5:7d:a0:5a:93:77:49:00:c6:b1:fc:
				...
        bd:b5:fb:71:77:3c:ef:6b:aa:dc:65:c8:5b:a5:12:a3:b9:19:
        ff:1d:bd:ae

(Self-)sign a certificate

$ openssl x509 -req -days 365 -in cert.csr -signkey privkey.pem -out server.crt
Signature ok
subject=/C=BE/ST=Antwerp/L=Baal/O=2Know BVBA/OU=Operations/CN=Christophe VG
Getting Private key

Display certificate content

$ openssl x509 -text -in server.cert
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f0:f2:34:32:6f:cd:93:79
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, ST=Antwerp, L=Baal, O=2Know BVBA, OU=Operations, CN=Christophe VG
        Validity
            Not Before: Mar 22 08:53:35 2011 GMT
            Not After : Mar 21 08:53:35 2012 GMT
        Subject: C=BE, ST=Antwerp, L=Baal, O=2Know BVBA, OU=Operations, CN=Christophe VG
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bb:fa:bf:d4:fd:77:87:e1:b8:e0:ad:2c:48:a0:
                    25:80:c3:bc:c1:9f:84:57:af:34:3b:53:ba:fe:d5:
										...
                    82:0f:90:57:1c:0c:ca:dc:ea:93:39:b3:03:43:d4:
                    b2:c5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        56:9b:39:77:8b:94:0d:e7:7a:70:a8:c9:7c:a9:f3:83:83:b4:
        d4:51:8b:37:e0:a2:55:74:37:6a:fe:d9:ec:8d:84:06:83:fe:
				...
        41:ba:39:cd:cc:4c:39:be:bf:65:61:73:23:dc:26:8f:d4:1f:
        d5:0d:e0:30
-----BEGIN CERTIFICATE-----
MIIDYjCCAkoCCQDw8jQyb82TeTANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJC
RTEQMA4GA1UECBMHQW50d2VycDEQMA4GA1UEBxMHU2NocmllazETMBEGA1UEChMK
...
QitnBMnEHpoIynoQOcmu0MQjED3kEfl/CfvTTUZmylFBujnNzEw5vr9lYXMj3CaP
1B/VDeAw
-----END CERTIFICATE-----

Verify a certificate

$ openssl verify server.crt 
server.crt: /C=BE/ST=Antwerp/L=Baal/O=2Know BVBA/OU=Operations/CN=Christophe VG
error 18 at 0 depth lookup:self signed certificate
OK

Convert a PEM private key to PKCS#8

$ openssl pkcs8 -in privkey.pem -topk8 -v2 des3 -nocrypt -outform DER -out privkey.p8c

$ cat privkey.p8c
??0?????X?|?T?f
 Z?4?wly???y????&
?x???}??=
  2~?]G??{Ư???1(o?)m??w?I????CM@?????E?*????@yP?@z b?2??"|U`g????v?WB*?
...

Base64 encode a file (e.g. a PKCS#8 private key)

$ openssl enc -base64 -in privkey.p8c -out privkey.p8c.base64

$ cat privkey.p8c.base64 
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCh/lg/fJVUk2YQ
Bg3uHwta3jSnd2x5orOjea+GxMkmCgX2eMJN35QUtcXUfb2fPQwyfpZdR7jpgXvG
...

Encrypt/decrypt a (large) file

# Generate some data

$ echo "This is a secret" > info.txt
 
$ zip plainfile info.txt 
  adding: info.txt (stored 0%)
 
$ ls -l
total 16
-rw-r--r--  1 xtof  staff   17 Jan 22 12:29 info.txt
-rw-r--r--  1 xtof  staff  183 Jan 22 12:30 plainfile.zip
 
# One Time Setup of Key Infrastructure
# 1. generate private key
# 2. generate certificate for private key

$ openssl genrsa -aes256 -out private.pem 8912
Generating RSA private key, 8912 bit long modulus
......................................................................................++
..........................................................................................++
e is 65537 (0x10001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:
 
$ openssl req -x509 -new -days 100000 -key private_key.pem -out certificate.pem
Enter pass phrase for private_key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:BE
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
 
# Encryption using certificate

$ openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER certificate.pem
 
$ ls -l
total 72
-rw-r--r--  1 xtof  staff  3321 Jan 22 12:32 certificate.pem
-rw-r--r--  1 xtof  staff  1452 Jan 22 12:34 encrypted.zip.enc
-rw-r--r--  1 xtof  staff    17 Jan 22 12:29 info.txt
-rw-r--r--  1 xtof  staff   183 Jan 22 12:30 plainfile.zip
-rw-r--r--  1 xtof  staff  7011 Jan 22 12:30 private.pem
-rw-r--r--  1 xtof  staff  7078 Jan 22 12:32 private_key.pem
-rw-r--r--  1 xtof  staff  1612 Jan 22 12:30 public.pem
 
# Decryption using private key
 
$ openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private_key.pem
Enter pass phrase for private_key.pem:
 
$ ls -l
total 80
-rw-r--r--  1 xtof  staff  3321 Jan 22 12:32 certificate.pem
-rw-r--r--  1 xtof  staff   183 Jan 22 12:35 decrypted.zip
-rw-r--r--  1 xtof  staff  1452 Jan 22 12:34 encrypted.zip.enc
-rw-r--r--  1 xtof  staff    17 Jan 22 12:29 info.txt
-rw-r--r--  1 xtof  staff   183 Jan 22 12:30 plainfile.zip
-rw-r--r--  1 xtof  staff  7011 Jan 22 12:30 private.pem
-rw-r--r--  1 xtof  staff  7078 Jan 22 12:32 private_key.pem
-rw-r--r--  1 xtof  staff  1612 Jan 22 12:30 public.pem
 
$ unzip decrypted.zip 
Archive:  decrypted.zip
replace info.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: decrypted_info.txt
 extracting: decrypted_info.txt      
 
$ cat decrypted_info.txt 
This is a secret

Makefile

The following Makefile implements all steps to generate data, setup the key infrastructure and perform the encryption/decryption

all: data.decrypted.txt
	@echo "### content of $<"
	cat $<

data.txt:
	@echo "### generating $@"
	date > $@
	echo "big secret" >> $@
	@echo "generated data:"
	cat $@

data.zip: data.txt
	@echo "### zipping $<"
	zip data $<

private.pem:
	@echo "### creating private key: $@"
	openssl genrsa -aes256 -out $@ 8912

certificate.pem: private.pem
	@echo "### creating certificate: $@ from $<"
	openssl req -x509 -new -days 100000 -key $< -out $@

%.zip.enc: %.zip certificate.pem
	@echo "encrypting $< into $@"
	openssl smime -encrypt -binary -aes-256-cbc -in $< -out $@ -outform DER $(word 2,$^)

%.decrypted.zip: %.zip.enc private.pem
	@echo "### decrypting $< into $@"
	openssl smime -decrypt -binary -in $< -inform DER -out $@ -inkey $(word 2,$^)

%.decrypted.txt: %.decrypted.zip
	@echo "### unzipping $*.txt into $@"
	unzip -p $< $*.txt > $@

clean:
	@rm *.*

Running it and providing a pass phrase three time shows the entire process:

$ make
### generating data.txt
date > data.txt
echo "big secret" >> data.txt
generated data:
cat data.txt
Sat Jan 23 15:22:13 CET 2021
big secret
### zipping data.txt
zip data data.txt
  adding: data.txt (stored 0%)
### creating private key: private.pem
openssl genrsa -aes256 -out private.pem 8912
Generating RSA private key, 8912 bit long modulus
...................................................................................................................................................................................................++
................++
e is 65537 (0x10001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:
### creating certificate: certificate.pem from private.pem
openssl req -x509 -new -days 100000 -key private.pem -out certificate.pem
Enter pass phrase for private.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:BE
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
encrypting data.zip into data.zip.enc
openssl smime -encrypt -binary -aes-256-cbc -in data.zip -out data.zip.enc -outform DER certificate.pem
### decrypting data.zip.enc into data.decrypted.zip
openssl smime -decrypt -binary -in data.zip.enc -inform DER -out data.decrypted.zip -inkey private.pem
Enter pass phrase for private.pem:
### unzipping data.txt into data.decrypted.txt
unzip -p data.decrypted.zip data.txt > data.decrypted.txt
### content of decrypted data.decrypted.txt
cat data.decrypted.txt
Sat Jan 23 15:22:13 CET 2021
big secret
rm data.decrypted.zip data.zip.enc

References