Tuesday, December 26, 2006

OpenSSL Usage

List available Ciphers:
openssl ciphers -v
openssl ciphers -v 'TLSv1' #only TLS 1 ciphers
openssl ciphers -v 'TLSv1.2' #only TLS 1.2 ciphers
openssl list-cipher-commands #OpenSSL 1.1.0 and later: openssl list -cipher-commands
openssl ciphers -v 'HIGH' #only high-strength ciphers

Test OpenSSL Speed:
openssl speed
openssl speed rsa #test only rsa

Generate self-signed cert:
openssl req \
-x509 -nodes -days 365 \
-newkey rsa:1024 -keyout mycert.pem -out mycert.pem
OR
openssl req \
-x509 -nodes -days 365 \
-subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
-newkey rsa:1024 -keyout mycert.pem -out mycert.pem

MD5 or SHA1 digest of file:
openssl dgst -md5 filename
openssl dgst -sha1 filename

Base64 encode / decode a file:
openssl enc -base64 -in infile.txt #encode to stdout
openssl enc -base64 -in infile.txt -out outfile.txt #encode to a file
echo "encode me" | openssl enc -base64 #encode through a pipe
echo "ZW5jb2RlIG1lCg==" | openssl enc -base64 -d #decode through a pipe

Encrypt a file using 256-bit AES in CBC mode:
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc
openssl enc -aes-256-cbc -salt -in file.txt \
-out file.enc -pass pass:password
openssl enc -aes-256-cbc -salt -in file.txt \
-out file.enc -pass file:/path/to/passwd.txt
openssl enc -aes-256-cbc -a -salt -in file.txt -out file.enc #base64 for email

Decrypt binary / base64 AES CBC file:
openssl enc -d -aes-256-cbc -in file.enc
openssl enc -d -aes-256-cbc -a -in file.enc  # decode with base64

Encrypt a file using Triple DES with base64 "ASCII Armor":
openssl enc -e -a -salt -des3 -in file.txt -out file.des3

Decrypt a file encrypted with Triple DES and base64 encoded:
openssl enc -d -a -des3 -in file.des3 -out file.txt

Encrypt a file using Blowfish and base64 encode:
openssl enc -e -a -salt -bf -in file.txt -out file.blowfish

Decrypt a file encrypted with Blowfish and base64 encoded:
openssl enc -d -a -bf -in file.blowfish -out file.txt

Generate an RSA key:
openssl genrsa
openssl genrsa -out mykey.pem 1024
openssl genrsa -des3 -out mykey.pem 1024

Extract the public key from an RSA private key:
openssl rsa -in mykey.pem -pubout

Generate a DSA key:
openssl dsaparam -noout -out dsakey.pem -genkey 1024

Generate a shadow-style password hash:
openssl passwd -1 MySecret
openssl passwd -1 -salt sXiKzkus MySecret #specific salt

Test for prime number:
openssl prime 11905475924560753

Generate random number:
openssl rand -base64 128 #128 random bytes, base64 encoded
openssl rand -out random_data.bin 1024 #1024 random bytes, binary
head -c 32 /dev/urandom | openssl enc -base64 #32 bytes read from the kernel RNG


Create an SSL certificate:
openssl genrsa -des3 -out server.key 1024 # create passphrase-protected key
openssl req -new -key server.key -out server.csr # create cert request

cp server.key server.key.org # keep a copy of the encrypted key
openssl rsa -in server.key.org -out server.key # remove passphrase
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt # create cert

Decode an SSL Cert:
openssl x509 -in certificate.crt -text -noout
http://www.sslshopper.com/certificate-decoder.html
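
Check that a certificate belongs to its key (added example, not from the original post): it runs the "Create an SSL certificate" steps non-interactively in a temp directory, then confirms the cert matches the key and has not expired. The file names, CN=test.example.invalid and the 2048-bit key size are assumptions chosen for the demo.

```sh
#!/bin/sh
# Added example (not from the original post). Constructed values: the file
# names, CN=test.example.invalid and the 2048-bit key size.

# Key -> CSR -> self-signed cert, non-interactive. $1 = working directory.
make_cert() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" \
        -subj '/CN=test.example.invalid' -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# True only if the cert's public key is the public half of the private key.
# $1 = certificate, $2 = private key. A failed read counts as a mismatch.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the cert is still valid $2 seconds from now (default: right now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT

make_cert "$workdir" || { echo "certificate creation failed" >&2; exit 1; }
if cert_matches_key "$workdir/server.crt" "$workdir/server.key"; then
    echo "cert and key match"
fi
# An unrelated key must be rejected, e.g. after mixing up files on a server.
openssl genrsa -out "$workdir/other.key" 2048 2>/dev/null
cert_matches_key "$workdir/server.crt" "$workdir/other.key" ||
    echo "other.key does not belong to server.crt"
cert_valid_for "$workdir/server.crt" 2592000 && echo "valid for 30+ more days"
```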

Encrypt from STDIN to STDOUT with a simple AES password:
echo "Plain Text" | openssl enc -aes-256-cbc -a

Decrypt from STDIN to STDOUT with a simple AES password:
echo "Ciphertext from above" | openssl enc -aes-256-cbc -d -a


http://www.akadia.com/services/ssh_test_certificate.html
http://www.yatblog.com/2007/02/27/how-to-create-a-ssl-certificate/
http://www.vanemery.com/Linux/Apache/openSSL.html
http://www.madboa.com/geek/openssl/