OpenSSL Commands
You can run OpenSSL commands to perform different actions, such as creating keys and certificates, extracting a public key from a private key, or converting between key and keystore formats. See a list of useful commands below. Unless stated otherwise, each command prompts for any passphrase it needs.
Create a self-signed RSA certificate with a new private key and pack both into a PKCS#12 keystore
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -sha256 -keyout rsa_priv_key.key -out rsa_pub_key.crt -subj "/C=AR/ST=Capital Federal/L=Capital Federal/O=Veritran/OU=Veritran TI/CN=rsa-cert"
openssl pkcs12 -export -out rsa-keystore.p12 -inkey rsa_priv_key.key -in rsa_pub_key.crt -name rsa_key
Note
The -x509 option makes the first command emit a self-signed certificate rather than a certificate signing request; omit it to get a CSR. -nodes writes the private key unencrypted and -days 36500 makes the certificate valid for about 100 years, so adjust both to your policy. The second command prompts for an export password that protects the keystore.
Create a self-signed certificate from an existing RSA key
openssl req -x509 -new -nodes -key rsa_priv_key.key -days 3650 -out selfSignedCert.pem
Create an RSA key of 2048 bits
openssl genrsa -out privkey.pem -des3 2048
Note
-des3 encrypts the key file with Triple DES under a passphrase you are prompted for; -aes256 is the stronger option on current OpenSSL versions. Omit the option to write the key unencrypted.
Get the pub key of a previous RSA key
openssl rsa -in privkey.pem -pubout -out pubkey.pem
Sign a certificate request with a custom CA
openssl ca -config ./openssl.cnf -in req.pem -out cert.pem
Note
The ./openssl.cnf file contains the custom CA parameters.
Create a self-signed certificate with an existing RSA private key
openssl req -new -x509 -key privateKey.pem -out signedCertificate.cer
Create a pkcs12 keystore with a previous key and certificate pair
openssl pkcs12 -export -inkey privkey.pem -in cert.pem -out keystore.p12 -name "Keystore Name"
Show a pkcs12 keystore's contents
openssl pkcs12 -in keystore.p12
Note
The command prompts for the keystore password, writes the certificates and the private key to standard output, and asks for a PEM passphrase to re-encrypt the key. Add -nokeys to list only the certificates, and -info to see the algorithms used to protect the keystore.
Decrypt an encrypted private key
openssl rsa -in privkey.pem -out privkey_plain.pem
Note
The command prompts for the current passphrase and writes the key unencrypted, so restrict the permissions of the output file.
Validate a public and private key pair
openssl rsa -noout -modulus -in file.key
openssl x509 -noout -modulus -in file.cer
Note
Both modulus values must be identical for the key and the certificate to belong together. -modulus only applies to RSA keys.
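The modulus check above, as an added shell example that is not part of the original page. It wraps the page's two commands in a function that compares digests instead of two long hex lines, adds an algorithm-agnostic variant that compares the public key itself (so it also works for EC keys, where -modulus does not), and builds a matching pair plus an unrelated key as constructed test data. Only the openssl CLI is assumed; the file names and the DN are made up.

```shell
#!/bin/sh
# Added example: does this private key belong to this certificate?

# Page's method (RSA only): compare the moduli. Hashing both sides makes the
# comparison a single string test instead of eyeballing 512 hex characters.
modulus_matches() {  # $1 = private key file, $2 = certificate file
  k=$(openssl rsa -noout -modulus -in "$1" | openssl dgst -sha256) || return 2
  c=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256) || return 2
  [ "$k" = "$c" ]
}

# Algorithm-agnostic variant: derive the public key from the private key and
# extract the public key from the certificate, then compare the PEM blocks.
pubkey_matches() {  # $1 = private key file, $2 = certificate file
  k=$(openssl pkey -in "$1" -pubout) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey) || return 2
  [ "$k" = "$c" ]
}

# Constructed fixtures: a key with its self-signed certificate, and a second,
# unrelated key that must NOT match that certificate.
make_fixtures() {  # $1 = work directory
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
    -keyout "$1/good.key" -out "$1/good.crt" -subj "/CN=fixture" 2>/dev/null || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.key" 2>/dev/null
}

# Usage: exit status 0 means the pair matches, 1 mismatch, 2 unreadable input.
work=$(mktemp -d)
make_fixtures "$work"
if pubkey_matches "$work/good.key" "$work/good.crt"; then echo "good.key matches good.crt"; fi
if ! pubkey_matches "$work/other.key" "$work/good.crt"; then echo "other.key does not match good.crt"; fi
```

Prefer the public-key comparison in scripts: it gives the same answer as the modulus check for RSA and keeps working when a key is later replaced by an EC or Ed25519 key.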
Generate private key
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
Note
This command writes only the private key file. An RSA private key embeds the public components, so the public key can be extracted from it with the next command.
Generate public key from private key
openssl rsa -pubout -in private_key.pem -out public_key.pem
Write the private key unencrypted in PEM format
openssl rsa -in private_key.pem -out private_unencrypted.key -outform PEM
Note
If the input key is passphrase-protected, the command prompts for the passphrase and the output file contains the key in the clear.
Show the private key's content
openssl rsa -text -in private_key.pem
Encrypt with a public key
openssl rsautl -in test.txt -out test.txt.encrypted -pubin -inkey public_key.pem -encrypt
Decrypt with the private key
openssl rsautl -in test.txt.encrypted -out test.txt.decrypted -inkey private_key.pem -decrypt
Note
rsautl uses PKCS#1 v1.5 padding by default and can only encrypt data shorter than the key size minus 11 bytes (245 bytes for a 2048-bit key); it is meant for wrapping a small secret such as a symmetric key, not for files. rsautl is deprecated since OpenSSL 3.0 in favour of the pkeyutl command, which also supports OAEP padding.
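The encrypt/decrypt round trip above, as an added shell example that is not part of the original page. It uses pkeyutl with OAEP instead of the deprecated rsautl, and also shows the failure mode the note describes: a message larger than the key can hold is rejected rather than silently truncated. Only the openssl CLI is assumed; the message text and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: RSA-OAEP encryption with openssl pkeyutl (replacement for rsautl).

# Generate a constructed 2048-bit key pair in $1 (priv.pem / pub.pem).
make_keypair() {  # $1 = work directory
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/priv.pem" 2>/dev/null || return 1
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Encrypt $2 to $3 with the public key, using OAEP with SHA-256.
rsa_encrypt() {  # $1 = public key, $2 = plaintext file, $3 = ciphertext file
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Decrypt $2 to $3 with the private key; the padding options must match.
rsa_decrypt() {  # $1 = private key, $2 = ciphertext file, $3 = plaintext file
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Round trip a short constructed message; returns 0 if it decrypts to itself.
rsa_roundtrip() {  # $1 = work directory (must contain priv.pem / pub.pem)
  printf 'constructed test message\n' > "$1/msg.txt"
  rsa_encrypt "$1/pub.pem" "$1/msg.txt" "$1/msg.enc" 2>/dev/null || return 1
  rsa_decrypt "$1/priv.pem" "$1/msg.enc" "$1/msg.dec" 2>/dev/null || return 1
  cmp -s "$1/msg.txt" "$1/msg.dec"
}

# A 300-byte message exceeds what a 2048-bit key can hold under OAEP
# (256 - 2*32 - 2 = 190 bytes with SHA-256); encryption must fail, not truncate.
# Returns 0 when openssl refuses the oversized input, as expected.
rsa_rejects_oversized() {  # $1 = work directory (must contain pub.pem)
  printf '%0300d' 0 > "$1/big.txt"
  ! rsa_encrypt "$1/pub.pem" "$1/big.txt" "$1/big.enc" 2>/dev/null
}

# Usage
work=$(mktemp -d)
make_keypair "$work"
rsa_roundtrip "$work" && echo "round trip ok"
rsa_rejects_oversized "$work" && echo "oversized message correctly rejected"
```

For anything larger than a few hundred bytes, encrypt the data with a random symmetric key and use the RSA key only to wrap that key.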
Show certificate info
openssl x509 -outform PEM -in certificate.pem -text -out MyCertificate.info
Create a custom CA
Create a folder for storing CA certificates and set the dir= property in openssl.cnf to point to it. The openssl ca command also expects, under that directory, the files named by the database (usually index.txt) and serial entries and the new_certs_dir folder to exist before the first certificate is issued. See the related commands below.
Create a CA certificate using openssl
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
Note
Without -nodes the command prompts for a passphrase that protects the CA private key; keep it that way for a real CA. The -extensions v3_ca option refers to a section of that name in openssl.cnf, which must set basicConstraints to CA:TRUE.
Create a certificate request
openssl req -new -nodes -out provider-req.pem -keyout private/provider-key.pem
Use the CA to generate the signed certificate using the request
openssl ca -out provider-cert.pem -infiles provider-req.pem
Convert the signed certificate to pkcs12
openssl pkcs12 -export -in provider-cert.pem -inkey private/provider-key.pem > provider.p12
Import a pkcs12 keystore into a JKS keystore
keytool -importkeystore -srckeystore provider.p12 -destkeystore /path/to/somekeystore.jks -srcstoretype pkcs12
Note
Since JDK 9 the default keystore type is PKCS12 and keytool warns that JKS is a proprietary format, so the .p12 file can usually be used directly instead of converting it.
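The whole custom-CA procedure above, from CA certificate to PKCS#12 export, as an added shell example that is not part of the original page. It writes a minimal openssl.cnf of the kind the notes refer to (the dir=, database, serial and new_certs_dir entries, plus v3_ca and leaf extension sections), builds the CA, issues a certificate from a request with openssl ca, and checks that the result chains to the CA. All names, DNs and the keystore password are constructed for the demo; the CA key is left unencrypted (-nodes) only so that the script runs without prompts, which a real CA should not do.

```shell
#!/bin/sh
# Added example: a throw-away CA driven by a minimal openssl.cnf.

# Minimal CA configuration. dir= is relative, so every openssl call below
# runs from inside the work directory.
write_ca_config() {  # $1 = work directory
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose
x509_extensions = leaf_cert

[ policy_loose ]
commonName       = supplied
organizationName = optional
countryName      = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Create the CA directory layout openssl ca expects, then the CA certificate.
build_ca() {  # $1 = work directory
  ( set -e; cd "$1"
    mkdir -p demoCA/private demoCA/newcerts
    : > demoCA/index.txt
    echo 1000 > demoCA/serial
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -extensions v3_ca \
      -config openssl.cnf -subj "/CN=Demo Root CA" \
      -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null )
}

# Request, sign with the CA, export key + cert + CA chain as PKCS#12.
issue_cert() {  # $1 = work directory, $2 = common name -> $2.key $2.pem $2.p12
  ( set -e; cd "$1"
    openssl req -new -nodes -newkey rsa:2048 -config openssl.cnf \
      -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl ca -batch -notext -config openssl.cnf -in "$2.csr" -out "$2.pem" 2>/dev/null
    openssl pkcs12 -export -in "$2.pem" -inkey "$2.key" -certfile demoCA/cacert.pem \
      -name "$2" -passout pass:changeit -out "$2.p12" )
}

# Exit status 0 if the issued certificate validates against the CA certificate.
verify_cert() {  # $1 = work directory, $2 = common name
  ( cd "$1" && openssl verify -CAfile demoCA/cacert.pem "$2.pem" >/dev/null )
}

# Usage: build the CA, issue "provider" and check that it chains.
work=$(mktemp -d)
write_ca_config "$work" && build_ca "$work" && issue_cert "$work" provider \
  && verify_cert "$work" provider && echo "issued and verified in $work"
```

Because the CA section names x509_extensions = leaf_cert, every certificate issued with openssl ca gets CA:FALSE and a fixed key usage regardless of what the request asked for, which is the property you want from a CA that signs requests it did not generate.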