Information Security 24 min read

Master OpenSSL: From Symmetric Encryption to Digital Certificates

This comprehensive guide explains OpenSSL’s role in cryptography, covering symmetric and asymmetric encryption, hashing, key generation, certificate creation, and practical command‑line examples for encrypting files, managing keys, signing data, and configuring TLS servers, empowering readers to master secure communications.

Raymond Ops

Cryptographic standards such as the PKCS# series define how RSA keys are generated and the formats of public and private keys, and X.509 defines certificates. OpenSSL implements these standards and provides command‑line tools for symmetric ciphers, asymmetric algorithms, hashing, and certificate handling.

<code>$ openssl --help
# List of subcommands, e.g., asn1parse, ca, ciphers, cmp, cms, crl, ...
$ openssl list -digest-commands
# List of digest algorithms, e.g., md5, sha1, sha256, ...</code>

Symmetric Encryption

Symmetric key algorithms use the same key for encryption and decryption. List available ciphers with <code>openssl list -cipher-commands</code>. The <code>enc</code> subcommand performs encryption and decryption.

<code>$ openssl enc --help
Usage: enc [options]
  -e            Encrypt
  -d            Decrypt
  -aes-128-cbc  Cipher name
  -in <file>    Input file
  -out <file>   Output file
  -k <pass>     Passphrase
  -a            Base64 encode/decode
  ...</code>

Example: encrypt a file with AES‑128‑CBC:

<code># -pbkdf2 replaces the legacy single-pass key derivation that OpenSSL 1.1.1+ warns about
openssl enc -e -aes-128-cbc -pbkdf2 -in test.txt -k pass -out test-aes-enc.txt -v</code>

Decrypt:

<code># decryption must use the same cipher and the same KDF option as encryption
openssl enc -d -aes-128-cbc -pbkdf2 -in test-aes-enc.txt -k pass -out test-dec.txt -v</code>

Base64 encoding example:

<code>echo -n "12345" | openssl enc -e -base64 -in -

echo "MTIzNDU=" | openssl enc -d -base64 -in -</code>
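The encrypt/decrypt round trip described above, as an added example that is not part of the original article: it shows that the same file encrypted twice yields different ciphertexts because <code>enc</code> salts the key derivation, and that the ciphertext header carries only the salt, not the cipher or KDF choice. File names, contents and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): AES-128-CBC round trip with
# the enc subcommand, using -pbkdf2 so the passphrase is stretched instead of
# going through OpenSSL's legacy single-pass key derivation.
# The file names, contents and passphrase below are constructed for the demo.

aes_roundtrip() {
    dir=$(mktemp -d)
    printf 'constructed sample plaintext\n' > "$dir/plain.txt"

    # Encrypt the same file twice with the same passphrase. enc draws a fresh
    # random salt each run (salting is the default), so the ciphertexts differ.
    openssl enc -e -aes-128-cbc -pbkdf2 -k 'demo-pass' \
        -in "$dir/plain.txt" -out "$dir/c1.bin"
    openssl enc -e -aes-128-cbc -pbkdf2 -k 'demo-pass' \
        -in "$dir/plain.txt" -out "$dir/c2.bin"

    # Decrypt with the same cipher and KDF options. The file stores only the
    # "Salted__" magic and the salt, so the receiver must already know them.
    openssl enc -d -aes-128-cbc -pbkdf2 -k 'demo-pass' \
        -in "$dir/c1.bin" -out "$dir/dec.txt"

    result=""
    cmp -s "$dir/plain.txt" "$dir/dec.txt" && result="roundtrip-ok"
    cmp -s "$dir/c1.bin" "$dir/c2.bin" || result="$result;salted-differ"
    # First 8 bytes of the ciphertext file are the ASCII magic "Salted__".
    magic=$(dd if="$dir/c1.bin" bs=8 count=1 2>/dev/null)
    [ "$magic" = "Salted__" ] && result="$result;salted-header"

    rm -rf "$dir"
    printf '%s\n' "$result"
}

aes_roundtrip
```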

Public‑Key Encryption

Public‑key algorithms (RSA, DSA, EC, DH) use a key pair rather than one shared secret: a public key that can be distributed and a private key that stays with its owner. The <code>genrsa</code>, <code>rsa</code>, and <code>rsautl</code> subcommands manage RSA keys and signatures.

<code>$ openssl genrsa --help
Usage: genrsa [options] numbits
  -out <file>   Output private key
  -aes128       Encrypt private key with AES‑128‑CBC
  ...</code>

Generate an unencrypted 1024‑bit private key:

<code># options go before the key size; 1024-bit RSA is too small for new deployments, 2048 or more is the norm
openssl genrsa -verbose -out private.pem 1024</code>

Generate a password‑protected key with AES‑128‑CBC:

<code># -aes128 already selects AES-128-CBC; the key size defaults to 2048 bits when omitted
openssl genrsa -aes128 -verbose -out pri.pem</code>

Extract a public key from a private key:

<code>openssl rsa -in private.pem -pubout -out public.pem</code>

Sign a file with a private key and verify with the public key:

<code># rsautl signs the raw input without hashing it, so the input must be shorter than the key modulus;
# rsautl is deprecated since OpenSSL 3.0 and pkeyutl -sign / -verifyrecover replaces it
openssl rsautl -sign -in plain.txt -inkey private.pem -out signed.text
openssl rsautl -verify -in signed.text -pubin -inkey public.pem -out verify.txt</code>

Message Digest

Digest algorithms produce a fixed‑size hash from arbitrary data, useful for integrity checks. List supported digests with <code>openssl list -digest-commands</code>. The <code>dgst</code> subcommand computes hashes and signs and verifies them.

<code>$ openssl dgst --help
Usage: dgst [options] [file...]
  -md5          Compute MD5 hash
  -sha256       Compute SHA‑256 hash
  -sign <key>   Sign digest with private key
  -verify <key> Verify signature with public key
  ...</code>

Compute MD5 of a file:

<code>openssl dgst -md5 test.txt</code>

Sign a file’s hash with a private key and verify with the corresponding public key:

<code># the digest defaults to SHA-256 when none is given; the signature file is raw binary
openssl dgst -sign private.pem -out test.text plain.txt
openssl dgst -verify public.pem -signature test.text plain.txt</code>
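The key generation, public-key extraction and <code>dgst</code> sign/verify steps from the two sections above, as an added example that is not from the original article: it verifies a signature and then shows that changing one character of the signed file makes verification fail. Key files, file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): generate an RSA key pair,
# sign a file's SHA-256 digest with the private key, verify with the public
# key, then show that verification rejects a modified file.
# File names and contents are constructed for the demo.

sign_and_verify() {
    dir=$(mktemp -d)
    printf 'invoice total: 100\n' > "$dir/plain.txt"

    # 2048-bit private key, and the public key extracted from it.
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/private.pem" -pubout -out "$dir/public.pem" 2>/dev/null

    # dgst hashes the file and signs the digest (RSA PKCS#1 v1.5 padding by
    # default); the signature is raw binary, so it goes to its own file.
    openssl dgst -sha256 -sign "$dir/private.pem" -out "$dir/plain.sig" \
        "$dir/plain.txt"

    result=""
    # Verification needs the same digest, the public key, the signature and the data.
    if openssl dgst -sha256 -verify "$dir/public.pem" -signature "$dir/plain.sig" \
            "$dir/plain.txt" >/dev/null 2>&1; then
        result="verified"
    fi

    # Change one character of the signed data: the digest changes, so the
    # stored signature no longer matches and dgst exits non-zero.
    printf 'invoice total: 900\n' > "$dir/plain.txt"
    if ! openssl dgst -sha256 -verify "$dir/public.pem" -signature "$dir/plain.sig" \
            "$dir/plain.txt" >/dev/null 2>&1; then
        result="$result;tamper-rejected"
    fi

    rm -rf "$dir"
    printf '%s\n' "$result"
}

sign_and_verify
```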

Digital Certificates

Certificates bind a public key to an identity and are signed by a trusted certificate authority (CA). OpenSSL’s <code>req</code>, <code>x509</code>, and related subcommands create certificate requests and self‑signed certificates and manage extensions.

<code>$ openssl req --help
Usage: req [options]
  -new          Create a new certificate request
  -key <file>   Private key for signing
  -out <file>   Output request
  -subj <dn>    Subject distinguished name
  ...</code>

Generate a certificate signing request (CSR) using an existing private key:

<code>openssl req -new -key private.pem -out request.csr</code>

Create a self‑signed root CA certificate:

<code>openssl genrsa -out ca.pem 2048
openssl req -new -x509 -days 365 -key ca.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.cer</code>

Sign a CSR with the root CA:

<code>openssl x509 -sha256 -req -days 365 -in server.csr -CA ca.cer -CAkey ca.pem -CAcreateserial -out server.cer</code>
[Figure: Certificate diagram]

Miscellaneous

The <code>rand</code> subcommand generates random bytes, and <code>passwd</code> creates Unix password hashes.

<code>openssl rand -hex 3
openssl passwd 12345
openssl passwd -salt 'z' 12345</code>

Verify a certificate chain with <code>openssl verify</code> and test TLS connections using <code>s_server</code> and <code>s_client</code>:

<code>openssl verify cert.pem
# pass the issuing CA explicitly when it is not in the system trust store
openssl verify -CAfile ca.cer server.cer
openssl s_server -cert mycert.pem -www -accept 4433
openssl s_client -connect remote.host:4433</code>
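The CA, CSR and signing steps from the Digital Certificates section combined with <code>openssl verify</code>, as an added example that is not from the original article: it builds a root CA and a leaf certificate, verifies the leaf against that CA, and shows that verification against an unrelated CA fails. Subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): build a two-level chain with
# the req/x509 commands shown above, then use openssl verify to check the
# leaf against the issuing CA and against an unrelated CA.
# Subject names and file names are constructed for the demo.

pki_demo() {
    d=$(mktemp -d)

    # Self-signed root CA: key first, then the certificate in one req -x509 call.
    openssl genrsa -out "$d/ca.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$d/ca.pem" \
        -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out "$d/ca.cer" 2>/dev/null

    # Server key and CSR. The CSR carries the public key and subject and is
    # self-signed only to prove possession of the key, not to vouch for it.
    openssl genrsa -out "$d/server.pem" 2048 2>/dev/null
    openssl req -new -key "$d/server.pem" -subj "/CN=www.example.test" \
        -out "$d/server.csr" 2>/dev/null

    # The CA issues the leaf from the CSR; -CAcreateserial writes ca.srl.
    openssl x509 -sha256 -req -days 365 -in "$d/server.csr" -CA "$d/ca.cer" \
        -CAkey "$d/ca.pem" -CAcreateserial -out "$d/server.cer" 2>/dev/null

    # An unrelated CA that never signed the leaf.
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$d/other.pem" -subj "/CN=Other CA" \
        -out "$d/other.cer" 2>/dev/null

    result=""
    # verify builds a path from the leaf to a trusted root. Without -CAfile it
    # consults the system store, which does not contain the demo CA.
    if openssl verify -CAfile "$d/ca.cer" "$d/server.cer" >/dev/null 2>&1; then
        result="chain-ok"
    fi
    if ! openssl verify -CAfile "$d/other.cer" "$d/server.cer" >/dev/null 2>&1; then
        result="$result;wrong-ca-rejected"
    fi

    rm -rf "$d"
    printf '%s\n' "$result"
}

pki_demo
```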
Written by

Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
