Using OpenSSL

OpenSSL is a library that provide s cryptographic protocols to applications . The o penssl command line utility e nable s us ing the cryptographic functions from the s he ll. It include s an inte ractive mode .

The o penssl command line utility has a numbe r of ps e udo-commands to provide information on the commands that the ve rs ion of o penssl ins talle d on the s ys te m s upports . The ps e udo-commands list-standard-commands, list-message-digest-commands, and list-cipher-commands output a lis t of all s tandard commands , me s s age dige s t commands , or ciphe r commands , re s pe ctive ly, that are available in the pre s e nt o penssl utility.

The ps e udo-commands list-cipher-algorithms and message-digest-algorithms lis t all ciphe r and me s s age dige s t name s . The ps e udo-command list-public-key-algorithms lis ts all s upporte d public ke y algorithms . For e xample , to lis t the s upporte d public ke y algorithms , is s ue the following command:

~]$ openssl list-public-key-algorithms

The ps e udo-command no-command-name te s ts whe the r a command-name of the s pe cifie d name is available . Inte nde d for us e in s he ll s cripts . Se e man openssl(1) for more

information.

4.8.1. Creat ing and Managing Encrypt ion Keys

With OpenSSL, public ke ys are de rive d from the corre s ponding private ke y. The re fore the firs t s te p, once having de cide d on the algorithm, is to ge ne rate the private ke y. In the s e e xample s the private ke y is re fe rre d to as privkey.pem. For e xample , to cre ate an RSA private ke y us ing de fault parame te rs , is s ue the following command:

~]$ openssl genpkey -algorithm RSA -out privkey.pem The RSA algorithm s upports the following options :

rsa_keygen_bits:numbits — The numbe r of bits in the ge ne rate d ke y. If not s pe cifie d 1024 is us e d.

rsa_keygen_pubexp:value — The RSA public e xpone nt value . This can be a large de cimal value , or a he xade cimal value if pre ce de d by 0x. The de fault value is 65537.

For e xample , to cre ate a 2048 bit RSA private ke y us ing us ing 3 as the public e xpone nt, is s ue the following command:

~]$ openssl genpkey -algorithm RSA -out privkey.pem -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3

To e ncrypt the private ke y, as it is output, us ing 128 bit AES and the pas s phras e “he llo”, is s ue the following command:

~]$ openssl genpkey -algorithm RSA -out privkey.pem -aes-128-cbc -pass pass:hello

Se e man genpkey(1) for more information on ge ne rating private ke ys .

4.8.2. Generat ing Cert ificat es

To ge ne rate a ce rtificate us ing OpenSSL, it is ne ce s s ary to have a private ke y available . In the s e e xample s the private ke y is re fe rre d to as privkey.pem. If you have not ye t ge ne rate d a private ke y, s e e Se ction 4.8.1, “Cre ating and Managing Encryption Ke ys ” To have a ce rtificate s igne d by a certificate authority (CA), it is ne ce s s ary to ge ne rate a ce rtificate and the n s e nd it to a CA for s igning. This is re fe rre d to as a ce rtificate s igning re que s t. Se e Se ction 4.8.2.1, “Cre ating a Ce rtificate Signing Re que s t” for more information.

The alte rnative is to cre ate a s e s igne d ce rtificate . Se e Se ction 4.8.2.2, “Cre ating a Se lf-s igne d Ce rtificate ” for more information.

4.8.2.1. Creating a Certif icate Signing Request

To cre ate a ce rtificate for s ubmis s ion to a CA, is s ue a command in the following format:

~]$ openssl req -new -key privkey.pem -out cert.csr

This will cre ate an X.509 ce rtificate calle d cert.csr e ncode d in the de fault privacy-enhanced electronic mail (PEM) format. The name PEM is de rive d from “Privacy

Enhance me nt for Inte rne t Ele ctronic Mail” de s cribe d in RFC 1424. To ge ne rate a ce rtificate file in the alte rnative DER format, us e the -outform DER command option.

Afte r is s uing the above command, you will be prompte d for information about you and the organization in orde r to cre ate a distinguished name ( DN) for the ce rtificate . You will ne e d the following information:

The two le tte r country code for your country The full name of your s tate or province City or Town

The name of your organization

The name of the unit within your organization Your name or the hos t name of the s ys te m Your e mail addre s s

The req(1) man page de s cribe s the PKCS# 10 ce rtificate re que s t and ge ne rating utility.

De fault s e ttings us e d in the ce rtificate cre ating proce s s are containe d within the /etc/pki/tls/openssl.cnf file . Se e man openssl.cnf(5) for more information.

4.8.2.2. Creating a Self -signed Certif icate

To ge ne rate a s e lf-s igne d ce rtificate , valid for 366 days , is s ue a command in the following format:

~]$ openssl req -new -x509 -key privkey.pem -out selfcert.pem -days 366

4.8.2.3. Creating a Certif icate Using a Makef ile

The /etc/pki/tls/certs dire ctory contains a Makefile which can be us e d to cre ate ce rtificate s us ing the make command. To vie w the us age ins tructions , is s ue a command as follows :

~]$ make -f /etc/pki/tls/certs/Makefile

Alte rnative ly, change to the dire ctory and is s ue the make command as follows :

~]$ cd /etc/pki/tls/certs/

~]$ make

Se e the make(1) man page for more information.

4.8.3. Verifying Cert ificat es

A ce rtificate s igne d by a CA is re fe rre d to as a trus te d ce rtificate . A s e lf-s igne d ce rtificate is the re fore an untrus te d ce rtificate . The ve rify utility us e s the s ame SSL and S/MIME functions to ve rify a ce rtificate as is us e d by OpenSSL in normal ope ration. If an e rror is found it is re porte d and the n an atte mpt is made to continue te s ting in orde r to re port any othe r e rrors .

To ve rify multiple individual X.509 ce rtificate s in PEM format, is s ue a command in the following format:

~]$ openssl verify cert1.pem cert2.pem

To ve rify a ce rtificate chain the le af ce rtificate mus t be in cert.pem and the inte rme diate ce rtificate s which you do not trus t mus t be dire ctly concate nate d in untrusted.pem. The trus te d root CA ce rtificate mus t be e ithe r among the de fault CA lis te d in

/etc/pki/tls/certs/ca-bundle.crt or in a cacert.pem file . The n, to ve ry the chain, is s ue a command in the following format:

~]$ openssl verify -untrusted untrusted.pem -CAfile cacert.pem cert.pem Se e man verify(1) for more information.

4.8.4. Encrypt ing and Decrypt ing a File

To e ncrypt a file plaintext, is s ue a command as follows :

~]$ openssl pkeyutl -in plaintext -out cyphertext -inkey privkey.pem The de fault format for ke ys and ce rtificate s is PEM. If re quire d, us e the -keyform DER command to s pe cify the DER ke y format.

To s pe cify a cryptographic e ngine , us e the -engine command as follows :

~]$ openssl pkeyutl in plaintext out cyphertext inkey privkey.pem -engine id

Whe re id is the ID of the cryptographic graphic e ngine . To che ck the availability of an e ngine , is s ue the following command:

~]$ openssl engine -t

To s ign a data file , plaintext, is s ue a command as follows :

~]$ openssl pkeyutl -sign -in plaintext -out sigtext -inkey privkey.pem

To ve rify a s igne d data file and to e xtract the data, is s ue a command as follows :

~]$ openssl pkeyutl -verifyrecover -in sig -inkey key.pem

To ve rify the s ignature , for e xample us ing a DSA ke y, is s ue a command as follows :

~]$ openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem The pkeyutl(1) man page de s cribe s the public ke y algorithm utility.

4.8.5. Generat ing Message Digest s

The dgst command produce s the me s s age dige s t of a s upplie d file or file s in

he xade cimal form. The command can als o be us e d for digital s igning and ve rification. The me s s age dige s t command take s the following form:

openssl dgst algorithm -out filename -sign private-key

Whe re algorithm is one of md5|md4|md2|sha1|sha|mdc2|ripemd160|dss1. At time of writing, the SHA1 algorithm is pre fe rre d. If you ne e d to s ign or ve rify us ing DSA, the n the dss1 option mus t be us e d toge the r with a file containing random data s pe cifie d by the -rand option.

To produce a me s s age dige s t in the de fault He x format us ing the s ha1 algorithm, is s ue the following command:

~]$ openssl dgst sha1 -out digest-file

To digitally s ign the dige s t, us ing a private ke y privekey.pem, is s ue the following command:

~]$ openssl dgst sha1 -out digest-file -sign privkey.pem Se e man dgst(1) for more information.

4.8.6. Generat ing Password Hashes

The passwd command compute s the has h of a pas s word. To compute the has h of a pas s word on the command line , is s ue a command as follows :

~]$ openssl passwd password

The -crypt algorithm is us e d by de fault.

To compute the has h of a pas s word from s tandard input, us ing the MD5 bas e d BSD algorithm 1, is s ue a command as follows :

~]$ openssl passwd -1 password

The -apr1 option s pe cifie s the Apache variant of the BSD algorithm.

To compute the has h of a pas s word s tore d in a file , and us ing a s alt xx, is s ue a command as follows :

~]$ openssl passwd -salt xx -in password-file

The pas s word is s e nt to s tandard output and the re is no -out option to s pe cify an output file . The -table will ge ne rate a table of pas s word has he s with the ir corre s ponding cle ar te xt pas s word.

Se e man sslpasswd(1) for more information and e xample s .

4.8.7. Generat ing Random Dat a

To ge ne rate a file containing random data, us ing a s e e d file , is s ue the following command:

~]$ openssl rand -out rand-file -rand seed-file

Multiple file s for s e e ding the random data proce s s can be s pe cifie d us ing the colon, :, as a lis t s e parator.

Se e man rand(1) for more information.

4.8.8. Benchmarking Your Syst em

To te s t the computational s pe e d of a s ys te m for a give n algorithm, is s ue a command in the following format:

~]$ openssl speed algorithm

whe re algorithm is one of the s upporte d algorithms you inte nde d to us e . To lis t the available algorithms , type openssl speed and the n pre s s tab.

4.8.9. Configuring OpenSSL

Ope nSSL has a configuration file /etc/pki/tls/openssl.cnf, re fe rre d to as the mas te r configuration file , which is re ad by the Ope nSSL library. It is als o pos s ible to have

individual configuration file s for e ach application. The configuration file contains a numbe r of s e ctions with s e ction name s as follows : [ section_name ]. Note the firs t part of the file , up until the firs t [ section_name ], is re fe rre d to as the de fault s e ction. Whe n

Ope nSSL is s e arching for name s in the configuration file the name d s e ctions are

s e arche d firs t. All Ope nSSL commands us e the mas te r Ope nSSL configuration file unle s s an option is us e d in the command to s pe cify an alte rnative configuration file . The

configuration file is e xplaine d in de tail in the config(5) man page . Two RFCs e xplain the conte nts of a ce rtificate file . The y are :

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

Dans le document Red Hat Enterprise Linux 7 Security Guide (Page 115-120)