
OpenSSL for Dummies!

What is OpenSSL?

OpenSSL is an open-source toolkit for cryptography, mainly SSL and TLS. It is a powerful tool that supports all kinds of functionality, from key generation to client/server tests.

Use Cases

The range of use cases that OpenSSL covers is too wide to list here, but here are some of the most common ones.

Asymmetric key-pair generation

Asymmetric encryption is an important part of today’s IT infrastructure, including websites. OpenSSL supports many public key algorithms. I will be covering RSA and elliptic curves.

RSA

Generating an RSA private key:
openssl genpkey -algorithm RSA -out RSApriv.pem

Generating an RSA public key:
openssl rsa -pubout -in RSApriv.pem -out RSApub.pem

[Image: the RSA public and private keys in PEM form]

Elliptic Curve

Listing the supported elliptic curves:
openssl ecparam -list_curves

We will be using the secp384r1 curve.

Generating the private key:
openssl ecparam -genkey -name secp384r1 -out ECpriv.pem

Generating the public key:
openssl ec -in ECpriv.pem -pubout -out ECpub.pem

[Image: the EC public and private keys in PEM form]


Certificate Signing Request (CSR) and generation of certificates

Generating a certificate signing request together with its private key (we will be asked for our region/organization information while doing this):
openssl req -new -newkey rsa:2048 -nodes -keyout CSRkey.pem -out CSR.pem

Generating a self-signed X509 certificate from the CSR:
openssl x509 -req -days 365 -in CSR.pem -signkey CSRkey.pem -out CSRCert.pem

[Image: the X509 certificate]

Certificate Revocation List (CRL) and revoking existing certificates

For creating and using CRLs, we first need to configure a CA (Certificate Authority).

Configuring a CA

  • Create a new directory for your CA and navigate into that directory.
  • Generate a private key for the CA (we will be asked to set a key passphrase in this step):
    openssl genpkey -algorithm RSA -out ca.key -aes256
  • Request a self-signed X509 certificate for the CA (we will be asked for region/organization information in this step):
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
  • Create a configuration file ca.cnf for your CA with the contents shown below, replacing /home/kali/Documents/Networks2/CA/ with the path to your CA directory:
    [Image: contents of ca.cnf]
  • Create the necessary directories and files for your CA (in the CA directory):
    mkdir -p certs newcerts
    touch index.txt
    echo 01 > serial

Certificate Revocation List and revocation

Revoking an existing certificate:
openssl ca -config CA/ca.cnf -revoke CSRCert.pem

Generating a CRL that lists the revoked certificates:
openssl ca -config CA/ca.cnf -gencrl -keyfile CA/ca.key -cert CA/ca.crt -out CRL.crl

Verifying a certificate against the CRL (for a revoked certificate this step should print “Verification failed”):
openssl verify -crl_check -CAfile CA/ca.crt -CRLfile CRL.crl CSRCert.pem
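The CA, signing, revocation and CRL steps above run end to end, as an added example that is not part of the original post. It assumes openssl is on PATH, uses a constructed minimal ca.cnf in place of the one the post shows only as an image, and has the CA sign the leaf certificate (unlike the self-signed CSRCert.pem above) so that the chain verifies and the CRL alone decides the outcome.

```shell
# Added example, not from the post: the CA, signing, revocation and CRL steps
# above run end to end with no prompts. Assumes 'openssl' on PATH; ca.cnf is a
# constructed minimal config standing in for the one the post shows as an image.
set -eu
setup_ca() {    # $1 = CA directory
  mkdir -p "$1/newcerts"; touch "$1/index.txt"
  echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"   # -gencrl numbers CRLs from crlnumber
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # No -aes256 here so nothing prompts for a passphrase; a real CA key should have one.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca.key" 2>/dev/null
  openssl req -config "$1/ca.cnf" -x509 -new -key "$1/ca.key" -sha256 -days 365 \
    -extensions v3_ca -subj "/CN=Demo CA" -out "$1/ca.crt" 2>/dev/null
}
# Issue a CA-signed leaf (unlike the self-signed CSRCert.pem above) so that chain
# verification passes and only the CRL decides. Prints verify's exit status before/after.
crl_demo() {
  work=$(mktemp -d); ca="$work/CA"; setup_ca "$ca"
  openssl req -config "$ca/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=leaf" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl ca -batch -notext -config "$ca/ca.cnf" -in "$work/leaf.csr" -out "$work/leaf.crt" 2>/dev/null
  openssl ca -config "$ca/ca.cnf" -gencrl -out "$work/crl.pem" 2>/dev/null
  before=0; openssl verify -crl_check -CAfile "$ca/ca.crt" -CRLfile "$work/crl.pem" "$work/leaf.crt" >/dev/null 2>&1 || before=$?
  openssl ca -config "$ca/ca.cnf" -revoke "$work/leaf.crt" 2>/dev/null
  openssl ca -config "$ca/ca.cnf" -gencrl -out "$work/crl.pem" 2>/dev/null
  after=0; openssl verify -crl_check -CAfile "$ca/ca.crt" -CRLfile "$work/crl.pem" "$work/leaf.crt" >/dev/null 2>&1 || after=$?
  rm -rf "$work"; echo "before=$before after=$after"   # revoked cert: after is non-zero
}
crl_demo
```

Before revocation the verify exits 0 with an empty CRL; after the CRL is reissued the same certificate fails with "certificate revoked", which is the "Verification failed" result the post describes.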

Message Digest (Hash) Calculation

Listing supported message digest algorithms:
openssl list -digest-algorithms

Getting the message digest of a file:
openssl <hash_algorithm> <file_name>

[Images: example MD5, SHA1 and SHA256 calculations]

Symmetric Encryption/Decryption

Listing supported ciphers:
openssl list -cipher-algorithms

We can use AES-256-CBC as an example.

  • Create a text file:
    echo "THIS IS A TEST FILE" > plaintext.txt
  • Encrypt the text file (we will be asked for a password):
    openssl enc -aes-256-cbc -in plaintext.txt -out ciphertext.enc
    [Image: the encrypted file]
  • Decrypt the encrypted file:
    openssl enc -aes-256-cbc -d -in ciphertext.enc -out plaintext2.txt
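The digest and AES-256-CBC steps above combined into one round trip, as an added example that is not from the post. It assumes openssl is on PATH, passes the password with -pass instead of prompting, and adds -pbkdf2/-iter so the password is stretched (without them, enc warns that its default key derivation is deprecated).

```shell
# Added example, not from the post: the digest and AES-256-CBC steps above as a
# round trip that uses -pbkdf2/-iter to stretch the password. Assumes 'openssl' on PATH.
set -eu
# Hex SHA-256 of a file; 'openssl dgst -sha256 FILE' is what 'openssl sha256 FILE' runs.
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }
# Encrypt $2 under password $1, decrypt it again, and compare digests of the input
# and the decrypted output. Prints "match" on success, "mismatch" otherwise.
aes_roundtrip() {
  work=$(mktemp -d)
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -pass "pass:$1" \
    -in "$2" -out "$work/ciphertext.enc"
  # Decryption must repeat the same KDF parameters or the derived key will differ.
  openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -pass "pass:$1" \
    -in "$work/ciphertext.enc" -out "$work/plaintext2.txt"
  in_hash=$(sha256_of "$2"); out_hash=$(sha256_of "$work/plaintext2.txt")
  rm -rf "$work"
  if [ "$in_hash" = "$out_hash" ]; then echo match; else echo mismatch; fi
}
# Constructed sample plaintext (the same content the post writes to plaintext.txt).
demo=$(mktemp); echo "THIS IS A TEST FILE" > "$demo"
aes_roundtrip "example-password" "$demo"; rm -f "$demo"
```

The digest comparison confirms the decrypted file is byte-identical to the input; note that AES-256-CBC on its own provides confidentiality only, since the ciphertext carries no integrity check.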

SSL/TLS Client/Server Testing

Generating the server key and certificate:
openssl req -newkey rsa:2048 -nodes -keyout SERV.key -x509 -days 365 -out SERV.crt

Generating the client key and certificate:
openssl req -newkey rsa:2048 -nodes -keyout CLIENT.key -x509 -days 365 -out CLIENT.crt

Starting an SSL server on port 4433:
openssl s_server -accept 4433 -key SERV.key -cert SERV.crt

Using an SSL client to connect to the SSL server:
openssl s_client -connect localhost:4433 -key CLIENT.key -cert CLIENT.crt

[Images: a basic TLS client/server exchange using OpenSSL]

Mail Encryption/Decryption using S/MIME

Generating a key and certificate for the recipient:
openssl req -newkey rsa:2048 -nodes -keyout KEY.pem -x509 -days 365 -out CERTIFICATE.pem

Encrypting the mail with the recipient’s certificate (public key):
openssl smime -encrypt -aes256 -in plaintext.txt -out ciphertext.enc -outform DER CERTIFICATE.pem

Decrypting the mail with the recipient’s private key:
openssl smime -decrypt -in ciphertext.enc -inform DER -out plaintext2.txt -inkey KEY.pem

[Image: the encrypted form of “THIS IS A VERY IMPORTANT MAIL”]

Conclusion

After exploring only about 30% of OpenSSL’s use cases, we can see how comprehensive and powerful the tool is for cryptography tests and network security. All large organizations use OpenSSL for testing their security protocols, and you should too. OpenSSL is a lifesaver and automates countless procedures that you would otherwise have to follow manually.

This post is licensed under CC BY 4.0 by the author.