The openssl application that ships with the OpenSSL libraries can perform a wide range of crypto operations. The openssl command-line binary that ships with the OpenSSL libraries can perform a wide range of cryptographic operations. It can come in handy in scripts or for accomplishing one-time command-line tasks.
Documentation for using the openssl application is somewhat scattered, however, so this article aims to provide some practical examples of its use. Just to be clear, this article is strictly practical; it does not concern cryptographic theory and concepts.
There are three built-in options for getting lists of available commands, but none of them provide what I consider useful output. The best thing to do is provide an invalid command help or -h will do nicely to get a readable answer.
Use the ciphers option. The ciphers 1 man page is quite helpful. The OpenSSL developers have built a benchmarking suite directly into the openssl binary. It tests how many operations it can perform in a given time, rather than how long it takes to perform a given number of operations. There are two sets of results. Here are the results on an 2.
The most simple invocation will run for 30 seconds, use any cipher, and use SSL handshaking to determine number of connections per second, using both new and reused sessions:.
Doing so means that the key is protected by a passphrase.
On the plus side, adding a passphrase to a key makes it more secure, so the key is less likely to be useful to someone who steals it. This example will produce a file called mycert. The certificate will be valid for days, and the key thanks to the -nodes option is unencrypted. This is very important.
Applying for a certificate signed by a recognized certificate authority like VeriSign is a complex bureaucratic process.
When dealing with an institution like VeriSign, you need to take special care to make sure that the information you provide during the creation of the certificate request is exactly correct. Save the key file in a secure location. First, launch the test server on the machine on which the certificate will be used.
By default, the server will listen on port ; you can alter that using the -accept option. If the server launches without complaint, then chances are good that the certificate is ready for production use. You can also point your web browser at the test server, e.
You should see a page listing the various ciphers available and some statistics about your connection. Most modern browsers allow you to examine the certificate as well.BUT, note in the above commands, the 'value' and 'key' are ascii strings. The above syntax is problematic if you want to specify a Binary value for the key, which does not correspond to printable characters. To demonstate the point, let's get the hex string equivalent of the three character acsii string 'key', so that we can use the same hashes as in the examples above.
To do this, I use utility ' xxd ' which does a hexdump. For further information on 'xdd' see my previous blog posts. Finally, I will just confirm some details of the system that gave the above output: rpm -qa grep openssl openssl You're a life saver Nigel! I've been struggling with this for ages, I was using the flags: -sha1 -macopt hexkey:FFFF -hmac '' I was triggering hmac with the "-hmac ''" flag, but obviously I needed to drop the empty-key hmac entry and use "-mac HMAC" instead My mistake was that openssl is no longer symbolically linking the files in homebrew and so I was using the system version of openssl instead of the newer 1.
When I explicitly reference the homebrew version your examples work great. Post a comment. If you want to do a quick command-line generation of a HMACthen the openssl command is useful.
Encrypt & Decrypt Files With Password Using OpenSSL
It only takes a minute to sign up. But where is the sha3sum command that can generate SHA-3 commands? There are a number of implementations, e. In Debian, install libdigest-sha3-perl ; in Fedora, install sha3sum ; both of these will provide a sha3sum command based on the Perl module, which behaves in the same way as the binaries you're used to.
RHash application could do it:. For what it's worth, Busybox has had code for it since If you have openssl installed you should have the hashalot command which says :. A recent enough version of OpenSSL 1. All platforms supported by Rust. For the others: Binary for some plateforms.
For more information's see: Bitbucket. Sign up to join this community. The best answers are voted up and rise to the top. How can I generate SHA3 if there is no sha3sum command in coreutils? Ask Question. Asked 3 years, 4 months ago.
Active 9 months ago. Viewed 9k times. I have sha1sum or shasum on an average Linux distro. Evan Carroll On a Debian-based Linux, it's apparently part of the libdigest-sha3-perl package not tested. Doing it with SSL unix. Active Oldest Votes. Stephen Kitt Stephen Kitt k 31 31 gold badges silver badges bronze badges. In Debian, libdigest-sha3-perl is available in jessie and newer which currently means stretch and sid.
No package sha3sum available.
Which version? Evan Carroll Evan Carroll Kiwy 7, 7 7 gold badges 43 43 silver badges 68 68 bronze badges. If you have openssl installed you should have the hashalot command which says : Supported values for HASHTYPE: ripemd rmd rmdcompat sha sha sha You can also use directly the sha command. Patrick Mevzek Patrick Mevzek 2, 1 1 gold badge 15 15 silver badges 26 26 bronze badges. While this is a useful answer, it would be better if you indicated that you are the author of this particular sha3sum implementation.
Sign up or log in Sign up using Google.OpenSSL is a powerful cryptography toolkit that can be used for encryption of files and messages. If you want to use the same password for both encryption of plaintext and decryption of ciphertext, then you have to use a method that is known as symmetric-key algorithm. Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data.
The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
Base64 encoding is a standard method for converting 8-bit binary information into a limited subset of ASCII characters. It is needed for safe transport through e-mail systems, and other systems that are not 8-bit safe. If you are going to send it by email, IRC, etc. Cool Tip: Want to keep safe your private data? Create a password protected ZIP file from the Linux command line. Really easy! Warning: Since the password is visible, this form should only be used where security is not important.
If you are creating a BASH script, you may want to set the password in non interactive way, using -k option.
Cool Tip: Need to improve security of the Linux system? I have used the last command line to decrypt a file but my lecturer hinted that I need to use a parameter related to encoding. What is it? The code is base I encrypted a. Some folks say it could not be done, but it seemed to have worked for me. Note: If I use the same code, but change the output name, it can decrypt just fine.
My issue was that I encrypted the file using the same output name as the input, which has made it impossible for me to decrypt it. When I tried to decrypt it, I received the folllowing messages: enter aescbc decryption password: error reading input file.So, today we are going to list some of the most popular and widely used OpenSSL commands.
These examples will probably include those ones which you are looking for. This will generate a self-signed SSL certificate valid for 1 year. Instead of performing the operations such as generating and removing keys and certificates, you could easily check the information using the OpenSSL commands. Here are few examples. In such situations, the following commands will be helpful. The OpenSSL commands are also available for benchmarking needs. You could benchmark your server performance and connection stability using the commands.
To convert the SSL certificates or keys from one format to another, you could utilize the following commands. You can change the format from one to another to make the certificates compatible with the server.
Convert a PKCS 12 file. You can add -nocerts to only output the private key or add -nokeys to only output the certificates. To do this, the best option is inputting an invalid command to the command line.
For example, you could use this command. There you can find out all the possible commands recognized by your command line. In addition, you could also find out a list of the sub commands by using an incorrect subcommand like this.
Now you know a bunch of useful commands for the OpenSSL. Go and try them yourself. By the way, he likes to read a lot and acquire knowledge from various sources online. Email Address. Email Address Subscribe. Follow Us Facebook Twitter Pinterest.This post is my personal collection of openssl command snippets and examples, grouped by use case.
For example, I skip encryption and decryption, or using openssl for CA management. You never know where it ends. In the commands below, replace [bits] with the key size For example, Print public key or modulus only: openssl rsa -in example. Print textual representation of RSA key: openssl rsa -in example. Check your private key. Encrypt existing private key with a pass phrase: openssl rsa -des3 -in example. In the commands below, replace [digest] with the name of the supported hash function: md5sha1shashasha or shaetc.
Create a CSR from existing private key. Create a CSR and a private key without a pass phrase in a single command: openssl req -nodes -newkey rsa:[bits] -keyout example.
Provide CSR subject info on a command line, rather than through interactive prompt. Create a CSR from existing certificate and private key: openssl x -xtoreq -in cert. Create self-signed certificate and new private key from scratch: openssl req -nodes -newkey rsa -keyout example.
Create a self signed certificate using existing CSR and private key: openssl x -req -in example. If you were a CA company, this shows a very naive example of how you could issue new certificates. Print textual representation of the certificate openssl x -in example. Verify that private key matches a certificate and CSR: openssl rsa -noout -modulus -in example.
Verify certificate, provided that you have root and any intemediate certificates configured as trusted on your machine: openssl verify example.
Verify certificate, when you have intermediate certificate chain. Root certificate is not a part of bundle, and should be configured as a trusted on your machine.
Verify certificate, when you have intermediate certificate chain and root certificate, that is not configured as a trusted one. Verify that certificate served by a remote server covers given host name. Useful to check your mutlidomain certificate properly covers all the host names.Asymmetric encryption - Simply explained
Test TLS connection by forcibly using specific cipher suite, e. Useful to check if a server can properly talk via different configured cipher suites, not one it prefers. Measure speed of various security algorithms: openssl speed rsa openssl speed ecdsap Also, you can add a chain of certificates to PKCS12 file. Convert a PKCS 12 file. List available TLS cipher suites, openssl client is capable of: openssl ciphers -v. Enumerate all individual cipher suites, which are described by a short-hand OpenSSL cipher list string.
Use -showcerts flag to show full certificate chain, and manually save all intermediate certificates to chain. If this article was helpful, tweet it.
OpenSSL Commands Examples
Don't ask why Unfortunately, my version at least doesn't do bcrypt. If your C library does, it should and the manpage gives a -R option to set the strength. If you need to generate bcrypt passwords, you can do it fairly simply with the Crypt::Eksblowfish::Bcrypt Perl module. NOTE: The command mkpasswd is actually part of the expect package, and should probably be avoided.
You can find out what package it belongs to with either of these commands. To work around this you can use the following Python or Perl one-liners to generate SHA passwords. Take note that these are salted:. Support for this method of specifying the algorithm is dependent on support in OS level crypt 3 library function usually in libcrypt.
It is not dependent on python version. In these examples the password is the string "password" and the salt is "saltsalt". You can use the doveadm utility, which is included in the dovecot package.
The text isn't masked while you're typing, but it won't show up in your bash history. You could also start the command with a leading space, but I always forget to do that. It supports sha1, sha, sha and md5. Sign up to join this community.
The best answers are voted up and rise to the top.