codeaprendiz.github.io

DevOps Essentials

View on GitHub

openssl

NAME

openssl - OpenSSL command line tool

SYNOPSIS

openssl command [ command_opts ] [ command_args ]

openssl [ list-standard-commands list-message-digest-commands list-cipher-commands ]

openssl no-XXX [ arbitrary options ]

DESCRIPTION

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

The openssl program is a command line tool for using the various cryptography functions of OpenSSL’s crypto library from the shell. It can be used for

COMMAND SUMMARY

The openssl program provides a rich variety of commands (command in the SYNOPSIS above), each of which often has a wealth of options and arguments (command_opts and command_args in the SYNOPSIS).

The pseudo-commands list-standard-commands, list-message-digest-commands, and list-cipher-commands output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present openssl utility.

The pseudo-command no-XXX tests whether a command of the specified name is available. If no command named XXX exists, it returns 0 (success) and prints no-XXX; otherwise it returns 1 and prints XXX. In both cases, the output goes to stdout and nothing is printed to stderr. Additional command line arguments are always ignored. Since for each cipher there is a command of the same name, this provides an easy way for shell scripts to test for the availability of ciphers in the openssl program. (no-XXX is not able to detect pseudo-commands such as quit, list-…-commands, or no-XXX itself.)

PASS PHRASE ARGUMENTS

Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.

EXAMPLE

Consider the following example. Here ‘password’ is encrypted into ‘U2FsdGVkX1817zbt5MrD6zrTygx4dRgXUb6NHUmt6po=’ by using the password as ‘testapp’.

$ echo password | openssl enc -aes-128-cbc -a -salt -pass pass:testapp                                                          U2FsdGVkX1817zbt5MrD6zrTygx4dRgXUb6NHUmt6po=
$ echo U2FsdGVkX1817zbt5MrD6zrTygx4dRgXUb6NHUmt6po= | openssl enc -aes-128-cbc -a -d -salt -pass pass:testapp
password

COMMAND

enc

NAME

openssl-enc, enc - symmetric cipher routines

SYNOPSIS

openssl enc -cipher [-help] [-ciphers] [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a] [-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md digest] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-rand file…] [-writerand file] [-engine id]

openssl [cipher] […]

DESCRIPTION

The symmetric cipher commands allow data to be encrypted or decrypted using various block and stream ciphers using keys based on passwords or explicitly provided. Base64 encoding or decoding can also be performed either by itself or in addition to the encryption or decryption.

OPTIONS
EXAMPLES

Just base64 encode a binary file:

$ openssl base64 -in file.bin -out file.b64

Decode the same file

$ openssl base64 -d -in file.b64 -out file.bin

pkcs12

NAME

pkcs12 - PKCS#12 file utility

SYNOPSIS

openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename] [-name name] [-caname name] [-in filename] [-out filename] [-noout] [-nomacver] [-nocerts] [-clcerts][-cacerts] [-nokeys] [-info] [-des] [-des3] [-idea] [-nodes] [-noiter] [-maciter] [-twopass] [-descert] [-certpbe] [-keypbe] [-keyex] [-keysig] [-password arg] [-passin arg][-passout arg] [-rand file(s)]

DESCRIPTION

The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.

OPTIONS
$ openssl pkcs12 -in asda-gr-int.company.com.pfx -out asda-gr-text.int.company.com.pem

rsa

NAME

openssl-rsa, rsa - RSA key processing tool

SYNOPSIS
openssl rsa [-help] [-inform PEM NET DER] [-outform PEM NET DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-aria128] [-aria192] [-aria256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-RSAPublicKey_in] [-RSAPublicKey_out] [-engine id]
DESCRIPTION

The rsa command processes RSA keys. They can be converted between various forms and their components printed out. Note this command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the pkcs8 utility. OPTIONS

EXAMPLES

Consider a certificate “certificate.pem” containing encrypted private key. You can decrypt it using the following command

$ openssl rsa -in certificate.pem -out decryptedKeyFile.crt

s_client

NAME

s_client - SSL/TLS client program

SYNOPSIS
openssl s_client [-connect host:port] [-verify depth] [-cert filename] [-certform DER PEM] [-key filename] [-keyform DER PEM] [-pass arg] [-CApath directory] [-CAfile filename][-attime timestamp] [-check_ss_sig] [-crl_check] [-crl_check_all] [-explicit_policy] [-ignore_critical] [-inhibit_any] [-inhibit_map] [-issuer_checks] [-policy arg] [-policy_check] [-policy_print] [-purpose purpose] [-use_deltas] [-verify_depth num] [-x509_strict] [-reconnect] [-pause] [-showcerts] [-debug] [-msg] [-nbio_test] [-state][-nbio] [-crlf] [-ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-fallback_scsv] [-bugs] [-cipher cipherlist] [-starttls protocol] [-xmpphost hostname] [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename] [-sess_in filename] [-rand file(s)]
DESCRIPTION

The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.

OPTIONS
$ openssl s_client -connect www.feistyduck.com:443
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.feistyduck.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.feistyduck.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6361 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: E9C40EAFA4BB7A521E940355E619401BA22DBB7AD915C4A23717335AC41974C4
    Session-ID-ctx: 
    Master-Key: 72044D05FF62C4E075A47DB35FA6C7F3AF77022368A73C82964ACF2BFCA8A857259F134453F4B4FD45D6421B35465796
    Key-Arg   : None
    Start Time: 1521986055
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
HEAD / HTTP/1.0
Host: www.feistyduck.com
HTTP/1.1 400 Bad Request
Date: Sun, 25 Mar 2018 13:57:33 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
read:errno=0

USEFUL IMPLEMENTATION

To download the certificate directly we use the following command

$ echo | openssl s_client -connect qa.iam.platform.prod.company.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/iam_cert.pem;

x509

NAME

x509 - Certificate display and signing utility

SYNOPSIS
openssl x509 [-inform DER PEM NET] [-outform DER PEM NET] [-keyform DER PEM] [-CAform DER PEM] [-CAkeyform DER PEM] [-in filename] [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-ocspid] [-subject] [-issuer] [-nameopt option] [-email] [-startdate] [-enddate] [-purpose] [-dates] [-checkend num] [-modulus] [-fingerprint][-alias] [-noout] [-trustout] [-clrtrust] [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-set_serial n] [-signkey filename] [-passin arg][-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial filename] [-text] [-certopt option] [-C] [-md2 -md5 -sha1 -mdc2] [-clrext] [-extfile filename][-extensions section] [-engine id]
DESCRIPTION

The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a “mini CA” or edit certificate trust settings.

OPTIONS
EXAMPLES

To get the certificate expiry dates

$ openssl s_client -connect 10.57.148.133:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov  8 23:47:37 2017 GMT
notAfter=Nov  9 23:47:37 2019 GMT

To get detailed information

$ openssl x509 -in georgebackend.oms.prod.company.com.pem -text -noout                                                                                                             ``