Some OpenSSL hints & tricks

Compute an MD5 checksum

$ openssl dgst -md5 -out passwd.md5 /etc/passwd

Symmetric encryption/decryption

Encrypt

$ openssl enc -bf -e -in /etc/passwd -out passwd.enc -k mypassword

Caveat: the password is passed on the command line, where other users can read it from the process list and it ends up in the shell history!

Using the content of a file instead:

$ openssl enc -bf -e -in /etc/passwd -out passwd.enc -pass file:$HOME/.mypassword

Decrypt

$ openssl enc -bf -d -in passwd.enc -out passwd.dec -k mypassword

or:

$ openssl enc -bf -d -in passwd.enc -out passwd.dec -pass file:$HOME/.mypassword

Asymmetric encryption/decryption

Generate a private key

$ openssl genrsa -out private.key.clr 1024

Using DES3 to password-protect the key:

$ openssl genrsa -out private.key.enc -passout file:$HOME/.mypassword -des3 1024

Extract a public key from a private key

$ openssl rsa -in private.key.clr -out public.key -outform PEM -pubout

Direct encryption/decryption

Warning: only messages shorter than the key itself can be directly encrypted/decrypted.

Encryption:

$ echo hello > message.clr
$ openssl rsautl -encrypt -in message.clr -out message.enc -pubin -inkey public.key

Decryption:

$ openssl rsautl -decrypt -in message.enc -out message.dec -inkey private.key.clr
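Where exactly the limit in the warning above falls is easy to measure. The script below is an added example, not one of the page's commands: it generates a throw-away 2048-bit key pair (a constructed key, the same steps as above via genpkey), computes the largest message the key can encrypt directly under the default PKCS#1 v1.5 padding (modulus bytes minus 11 bytes of padding overhead, so 245 bytes for 2048 bits), and shows that one byte more is rejected. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: locate the size limit of direct RSA encryption.
# With the default PKCS#1 v1.5 padding, RSA can directly encrypt at most
# (modulus bytes - 11) bytes; for a 2048-bit key that is 256 - 11 = 245 bytes.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed key pair, generated fresh for this demonstration.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/private.key" 2>/dev/null
openssl rsa -in "$WORK/private.key" -pubout -out "$WORK/public.key" 2>/dev/null

# Largest message (in bytes) the key can encrypt directly: modulus size minus PKCS#1 v1.5 overhead.
rsa_direct_limit() {
  bits=$(openssl rsa -in "$WORK/private.key" -noout -text 2>/dev/null \
         | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
  echo $(( bits / 8 - 11 ))
}

# Encrypt a random message of $1 bytes with the public key, then decrypt it with the
# private key. Prints "ok" when the round trip succeeds and "too-long" when OpenSSL
# rejects the input (its error is "data too large for key size").
try_direct_encrypt() {
  openssl rand -out "$WORK/message.clr" "$1"
  if ! openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.key" \
        -in "$WORK/message.clr" -out "$WORK/message.enc" 2>/dev/null; then
    echo too-long
    return 0
  fi
  openssl pkeyutl -decrypt -inkey "$WORK/private.key" \
        -in "$WORK/message.enc" -out "$WORK/message.dec" 2>/dev/null
  if cmp -s "$WORK/message.clr" "$WORK/message.dec"; then echo ok; else echo mismatch; fi
}

limit=$(rsa_direct_limit)
printf 'direct RSA limit for this key: %s bytes\n' "$limit"
printf '%s bytes -> %s\n' "$limit" "$(try_direct_encrypt "$limit")"
printf '%s bytes -> %s\n' "$((limit + 1))" "$(try_direct_encrypt "$((limit + 1))")"
```

Anything larger than that limit has to go through a symmetric cipher with a random key that is itself RSA-encrypted, which is exactly the "more realistic sample" further down.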

A more realistic sample

# generate a random key (hex encoded: -pass file: reads up to the first newline, so raw random bytes could be truncated)
alice$ openssl rand -hex -out key.temp 32

# encrypt a file using the random key
alice$ openssl des3 -e -pass file:key.temp -in /etc/passwd -out passwd.enc

# get the checksum of the file
alice$ openssl dgst -md5 -binary /etc/passwd > passwd.md5

# sign the md5 checksum with the private key to prove the sender's identity
alice$ openssl rsautl -sign -in passwd.md5 -out md5.signed -inkey alice.private.key

# encrypt the random key with the recipient's public key
alice$ openssl rsautl -encrypt -in key.temp -out key.enc -pubin -inkey bob.public.key

(transfer of passwd.enc, key.enc and md5.signed from alice to bob)

# decrypt the random key
bob$ openssl rsautl -decrypt -in key.enc -out key.dec -inkey bob.private.key

# decrypt the file with the random key
bob$ openssl des3 -d -pass file:key.dec -in passwd.enc -out passwd.dec

# verify the signature on the md5 checksum with the sender's public key and store the recovered checksum
bob$ openssl rsautl -verify -in md5.signed -out md5.verified -pubin -inkey alice.public.key

# compute the received file's checksum and check that it matches
bob$ openssl dgst -md5 -binary passwd.dec > md5.dec
bob$ diff -s md5.dec md5.verified
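The same exchange, run end to end on one machine so that both the happy path and the two failure cases (a ciphertext altered in transit, a digest signed by someone other than alice) can be checked. This is an added example and not the page's own commands; it departs from the listing above in four places: the session key is hex encoded (so that -pass file: reads all of it), the file is encrypted with AES-256-CBC and PBKDF2 instead of des3, the signature is made with `openssl dgst -sha256 -sign` (which hashes and signs in one step and verifies against the received plaintext) instead of rsautl over a raw MD5, and pkeyutl replaces rsautl for wrapping the key. Both key pairs are constructed fresh in a temporary directory; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not the page's own commands: the alice/bob exchange above, run on one
# machine. Key pairs are generated fresh (constructed) in a temporary directory.
set -u

# Generate an RSA key pair for one party: $1 = work dir, $2 = party name.
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.private.key" 2>/dev/null
  openssl rsa -in "$1/$2.private.key" -pubout -out "$1/$2.public.key" 2>/dev/null
}

# Sender side: $1 = work dir, $2 = file to send. Produces passwd.enc, sha256.signed and key.enc.
alice_send() {
  dir=$1; plain=$2
  # random session key, hex encoded: -pass file: stops at the first newline byte, which a raw binary key may contain
  openssl rand -hex -out "$dir/key.temp" 32
  # encrypt the file under the session key
  openssl enc -aes-256-cbc -pbkdf2 -e -pass "file:$dir/key.temp" -in "$plain" -out "$dir/passwd.enc"
  # sign the SHA-256 digest of the plaintext with alice's private key to prove origin
  openssl dgst -sha256 -sign "$dir/alice.private.key" -out "$dir/sha256.signed" "$plain"
  # wrap the session key with bob's public key; only bob's private key can unwrap it
  openssl pkeyutl -encrypt -pubin -inkey "$dir/bob.public.key" -in "$dir/key.temp" -out "$dir/key.enc"
  rm -f "$dir/key.temp"
}

# Receiver side: $1 = work dir. Prints OK when unwrapping, decryption and the signature
# check all succeed, FAIL otherwise (the verdict is printed, the return code is always 0).
bob_receive() {
  dir=$1
  openssl pkeyutl -decrypt -inkey "$dir/bob.private.key" -in "$dir/key.enc" -out "$dir/key.dec" 2>/dev/null \
    || { echo FAIL; return 0; }
  # an altered ciphertext usually fails here already (bad decrypt / wrong final block length)
  openssl enc -aes-256-cbc -pbkdf2 -d -pass "file:$dir/key.dec" -in "$dir/passwd.enc" -out "$dir/passwd.dec" 2>/dev/null \
    || { echo FAIL; return 0; }
  # verify alice's signature against the plaintext that was actually recovered
  if openssl dgst -sha256 -verify "$dir/alice.public.key" -signature "$dir/sha256.signed" "$dir/passwd.dec" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Whole exchange on a constructed message. $1 selects the scenario:
#   honest       - files arrive exactly as sent
#   tamper       - the ciphertext is altered in transit
#   wrong-signer - the digest was signed with a key other than alice's
run_exchange() {
  scenario=${1:-honest}
  dir=$(mktemp -d)
  printf 'hello from alice\n' > "$dir/message.clr"   # constructed sample plaintext
  make_keypair "$dir" alice
  make_keypair "$dir" bob
  alice_send "$dir" "$dir/message.clr"
  case $scenario in
    tamper)       printf 'x' >> "$dir/passwd.enc" ;;
    wrong-signer) openssl dgst -sha256 -sign "$dir/bob.private.key" -out "$dir/sha256.signed" "$dir/message.clr" ;;
  esac
  verdict=$(bob_receive "$dir")
  # the accepted plaintext must also be byte-identical to what alice sent
  if [ "$verdict" = OK ] && ! cmp -s "$dir/message.clr" "$dir/passwd.dec"; then verdict=FAIL; fi
  rm -rf "$dir"
  echo "$verdict"
}

for s in honest tamper wrong-signer; do
  printf '%-13s %s\n' "$s:" "$(run_exchange "$s")"
done
```

Signing the digest with `dgst -sign` rather than feeding a raw checksum to rsautl means the verifier recomputes the hash over the received file itself, so the separate "compute the checksum and diff it" step of the listing above is folded into the verification.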

SSL Private/Public Key-Pair Setup for Apache 2.0

To be able to accept 'https://' requests, a private/public key-pair for Apache2 with mod_ssl is created and stored in the proper location(s). Before proceeding, the executable 'openssl.exe' must be in the PATH, or the command line must be in the directory containing this file. Make sure that 'openssl.exe' can find its configuration file 'openssl.cnf'.

To create a self-signed private/public 1024 bit key-pair that will be valid for 365 days...

  1. Under our Apache and OpenSSL build guides, openssl.exe/cnf can be under one of the following dirs...
    cd /d C:\www\Apache2\bin
    cd /d C:\www\openssl\bin
  2. mkdir C:\www\Apache2\conf\ssl.crt
    the default location of the public key (also known as the 'Certificate') file server.crt, specified under ssl.conf
  3. mkdir C:\www\Apache2\conf\ssl.key
    the default location of the private key server.key, specified under ssl.conf
  4. openssl req -new -out server.csr
    creates a certificate signing request (server.csr) and a private key (privkey.pem). While not required, openssl.cnf can be edited with the proper information; values present there will not be asked for. If openssl.cnf is not fully configured, you will be asked several questions: 'common name' is the exact name of your website (ex: www.yourdomain.com)
  5. openssl rsa -in privkey.pem -out server.key
    removes the pass-phrase from the private key (privkey.pem), creating server.key
  6. openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
    creates a self-signed certificate, server.crt (public key)
  7. move server.crt C:\www\Apache2\conf\ssl.crt
  8. move server.key C:\www\Apache2\conf\ssl.key
  9. del .rnd
    .rnd contains entropy information that could be used to re-create keys
  10. del privkey.pem
  11. del server.csr
    keep server.csr if you plan on self-signing more keys and you want the authority to match up exactly
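Steps 4 to 6 can be done without answering prompts, and a few checks are worth running before the files are moved into the Apache conf directories. The script below is an added example, not the page's own commands: it creates the key and CSR in one step (-nodes leaves the key unencrypted, which is what step 5 achieves afterwards with 'openssl rsa'), self-signs for 365 days, then confirms the common name, that server.key really belongs to server.crt (a mismatch is the classic reason mod_ssl refuses to start), and the validity window. The hostname www.example.com, the temporary directory and the function names are this example's assumptions; the same openssl commands work on Windows with openssl.exe.

```shell
#!/bin/sh
# Added example, not the page's own commands: steps 4-6 above done non-interactively,
# followed by the checks worth doing before copying the files into Apache's conf directory.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE=www.example.com    # hypothetical site; the CN must be exactly the name clients will type

# step 4, non-interactive: private key and CSR in one go. -nodes leaves the key
# unencrypted, which the page's step 5 ('openssl rsa' to strip the pass-phrase) does later.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/CN=$SITE" 2>/dev/null

# step 6: self-sign the request for 365 days
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" -days 365 \
  -out "$WORK/server.crt" 2>/dev/null

# Common name embedded in the certificate (what clients compare against the hostname).
cert_common_name() {
  openssl x509 -in "$WORK/server.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# "yes" when the public key inside server.crt is the one derived from server.key.
key_matches_cert() {
  openssl x509 -in "$WORK/server.crt" -noout -pubkey > "$WORK/from_cert.pub"
  openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/from_key.pub" 2>/dev/null
  if cmp -s "$WORK/from_cert.pub" "$WORK/from_key.pub"; then echo yes; else echo no; fi
}

# "yes" when the certificate expires within the next $1 days (-checkend takes seconds and
# exits non-zero when the certificate will have expired by then).
expires_within_days() {
  if openssl x509 -in "$WORK/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# "yes" when the certificate's signature verifies against itself (self-signed, as intended).
self_signature_ok() {
  if openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1; then echo yes; else echo no; fi
}

printf 'common name:          %s\n' "$(cert_common_name)"
printf 'key matches cert:     %s\n' "$(key_matches_cert)"
printf 'self-signature ok:    %s\n' "$(self_signature_ok)"
printf 'expires within 364 d: %s\n' "$(expires_within_days 364)"
printf 'expires within 366 d: %s\n' "$(expires_within_days 366)"
```

The key/certificate match check is the one to keep around: it is also the quickest way to find out which pair a server is actually serving when several server.key and server.crt files have accumulated under conf\ssl.key and conf\ssl.crt.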