Difference between revisions of "Command Line Utilities"

From OpenSSLWiki
Jump to navigationJump to search
Line 226: Line 226:
  
 
==== dsa ====
 
==== dsa ====
 +
 +
dsa is a less common Public/Private key scheme, but can be seen anyway, so ...
 +
 
OpenSSL> dsa help
 
OpenSSL> dsa help
 
unknown option help
 
unknown option help
Line 248: Line 251:
 
  -modulus        print the DSA public value
 
  -modulus        print the DSA public value
 
error in dsa
 
error in dsa
 
  
 
==== Certificates AKA x509  ====
 
==== Certificates AKA x509  ====

Revision as of 14:46, 23 March 2013

OpenSSL site command line tools

When installed on your system openssl binary is entry point for many functions.

  • launching openssl without any parameter will enter an interactive mode with an OpenSSL> prompt
    • to quit: quit
    • enter a command it will set a command context in which parameters depends on command.
  • to known what commands and parameters you can issue for openssl do :
    • openssl help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             srp               ts                verify            
version           x509              

Message Digest commands (see the `dgst' command for more details)
md4               md5               rmd160            sha               
sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              rc2               
rc2-40-cbc        rc2-64-cbc        rc2-cbc           rc2-cfb           
rc2-ecb           rc2-ofb           rc4               rc4-40            
seed              seed-cbc          seed-cfb          seed-ecb          
seed-ofb          zlib              

commands

Get information about your openssl toolkit

version

OpenSSL> version OpenSSL 1.0.1e 11 Feb 2013

ciphers

returns SSL/TLS ciphers supported.

OpenSSL> ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

engine

OpenSSL> engine (rsax) RSAX engine support (dynamic) Dynamic engine loading support

speed

returns informations of toolkit performance on cryptographic functions computations.

( Ex: on Linux 3.1.0-1-amd64 #1 SMP x86_64 GNU/Linux, HP dv7 i7 4Gb )

Doing md4 for 3s on 16 size blocks: 12430613 md4's in 3.00s
...
Doing md5 for 3s on 16 size blocks: 8943943 md5's in 2.99s
Doing md5 for 3s on 64 size blocks: 6560162 md5's in 3.00s
Doing md5 for 3s on 256 size blocks: 3674563 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1325803 md5's in 3.00s
Doing md5 for 3s on 8192 size blocks: 190271 md5's in 3.00s
Doing hmac(md5) for 3s on 16 size blocks: 7289025 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 64 size blocks: 5519732 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 256 size blocks: 3319123 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 1024 size blocks: 1275475 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 8192 size blocks: 187134 hmac(md5)'s in 3.00s
Doing sha1 for 3s on 16 size blocks: 10089842 sha1's in 2.99s
Doing sha1 for 3s on 64 size blocks: 7033355 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 3919372 sha1's in 3.00s
Doing sha1 for 3s on 1024 size blocks: 1374314 sha1's in 3.00s
Doing sha1 for 3s on 8192 size blocks: 198808 sha1's in 3.00s
Doing sha256 for 3s on 16 size blocks: 6462822 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 3504641 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 1486771 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 440613 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 58418 sha256's in 3.00s
Doing sha512 for 3s on 16 size blocks: 5040453 sha512's in 2.99s
Doing sha512 for 3s on 64 size blocks: 5089425 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 1865240 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 643708 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 90615 sha512's in 3.00s
...
Doing whirlpool for 3s on 8192 size blocks: 33204 whirlpool's in 3.00s
...
Doing rmd160 for 3s on 8192 size blocks: 66719 rmd160's in 3.00s
...
Doing rc4 for 3s on 8192 size blocks: 238972 rc4's in 3.00s
...
Doing des cbc for 3s on 8192 size blocks: 19837 des cbc's in 3.00s
...
Doing des ede3 for 3s on 8192 size blocks: 7706 des ede3's in 3.00s
...
Doing aes-128 cbc for 3s on 8192 size blocks: 35217 aes-128 cbc's in 3.00s
...
Doing aes-192 cbc for 3s on 8192 size blocks: 29225 aes-192 cbc's in 3.01s
...
Doing aes-256 cbc for 3s on 8192 size blocks: 24414 aes-256 cbc's in 3.00s
...
Doing aes-256 ige for 3s on 8192 size blocks: 23331 aes-256 ige's in 2.99s
...

Create / Handle Public Key Certificates

This requires you have a knowledge of what PKI is ( Certificate Authorities, Certificate Request, Certificate, Public Key, Private Key )

Classical use case is to obtain a valid Certificate for a Secured Web site ( https protocol ). First you create a Private Key ( will be created together with Public key ). Then create a Certificate Request for that private key with some informations for purpose of future Certificate. Then send that Certificate Request to a Certificate Authority ( CA ) that will issue a Certificate that CA signed. For well known CA you need to pay. Up to you to install your Private key together with the received Certificate on your system.

ca

OpenSSL> ca Using configuration from /usr/lib/ssl/openssl.cnf Error opening CA private key ./demoCA/private/cakey.pem 140492277311144:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r') 140492277311144:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load CA private key error in ca

By default you don't have ca created...

Certificate Request / req

OpenSSL> req ? unknown option ? req [options] <infile >outfile where options are

-inform arg    input format - DER or PEM
-outform arg   output format - DER or PEM
-in arg        input file
-out arg       output file
-text          text form of request
-pubkey        output public key
-noout         do not output REQ
-verify        verify signature on REQ
-modulus       RSA modulus
-nodes         don't encrypt the output key
-engine e      use engine e, possibly a hardware device
-subject       output the request's subject
-passin        private key password source
-key file      use the private key contained in file
-keyform arg   key file format
-keyout arg    file to send the key to
-rand file:file:...
               load the file (or the files in the directory) into
               the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
-newkey ec:file generate a new EC key, parameters taken from CA in 'file'
-[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)
-config file   request template file.
-subj arg      set or modify request subject
-multivalue-rdn enable support for multivalued RDNs
-new           new request.
-batch         do not ask anything during request generation
-x509          output a x509 structure instead of a cert. req.
-days          number of days a certificate generated by -x509 is valid for.
-set_serial    serial number to use for a certificate generated by -x509.
-newhdr        output "NEW" in the header lines
-asn1-kludge   Output the 'request' in a format that is wrong but some CA's
               have been reported as requiring
-extensions .. specify certificate extension section (override value in config file)
-reqexts ..    specify request extension section (override value in config file)
-utf8          input characters are UTF8 (default ASCII)
-nameopt arg    - various certificate name options
-reqopt arg    - various request text options

error in req

rsa

RSA is the most common type of Public/Private Key. Private Key part should never de disclosed while public key part is ... public.

rsa help unknown option help rsa [options] <infile >outfile where options are

-inform arg     input format - one of DER NET PEM
-outform arg    output format - one of DER NET PEM
-in arg         input file
-sgckey         Use IIS SGC key format
-passin arg     input file pass phrase source
-out arg        output file
-passout arg    output file pass phrase source
-des            encrypt PEM output with cbc des
-des3           encrypt PEM output with ede cbc des using 168 bit key
-seed           encrypt PEM output with cbc seed
-aes128, -aes192, -aes256
                encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
                encrypt PEM output with cbc camellia
-text           print the key in text
-noout          don't print key out
-modulus        print the RSA key modulus
-check          verify key consistency
-pubin          expect a public key in input file
-pubout         output a public key
-engine e       use engine e, possibly a hardware device.

error in rsa

dsa

dsa is a less common Public/Private key scheme, but can be seen anyway, so ...

OpenSSL> dsa help unknown option help dsa [options] <infile >outfile where options are

-inform arg     input format - DER or PEM
-outform arg    output format - DER or PEM
-in arg         input file
-passin arg     input file pass phrase source
-out arg        output file
-passout arg    output file pass phrase source
-engine e       use engine e, possibly a hardware device.
-des            encrypt PEM output with cbc des
-des3           encrypt PEM output with ede cbc des using 168 bit key
-aes128, -aes192, -aes256
                encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
                encrypt PEM output with cbc camellia
-seed           encrypt PEM output with cbc seed
-text           print the key in text
-noout          don't print key out
-modulus        print the DSA public value

error in dsa

Certificates AKA x509

x509 command allows you to display content of a x509 certificate and to convert it from/to PEM, NET or DER formats.

OpenSSL> x509 help unknown option help usage: x509 args

-inform arg     - input format - default PEM (one of DER, NET or PEM)
-outform arg    - output format - default PEM (one of DER, NET or PEM)
-keyform arg    - private key format - default PEM
-CAform arg     - CA format - default PEM
-CAkeyform arg  - CA key format - default PEM
-in arg         - input file - default stdin
-out arg        - output file - default stdout
-passin arg     - private key password source
-serial         - print serial number value
-subject_hash   - print subject hash value
-subject_hash_old   - print old-style (MD5) subject hash value
-issuer_hash    - print issuer hash value
-issuer_hash_old    - print old-style (MD5) issuer hash value
-hash           - synonym for -subject_hash
-subject        - print subject DN
-issuer         - print issuer DN
-email          - print email address(es)
-startdate      - notBefore field
-enddate        - notAfter field
-purpose        - print out certificate purposes
-dates          - both Before and After dates
-modulus        - print the RSA key modulus
-pubkey         - output the public key
-fingerprint    - print the certificate fingerprint
-alias          - output certificate alias
-noout          - no certificate output
-ocspid         - print OCSP hash values for the subject name and public key
-ocsp_uri       - print OCSP Responder URL(s)
-trustout       - output a "trusted" certificate
-clrtrust       - clear all trusted purposes
-clrreject      - clear all rejected purposes
-addtrust arg   - trust certificate for a given purpose
-addreject arg  - reject certificate for a given purpose
-setalias arg   - set certificate alias
-days arg       - How long till expiry of a signed certificate - def 30 days
-checkend arg   - check whether the cert expires in the next arg seconds
                  exit 1 if so, 0 if not
-signkey arg    - self sign cert with arg
-x509toreq      - output a certification request object
-req            - input is a certificate request, sign and output.
-CA arg         - set the CA certificate, must be PEM format.
-CAkey arg      - set the CA key, must be PEM format
                  missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg   - serial file
-set_serial     - serial number to use
-text           - print the certificate in text form
-C              - print out C code forms
-md2/-md5/-sha1/-mdc2 - digest to use
-extfile        - configuration file with X509V3 extensions to add
-extensions     - section from config file with X509V3 extensions to add
-clrext         - delete extensions before signing and input certificate
-nameopt arg    - various certificate name options
-engine e       - use engine e, possibly a hardware device.
-certopt arg    - various certificate text options

Client Certificates AKA pkcs12

Client Certificate is a language abuse, but anyway it is knid of file you need to install on your system when SSL/TLS server require Client Authentication. Those kind of certificates credentials are known as pkcs12 or pfx files. They contains a x509 Certificate and the public/private key of client. Those files are then very sensible to handle with same security as a private key.

Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
-out outfile  output filename
-noout        don't output anything, just verify.
-nomacver     don't verify MAC.
-nocerts      don't output certificates.
-clcerts      only output client certificates.
-cacerts      only output CA certificates.
-nokeys       don't output private keys.
-info         give info about PKCS#12 structure.
-des          encrypt private keys with DES
-des3         encrypt private keys with triple DES (default)
-seed         encrypt private keys with seed
-aes128, -aes192, -aes256
              encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
              encrypt PEM output with cbc camellia
-nodes        don't encrypt private keys
-noiter       don't use encryption iteration
-nomaciter    don't use MAC iteration
-maciter      use MAC iteration
-nomac        don't generate MAC
-twopass      separate MAC, encryption passwords
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
-keypbe alg   specify private key PBE algorithm (default 3DES)
-macalg alg   digest algorithm used in MAC (default SHA1)
-keyex        set MS key exchange type
-keysig       set MS key signature type
-password p   set import/export password source
-passin p     input file pass phrase source
-passout p    output file pass phrase source
-engine e     use engine e, possibly a hardware device.
-rand file:file:...
              load the file (or the files in the directory) into
              the random number generator
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key