Monday, March 5, 2012

Quick introduction to OpenSSL

OpenSSL is an open source Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) implementation. I exclusively use this for handling SSL related tasks, and diagnostics. I will explain the OpenSSL commands I frequently use in this blog post. Before we go to the commands, let's do a quick explanation of the terminology used in SSL:
  • Certificate Signing Request (CSR): a message format for a certificate signing request for a Certificate Authority. This message is required for generating/requesting certificates.
  • Public/Private key: a private key should be kept secret by the owner, and can be used to sign data, or decrypt messages encrypted with the public key. The public key is used to encrypt message which are only to be read by the owner of the private key. The encryption/decryption process tends to be slow compared to using a symmetric encryption key.
  • Symmetric key: one key for encrypting and decrypting. This process is fast. When we use SSL in our browser, the public/private key is only used to negotiate a symmetric key encryption method. The actual data transfer encryption is therefore symmetric (fast).
  • (Root) Certificate: a certificate contains identification information, a public key that can be used to encrypt messages, and a signature of a Certificate Authority. The signature tells us that the identification information is trusted/verified by the Certificate Authority. If we trust the Certificate Authority, then we also trust the identity of the owner of the certificate (authentication).
  • Certificate Authority (CA): an organization we consider to be trusted. A CA will sign and issue certificates. Using the root certificate of a CA, we can verify if other certificates are indeed signed by this particular CA. Your browser has a standard set of root certificates of commonly recognized CA's.

Common commands

To generate a CSR for a certificate with a 2048-bit private key:
openssl req -out certificate.csr -new
  -newkey rsa:2048 -nodes -keyout private.key
Generate a self-signed certificate (we are our own CA):
openssl req -x509 -nodes -days 365 -newkey rsa:2048
  -keyout private.key -out certificate.crt
Print out the information contained in a certificate, such as identification, and the public key:
openssl x509 -in certificate.crt -text -noout
To check a web server for its SSL-certificates:
openssl s_client -showcerts -connect </dev/null