OpenSSL is an indispensable tool for security practitioners, offering a wide range of capabilities from creating private keys and certificate signing requests (CSRs) to verifying certificate chains and testing server security. Here, we share some fundamental OpenSSL commands that every security professional should be familiar with to ensure robust digital security management.

1. Generating Private Keys

Creating a strong private key is the first step in securing your digital communications. Use the following command to generate a new RSA private key of 2048 bits, which is the current industry standard for encryption:

bashCopy code

openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048

2. Creating a Certificate Signing Request (CSR)

Once you have a private key, the next step is to create a CSR, which is required to obtain a certificate from a Certificate Authority (CA):

bashCopy code

openssl req -new -key private.key -out certificate.csr

This command will prompt you to enter information that will be included in your certificate, such as your country, organization, and common name (domain name).

3. Self-Signing Your Certificate for Testing

For testing purposes or internal use, you might want to self-sign your certificate instead of getting it signed by a CA:

bashCopy code

openssl req -x509 -days 365 -key private.key -in certificate.csr -out certificate.crt

This command creates a self-signed certificate valid for 365 days.

4. Verifying a Certificate

To ensure that a certificate is valid and has been signed by a trusted CA, use the following command:

bashCopy code

openssl verify -CAfile ca_bundle.crt certificate.crt

This command checks the certificate against the CA’s bundle to verify its authenticity.

5. Checking Certificate Information

To view the details of a certificate, such as its issuer, validity dates, and subject, use:

bashCopy code

openssl x509 -in certificate.crt -text -noout

6. Testing TLS/SSL Server Security

Use OpenSSL to connect to a server and analyze its security settings, including supported protocols and cipher suites:

bashCopy code

openssl s_client -connect hostname:port

Replace hostname:port with the actual domain name and port (typically 443 for HTTPS).

7. Encrypting Files

OpenSSL can also encrypt files using various algorithms. For example, to encrypt a file using AES-256-CBC:

bashCopy code

openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.dat -pass pass:YourPassword

To decrypt the file, use:

bashCopy code

openssl enc -d -aes-256-cbc -in encrypted.dat -out plaintext.txt -pass pass:YourPassword