Difference between revisions of "Linux openssl"
Latest revision as of 08:39, 22 May 2021
Description
The way public/private keys work is that the public key is used to encrypt data and only the matching private key can decrypt it.
Public Key -> Encrypt.
Private Key -> Decrypt.
Example
This is a real example of public/private key usage.
Create a public & private key and/or x.509 cert.
Create a private key. (1024 bits is shown here; 2048 bits is the current minimum recommended for RSA.)
openssl genrsa -out mykey.pem 1024
Create a public key.
openssl rsa -in mykey.pem -pubout -out pubkey.pem
or
openssl rsa -in mykey.pem -pubout > mykey.pub
Either form calculates the public key from the private key.
The command below creates a self-signed x.509 certificate (a public .cer file) from the private key.
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 365
Create a CA Cert
openssl req -x509 -new -nodes -key private.pem -sha256 -days 1825 -out CA.pem
Create a server cert from CA
Once you have a CA created you can create a child cert from it for a server or anything else.
1. Create a new private key for your server.
2. Create a certificate signing request (CSR).
openssl req -new -key server_private.pem -out server.csr
3. Create a new certificate using the Root CA and Root CA private key from the CSR.
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca_private.pem -CAcreateserial -out server.crt -days 730 -sha256
4. Verify the new cert against the CA.
openssl verify -verbose -CAfile ca.pem server.crt
5. View the new cert info.
openssl x509 -in server.crt -text -noout
6. Extra!! You might need to create a pem containing both the private key and the cert.
cat server_private.pem server.crt > server.pem
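The steps above as one runnable script. This is an added example, not code from the original page: it builds a CA, a server key and CSR, a CA-signed server cert carrying a subjectAltName, and verifies the chain; it also builds a second, unrelated CA to show the verify step failing against the wrong root. File names, subject names and the $WORK directory are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: CA -> server key/CSR -> signed
# server cert -> verify, plus a negative check against an unrelated CA.
# All file and subject names are this example's own; work happens in $WORK.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_ca() {   # $1 = file prefix, $2 = CA common name; self-signed, 1825 days
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 -subj "/CN=$2" \
    -keyout "$WORK/$1_private.pem" -out "$WORK/$1.pem" 2>/dev/null
}

make_server_cert() {   # $1 = CA prefix, $2 = server DNS name; writes server.crt
  openssl genrsa -out "$WORK/server_private.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/server_private.pem" -subj "/CN=$2" \
    -out "$WORK/server.csr" 2>/dev/null
  # x509 -req does not copy extensions from the CSR; supply them at signing time
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1_private.pem" \
    -CAcreateserial -days 730 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

verify_chain() {   # $1 = CA prefix; prints ok or fail, never aborts the script
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

has_san() {   # prints 1 when server.crt carries DNS:$1 in its SAN, else 0
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -c "DNS:$1" || true
}

make_ca ca "Example Test CA"
make_ca rogue "Unrelated Test CA"
make_server_cert ca localhost
echo "against issuing CA:   $(verify_chain ca)"     # ok
echo "against unrelated CA: $(verify_chain rogue)"  # fail
echo "SAN present:          $(has_san localhost)"   # 1
```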
Encrypt a text file with a public key
rsautl performs a single raw RSA operation, so the input must be shorter than the key size (minus padding); for anything larger use the smime approach below.
cat plain.txt | openssl rsautl -encrypt -pubin -inkey ./id_rsa.pub.pem > cipher.txt
Decrypt a text file with a private key
cat cipher.txt | openssl rsautl -decrypt -inkey ~/id_rsa.private.pem
Encrypt a binary file with a public key
This should encrypt a binary file with a public key.
openssl smime -encrypt -binary -aes256 -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.cer
The options mean:
- smime - openssl command for the S/MIME utility (smime(1))
- encrypt - chosen operation
- binary - use safe file processing. Normally the input message is converted to "canonical" format as required by the S/MIME specification; this switch disables that. It is necessary for all binary files (images, sounds, ZIP archives).
- aes256 - chosen cipher, AES with a 256-bit key (strong). If not specified, 40-bit RC2 is used (very weak). (Supported ciphers)
- in plainfile.zip - input file name
- out encrypted.zip.enc - output file name
- outform DER - encode the output file as binary. If not specified, the file is base64-encoded and its size grows by about 30%.
- yourSslCertificate.cer - file name of your certificate, which should be in PEM format.
Known issue with files over 600MB, you need to split them.
Decrypt a binary file with a private key
openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
The options mean:
- inform DER - same as -outform above
- inkey private.key - file name of your private key. That should be in PEM format and may be password-encrypted.
- passin pass:your_password - the password for the encrypted private key.
Encrypt a file with a password
The -salt option should ALWAYS be used if the key is being derived from a password.
Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key.
When a salt is used, the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read back from the encrypted file when decrypting.
This way will prompt you for a password
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc
This way will not (the password given with -k lands in the shell history and is visible in the process list while openssl runs)
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc -k PASS
Decrypt a file with a password
This way will prompt you for a password
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt
This way will not
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -k PASS
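A demonstration of the salt claim above. This is an added example, not code from the original page: it encrypts the same constructed plaintext twice with the same password, once with -nosalt and once with -salt, compares the ciphertexts, checks the "Salted__" header, and decrypts back. File names and the $WORK directory are this example's own; -k passes the password non-interactively.

```shell
#!/bin/sh
# Added example, not code from the original page: why -salt matters.
# With -nosalt the key and IV derive from the password alone, so two runs
# produce identical ciphertext; with -salt every run differs.
set -eu
WORK="${WORK:-$(mktemp -d)}"
printf 'constructed sample plaintext\n' > "$WORK/file.txt"

digest() {   # SHA-256 of a file, as a hex string
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

encrypt_twice() {   # $1 = -salt or -nosalt; prints "same" or "different"
  openssl enc -aes-256-cbc "$1" -k PASS -in "$WORK/file.txt" -out "$WORK/a.enc" 2>/dev/null
  openssl enc -aes-256-cbc "$1" -k PASS -in "$WORK/file.txt" -out "$WORK/b.enc" 2>/dev/null
  if [ "$(digest "$WORK/a.enc")" = "$(digest "$WORK/b.enc")" ]; then
    echo same
  else
    echo different
  fi
}

salt_magic() {   # first 8 bytes of a salted file: the ASCII marker "Salted__"
  head -c 8 "$WORK/a.enc"
}

decrypt_back() {   # $1 = -salt or -nosalt; decrypts a.enc and checks the plaintext
  openssl enc -aes-256-cbc -d "$1" -k PASS -in "$WORK/a.enc" -out "$WORK/back.txt" 2>/dev/null
  if [ "$(digest "$WORK/file.txt")" = "$(digest "$WORK/back.txt")" ]; then
    echo ok
  else
    echo fail
  fi
}

echo "nosalt:    $(encrypt_twice -nosalt)"   # same
echo "salt:      $(encrypt_twice -salt)"     # different
echo "header:    $(salt_magic)"              # Salted__
echo "roundtrip: $(decrypt_back -salt)"      # ok
```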
Base 64 Encode and Decode
Base64 encoding converts 8-bit binary data into ASCII characters.
This is handy for sending something by email, IRC, etc., where the encrypted file has to be saved Base64-encoded.
To write the encrypted file Base64-encoded, add the -a option:
Encode:
openssl enc -aes-256-cbc -salt -a -in file.txt -out file.txt.enc
Decode
openssl enc -aes-256-cbc -d -a -in file.txt.enc -out file.txt
Start Server and Client
I have not tried this, but it looked cool so I grabbed it.
Create a server
$> openssl s_server -accept portNum -cert myCert.pem -key myPKey.pem
Create a connection to the server
$> openssl s_client -showcerts -connect server:portNum
-showcerts shows the server's certificate(s).
To connect with a client's certificate:
$> openssl s_client -connect server:portNum -cert myCert.pem -key myPKey.pem
To send some data:
$> openssl s_client -connect server:portNum
then type in the console of the client or server.
openssl also works as a pipe:
$> echo "some text!" | openssl s_client ...
Sign and Verify
To sign a data file and create a signature file using a private key.
openssl dgst -sha256 -sign private-key.pem -out signature.sha256 data.txt
or
echo "data" | openssl dgst -sha256 -sign private-key.pem -out signature.sha256
or, this signs the string "Test" and prints the signature base64-encoded (add -out to keep the raw signature file as well):
echo "Test" | openssl dgst -sha256 -sign private-key.pem | base64
To verify a data file against its signature using a public key.
openssl dgst -sha256 -verify public-key.pem -signature signature.sha256 data.txt
or, to verify the string "Test" against a signature made from that same input:
echo "Test" | openssl dgst -sha256 -verify public-key.pem -signature signature.sha256
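The sign and verify flow above in one runnable script. This is an added example, not code from the original page: it generates a fresh RSA key pair, signs a constructed data file, verifies it, carries the signature through base64 as in the pipe above, and shows verification failing once the data is altered. Key and file names and the $WORK directory are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: sign, verify, base64 round
# trip, and a tamper check. Key and file names are this example's own.
set -eu
WORK="${WORK:-$(mktemp -d)}"
openssl genrsa -out "$WORK/private-key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/private-key.pem" -pubout -out "$WORK/public-key.pem" 2>/dev/null
printf 'release-1.0.tar.gz sha256=constructed-sample\n' > "$WORK/data.txt"

sign_file() {   # $1 = data file; writes $1.sig and prints it base64-encoded on one line
  openssl dgst -sha256 -sign "$WORK/private-key.pem" -out "$1.sig" "$1"
  openssl base64 -A -in "$1.sig"
}

verify_file() {   # $1 = data file, $2 = signature file; prints valid or invalid
  if openssl dgst -sha256 -verify "$WORK/public-key.pem" -signature "$2" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

verify_b64() {   # $1 = base64 signature text, $2 = data file; decodes then verifies
  printf '%s' "$1" | openssl base64 -d -A -out "$WORK/from_b64.sig"
  verify_file "$2" "$WORK/from_b64.sig"
}

tamper_check() {   # alters one field of a copy and verifies the original signature against it
  sed 's/1\.0/1.1/' "$WORK/data.txt" > "$WORK/data_tampered.txt"
  verify_file "$WORK/data_tampered.txt" "$WORK/data.txt.sig"
}

SIG_B64=$(sign_file "$WORK/data.txt")
echo "original:   $(verify_file "$WORK/data.txt" "$WORK/data.txt.sig")"   # valid
echo "via base64: $(verify_b64 "$SIG_B64" "$WORK/data.txt")"             # valid
echo "tampered:   $(tamper_check)"                                        # invalid
```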