You won't remember the options for OpenSSL, so here's bash shortcuts for everything.
Save a bunch of time by pasting this into your .bash_profile
July 12, 2021
We're Expedited Security. We help SAAS applications prevent and recover from attack, overcome regulatory or integration security requirements or just stop "weird" traffic before it becomes a problem.
OpenSSL's various command line modes - officially called 'commands' - are named after a mix of:
- crypto & PKI standards (
x509
,pkcs12
) - actual tasks (
req
,verify
) - encryption and hashing algorithms (
aes-256-cbc
,sha256
)
Doing any crypto related task nearly always involves also both standards and algorithms, so, for most web developers, it's not entirely obvious which 'command' corresponds to a particular action.
Here's our list of the most common ones - add them to your .bash_profile
and let tab completion sort you out!
Add this to your .bash_profile
function openssl-view-certificate () {
openssl x509 -text -noout -in "${1}"
}
function openssl-view-csr () {
openssl req -text -noout -verify -in "${1}"
}
function openssl-view-key () {
openssl rsa -check -in "${1}"
}
function openssl-view-pkcs12 () {
openssl pkcs12 -info -in "${1}"
}
# Connecting to a server (Ctrl C exits)
function openssl-client () {
openssl s_client -status -connect "${1}":443
}
# Convert PEM private key, PEM certificate and PEM CA certificate (used by nginx, Apache, and other openssl apps) to a PKCS12 file (typically for use with Windows or Tomcat)
function openssl-convert-pem-to-p12 () {
openssl pkcs12 -export -inkey "${1}" -in "${2}" -certfile ${3} -out ${4}
}
# Convert a PKCS12 file to PEM
function openssl-convert-p12-to-pem () {
openssl pkcs12 -nodes -in "${1}" -out "${2}"
}
# Convert a crt to a pem file
function openssl-crt-to-pem() {
openssl x509 -in "${1}" -out "${1:0:-4}".pem -outform PEM
}
# Check the modulus of a certificate (to see if it matches a key)
function openssl-check-certificate-modulus {
openssl x509 -noout -modulus -in "${1}" | shasum -a 256
}
# Check the modulus of a key (to see if it matches a certificate)
function openssl-check-key-modulus {
openssl rsa -noout -modulus -in "${1}" | shasum -a 256
}
# Check the modulus of a certificate request
function openssl-check-key-modulus {
openssl req -noout -modulus -in "${1}" | shasum -a 256
}
# Encrypt a file (because zip crypto isn't secure)
function openssl-encrypt () {
openssl aes-256-cbc -in "${1}" -out "${2}"
}
# Decrypt a file
function openssl-decrypt () {
openssl aes-256-cbc -d -in "${1}" -out "${2}"
}
# For setting up public key pinning
function openssl-key-to-hpkp-pin() {
openssl rsa -in "${1}" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
}
# For setting up public key pinning (directly from the site)
function openssl-website-to-hpkp-pin() {
openssl s_client -connect "${1}":443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
}
# Combines the key and the intermediate in a unified PEM file
# (eg, for nginx)
function openssl-key-and-intermediate-to-unified-pem() {
echo -e "$(cat "${1}")\n$(cat "${2}")" > "${1:0:-4}"_unified.pem
}
Got anything to add? Post it on the Hacker News thread and we'll give you a shout out!
- Thanks to @emazzotta for his many suggestions and improvements!