Here are my notes on openssl commands, kept for my own reference (copy-pasting). There are other crypto/ssl/tls tools available (e.g., step, cfssl, certstrap, etc.), but openssl is the most widely used, at least that I know of.
If you don't know what SSL/TLS/HTTPS is, or just want to learn more about it, make sure to check out Julia Evans: "What's TLS" and DNSimple's comic: "How HTTPS works". Both awesome resources!
For creating keys for test and dev environments. Size can be `1024`, `2048` or `4096`.
NOTE: Private key in PKCS1 and public key in SPKI format.
```sh
openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -outform PEM -pubout -out public.pem
```
Creates a base64-encoded signature. The default algorithm is RSASSA-PKCS1-v1_5, and we set SHA-256 as the hash.
NOTE: the `-n` option is easy to miss (it suppresses the trailing newline that `echo` would otherwise append to the message).
```sh
echo -n "hello world" | openssl dgst -sha256 -sign private.pem | base64
# Example with a newline inside the message.
# printf interprets \n portably; plain `echo -n "hello\nworld"` passes a literal backslash-n in bash
printf 'hello\nworld' | openssl dgst -sha256 -sign private.pem | base64
# Example with data from file.
# BEWARE: command substitution `$(...)` strips the trailing newline(s) from `data.txt`
printf %s "$(cat data.txt)" | openssl dgst -sha256 -sign private.pem | base64
# Do not remove trailing newline (signs the file bytes exactly as they are)
cat data.txt | openssl dgst -sha256 -sign private.pem | base64
# From file / to file
openssl dgst -sha256 -sign private.pem -out data.txt.sha256 data.txt
openssl dgst -sha256 -verify public.pem -signature data.txt.sha256 data.txt
```
To get rid of the newlines and the type header. This gives you the base64 key on one line:

```sh
# GNU coreutils base64 wraps output at 76 columns; add `-w 0` there (or use `openssl base64 -A`) for a true single line
openssl rsa -pubin -inform PEM -in public.pem -outform DER | base64
```
Web browser crypto (the Web Crypto API) imports private keys in PKCS8, while openssl uses PKCS1 by default:

```sh
# -nocrypt writes the PKCS8 key unencrypted (no passphrase wrapper)
openssl pkcs8 -topk8 -inform PEM -outform PEM -in private-pkcs1.pem -out private-pkcs8.pem -nocrypt
```
Outputs a HEX digest of the binary DER key
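Putting the commands above together: the script below is an added example, not part of the original notes, that runs a sign/verify round trip with the openssl CLI and turns the key-format and trailing-newline points into checks a script can assert on. It assumes `openssl` is on PATH, uses 2048-bit keys, and every function and file name in it (`make_keys`, `sign_b64`, `verify_b64`, `pem_header`, `pub_der_b64`, `pub_der_sha256_hex`, the temporary work directory) is my own choice.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes the openssl CLI is on PATH.
set -eu

# Generate an RSA private key and its SPKI public key into a directory, and also
# convert the private key to unencrypted PKCS#8 (the form Web Crypto imports).
make_keys() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/private.pem" -pubout -out "$dir/public.pem" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$dir/private.pem" -out "$dir/private-pkcs8.pem"
}

# Sign the exact bytes of a message (no trailing newline added) with
# RSASSA-PKCS1-v1_5 / SHA-256 and print the signature as single-line base64.
# "openssl base64 -A" never wraps, unlike GNU base64 (76 columns by default).
sign_b64() {
    key=$1; msg=$2
    printf %s "$msg" | openssl dgst -sha256 -sign "$key" | openssl base64 -A
}

# Verify a base64 signature over a message. Returns 0 on "Verified OK", 1 otherwise.
verify_b64() {
    pub=$1; msg=$2; sig=$3
    tmp=$(mktemp)
    printf %s "$sig" | openssl base64 -d -A > "$tmp"
    if printf %s "$msg" | openssl dgst -sha256 -verify "$pub" -signature "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# First line of a PEM file: "-----BEGIN PUBLIC KEY-----" for SPKI,
# "-----BEGIN PRIVATE KEY-----" for PKCS#8, "-----BEGIN RSA PRIVATE KEY-----" for PKCS#1.
pem_header() {
    head -n 1 "$1"
}

# Public key as DER, then base64 on one line (the "strip the PEM header" trick).
pub_der_b64() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | openssl base64 -A
}

# SHA-256 hex digest of the DER-encoded public key (my choice of digest; this is
# the value used for SPKI pinning). awk takes the hex after "SHA256(stdin)= ".
pub_der_sha256_hex() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

demo() {
    work=$(mktemp -d)
    make_keys "$work"
    echo "private key header: $(pem_header "$work/private.pem")"
    echo "pkcs8 key header:   $(pem_header "$work/private-pkcs8.pem")"
    echo "public key header:  $(pem_header "$work/public.pem")"
    sig=$(sign_b64 "$work/private.pem" "hello world")
    echo "signature (base64): $sig"
    if verify_b64 "$work/public.pem" "hello world" "$sig"; then
        echo "verify exact bytes: Verified OK"
    fi
    # The same text plus a trailing newline is a different message: verification fails.
    lf='
'
    if ! verify_b64 "$work/public.pem" "hello world$lf" "$sig"; then
        echo "verify with trailing newline: Verification Failure (different message)"
    fi
    echo "SPKI DER base64 (one line): $(pub_der_b64 "$work/public.pem")"
    echo "SPKI DER sha256 hex: $(pub_der_sha256_hex "$work/public.pem")"
    rm -rf "$work"
}

demo
```

Two things the script deliberately checks rather than assumes. The private-key header is printed instead of asserted because OpenSSL 3.x `genrsa` writes PKCS#8 (`BEGIN PRIVATE KEY`) by default and only emits PKCS#1 (`BEGIN RSA PRIVATE KEY`) with `-traditional`, while OpenSSL 1.1 writes PKCS#1; the `pkcs8 -topk8` step is harmless either way. And the negative verification with a trailing newline is the pitfall the `-n`/`printf %s` notes are about: the signature is over bytes, so a stray newline from `echo` or a file is a different message. Key size is 2048 because 1024-bit RSA is considered weak; 1024 belongs only to throwaway dev keys.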