Category Archives: openssl

Get certificate information with openssl

To display certificate information of a certificate issue the command below:

openssl x509 -in certificate -text

Information about the certificate is displayed. Some important items are:

Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA

The Issuer is a CA that signed this certificate.

            Not Before: Feb  6 00:00:00 2015 GMT
           Not After : Feb 26 23:59:59 2016 GMT

The validity period of the certificate. Remember to renew your certificate before it expires!

Subject: OU=Domain Control Validated, OU=PositiveSSL,

The subject for this certificate. This certificate can be used for a website for the given CN.


OpenSSL encrypt and decrypt files

cryptoWith the help of OpenSSL you can easily encrypt and decrypt files. This method of encryption is of course  also compatible with the openssl binaries you can download for the Windows platform. Use base64 encoding for better multi-plaform exchange.


Encrypt files with (a password is asked for encrypting):

openssl enc -aes-256-cbc -base64 -in <file to encrypt> -out <encrypted file>


Decrypt files with (a password is asked for decrypting):

openssl enc -aes-256-cbc -base64 -d -in <encrypted file> -out <decrypted file>

The commands above use base64 encoding for storing the encrypted data.


Public-key cryptography

cryptoYou give other people your public (encryption) key. Other people can encrypt data with your public key which you can only decrypt because you have the private (decryption) key for the public key that is used.

Generate a key pair (private / public) with 2048 bits length:

openssl genrsa 2048 > key.pem

Generate a password protected key pair (private / public) with 4096 bits length:

openssl genrsa -des3 -out key.pem 4096

Generate the public key from the private key:

openssl rsa -in key.pem -pubout > pub.key

Create a symmetric key (base 64 for convenience) and store in file:

openssl rand -base64 32 > symmetrickey.txt

Encrypt the symmetric key file with your public key:

openssl rsautl -in symmetrickey.txt -out symmetrickey.bin -pubin -inkey mypubkey.pem -encrypt

Decrypt the symmetric key with your private key:

openssl rsautl -in symmetrickey.bin -out symmetrickey.txt -inkey myprivkey.pem -decrypt

Public-key cryptography, also known as asymmetric cryptography, refers to a cryptographic algorithm which requires two separate keys, one of which is secret (or private) and one of which is public.

Although different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt ciphertext or to create a digital signature.

The term “asymmetric” stems from the use of different keys to perform these opposite functions, each the inverse of the other – as contrasted with conventional (“symmetric”) cryptography which relies on the same key to perform both.

The strength lies in the fact that it is “impossible” (computationally unfeasible) for a properly generated private key to be determined from its corresponding public key.

Thus the public key may be published without compromising security, whereas the private key must not be revealed to anyone not authorized to read messages or perform digital signatures.

Public key algorithms, unlike symmetric key algorithms, do not require a secure initial exchange of one (or more) secret keys between the parties.

Each user has a pair of cryptographic keys – a public encryption key and a private decryption key. Similarly, a key pair used for digital signatures consists of a private signing key and a public verification key.

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.

The first major symmetric algorithm developed for computers in the United States was the Data Encryption Standard (DES), approved for use in the 1970s. The DES uses a 56-bit key.

DES has been replaced by the Advanced Encryption Standard (AES), which uses 128-, 192- or 256-bit keys. Most people believe that AES will be a sufficient encryption standard for a long time coming: A 128-bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations