Execute the following commands and copy/paste the output in this file after each of the commands. If the command does not output anything on the screen, use cat command to display the generated file. For example: cat privkey.pem
1. Generate a RSA key: openssl genrsa -des3 -out privkey.pem 2048
2. Output the public part of a private key: openssl rsa -in privkey.pem -pubout -out pubkey.pem
3. To remove the pass phrase on an RSA private key: openssl rsa -in privkey.pem -out keyout.pem
4. To convert a private key from PEM to DER format: openssl rsa -in privkey.pem -outform DER -out keyout.der
5. To print out the components of a private key to standard output: openssl rsa -in key.pem -text -noout
6. Generate a DSA key openssl dsaparam -out dsaparam.pem 2048 openssl gendsa -des3 -out dsa-privkey.pem dsaparam.pem
1. Create an MD5 or SHA1 digest of a file:
# MD5 digest
# SHA1 digest openssl dgst -md5 filename openssl dgst -sha1 filename
2. Sign a digest:
# signed digest will be filename.sha1
openssl dgst -sha1 -sign privkey.pem -out filename.sha1 filename
3. Verify a signed digest
To verify a signed digest you’ll need the file from which the digest was derived, the signed digest, and the signer’s public key. openssl dgst -sha1 -verify pubkey.pem -signature filename.sha1 filename
4. What other kinds of digests are available? openssl list-message-digest-commands o
1. Create a self-signed test certificate: openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
-keyout mycert.pem -out mycert.pem
2. Extract information from the certificate: openssl x509 -text -in mycert.pem
# who issued the cert? openssl x509 -noout -in mycert.pem -issuer
# to whom was it issued? openssl x509 -noout -in mycert.pem -subject
# for what dates is it valid? openssl x509 -noout -in mycert.pem -dates
# the above, all at once openssl x509 -noout -in mycert.pem -issuer -subject -dates
# what is its hash value? openssl x509 -noout -in mycert.pem -hash
# what is its MD5 fingerprint? openssl x509 -noout -in mycert.pem -fingerprint
3. Verify the certificate openssl verify mycert.pem
If anything is amiss, you’ll see some error messages with short descriptions of the problem, e.g.
,
error 10 at 0 depth lookup:certificate has expired. Certificates are typically issued for a limited period of time—usually just one year—and openssl will complain if a certificate has expired.
error 18 at 0 depth lookup:self signed certificate. Unless you make an exception , OpenSSL won’t verify a self-signed certificate.
1. Get a list of encryption commands openssl list-cipher-commands
2. Sign some data using a private key: openssl rsautl -sign -in file -inkey privkey.pem -out sig
3. Recover the signed data openssl rsautl -verify -in sig -inkey key.pem
4. Examine the raw signed data: openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
5. Encrypt a file test.txt with the public key: openssl rsautl -encrypt -in test.txt -out test.enc -inkey pubkey.pem – pubin
6. Decrypt a file test.enc with the private key: openssl rsautl -decrypt -in test.enc -inkey privkey.pem