
Linux Comm Openssl

OpenSSL is a powerful open-source cryptography toolkit that provides encryption algorithms, certificate management functions, and an implementation of the SSL/TLS protocols. It is the de facto standard tool for handling encryption tasks on Linux systems.

The main functions of OpenSSL include:

* Create and manage SSL certificates
* Encrypt/decrypt files
* Generate key pairs
* Test SSL connections
* Calculate hash values
* Digital signature verification

* * *

## Basic Syntax

The basic syntax of the openssl command is:

```bash
openssl command [command_options] [command_args]
```

Where:

* `command`: The OpenSSL subcommand to execute (such as genrsa, req, x509, etc.)
* `command_options`: Options for the subcommand
* `command_args`: Arguments for the subcommand

* * *

## Common Subcommands and Examples

### 1. Generate RSA Key Pair

Generate a 2048-bit RSA private key:

```bash
openssl genrsa -out private.key 2048
```

Extract the public key from the private key:

```bash
openssl rsa -in private.key -pubout -out public.key
```

Parameter description:

* `-out`: Specify the output file
* `2048`: Key length (in bits)
* `-pubout`: Output public key

### 2. Create Self-Signed Certificate

Generate a CSR (Certificate Signing Request):

```bash
openssl req -new -key private.key -out cert.csr
```

Generate a self-signed certificate (valid for 365 days):

```bash
openssl req -x509 -new -key private.key -days 365 -out cert.crt
```

Parameter description:

* `-new`: Create a new request
* `-key`: Specify the private key file
* `-days`: Certificate validity period (in days)
* `-x509`: Output a self-signed X.509 certificate instead of a certificate request

### 3. File Encryption and Decryption

Encrypt a file using AES-256-CBC:

```bash
openssl enc -aes-256-cbc -salt -pbkdf2 -in plaintext.txt -out encrypted.enc
```

Decrypt the file:

```bash
openssl enc -d -aes-256-cbc -pbkdf2 -in encrypted.enc -out decrypted.txt
```

Parameter description:

* `-aes-256-cbc`: Use AES-256-CBC algorithm
* `-salt`: Add random salt value for enhanced security
* `-pbkdf2`: Derive the key from the password with PBKDF2 (OpenSSL 1.1.1 and later) instead of the deprecated single-iteration derivation; the same flag must be given when decrypting
* `-in`: Input file
* `-out`: Output file
* `-d`: Decryption mode

### 4. Calculate File Hash Value

Calculate SHA-256 hash:

```bash
openssl dgst -sha256 filename.txt
```

Calculate MD5 hash:

```bash
openssl dgst -md5 filename.txt
```

### 5. Test SSL Connection

Test the SSL certificate of a remote server:

```bash
openssl s_client -connect example.com:443 -showcerts
```

Parameter description:

* `-connect`: Specify host and port
* `-showcerts`: Display server certificate chain

* * *

## Advanced Usage

### 1. Create PKCS#12 Format Certificate

Package certificate and private key into a PKCS#12 file:

```bash
openssl pkcs12 -export -in cert.crt -inkey private.key -out cert.p12
```

### 2. View Certificate Information

View detailed certificate information:

```bash
openssl x509 -in cert.crt -text -noout
```

### 3. Verify Certificate Chain

Verify certificate chain integrity:

```bash
openssl verify -CAfile ca.crt cert.crt
```

* * *

## Security Considerations

1. **Key Protection**: Private key files should have appropriate permissions (such as 600) to prevent leakage
2. **Algorithm Selection**: Avoid using insecure algorithms (such as MD5, SHA1)
3. **Password Strength**: Use strong passwords when encrypting
4. **Certificate Validity**: Regularly check for and replace expired certificates
5. **Random Number Generation**: Ensure the system has sufficient entropy for encryption operations

* * *

## Frequently Asked Questions

### Q1: How to check the OpenSSL version?

```bash
openssl version
```

### Q2: How to generate a more secure ECC key?

```bash
openssl ecparam -genkey -name secp384r1 -out ecc.key
```

### Q3: How to convert certificate format?

Convert from PEM to DER:

```bash
openssl x509 -in cert.pem -outform der -out cert.der
```

* * *

## Practical Exercises

1. Generate a 4096-bit RSA key pair
2. Create a self-signed certificate with a validity period of 2 years
3. Encrypt a text file and decrypt it using the same password
4. Check the SSL certificate information of websites you frequently use

By mastering the openssl command, you will be able to handle a wide range of encryption and security-related tasks, building a solid foundation for system security and administration work.
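The checks from the Security Considerations list (key file mode, signature hash, expiry), plus a test that the certificate belongs to the key, as an added example that is not part of the original page. It assumes GNU `stat` on Linux; the function names and the 30-day window are illustrative choices, and `private.key` / `cert.crt` are the file names used in the sections above.

```bash
# Added example, not from the original page. Function names and the 30-day
# default are illustrative assumptions; stat -c requires GNU coreutils.

# Succeeds only if the private key is accessible by its owner alone.
check_key_mode() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in 600|400) return 0 ;; esac
    echo "FAIL: $1 has mode $mode, expected 600" >&2
    return 1
}

# Succeeds only if the certificate signature does not use MD5 or SHA-1.
check_sig_alg() {
    local alg
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          awk '/Signature Algorithm:/ { print tolower($3); exit }')
    case "$alg" in
        ''|*md5*|*sha1*)
            echo "FAIL: $1 signature algorithm '${alg:-unreadable}'" >&2
            return 1 ;;
    esac
}

# Succeeds only if the certificate is still valid $2 days from now.
check_expiry() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 ||
        { echo "FAIL: $1 expires within $2 days or is unreadable" >&2; return 1; }
}

# Succeeds only if the certificate carries this private key's public key.
check_key_matches() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ] && return 0
    echo "FAIL: $2 does not contain the public key of $1" >&2
    return 1
}

# Runs every check so one report lists all problems; returns 1 if any failed.
audit_pair() {
    local key=${1:-private.key} cert=${2:-cert.crt} days=${3:-30} rc=0
    check_key_mode "$key" || rc=1
    check_sig_alg "$cert" || rc=1
    check_expiry "$cert" "$days" || rc=1
    check_key_matches "$key" "$cert" || rc=1
    return "$rc"
}

if [ "$#" -ge 2 ]; then audit_pair "$@"; fi  # ./audit.sh private.key cert.crt [days]
```

A non-zero exit status means at least one check failed, so the script can run from a scheduled job or gate a deployment step.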