Holistic usage guide for OpenSSL


OpenSSL is a general-purpose cryptography toolkit that provides an open source implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is written in C, assembly and Perl, but wrappers are available in all languages. This article explains the OpenSSL commands.


For the 3.0.0 release, and later releases derived from that, the Apache License v2 applies. Earlier releases are licensed under the OpenSSL license.


It provides various cryptographic functions:

  • RSA & AES keys
  • Certificate Signing Requests (CSR), X509 certificates
  • Message digest/checksums
  • Encryption / Decryption with ciphers and encoding commands.


Encoding and decoding schemes convert binary data to text and back. Base64 is one of a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. Base64 is applied to encrypted bytes to turn them into a textual format for transmission; the encoding itself can be reversed by anyone and provides no confidentiality.

The commands below base64-encode a text and then decode it back to the original text.

$ echo "secret password" | openssl enc -base64

$ echo "c2VjcmV0IHBhc3N3b3JkCg==" | openssl enc -base64 -d

Advanced Encryption Standard (AES)

AES is a symmetric encryption algorithm: text is encrypted with a secret key and decrypted with the same secret key. OpenSSL provides AES encryption/decryption facilities of different block sizes.

The cipher used below is aes-256-cbc (AES in Cipher Block Chaining mode, 256 bit), which encrypts the data and then base64-encodes the result. To encrypt the data, provide an encryption password (secret key); the same password has to be provided during decryption. Cipher Block Chaining splits the message text into blocks of the block size, XORs the first block with the initialization vector and encrypts it with the key; the output is then XORed with the next block of message text, which is again encrypted with the key, and this continues until all blocks are encrypted.

$ echo "confidential-data" | openssl enc -aes-256-cbc -base64
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

$ echo "U2FsdGVkX1/2T5aTQE9K/PCJlXCqtAC9RIxGoQIdrFc=" | openssl enc -aes-256-cbc -base64 -d
enter aes-256-cbc decryption password:
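
The chaining described above can be checked by hand. This added example (not part of the original article) rebuilds aes-256-cbc from single-block AES and XOR and compares the result with OpenSSL's own CBC output; the key, IV and message are constructed sample values, passed with -K/-iv instead of a password so that both runs use the same inputs.

```sh
#!/bin/sh
# Added example: AES-256-CBC rebuilt from single-block AES (ECB) plus XOR.
# KEY, IV and MSG are constructed sample values; never reuse them for real data.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=0f0e0d0c0b0a09080706050403020100
MSG='confidential-data, 32 bytes long'     # exactly two 16-byte blocks

to_hex() { od -An -v -tx1 | tr -d ' \n'; }

from_hex() {        # hex string -> raw bytes on stdout
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}; byte=${h%"$rest"}
        printf '%b' "\\0$(printf '%03o' "$((0x$byte))")"
        h=$rest
    done
}

xor_hex() {         # XOR two equal-length hex strings
    a=$1; b=$2; out=
    while [ -n "$a" ]; do
        ra=${a#??}; rb=${b#??}
        x=${a%"$ra"}; y=${b%"$rb"}
        out=$out$(printf '%02x' "$((0x$x ^ 0x$y))")
        a=$ra; b=$rb
    done
    printf '%s' "$out"
}

aes_block() {       # encrypt one 16-byte block with the key only, no chaining
    from_hex "$1" | openssl enc -aes-256-ecb -nopad -K "$KEY" | to_hex
}

cbc_by_hand() {     # C1 = E(P1 xor IV), C2 = E(P2 xor C1), ...
    prev=$IV; plain=$(printf '%s' "$MSG" | to_hex); result=
    while [ -n "$plain" ]; do
        block=$(printf '%s' "$plain" | cut -c1-32)
        plain=$(printf '%s' "$plain" | cut -c33-)
        prev=$(aes_block "$(xor_hex "$block" "$prev")")
        result=$result$prev
    done
    printf '%s' "$result"
}

cbc_by_openssl() {  # the same message through OpenSSL's CBC mode
    printf '%s' "$MSG" | openssl enc -aes-256-cbc -nopad -K "$KEY" -iv "$IV" | to_hex
}

echo "by hand : $(cbc_by_hand)"
echo "openssl : $(cbc_by_openssl)"
```

Because every ciphertext block feeds into the next one, the same key and IV must never be reused for a second message; the password-based commands above avoid this by deriving a fresh key and IV from a random salt on each run.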

Rivest-Shamir-Adleman Encryption Algorithm

The RSA algorithm works with a combination of a public key (known to everyone) and a private key (kept secret), and is based on the difficulty of factoring the product of large prime numbers. A message is encrypted with the public key and transmitted to the recipient, who decrypts it with his secret private key. It is a slow algorithm, so it is used to share the symmetric secret key and less commonly to encrypt user data.

Alice and Bob want to transfer secure information.

  1. Bob has securely stored his private key, and Bob's public key is available to Alice.
  2. Alice encrypts the data using Bob's public key and sends the encrypted data to Bob.
  3. Bob decrypts the data using his private key

The OpenSSL commands below generate a private key and then derive the public key from it.

 $ openssl genrsa -out rsaprivatekey.pem 2048

 $ openssl rsa -in rsaprivatekey.pem -pubout -outform PEM -out rsapublickey.pem

The rsautl command encrypts the message with the public key, which produces a secure message; redirect the output to a file. Then decrypt the secure message with the generated private key.

 $ echo "confidential-data" | openssl rsautl -encrypt -pubin -inkey rsapublickey.pem > encryptedmsg

 $ openssl rsautl -decrypt -inkey rsaprivatekey.pem -in encryptedmsg -out decryptedmsg
 $ cat decryptedmsg
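
The key-sharing use mentioned above, as an added example that is not from the original article: Alice encrypts a large message with a random AES key and sends only that key through RSA. It uses openssl pkeyutl with OAEP padding (rsautl is deprecated since OpenSSL 3.0); the file names under the temporary directory and the message are constructed.

```sh
#!/bin/sh
# Added example: hybrid encryption between Alice and Bob.
# File names and the message are constructed for this demo.
WORK=$(mktemp -d)

bob_make_keys() {       # the same two commands as in the article
    openssl genrsa -out "$WORK/rsaprivatekey.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/rsaprivatekey.pem" -pubout -outform PEM \
        -out "$WORK/rsapublickey.pem" 2>/dev/null
}

rsa_direct() {          # $1 = file; fails when the file exceeds one RSA block
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/rsapublickey.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$WORK/direct.enc" 2>/dev/null
}

alice_encrypt() {       # $1 = plaintext file of any size
    key=$(openssl rand -hex 32)      # fresh 256-bit AES key for this message
    iv=$(openssl rand -hex 16)       # fresh IV for this message, not secret
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$1" -out "$WORK/msg.enc"
    printf '%s' "$iv" > "$WORK/msg.iv"
    # only the short AES key goes through the slow RSA operation
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin \
        -inkey "$WORK/rsapublickey.pem" -pkeyopt rsa_padding_mode:oaep \
        -out "$WORK/key.enc"
}

bob_decrypt() {         # unwrap the AES key, then print the recovered plaintext
    key=$(openssl pkeyutl -decrypt -inkey "$WORK/rsaprivatekey.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/key.enc")
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$WORK/msg.iv")" \
        -in "$WORK/msg.enc"
}

# Constructed message of about 4 KB, far larger than one RSA-2048 block.
i=0
while [ "$i" -lt 128 ]; do
    echo "confidential-data line $i ...."
    i=$((i + 1))
done > "$WORK/msg.txt"

bob_make_keys
rsa_direct "$WORK/msg.txt" || echo "RSA alone: message too large for the key"
alice_encrypt "$WORK/msg.txt"
bob_decrypt | cmp -s - "$WORK/msg.txt" && echo "Bob recovered the message"
```

AES-CBC as used here gives confidentiality only; a real exchange also needs an integrity check over msg.enc, for example an HMAC or an authenticated cipher mode.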

Message Digest/Hashing Message

Message Digest or Hash Function takes any arbitrary message (with any content or length) as an input and provides a fixed size hash value as a result.

Use Case:

  • It is used to verify that a message was transmitted without any loss or tampering, by checking that the hash of the received message matches the message checksum.
  • It is also used to store passwords by hashing the password. (Hashing is a one-way function which cannot be reversed.)

OpenSSL has the dgst command to hash the password. If the same command is executed again, it gives the same hash value. The command below generates a hash using the sha256 algorithm.

 $ echo 'password' | openssl dgst -sha256
   (stdin)= 6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

 $ echo 'password' | openssl dgst -sha256
   (stdin)= 6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e
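
Two practical consequences of the repeatable digest shown above, as an added example that is not from the original article: echo appends a newline, so the value above is the digest of "password" plus a line feed, and an unsalted digest is identical for every user with the same password. The salted alternative here uses openssl passwd -6 (SHA-512 crypt), which is this example's choice and not something the article prescribes.

```sh
#!/bin/sh
# Added example: deterministic digest versus salted password hash.
# 'password' is the article's sample value; salts are generated randomly.

sha256_hex() {          # digest of stdin; -r prints "<hex> *stdin"
    openssl dgst -sha256 -r | cut -d' ' -f1
}

new_password_hash() {   # $1 = password -> "$6$<salt>$<hash>" with a random salt
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

check_password() {      # $1 = candidate password, $2 = stored "$6$..." string
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin)
    [ "$candidate" = "$2" ]
}

echo "echo adds a newline : $(echo 'password' | sha256_hex)"
echo "printf does not     : $(printf 'password' | sha256_hex)"

# Same password, two users: the stored strings differ because the salts differ.
alice=$(new_password_hash 'password')
bob=$(new_password_hash 'password')
echo "alice: $alice"
echo "bob  : $bob"

check_password 'password' "$alice" && echo "correct password verifies"
check_password 'passw0rd' "$alice" || echo "wrong password rejected"
```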

Certificate Signing Requests

An SSL certificate is valid only after it has been authorized by a Certificate Authority (CA). To get that authorization, a certificate signing request has to be sent to the CA.

OpenSSL generates the certificate signing request: it prompts for details such as location and organization, and finally writes generatedcertificate.csr.

$ openssl req -new -key rsaprivatekey.pem -out generatedcertificate.csr -sha256
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TAMILNADU
Locality Name (eg, city) []:COIMBATORE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Findbestopensource
Organizational Unit Name (eg, section) []:TechnicalBlogs
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:nagappan08@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:TechnicalBlogs


Print the generated certificate request file.

$ cat generatedcertificate.csr



X509 Certificate Generation

Just as a CA generates a certificate, we can use OpenSSL to create a certificate for local development purposes. X.509 is a standard defining the public key certificate. A certificate contains the public key, identity, location and validity period.

The OpenSSL x509 tool generates the certificate from the certificate signing request, the validity in days, and the root CA certificate with its private key. If a root CA certificate and private key do not already exist, they can be generated with the mkcert certificate authority tool.


$ openssl x509 -req -in generatedcertificate.csr -signkey rsaprivatekey.pem -CA rootCA.pem -CAkey rootCA-key.pem -CAcreateserial -out technicalblogcertificate.crt -days 365
Signature ok
subject=C = IN, ST = TAMILNADU, L = COIMBATORE, O = Findbestopensource, OU = TechnicalBlogs, emailAddress = nagappan08@gmail.com
Getting Private key
Getting CA Private Key

Print the certificate; the issuer shows mkcert as the root CA, and the subject shows the given identity.

$ openssl x509 -in technicalblogcertificate.crt -text -noout | head -20
Version: 1 (0x0)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = mkcert development CA, OU = ubuntu@ip-172-31-40-103, CN = mkcert ubuntu@ip-172-31-40-103
Not Before: Jan 24 07:25:42 2019 GMT
Not After : Jan 24 07:25:42 2020 GMT
Subject: C = IN, ST = TAMILNADU, L = COIMBATORE, O = Findbestopensource, OU = TechnicalBlogs, emailAddress = nagappan08@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)

The certificate can also be verified with the verify command provided by OpenSSL.

$ openssl verify technicalblogcertificate.crt
technicalblogcertificate.crt: OK
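
The CSR-to-certificate flow above, as an added non-interactive example that is not from the original article. It assumes a throwaway root CA created with openssl in place of the mkcert root, and adds a subjectAltName because the certificate above has no host name; dev.example.test and the CA names are constructed placeholders.

```sh
#!/bin/sh
# Added example: throwaway root CA -> CSR -> signed leaf with SAN -> verify.
# dev.example.test and "Example Dev Root" are constructed placeholder names.
WORK=$(mktemp -d)
NAME=dev.example.test

cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Dev CA
CN = Example Dev Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_root_ca() {    # stands in for the rootCA.pem / rootCA-key.pem pair
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/rootCA-key.pem" -out "$WORK/rootCA.pem" 2>/dev/null
}

make_csr() {        # same request as in the article, with a Common Name set
    openssl genrsa -out "$WORK/rsaprivatekey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/rsaprivatekey.pem" -sha256 -config "$WORK/req.cnf" \
        -subj "/O=Findbestopensource/OU=TechnicalBlogs/CN=$NAME" \
        -out "$WORK/generatedcertificate.csr"
}

sign_csr() {        # the CA signs the CSR; extensions come from the extension file
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$NAME" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/generatedcertificate.csr" -sha256 -days 30 \
        -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA-key.pem" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

verify_leaf() {     # extra arguments select the trust anchor, e.g. -CAfile <file>
    openssl verify "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

leaf_has_san() {
    openssl x509 -in "$WORK/leaf.crt" -noout -text | grep -q "DNS:$NAME"
}

make_root_ca && make_csr && sign_csr
verify_leaf -CAfile "$WORK/rootCA.pem" && echo "leaf chains to the local root"
verify_leaf || echo "not trusted by the system store: the root is not installed there"
leaf_has_san && echo "subjectAltName present"
```

A plain openssl verify, as in the article, consults only the system trust store, so it reports OK only on machines where the signing root has been installed there.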




mkcert - no config certificate authority tool



Nagappan is a techie-geek and a full-stack senior developer with 10+ years of experience in both front-end and back-end development. He has experience with front-end web technologies like HTML, CSS, JavaScript and Angular, and is an expert in Java and related frameworks like Spring, Struts, EJB and the RESTEasy framework. He holds a bachelor's degree in computer science and is very passionate about learning new technologies.
