These days, we live in a hostile Internet. Everyone knows hat. However, working with crypto can be difficult at times. I've found that the “openssl” command, provided as part of the openssl package (command-line, not libraries), has some extremely handy tools in it. Of course, you can use it to generate SSL certificates and Certificate Signing Requests (CSRs). That's what most people use it for. You can also use it for setting up your own Certificate Authority. Here are some of the other things I use it for.
You can generate an RSA key using “openssl genrsa -out private 512”, where “512” is the number of bits in the key and the key is written to the file “private”. You can then split out the public key using “openssl rsa -in private -out public -pubout”. See the man pages for “genrsa” and “rsa” for more information on this.
Once you have a public/private key pair, you can then sign a message with “openssl dgst -sign private -out signature <source”. In this command, “source” is the file containing the message to be signed, and the resulting signature is written to the file “signature”. At a later point, you can then hand the public key, source, and signature to another party and they can verify that the source is unaltered and is signed by that key.
To verify the signature, use “openssl dgst -verify public -signature signature <source”, this time using the public key. The program will exit with 0 (success) if the signature matches and 1 (failure) if it is incorrect.
Why would you want to use the openssl command when there's already an infrastructure for doing these sorts of things with Gnu Privacy Guard (GPG)? I originally found out how to do this because I was on a system with extremely limited RAM and disc, which already had “openssl”, but did not have GPG. I've come to find that if all you want to do is be able to ensure unaltered transit of something from an authority, it's easier to script with the openssl tools than GPG, because GPG tends to be working in a much heavier-weight environment (including a tty input, a populated “~/.gnupg”, public and private keyrings, etc). You can do it with GPG, but it requires much more work.
Another one that I use all the time is to use “openssl” to print out information from a CSR file so I can tell when it expires and other things: “openssl req -noout -text -in certificate.csr”. This can be very handy, because by default the CSR files aren't at all human readable.
My biggest use of the “openssl” command-line program is definitely the “s_client” command. If you are testing a regular mail server or web server, you can just telnet to the appropriate port to get low-level details on the protocol. On SSL protected services, however, you can't just telnet in. That's where “openssl s_client” comes in. For example, to test an SSL web server on example.com: “openssl s_client -connect www.example.com:443”.
This will print out information about the certificate, then will drop you into a session with the server, running over the encrypted channel. Extremely useful for testing.
There is apparently a “netcat” variant that includes SSL support, but “openssl” is on most machines, where even the regular netcat isn't on a lot of machines, and the SSL version is even more rare.comments powered by Disqus