The OpenSSL toolkit

About OpenSSL

OpenSSL is an open-source cryptography and SSL/TLS toolkit licensed under the Apache license. Through the openssl command-line tool, a user can encrypt and decrypt files and data streams, tunnel data through encrypted connections, create, sign and verify public/private keys and signatures, and perform many other cryptographic operations.

I'm using openssl version 0.9.8k. By the time you read this, it is possible that the latest version has been updated. You may want to use a newer version, but it's possible a newer version might not work the same way. To ensure a positive outcome, don't upgrade unless you have a good reason to, or unless the openssl folks recommend that you do so on their website.

Prerequisites

OpenSSL requires Perl and can make use of zlib.

Downloading openssl

As I write this, the latest version of openssl is 0.9.8k. You can download this, or another version, at http://www.openssl.org/source/. Assuming you want to install version 0.9.8k: download openssl-0.9.8k.tar.gz; put this into a temporary folder, such as /tmp/openssl, and follow the rest of these instructions to install it.

For example, to download openssl using wget:
$ mkdir /tmp/openssl
$ cd /tmp/openssl
$ wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz

Installing openssl

Extract openssl
$ cd /tmp/openssl
$ gzip -dc < openssl-0.9.8k.tar.gz | tar -xf -
$ cd openssl-0.9.8k
Build openssl
$ ./config shared --prefix=/usr --openssldir=/usr/ssl
$ make
Run test suite (optional)
$ make test
Install openssl (must be root user)
# make install

Hashing

To calculate the SHA1 hash of FILE:
openssl sha1 < FILE
To calculate the MD5 hash of FILE:
openssl md5 < FILE

Base64 Conversion

To encode FILE into FILE.b64 using the base64 algorithm:
openssl base64 < FILE > FILE.b64
To decode FILE.b64 into FILE using the base64 algorithm:
openssl base64 -d < FILE.b64 > FILE

Symmetric Cryptography (password-based)

To encrypt FILE into FILE.aes using the AES-256 cipher:
openssl aes-256-cbc < FILE > FILE.aes
To decrypt FILE.aes into FILE using the AES-256 cipher:
openssl aes-256-cbc -d < FILE.aes > FILE
To encrypt FILE into FILE.bf using the blowfish cipher:
openssl bf < FILE > FILE.bf
To decrypt FILE.bf into FILE using the blowfish cipher:
openssl bf -d < FILE.bf > FILE

Asymmetric Cryptography (key-based)

To generate a private key id_rsa.pem using the RSA-2048 algorithm:
openssl genrsa 2048 > id_rsa.pem
To generate a public key id_rsa.pub from private key id_rsa.pem:
openssl rsa -pubout < id_rsa.pem > id_rsa.pub
To encrypt FILE into FILE.rsa using the RSA private key id_rsa.pem:
openssl rsautl -encrypt -inkey id_rsa.pem < FILE > FILE.rsa
To encrypt FILE into FILE.rsa using the RSA public key id_rsa.pub:
openssl rsautl -encrypt -inkey id_rsa.pub -pubin < FILE > FILE.rsa
To decrypt FILE.rsa into FILE using the RSA private key id_rsa.pem:
openssl rsautl -decrypt -inkey id_rsa.pem < FILE.rsa > FILE

Signatures

To sign FILE with the private key id_rsa.pem, producing digital signature FILE.asc:
openssl dgst -sign id_rsa.pem < FILE > FILE.asc
To verify FILE.asc against FILE using the public key id_rsa.pub:
openssl dgst -verify id_rsa.pub -signature FILE.asc < FILE
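
The sign and verify commands above, run end to end as an added example that is not part of the original page: the signature is accepted for the untouched FILE and rejected once a single character changes. The function names make_signed and verifies, the temporary directory, the sample contents and the explicit -sha256 digest are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page;
# function names and sample contents are constructed for this demo.

# make_signed DIR: create a key pair, a sample FILE and its signature in DIR.
make_signed() {
    (
        cd "$1" || exit 2
        umask 077    # new files, including the private key, are owner-only
        openssl genrsa 2048 > id_rsa.pem 2>/dev/null || exit 2
        openssl rsa -pubout < id_rsa.pem > id_rsa.pub 2>/dev/null || exit 2
        printf 'Hello, World!\n' > FILE
        # Name the digest so signer and verifier always use the same one.
        openssl dgst -sha256 -sign id_rsa.pem < FILE > FILE.asc || exit 2
    )
}

# verifies PUBKEY SIGNATURE FILE: succeeds only if openssl reports a match.
# The printed result is compared so the check does not depend on exit status.
verifies() {
    [ "$(openssl dgst -sha256 -verify "$1" -signature "$2" < "$3" 2>/dev/null)" = "Verified OK" ]
}

demo_dir=$(mktemp -d)
make_signed "$demo_dir"
printf 'Hello, World?\n' > "$demo_dir/FILE.changed"   # one character differs
for f in FILE FILE.changed; do
    if verifies "$demo_dir/id_rsa.pub" "$demo_dir/FILE.asc" "$demo_dir/$f"; then
        echo "$f: signature valid"
    else
        echo "$f: signature INVALID, do not trust this file"
    fi
done
rm -rf "$demo_dir"
```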

Certificates

To create a self-signed certificate auth.crt with the private key auth.pem:
openssl req -x509 -new -key auth.pem > auth.crt
To create a certificate signing request example.csr with the private key example.pem:
openssl req -new -key example.pem > example.csr
To create a signed certificate example.crt from example.csr:
openssl x509 -req -CA auth.crt -CAkey auth.pem -CAcreateserial < example.csr > example.crt
To verify that auth.crt is a valid certificate:
openssl verify < auth.crt
To verify that example.crt is a valid certificate:
openssl verify -CAfile auth.crt < example.crt
To create a PKCS#12 keystore (for Microsoft compatibility):
cat example.pem example.crt | openssl pkcs12 -export > example.pfx
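
The certificate commands above chained into one non-interactive run, as an added example that is not part of the original page: it issues example.crt from auth.crt and shows that verification succeeds against the issuing CA and fails against an unrelated one. The other.pem/other.crt CA, the function names, the subject names and the -subj, -days and -sha256 options are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. auth.* and example.* follow
# the page; other.* and all subject names are constructed for this demo.

# build_pki DIR: CA "auth", unrelated CA "other", leaf "example" signed by auth.
build_pki() {
    (
        cd "$1" || exit 2
        umask 077    # private keys are created owner-only
        for k in auth other example; do
            openssl genrsa 2048 > "$k.pem" 2>/dev/null || exit 2
        done
        # -subj supplies the subject name instead of the interactive prompts.
        openssl req -x509 -new -sha256 -days 30 -key auth.pem \
            -subj '/CN=Example Test CA' > auth.crt || exit 2
        openssl req -x509 -new -sha256 -days 30 -key other.pem \
            -subj '/CN=Unrelated Test CA' > other.crt || exit 2
        openssl req -new -sha256 -key example.pem \
            -subj '/CN=example.test' > example.csr || exit 2
        openssl x509 -req -sha256 -days 30 -CA auth.crt -CAkey auth.pem \
            -CAcreateserial < example.csr > example.crt 2>/dev/null || exit 2
    )
}

# chains_to CA_CERT LEAF_CERT: succeeds only if openssl prints "<file>: OK".
# Matching the OK line keeps the check independent of the exit status.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir"
for ca in auth other; do
    if chains_to "$demo_dir/$ca.crt" "$demo_dir/example.crt"; then
        echo "example.crt chains to $ca.crt"
    else
        echo "example.crt does NOT chain to $ca.crt"
    fi
done
rm -rf "$demo_dir"
```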

Examples

cat FILE
Hello, World!
openssl sha1 < FILE
60fde9c2310b0d4cad4dab8d126b04387efba289
openssl md5 < FILE
bea8252ff4e80f41719ea13cdf007273
openssl base64 < FILE
SGVsbG8sIFdvcmxkIQo=
cat id_rsa.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
cat id_rsa.pub
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
cat example.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
cat example.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Files

This version of openssl, when installed using the steps given above, produces the following files:

OpenSSL Executables
/usr/bin/openssl
/usr/bin/c_rehash
OpenSSL Libraries
/usr/lib/libssl.a
/usr/lib/libssl.so
/usr/lib/libssl.so.0.9.8
/usr/lib/libcrypto.a
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.0.9.8
OpenSSL Engine Libraries
/usr/lib/engines/lib4758cca.so
/usr/lib/engines/libaep.so
/usr/lib/engines/libatalla.so
/usr/lib/engines/libcapi.so
/usr/lib/engines/libchil.so
/usr/lib/engines/libcswift.so
/usr/lib/engines/libgmp.so
/usr/lib/engines/libnuron.so
/usr/lib/engines/libsureware.so
/usr/lib/engines/libubsec.so
OpenSSL pkg-config Files
/usr/lib/pkgconfig/openssl.pc
/usr/lib/pkgconfig/libssl.pc
/usr/lib/pkgconfig/libcrypto.pc
OpenSSL C Headers
/usr/include/openssl/aes.h
/usr/include/openssl/asn1.h
/usr/include/openssl/asn1_mac.h
/usr/include/openssl/asn1t.h
/usr/include/openssl/bio.h
/usr/include/openssl/blowfish.h
/usr/include/openssl/bn.h
/usr/include/openssl/buffer.h
/usr/include/openssl/cast.h
/usr/include/openssl/comp.h
/usr/include/openssl/conf.h
/usr/include/openssl/conf_api.h
/usr/include/openssl/crypto.h
/usr/include/openssl/des.h
/usr/include/openssl/des_old.h
/usr/include/openssl/dh.h
/usr/include/openssl/dsa.h
/usr/include/openssl/dso.h
/usr/include/openssl/dtls1.h
/usr/include/openssl/e_os2.h
/usr/include/openssl/ebcdic.h
/usr/include/openssl/ec.h
/usr/include/openssl/ecdh.h
/usr/include/openssl/ecdsa.h
/usr/include/openssl/engine.h
/usr/include/openssl/err.h
/usr/include/openssl/evp.h
/usr/include/openssl/hmac.h
/usr/include/openssl/idea.h
/usr/include/openssl/krb5_asn.h
/usr/include/openssl/kssl.h
/usr/include/openssl/lhash.h
/usr/include/openssl/md2.h
/usr/include/openssl/md4.h
/usr/include/openssl/md5.h
/usr/include/openssl/obj_mac.h
/usr/include/openssl/objects.h
/usr/include/openssl/ocsp.h
/usr/include/openssl/opensslconf.h
/usr/include/openssl/opensslv.h
/usr/include/openssl/ossl_typ.h
/usr/include/openssl/pem.h
/usr/include/openssl/pem2.h
/usr/include/openssl/pkcs12.h
/usr/include/openssl/pkcs7.h
/usr/include/openssl/pq_compat.h
/usr/include/openssl/pqueue.h
/usr/include/openssl/rand.h
/usr/include/openssl/rc2.h
/usr/include/openssl/rc4.h
/usr/include/openssl/ripemd.h
/usr/include/openssl/rsa.h
/usr/include/openssl/safestack.h
/usr/include/openssl/sha.h
/usr/include/openssl/ssl.h
/usr/include/openssl/ssl2.h
/usr/include/openssl/ssl23.h
/usr/include/openssl/ssl3.h
/usr/include/openssl/stack.h
/usr/include/openssl/store.h
/usr/include/openssl/symhacks.h
/usr/include/openssl/tls1.h
/usr/include/openssl/tmdiff.h
/usr/include/openssl/txt_db.h
/usr/include/openssl/ui.h
/usr/include/openssl/ui_compat.h
/usr/include/openssl/x509.h
/usr/include/openssl/x509_vfy.h
/usr/include/openssl/x509v3.h
OpenSSL Miscellaneous Files
/usr/ssl/openssl.cnf
/usr/ssl/misc/CA.sh
/usr/ssl/misc/CA.pl
/usr/ssl/misc/c_hash
/usr/ssl/misc/c_issuer
/usr/ssl/misc/c_name
/usr/ssl/misc/c_info
OpenSSL Man Pages (Complete List)
/usr/ssl/man/man1/...
/usr/ssl/man/man3/...
/usr/ssl/man/man5/...
/usr/ssl/man/man7/...

Feedback

I personally dislike outdated documentation. If anything here seems wrong, or perhaps did not work for you, please email me (jay@petio.org) and tell me so I can update it. Thanks!