Using the OpenSSL tool and utilities

Some general considerations regarding OpenSSL:
  • openssl
    OpenSSL provides a single command line tool, "openssl", that runs different utilities for the various kinds of objects. The utilities used in this topic include:
    • genrsa: generate an RSA private key
    • req: generate certificate requests or self-signed certificates
    • x509: display, convert, or create and sign X.509 certificates
    • pkcs12: create or parse PKCS #12 keystore files
    • rand: generate a sequence of random bytes
    • version: display OpenSSL version information
  • PEM

    Privacy-Enhanced Mail (PEM) is a de facto file format for handling and storing cryptographic objects such as private keys, certificates and certificate requests. It is a convenient format for use with "openssl" and its utilities, and is therefore also used extensively in the examples. Cryptographic objects are generally ASN.1 structures in DER encoding, i.e. binary data that includes non-printable byte sequences. PEM base64-encodes that binary data and wraps each object in a one-line header and a one-line footer (e.g. "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"). The resulting text files are not really human readable, but can be handled easily, e.g. sent in an e-mail.

  • Random number generator
    It may be necessary to create a file ".rnd" in the user's home directory, so that "openssl" can use its content as a seed for the random number generator. If the file is absent, an "openssl" command may fail with an error like the following:
    Can't load ~/.rnd into RNG
    140102054789568:error:2406F079:random number generator:RAND_load_file:
    Cannot open file:../crypto/rand/randfile.c:88:Filename=~/.rnd
    In this case, the file can easily be created by putting some random bytes into it, e.g. with the following command:
    $ openssl rand 256 > ~/.rnd

    The command generates a sequence of 256 random bytes and writes them to the file ".rnd" in the user's home directory. Afterwards, any "openssl" command that previously failed with the above error message can be repeated and should then run without producing the error.

  • OpenSSL configuration

    OpenSSL has a lot of configuration options. Many of them set default values that apply to "openssl" commands whenever the corresponding command line option is absent. Therefore, if an "openssl" command does not produce the desired result, it may be enough to specify an additional command line option rather than changing the system wide configuration of OpenSSL. Configuration changes affect not only "openssl" commands, but also the behaviour of the crypto library and its API functions. The OpenSSL configuration should therefore be changed only with utmost care, and in any case not without discussing it with the responsible system administrator.

    With some "openssl" commands, it is also possible to specify an alternative configuration file on the command line. This can be a locally modified copy of the system wide configuration file, used only for a particular command run. The name of the system wide configuration file is "openssl.cnf". The location of the file depends on the individual installation of OpenSSL and can be determined with the following command:
    $ openssl version -d

    The file "openssl.cnf" can be found in the directory shown as OPENSSLDIR.
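As an added example (not code from this page or from OpenSSL itself), the following Python script shows what the PEM item above describes: each object is a one-line header, the base64 of its DER bytes, and a one-line footer. It parses a constructed PEM text holding two objects and checks that each decoded body is a complete DER SEQUENCE, which is a useful first sanity check on a PEM file that "openssl" refuses to load.

```python
import base64

# Constructed sample (not output of a real "openssl" run): two PEM objects in
# one file, as "req" or "pkcs12" write them. Each body is a hand-built DER
# SEQUENCE { INTEGER 5 } (hex 30 03 02 01 05), not a real key or certificate.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
"""

def parse_pem(text):
    """Return [(label, der_bytes), ...] for every object in a PEM text.
    Raises ValueError on a footer that does not match its header, an
    unterminated object, or a body that is not valid base64."""
    objects, label, body = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, body = line[11:-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            if label is None or line[9:-5] != label:
                raise ValueError(f"footer {line!r} does not match {label!r}")
            objects.append((label, base64.b64decode("".join(body), validate=True)))
            label = None
        elif label is not None and line and ":" not in line:
            body.append(line)  # ":" marks an RFC 1421 header line (e.g. Proc-Type)
    if label is not None:
        raise ValueError(f"unterminated {label} object")
    return objects

def der_outer_length(der):
    """Check that `der` is one complete DER SEQUENCE (tag 0x30, the outer type
    of every key, certificate and request) and return its content length.
    A wrong tag, or a length field that disagrees with the number of bytes
    present, means the PEM body was truncated, corrupted or is not DER."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: one length byte
        length, offset = der[1], 2
    else:                                   # long form: next N bytes hold it
        n = der[1] & 0x7F
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):
        raise ValueError("DER length field does not match the data")
    return length
```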