OpenSSL – Cryptography And SSL/TLS Toolkit
Last Updated on 2025-01-27 16:31 by Sture
Description:
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. The project is managed by a worldwide community of volunteers who use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes, subject to some simple license conditions.
WWW: http://www.openssl.org/.
How to use
The OpenSSL program is a command line tool for using the various cryptography functions of OpenSSL’s crypto library from the shell. It can be used for:
- Creation and management of private keys, public keys, and parameters
- Public key cryptographic operations
- Creation of X.509 certificates, CSRs and CRLs
- Calculation of Message Digests
- Encryption and Decryption with Ciphers
- SSL/TLS Client and Server Tests
- Handling of S/MIME signed or encrypted mail
- Time Stamp requests, generation, and verification
Display the version of the OpenSSL that ships with the FreeBSD base system with:
user@freebsdsrv:~ $ openssl version [enter]
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
user@freebsdsrv:~ $
List the OpenSSL package versions currently available in the package repository with:
user@freebsdsrv:~ $ pkg search openssl | egrep '^openssl[0-9]+-[0-9]' [enter]
openssl111-1.1.1w_2 TLSv1.3 capable SSL and crypto library
openssl31-3.1.7_1 TLSv1.3 capable SSL and crypto library
openssl32-3.2.3_1 TLSv1.3 capable SSL and crypto library
openssl33-3.3.2_1 TLSv1.3 capable SSL and crypto library
openssl34-3.4.0 TLSv1.3 capable SSL and crypto library
user@freebsdsrv:~ $
Note: the latest stable release at the time of writing is 3.4.
In this example, the 3.4.0 package is installed and put in front of the base-system OpenSSL 3.0.15 on the command line.
Installation
Install openssl34 with:
user@freebsdsrv:~ $ sudo pkg install -y security/openssl34 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl34: 3.4.0
Number of packages to be installed: 1
The process will require 27 MiB more space.
8 MiB to be downloaded.
[1/1] Fetching openssl34-3.4.0.pkg: 100% 8 MiB 8.1MB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing openssl34-3.4.0...
[1/1] Extracting openssl34-3.4.0: 100%
user@freebsdsrv:~ $
Configuration
Move the base-system openssl(1) binary in /usr/bin/ out of the way so it is no longer picked up, with the command below. This only swaps the command-line tool: base-system programs keep using the base libcrypto/libssl, and a later base-system update (freebsd-update) can put the original binary back, so re-check /usr/bin/openssl after updating.
user@freebsdsrv:~ $ sudo mv /usr/bin/openssl /usr/bin/openssl.default [enter]
user@freebsdsrv:~ $
Create a symbolic link to enable the use of the new version of OpenSSL with:
user@freebsdsrv:~ $ sudo ln -s /usr/local/bin/openssl /usr/bin/ ; ls -l /usr/bin/openssl [enter]
lrwxr-xr-x 1 root wheel 22 Dec 5 15:26 /usr/bin/openssl@ -> /usr/local/bin/openssl
user@freebsdsrv:~ $
Edit the configuration file read by the package version, /usr/local/openssl/openssl.cnf (the base-system tool reads /etc/ssl/openssl.cnf instead; the number after + only opens the editor at that line), with:
user@freebsdsrv:~ $ sudo ee +168 /usr/local/openssl/openssl.cnf [enter]
Set the default values that the openssl req prompts will offer in the [ req_distinguished_name ] section, for example:
...
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Vastra Gotaland
localityName = Locality Name (eg, city)
localityName_default = Hisings Karra
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Polymathic
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Support and Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = freebsdsrv.local.lan
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admin@local.lan
emailAddress_max = 64
# SET-ex3 = SET extension number 3
...
Generate a private key and a self-signed certificate valid for 10 years with the command below. Be aware of what it produces: -nodes (in OpenSSL 3.x a deprecated alias for -noenc) writes the private key unencrypted; the certificate carries no subjectAltName, so browsers and most TLS libraries will not accept it for the host name even though the CN matches; and openssl req -x509 in 3.x marks it CA:TRUE, as the review further down shows. That is acceptable for a lab host; for anything else, add a subjectAltName and have the certificate signed by a proper CA.
user@freebsdsrv:~ $ sudo sh -c 'openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/server.key -x509 -days 3650 -out /etc/ssl/server.crt' [enter]
.....+.+........+....+..+.........+.+...+..+.+...+..+...+......+..................+.+++++++++++++++++++++++++++++++++++++++*.....+..+.....................+....+.....+.+++++++++++++++++++++++++++++++++++++++*....+....+...+..+......+.+...+..++++++
.+.................+...+.+..+.........+...+.+..+..................+....+++++++++++++++++++++++++++++++++++++++*.....+.+..+.......+++++++++++++++++++++++++++++++++++++++*..+.+......+...+.....+....+...+..+......+.......+.................+...+....+.....+...+...+...............+...+.+.........+......+......+..+.+..+....+........+......+............+.............+.........+..+....+.....+.+......+...+............+..+............+......+....+.....+.+.........+...+...........+......+...+.+..+....+...+.....+...+...+................+...+.....+.......+........+.+..+...+....+...........+.......+...+..+...+................+...+..+....+.....+.......+............+..+.+........+.+.....+....+.....+.......+.....+...+.+...+.....................+..+.........+...+..........+......+......+...+..+...................+.....+....+..+...................++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]: [enter]
State or Province Name (full name) [Vastra Gotaland]: [enter]
Locality Name (eg, city) [Hisings Karra]: [enter]
Organization Name (eg, company) [Polymathic]: [enter]
Organizational Unit Name (eg, section) [Support and Development]: [enter]
Common Name (e.g. server FQDN or YOUR name) [freebsdsrv.local.lan]: [enter]
Email Address [admin@local.lan]: [enter]
user@freebsdsrv:/usr/local/etc/ssl $
Review the certificate with:
user@freebsdsrv:~ $ sudo sh -c 'openssl x509 -text -noout -in /etc/ssl/server.crt' [enter]
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
21:b3:69:65:0b:00:ec:5b:bf:55:2e:b3:58:10:e6:58:23:11:21:0b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=SE, ST=Vastra Gotaland, L=Hisings Karra, O=Polymathic, OU=Support and Development, CN=freebsdsrv.local.lan, emailAddress=admin@local.lan
Validity
Not Before: Jan 27 16:26:04 2025 GMT
Not After : Jan 25 16:26:04 2035 GMT
Subject: C=SE, ST=Vastra Gotaland, L=Hisings Karra, O=Polymathic, OU=Support and Development, CN=freebsdsrv.local.lan, emailAddress=admin@local.lan
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:d0:43:bb:19:32:7f:b8:4d:36:57:20:02:e3:
07:6a:8b:e1:7c:4a:59:c0:78:be:72:c2:b6:e7:10:
c8:c5:b7:d0:2b:c5:e6:f7:f1:a7:cf:39:21:98:d2:
98:5b:69:d0:e6:e2:00:49:b9:3a:c7:e2:d5:32:4c:
d2:3d:b5:d7:91:32:23:7e:8e:4d:82:75:4a:10:54:
86:cf:b7:49:44:d0:32:d8:cb:f1:4a:7f:65:68:9a:
0b:59:f2:0d:0f:1a:55:19:57:c1:ce:69:d8:36:b4:
77:1a:45:29:b0:d6:2d:93:26:4c:f9:10:a2:71:1d:
ac:8e:c0:1a:1d:be:98:34:4a:e8:23:bd:e8:87:af:
01:7c:30:4c:70:1f:84:80:de:33:4e:f8:19:ae:3c:
d5:d0:2b:42:cb:2d:1b:74:79:36:f9:33:20:9e:58:
08:99:03:61:f3:60:e3:75:d7:d0:0a:0a:68:0b:b0:
ba:51:83:11:6d:cd:b2:06:6d:56:7f:b2:e4:6d:72:
1b:b1:a0:2c:18:f0:0c:0f:17:82:0d:61:a1:b2:0f:
c2:6f:11:08:6d:74:b6:3d:eb:9d:f4:94:4f:e3:66:
ae:36:0d:d8:e9:c5:db:1a:f6:2c:27:ce:66:a3:75:
46:e9:98:9b:70:53:37:44:33:a4:f1:68:65:d3:03:
72:01
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D0:E3:3C:AA:67:16:7A:E0:4F:8B:66:16:49:15:E4:19:11:36:C7:23
X509v3 Authority Key Identifier:
D0:E3:3C:AA:67:16:7A:E0:4F:8B:66:16:49:15:E4:19:11:36:C7:23
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
99:07:ac:20:4d:19:68:22:5b:0c:21:c0:9f:01:53:01:aa:a5:
1b:2c:dd:64:7e:8f:33:4f:d3:58:cb:6e:7a:f6:38:00:85:c8:
60:71:3a:51:94:da:ff:ed:f9:80:7e:c3:57:e8:c3:ea:88:be:
5b:f1:ee:d9:fa:40:8a:ee:89:3a:9c:f9:ac:a5:68:ab:27:10:
33:92:ef:2f:ee:1d:80:6e:90:e6:82:e1:ea:f1:f5:50:cc:6f:
ce:db:78:00:94:6c:52:13:d5:71:e3:4a:4d:f2:b9:b6:7a:eb:
41:cd:43:a5:86:ee:72:e0:3b:04:af:d2:a4:c5:47:d6:2b:86:
82:96:21:a6:ab:47:61:54:0d:9a:70:62:e6:e9:7b:ae:b5:68:
db:b9:49:dc:a0:55:55:45:64:a0:a0:fb:70:33:6b:8c:70:45:
50:ef:13:e0:4e:53:d7:2f:16:63:55:16:61:ef:d3:f0:61:0b:
ce:a5:04:3b:c2:91:e5:52:48:a3:60:b6:ab:ab:b7:2c:b1:65:
1c:ac:c5:e8:f7:d8:3d:dc:56:cb:91:b4:27:56:ab:e2:0e:a6:
fc:c1:72:b4:33:46:93:15:10:72:5c:34:01:09:af:43:65:90:
bd:c6:bf:f0:89:b8:a2:b1:11:5a:1e:25:9d:3b:a0:5c:5c:b2:
0f:44:5e:51
user@freebsdsrv:~ $
List the files that were created (the private key is mode 0600, readable by root only; the certificate is world-readable) with:
user@freebsdsrv:~ $ ls -l /etc/ssl/ [enter]
total 49
drwxr-xr-x 2 root wheel 149 Nov 29 12:13 certs
-rw-r--r-- 1 root wheel 12336 Nov 29 11:21 openssl.cnf
-rw-r--r-- 1 root wheel 1554 Jan 27 17:26 server.crt
-rw------- 1 root wheel 1704 Jan 27 17:25 server.key
drwxr-xr-x 2 root wheel 54 Nov 29 12:12 untrusted
user@freebsdsrv:~ $
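The same procedure as a script, added here as an example that is not part of the original page or of the OpenSSL project. It produces the key and certificate non-interactively (so the openssl.cnf defaults above are not needed), adds the subjectAltName the interactive run leaves out, and then performs the checks worth doing before deploying: the key matches the certificate, the SAN covers the host, the certificate verifies against itself, it is not expired, and the key file is mode 0600 as in the listing above. The host name freebsdsrv.local.lan, the organisation, the 825-day validity (the most some clients accept for a leaf certificate) and the output directory are assumed values; adjust them. The script keeps the basicConstraints CA:TRUE that openssl req -x509 sets by default in 3.x, so treat the key accordingly.

```shell
#!/bin/sh
# Added example, not from the original page or the OpenSSL project.
# Non-interactive equivalent of the "openssl req -x509" run above, plus the
# checks to run before deploying the result. Host name, organisation,
# validity and output directory are assumed placeholders.

gen_selfsigned() {
    host="$1"          # server FQDN: goes into the CN and, more importantly, the SAN
    outdir="$2"        # where server.key and server.crt are written
    days="${3:-825}"   # 825 days: the most some clients accept for a leaf certificate
    # Subshell so the restrictive umask does not leak into the calling shell;
    # the key is created mode 0600 instead of being fixed up afterwards.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/C=SE/O=Polymathic/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -addext "extendedKeyUsage=serverAuth" \
            -keyout "$outdir/server.key" -out "$outdir/server.crt"
    ) || return 1
    chmod 644 "$outdir/server.crt"   # the certificate is public; only the key is secret
}

# Pre-deployment checks. Returns 0 only if all pass; prints the first failure.
check_cert() {
    crt="$1"; key="$2"; host="$3"
    # 1. key and certificate belong together: compare the public key (SPKI) hashes
    [ "$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$key" -pubout | openssl sha256)" ] \
        || { echo "key does not match certificate"; return 1; }
    # 2. the host must appear as a DNS SAN; clients ignore the CN for name matching
    openssl x509 -in "$crt" -noout -ext subjectAltName | grep -qF "DNS:$host" \
        || { echo "no subjectAltName for $host"; return 1; }
    # 3. self-signed: it verifies only against itself (any other trust store rejects it)
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify"; return 1; }
    # 4. not expired now (-checkend N fails if it expires within N seconds)
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired"; return 1; }
    # 5. private key readable by its owner only, as in the ls -l listing above
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] \
        || { echo "private key permissions too open"; return 1; }
    return 0
}

# Usage (writes into a scratch directory instead of /etc/ssl):
# d=$(mktemp -d) && gen_selfsigned freebsdsrv.local.lan "$d" && \
#     check_cert "$d/server.crt" "$d/server.key" freebsdsrv.local.lan && echo OK
```

Run it as root only when writing to /etc/ssl; the checks themselves need no privileges beyond reading the files. Running check_cert with a host name that is not in the SAN is the quickest way to see why the interactive certificate above, which has no SAN at all, is rejected by clients.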