🖥️openssl

➡️This is a command-line reference manual for commands and command combinations that you don’t use often enough to remember. This cheatsheet explains the openssl command, its important options and switches, using examples.

▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁

#                 ██████╗ ██████╗ ███████╗███╗   ██╗███████╗███████╗██╗     
#                ██╔═══██╗██╔══██╗██╔════╝████╗  ██║██╔════╝██╔════╝██║     
#                ██║   ██║██████╔╝█████╗  ██╔██╗ ██║███████╗███████╗██║     
#                ██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║╚════██║╚════██║██║     
#                ╚██████╔╝██║     ███████╗██║ ╚████║███████║███████║███████╗
#                 ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝╚══════╝╚══════╝╚══════╝
                                                                           

# Self-signed certificate workflow: private key -> CSR -> certificate, then inspection.

# To create a 2048-bit RSA private key.
# No cipher option (-aes256 etc.) is given, so server.key is written unencrypted:
# keep it readable only by its owner (chmod 600) — whoever can read it can impersonate the server.
openssl genrsa -out server.key 2048

# To create the Certificate Signing Request (CSR) for that key.
# Prompts interactively for the subject fields (Country, CN, ...); -subj '/CN=...' scripts them.
openssl req -new -key server.key -out server.csr

# To sign a certificate using a private key and CSR:
#   -req      the input is a CSR, not a certificate
#   -signkey  sign with the CSR's own key -> the result is self-signed
#   -days     validity in days from now (365 here)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# (The above commands may be run in sequence to generate a self-signed SSL certificate;
#  clients will only accept it once it is explicitly imported or pinned.)

# To show certificate information for a certificate signing request
# (-text prints the human-readable dump, -noout suppresses re-printing the PEM).
openssl req -text -noout -in server.csr

# To show certificate information for the generated certificate
openssl x509 -text -noout -in server.crt 

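# To view certificate expiration of a live server (<hostname> is a placeholder):
# - -servername sends SNI; without it a host that serves several names may hand back
#   its default certificate instead of the one for <hostname>.
# - `echo |` gives s_client an immediate EOF on stdin so it exits after the handshake.
# - 2> /dev/null hides handshake diagnostics; drop it when a connection fails.
# - awk keeps only the PEM certificate block; x509 -enddate prints its notAfter date.
echo | openssl s_client -servername <hostname> -connect <hostname>:443 2> /dev/null | \
awk '/-----BEGIN/,/END CERTIFICATE-----/' | \
openssl x509 -noout -enddate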

# Generate Diffie-Hellman parameters (a 2048-bit group) for servers that use classic
# finite-field DHE. Generation can take a long time; -outform PEM is the default and is
# only spelled out here.
openssl dhparam -outform PEM -out dhparams.pem 2048

#==============================#
# CMD OPENSSL
#==============================##==============================#
# Open a TLS session to an SMTP server via STARTTLS; -quiet suppresses the certificate
# and session dump so only the protocol dialogue is shown.
openssl s_client -connect smtp.example.net:25 -starttls smtp -quiet

# Plain HTTPS test; -crlf converts typed line feeds to CRLF as HTTP expects.
# After the handshake type the request lines shown below, then an empty line.
openssl s_client -connect www.lxu.io:443 -crlf
    GET / HTTP/1.0
    Host: www.lxu.io

# Same for IMAP on port 143 via STARTTLS. The transcript below shows a self-signed
# certificate (verify error 18): s_client still connects, because it does not enforce
# verification unless -verify_return_error is given.
openssl s_client -connect imap.example.org:143 -starttls imap -quiet
    depth=0 CN = imap.example.org
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = imap.example.org
    verify return:1
    . OK CAPABILITY completed
    a1 login $user $pass
    a1 OK LOGIN Ok.
    a2 logout
    * BYE Courier-IMAP server shutting down
    a2 OK LOGOUT completed

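# Encrypt a file with OpenSSL - works on OS X, Linux, anywhere with OpenSSL installed.
# `openssl des3` is shorthand for `openssl enc -des3`: 3DES is a legacy 64-bit-block
# cipher, and without -pbkdf2 `enc` derives the key from the passphrase with a
# single-iteration digest (OpenSSL 1.1.1+ prints "deprecated key derivation used").
# AES-256-CBC with PBKDF2 is the current equivalent; -salt is the default, kept explicit.
# Neither variant authenticates the ciphertext: a tampered file decrypts to garbage
# without an error, so sign or HMAC it separately if integrity matters.
# Files produced by the old `openssl des3 -salt` line still need `openssl des3 -d -salt`.
openssl enc -aes-256-cbc -pbkdf2 -salt -in infile.txt -out encryptedfile.txt

# To decrypt the file (same cipher and KDF flags, plus -d):
openssl enc -d -aes-256-cbc -pbkdf2 -salt -in encryptedfile.txt -out normalfile.txt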

##########################################################

# SMTP auth mit starttls auf der Kommandozeile testen
#------------------------------------------------------#

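# First we need the base64-encoded credential string for AUTH PLAIN. The SASL PLAIN
# message is authzid NUL authcid NUL password (here: benutzername, kontoname, passwort;
# bash's printf emits a real NUL byte for \0). `mimencode` (metamail) is rarely installed
# any more; `openssl base64` is available wherever openssl is. The password is visible in
# shell history and `ps` while this runs — use throwaway example values, or read it into a
# variable with `read -rs` instead of typing it on the command line.
printf 'benutzername\0kontoname\0passwort' | openssl base64
# -> YmVudXR6ZXJuYW1lAGtvbnRvbmFtZQBwYXNzd29ydA==   (constructed: encoding of the example fields above)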

# Then openssl gives us the encrypted connection: STARTTLS on port 25, -crlf so typed
# lines end in CRLF as SMTP requires. After the handshake type `helo <name>`,
# `auth plain`, paste the base64 string from above at the `334` prompt, then `quit`.
openssl s_client -connect lxu.io:25 -crlf -starttls smtp

# SMTP auth mit starttls auf der Kommandozeile testen
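# First we need the base64-encoded credential string for AUTH PLAIN. The SASL PLAIN
# message is authzid NUL authcid NUL password (here: benutzername, kontoname, passwort;
# bash's printf emits a real NUL byte for \0). `mimencode` (metamail) is rarely installed
# any more; `openssl base64` is available wherever openssl is. The password is visible in
# shell history and `ps` while this runs — use throwaway example values, or read it into a
# variable with `read -rs` instead of typing it on the command line.
printf 'benutzername\0kontoname\0passwort' | openssl base64
# -> YmVudXR6ZXJuYW1lAGtvbnRvbmFtZQBwYXNzd29ydA==   (constructed: encoding of the example fields above)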

# Then openssl gives us the encrypted connection: STARTTLS on port 25, -crlf so typed
# lines end in CRLF as SMTP requires. The (heavily shortened) transcript below shows the
# dialogue: helo, `auth plain`, the base64 string pasted at the `334` prompt, quit.
openssl s_client -connect lxu.io:25 -crlf -starttls smtp

# Die Ausgabe bezüglich Zertifikat des Servers ist umfangreich und wurde hier radikal gekürzt:
			CONNECTED(00000003)
			depth=0 C = AT, ......
				 .....
				 Verify return code: 18 (self signed certificate)
			---
			250 DSN
			helo localhost.local
			250 lxu.io
			auth plain
			334
			YmVudXR6ZXJuYW1lAGtvbnRvbmFtZQBwYXNzd30ydA==
			235 2.7.0 Authentication successful
			quit
			221 2.0.0 Bye
			closed

			

##########################################################

# Encrypt Files in Linux
##############################
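# Encrypt the current directory: tar+gzip is streamed straight into openssl, so the
# archive never touches disk unencrypted. -pbkdf2 replaces enc's default single-iteration
# passphrase KDF (OpenSSL 1.1.1+ warns about it as deprecated); decryption must pass the
# same flag. `*` skips dotfiles unless `shopt -s dotglob` is set. secured.tar.gz is
# ciphertext, not a gzip file, and CBC gives no tamper detection on its own.
tar -czf - * | openssl enc -e -aes256 -pbkdf2 -out secured.tar.gz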
    enc – openssl command to encode with ciphers
    -e – an enc command option to encrypt the input, which in this case is the output of the tar command
    -aes256 – the encryption cipher
    -out – enc option that sets the output filename, secured.tar.gz

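# Decrypt and unpack into ./test (the directory must already exist; tar -C does not
# create it). The flags must match the encryption step (-aes256 -pbkdf2); a wrong
# passphrase usually surfaces as a "bad decrypt" error from openssl and garbage for tar.
openssl enc -d -aes256 -pbkdf2 -in secured.tar.gz | tar xz -C test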
    -d – used to decrypt the files
    -C – extract in subdirectory named test

# HowTo: create a signing request and sign it with the local CA (`openssl ca` takes its
# CA key, certificate, serial file and policy from the [ca] section of openssl.cnf).
# Test the request: -verify checks the CSR's self-signature against the key embedded in
# it, -text dumps subject and requested extensions, -noout skips re-printing the PEM.
openssl req -in lxu.io_ssl_req_new.pem -text -verify -noout

# Sign (-notext omits the human-readable dump from the output file, leaving pure PEM):
openssl ca -in lxu.io_ssl_req_new.pem -notext -out servercert.pem
# NOTE(review): -extensions v3_ca applies the config's v3_ca section to a *server* cert.
# In the stock openssl.cnf that section sets basicConstraints = CA:TRUE, which would let
# this certificate issue further certificates — confirm what the section contains, or use
# an end-entity section (e.g. usr_cert) for server certificates.
openssl ca -extensions v3_ca -in 20161116_asg1.csr -notext -out 20161116servercert_asg1.pem

rueben....

# Check the result (`openssl ca` keeps a copy of each issued certificate as newcerts/<serial>.pem):
openssl x509 -in newcerts/02.pem -text -noout

# Convert the result from PEM to P7B (a PKCS#7 certificate bundle, e.g. for Windows/IIS import).
# -nocrl omits the CRL; each -certfile adds one PEM file, so the bundle holds the server
# certificate plus the second certificate file (presumably the issuing/proxy CA — verify).
openssl crl2pkcs7 -nocrl -certfile servercert_MSDBQSSL.pem -out servercert_MSDBQSSL.p7b -certfile lxu.ioProxyCert-v2.crt

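# openssl: extract certificate and private key from a PKCS#12 (.pfx/.p12) bundle.
# (The bare heading "openssl extract certificate privkey" was not a command — openssl has
#  no "extract" subcommand — so it is a comment now; the same recipe appears further down.)
# Key only: pkcs12 asks for the import password, then for a PEM pass phrase because the
# exported key is encrypted by default; add -nodes to write it unencrypted directly.
openssl pkcs12 -in file.pfx -nocerts -out privateKey.pem
# Leaf certificate(s) only, no key (-clcerts excludes CA certs, -nokeys the key).
openssl pkcs12 -in file.pfx -clcerts -nokeys -out publicCert.cer
# Strip the pass phrase: privateKey_nopasswd.pem is an unencrypted key — restrict its
# permissions (chmod 600) and keep it out of backups and repositories.
openssl rsa -in privateKey.pem -out privateKey_nopasswd.pem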

openssl rand -base64 12
# Generate a random password quickly in CLI using openssl:
# 12 bytes from the CSPRNG, base64-encoded -> 16 printable characters (~96 bits of entropy).
# Raise the byte count for longer passwords; the output may contain '/' and '+'.

openssl rsa -in server1.key -out server2.key 
# Strip SSL Password - Remove password from SSL, stop Apache from asking for a password on startup.
# Prompts for server1.key's pass phrase and writes server2.key unencrypted: the key is then
# protected only by file permissions (chmod 600, root-owned), so keep it out of backups/repos.

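# If you used to use telnet or netcat to test protocols, but are stumped by SSL/TLS
# connections, try openssl s_client with -starttls and the name of the protocol
# (smtp, imap, pop3, ftp, ...).
# -connect takes host:port only; the former "http://" scheme prefix is not parsed as a URL
# and makes the host lookup fail.
openssl s_client -connect smtp.lxu.io:25 -starttls smtp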

openssl req -out CSR.csr -key privateKey.key -new
# Generate a certificate signing request (CSR) for an existing private key.
# Only privateKey.key must exist beforehand; -out creates (or overwrites) CSR.csr.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
# Generate a self-signed certificate together with a fresh 2048-bit RSA key in one step.
# -nodes writes the key unencrypted (OpenSSL 3 also spells this -noenc); -sha256 is the
# signature digest, -days 365 the validity.

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
# Generate a new private key and Certificate Signing Request.
# Neither output needs to exist beforehand; -keyout and -out create them
# (the key unencrypted because of -nodes, see above).

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
# Generate a certificate signing request based on an existing certificate.
# certificate.crt and privateKey.key MUST exist beforehand; the CSR is signed with
# -signkey, so that key must be the one the certificate was issued for.

#-----------------------------------------------------------------------///

# bash: openssl extract certificate and private key from a PKCS#12 (.pfx/.p12) bundle
openssl pkcs12 -in file.pfx -nocerts -out privateKey.pem
# ^ key only: asks for the import password, then for a PEM pass phrase because the exported
#   key is encrypted by default (add -nodes to skip that and write it unencrypted).
openssl pkcs12 -in file.pfx -clcerts -nokeys -out publicCert.cer
# ^ leaf certificate(s) only: -clcerts drops CA certs, -nokeys drops the key.
openssl rsa -in privateKey.pem -out privateKey_nopasswd.pem
# ^ removes the pass phrase; the result is an unencrypted key — chmod 600 it and keep it
#   out of backups and repositories.

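# Concatenate multiple SSL certificate files to make one PEM file.
# Each input is followed by a newline so a file without a trailing newline does not
# fuse its "-----END CERTIFICATE-----" onto the next "-----BEGIN" line.
# Fixes vs. the original one-liner: "${files[@]}" and "$f" are quoted (paths with spaces
# no longer split), `cat -- ` stops a leading '-' being read as an option, and the
# `$(...)` wrapper is gone (it executed cat's — empty — stdout as a command).
#######################################
# Append certificate files, newline-terminated, to one PEM file.
# Arguments: $1 - output PEM path (appended to, not truncated)
#            $2.. - input certificate files, in chain order (leaf first)
# Outputs:   one warning per unreadable input on stderr
# Returns:   0 if every input was appended, 1 if any was skipped
#######################################
concat_pem() {
  local out=$1 f rc=0
  shift
  for f in "$@"; do
    if cat -- "$f" >> "$out"; then
      printf '\n' >> "$out"
    else
      printf 'concat_pem: cannot read %s\n' "$f" >&2
      rc=1
    fi
  done
  return "$rc"
}
files=("yourcert.crt" "provider.ca.pem") && concat_pem yourcert.pem "${files[@]}"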

# Explanation: If you want to concatenate multiple files, you might end up with cat {a,b,c} >> yourcert.pem in a loop. The problem is that this doesn't add a newline after each cat. This one-liner takes care of that. To use, e.g.:
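# Usage example, run in the directory holding the certificate files.
# `cd ... &&` keeps the loop from appending into the wrong directory when cd fails.
# Quoted "${files[@]}" and "$i" survive paths with spaces, `cat -- ` protects names that
# start with '-', and the stray `$(...)` (which ran cat's empty stdout as a command) is dropped.
cd /etc/ssl/certs &&
  files=("yourcert.crt" "provider.ca.pem") &&
  for i in "${files[@]}"; do cat -- "$i" >> yourcert.pem && printf '\n' >> yourcert.pem; done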

# pretty print json block that has quotes escaped
# (e.g. a JSON document copied from a log line where every " was written as \").
# NOTE(review): this strips *every* backslash, so \n, \t, \\ and \uXXXX escapes inside
# string values are damaged too. If the whole input is itself a JSON *string* containing
# JSON, `jq 'fromjson'` unwraps it without touching those escapes.
echo 'json_here' | sed 's/\\//g' | jq .

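# Download certificate chain from FTP (STARTTLS on the ftp service port, 21):
# -showcerts prints every certificate the server sent and sed keeps each PEM block, so
# the output is the chain exactly as presented — not validated. -servername sends SNI
# so a host serving several names returns the certificate for ftp.domain.com.
echo | openssl s_client -servername ftp.domain.com -showcerts -connect ftp.domain.com:ftp -starttls ftp 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

# Download certificate from FTP (leaf certificate only: same as above without -showcerts,
# port given numerically):
echo | openssl s_client -servername ftp.domain.com -connect ftp.domain.com:21 -starttls ftp 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'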

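# List SAN domains for a certificate (subjectAltName DNS entries of a live server's leaf cert).
# -servername sends SNI so a multi-tenant host returns the certificate for google.com rather
# than its default one. Handshake diagnostics go to stderr and are not PEM, so they are
# discarded (2>/dev/null) instead of being piped into x509 along with the certificate.
# awk splits the SAN line on commas, strips the "DNS:" prefixes and prints one name per
# line (OFS="\n"); assigning $1=$1 forces the record to be rebuilt with OFS.
echo | openssl s_client -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -noout -text | awk -F, -v OFS="\n" '/DNS:/{gsub(/ *DNS:/, ""); $1=$1; print}'
    # Sample output
    # *.google.com
    # *.android.com
    # *.appengine.google.com
    # *.cloud.google.com
    # ...
    # youtubeeducation.com
    # youtubekids.com
    # yt.be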

# Host cpu performance - measure the CPU with openssl's built-in benchmark. If the CPU is
# thermal throttling you can spot it here: compare the first line of the output.
#   Doing md5 for 3s on 16 size blocks: 11406892 md5's in 2.98s   (CPU not throttling)
#   Doing md5 for 3s on 16 size blocks:   110692 md5's in 2.98s   (CPU thermal throttling)
# Practical use case: once we had a cooling outage in the data center which caused thermal
# throttling on some of the worker nodes; this command was used to prove that those servers
# were underperforming because of it. Compare numbers only between identical hardware and
# OpenSSL builds.
openssl speed md5
    # Sample output
    #   Doing md5 for 3s on 16 size blocks: 11406892 md5's in 2.98s
    #   Doing md5 for 3s on 64 size blocks: 8479926 md5's in 2.99s
    #   Doing md5 for 3s on 256 size blocks: 4800618 md5's in 2.99s
    #   Doing md5 for 3s on 1024 size blocks: 1719000 md5's in 2.98s
    #   Doing md5 for 3s on 8192 size blocks: 249448 md5's in 2.99s

#==============================##==============================#
# CMD OPENSSL						       #
#==============================##==============================#
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

  █║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌

              ██╗ ██╗ ██████╗  ██████╗ ██╗  ██╗███████╗██████╗
             ████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
             ╚██╔═██╔╝██║  ██║██║   ██║ ╚███╔╝ █████╗  ██║  ██║
             ████████╗██║  ██║██║   ██║ ██╔██╗ ██╔══╝  ██║  ██║
             ╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
              ╚═╝ ╚═╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═════╝

               █║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░