$devvkit learn --librarie openssl-guide
OpenSSL Guide
[tls][ssl][crypto][certificates]
Security & Cryptography
Install
# Pre-installed on most Linux/macOS sudo apt install openssl # Windows: download from openssl.org or via WSL brew install openssl
OpenSSL is the de facto standard for TLS in the open-source world. The CLI can generate CSRs, self-signed certs, check certificate expiry, test TLS connections, encrypt/decrypt files, and compute hashes — all without writing code.
The most useful subcommands: `req` (CSR/cert generation), `x509` (certificate inspection), `s_client` (test TLS connections — better than curl for TLS debugging), `s_server` (quick TLS test server), `speed` (benchmark crypto).
For everyday use: `openssl s_client -connect example.com:443` shows the full certificate chain, TLS version, and cipher negotiated. Add `-servername` for SNI and `-tlsextdebug` for ALPN debugging. GUI: Keychain Access (macOS), certlm.msc (Windows), or XCA for certificate management.
Certificate Management
Generate CSR— Certificate Signing Request.
openssl req -new -newkey rsa:2048 -nodes \ -keyout mydomain.key -out mydomain.csr \ -subj "/C=US/ST=State/L=City/O=Org/CN=mydomain.com" # Check CSR content: openssl req -text -noout -verify -in mydomain.csr
Self-signed cert— Quick dev certificate.
openssl req -x509 -newkey rsa:4096 -nodes \ -days 365 -keyout key.pem -out cert.pem \ -subj "/CN=localhost" \ -addext "subjectAltName=DNS:localhost,DNS:*.local,IP:127.0.0.1"
Inspect certificate— Check cert details.
openssl x509 -in cert.pem -text -noout openssl x509 -in cert.pem -dates -noout # Validity dates openssl x509 -in cert.pem -subject -issuer -noout # Subject + issuer openssl x509 -in cert.pem -fingerprint -sha256 -noout # SHA256 fingerprint
Check certificate expiry— Monitor expiry dates.
# Check all certs in a directory: for cert in *.pem; do expiry=$(openssl x509 -in "$cert" -enddate -noout | cut -d= -f2) days=$(( ( $(date -d "$expiry" +%s) - $(date +%s) ) / 86400 )) echo "$cert: expires $expiry ($days days)" done # Check remote cert expiry: echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -enddate -noout
TLS Testing
Test TLS connection— Debug TLS handshake.
openssl s_client -connect example.com:443 # Basic TLS test echo | openssl s_client -connect example.com:443 2>&1 | grep -E "SSL-Session|Protocol|Cipher" # Check SNI: echo | openssl s_client -connect 1.1.1.1:443 -servername cloudflare.com # Show full certificate chain: echo | openssl s_client -showcerts -connect example.com:443
Test TLS version support— Which TLS versions.
# Test each TLS version: echo | openssl s_client -tls1_2 -connect example.com:443 2>&1 | grep -q "Protocol.*TLSv1.2" && echo "TLS 1.2: OK" echo | openssl s_client -tls1_3 -connect example.com:443 2>&1 | grep -q "Protocol.*TLSv1.3" && echo "TLS 1.3: OK" # TLS 1.0/1.1 should fail — check with: echo | openssl s_client -tls1 -connect example.com:443 2>&1 | grep "alert" || echo "TLS 1.0 rejected"
Encryption
Encrypt file— AES-256 encryption.
# Encrypt: openssl enc -aes-256-cbc -salt -pbkdf2 -in secret.txt -out secret.enc # Decrypt: openssl enc -aes-256-cbc -d -pbkdf2 -in secret.enc -out secret.txt # Encrypt with password file: openssl enc -aes-256-cbc -salt -pbkdf2 -pass file:key.txt -in data.txt -out data.enc
Prime number generation— Generate cryptographically secure primes.
openssl prime -generate -bits 2048 -hex openssl prime -generate -bits 4096 -safe # Safe prime: (p-1)/2 is also prime # DH parameters (for Diffie-Hellman): openssl dhparam -out dhparam.pem 2048
Hashing
Hash a file— Compute checksums.
openssl dgst -sha256 file.txt openssl dgst -sha512 file.txt > file.sha512 # Verify: openssl dgst -sha512 -verify pubkey.pem -signature file.sig file.txt # Quick MD5/SHA1 (but prefer SHA256): openssl md5 file.txt openssl sha1 file.txt
Benchmark
Speed benchmark— Benchmark crypto algorithms.
openssl speed sha256 aes-256-cbc rsa2048 openssl speed -multi 4 # Use 4 threads openssl speed -evp aes-256-gcm # OpenSSL 3.x EVP API # Compare: hardware AES vs software AES