OpenSSL Lab manual
OpenSSL
Estimated Time:
The below exercise may take approximately 45 minutes.
Requirements:
● Ubuntu
● OpenSSL
Objective:
The objective of this lab is to provide hands-on experience with various cryptographic techniques, including
hashing, symmetric and asymmetric encryption, digital signatures, creation of self-signed certificates, and
creating a Certificate Authority (CA) and issuing certificates with it.
Lab Exercises
Open VMware Workstation Pro; power on the Ubuntu virtual machine and open the terminal.
Experimenting with hash algorithms:
1. Create sample-file.txt using the command below. This file is used in all the exercises.
echo "hello world" > sample-file.txt
2. Create the SHA1 message digest of the file using the below command. The output will be on the
console.
openssl dgst -sha1 ./sample-file.txt
3. To write the message digest (in hexadecimal form) to a file, use the command below; the output is stored
in digest.txt.
openssl sha1 -out digest.txt ./sample-file.txt
Experimenting with symmetric key cryptographic algorithms:
4. Symmetric cryptographic algorithms use a single secret key that is shared between communicating
parties. This key is used for both encryption and decryption.
5. To generate a 256-bit random key that can be used with the AES-256 algorithm and store it in a file,
use the following command:
openssl rand -out symmetric_key.bin 32
Here, symmetric_key.bin stores the generated key, and 32 is the key length in bytes (32 bytes * 8 = 256
bits). AES (Advanced Encryption Standard) supports key sizes of 128, 192, and 256 bits.
6. Encrypt the file using the symmetric key:
openssl enc -aes-256-cbc -in sample-file.txt -out test.enc -pass file:symmetric_key.bin
Successful execution gives an encrypted output file (test.enc).
Use the command below to list the files in the current folder.
ls
7. Decrypt the file using the same key using the below command:
openssl enc -d -aes-256-cbc -in test.enc -out decrypted.txt -pass file:symmetric_key.bin
Successful execution will generate a decrypted file (decrypted.txt).
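As an added example (not part of the lab manual), the same AES-256-CBC round trip as steps 5 to 7, scripted with the checks a practitioner would want: how `-pass file:` actually consumes the key file, the raw-key alternative, and what a wrong passphrase does. File names and passphrases are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lab manual. Two ways to drive AES-256-CBC:
#  - -pass file:  openssl reads the FIRST LINE of the file as a passphrase and
#    derives the key from it, so a random binary key file that happens to
#    contain a newline or NUL byte is only partly used. -pbkdf2 selects a proper
#    KDF instead of the legacy EVP_BytesToKey derivation that openssl warns about.
#  - -K/-iv: the 32-byte key (64 hex chars) and 16-byte IV are used as given.
set -eu

# Returns 0 only if the decrypted output is byte-identical to the input.
aes_roundtrip_pass() {
  dir=$(mktemp -d)
  printf 'hello world\n' > "$dir/in.txt"        # constructed sample input
  openssl rand -hex 32 > "$dir/pass.txt"       # hex text: one line, no NULs
  openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -in "$dir/in.txt" \
      -out "$dir/test.enc" -pass "file:$dir/pass.txt"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in "$dir/test.enc" \
      -out "$dir/decrypted.txt" -pass "file:$dir/pass.txt"
  if cmp -s "$dir/in.txt" "$dir/decrypted.txt"; then rc=0; else rc=1; fi
  rm -rf "$dir"; return $rc
}

# Same round trip with a raw key: no KDF; key and IV handling is on the caller.
aes_roundtrip_rawkey() {
  dir=$(mktemp -d)
  printf 'hello world\n' > "$dir/in.txt"
  key=$(openssl rand -hex 32)   # 32 bytes = AES-256 key
  iv=$(openssl rand -hex 16)    # fresh 16-byte IV per message, sent in the clear
  openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$dir/in.txt" -out "$dir/test.enc"
  openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$dir/test.enc" -out "$dir/dec.txt"
  if cmp -s "$dir/in.txt" "$dir/dec.txt"; then rc=0; else rc=1; fi
  rm -rf "$dir"; return $rc
}

# Returns 0 only if a wrong passphrase never reproduces the plaintext.
aes_wrong_pass_fails() {
  dir=$(mktemp -d)
  printf 'hello world\n' > "$dir/in.txt"
  openssl enc -aes-256-cbc -pbkdf2 -in "$dir/in.txt" -out "$dir/test.enc" -pass pass:right
  # Normally ends in "bad decrypt" (padding check); on the rare occasion the
  # padding looks valid, the output is still garbage, which is what we test.
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$dir/test.enc" -out "$dir/dec.txt" \
      -pass pass:wrong 2>/dev/null || true
  if [ -s "$dir/dec.txt" ] && cmp -s "$dir/in.txt" "$dir/dec.txt"; then rc=1; else rc=0; fi
  rm -rf "$dir"; return $rc
}
```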
Experimenting with asymmetric key cryptographic algorithms:
8. Asymmetric cryptographic algorithms use a pair of keys: a private key (kept secret) and a public key
(shared openly). The private key is used for decryption and signing, while the public key is used for
encryption and verifying signatures.
9. To generate a 2048-bit private key using the RSA algorithm, use the command below.
Software & Network Security Fundamentals
Copyright © C-DAC Hyderabad, 2025 Page 1 of 4
openssl genrsa -out privatekey1.pem 2048
Successful execution will generate a privatekey1.pem.
10. To generate the public key corresponding to the private key, use the command below.
openssl rsa -in privatekey1.pem -pubout -out publickey1.pem
Here privatekey1.pem is the input private key and the generated public key is written to publickey1.pem.
11. Encrypt the file using a public key (publickey1.pem):
openssl pkeyutl -encrypt -inkey publickey1.pem -pubin -in sample-file.txt -out test1.enc
12. Decrypt the encrypted file (test1.enc) using the private key (privatekey1.pem):
openssl pkeyutl -decrypt -inkey privatekey1.pem -in test1.enc -out decrypted1.txt
13. Generate a 2048-bit private key using the RSA algorithm and encrypt it using the 3DES algorithm.
privatekey2.pem is generated after successful execution. You will be asked to enter a passphrase
(minimum 4 characters) and to re-enter it for verification.
openssl genrsa -out privatekey2.pem -des3 2048
14. To generate the public key corresponding to the private key, use the command below.
openssl rsa -in privatekey2.pem -pubout -out publickey2.pem
You will be asked for the passphrase used during the generation of the private key. Here privatekey2.pem
is the input private key and the generated public key is written to publickey2.pem.
15. You can replicate encryption and decryption of the file similar to steps 11 and 12 using
publickey2.pem and privatekey2.pem. During decryption, you will be prompted for the passphrase.
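As an added example that goes beyond steps 11 and 12 (not part of the lab manual): what pkeyutl does when the file is larger than one RSA block, and the hybrid RSA+AES scheme normally used instead. Key and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the lab manual. RSA encrypts only one block: with a
# 2048-bit key, at most 245 bytes (PKCS#1 v1.5, pkeyutl's default padding) or
# 214 bytes (OAEP with SHA-1). The 12-byte sample-file.txt fits; a larger file
# does not, and the standard answer is hybrid encryption: RSA protects a random
# AES key, AES protects the file. All file names are constructed.
set -eu

gen_keypair() {   # $1 = directory; writes priv.pem and pub.pem
  openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null
  openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# Returns 0 if pkeyutl refuses a 301-byte file (the size limit in action).
rsa_direct_too_big() {
  dir=$(mktemp -d); gen_keypair "$dir"
  openssl rand -hex 150 > "$dir/big.txt"        # 300 hex chars + newline
  if openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" -pkeyopt rsa_padding_mode:oaep \
       -in "$dir/big.txt" -out "$dir/big.enc" 2>/dev/null; then rc=1; else rc=0; fi
  rm -rf "$dir"; return $rc
}

# Hybrid scheme: returns 0 only if the same 301-byte file survives the round trip.
hybrid_roundtrip() {
  dir=$(mktemp -d); gen_keypair "$dir"
  openssl rand -hex 150 > "$dir/big.txt"
  # Sender: fresh AES key and IV; wrap the key with RSA-OAEP under the public key.
  key=$(openssl rand -hex 32); iv=$(openssl rand -hex 16)
  printf '%s' "$key" > "$dir/aes.key"
  openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" -pkeyopt rsa_padding_mode:oaep \
      -in "$dir/aes.key" -out "$dir/aes.key.enc"
  openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$dir/big.txt" -out "$dir/big.enc"
  # Receiver gets big.enc, aes.key.enc and the IV; only the private key unwraps.
  k2=$(openssl pkeyutl -decrypt -inkey "$dir/priv.pem" -pkeyopt rsa_padding_mode:oaep \
      -in "$dir/aes.key.enc")
  openssl enc -d -aes-256-cbc -K "$k2" -iv "$iv" -in "$dir/big.enc" -out "$dir/big.dec"
  if cmp -s "$dir/big.txt" "$dir/big.dec"; then rc=0; else rc=1; fi
  rm -rf "$dir"; return $rc
}
```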
Experimenting with digital signatures:
16. Sign a digest using the private key and verify it using the public key.
a. Signing: Use the private key to sign the file.
openssl sha1 -sign privatekey1.pem -out signed-sample-file.bin ./sample-file.txt
b. Verification: Use the public key to verify the file.
openssl sha1 -verify publickey1.pem -signature signed-sample-file.bin ./sample-file.txt
If the verification is successful, you will receive the output:
Verified OK
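As an added example (not from the lab manual): step 16 scripted with SHA-256 instead of SHA-1, plus the negative checks a verifier must pass, namely that a modified file and a different key both fail. File names are constructed.

```shell
#!/bin/sh
# Added example, not from the lab manual: step 16 scripted with SHA-256
# instead of SHA-1, plus the negative checks a verifier must pass.
set -eu

# Returns 0 only if the genuine file verifies AND a one-character change to it
# does not AND a different public key does not. File names are constructed.
sign_and_verify() {
  dir=$(mktemp -d)
  printf 'hello world\n' > "$dir/sample-file.txt"
  openssl genrsa -out "$dir/privatekey.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/privatekey.pem" -pubout -out "$dir/publickey.pem" 2>/dev/null

  # Sign: SHA-256 the file, then RSA-sign the digest (PKCS#1 v1.5 by default).
  openssl dgst -sha256 -sign "$dir/privatekey.pem" \
      -out "$dir/signed-sample-file.bin" "$dir/sample-file.txt"

  # Verify the untouched file; openssl prints "Verified OK" and exits 0.
  if ! openssl dgst -sha256 -verify "$dir/publickey.pem" \
        -signature "$dir/signed-sample-file.bin" "$dir/sample-file.txt" >/dev/null 2>&1
  then rm -rf "$dir"; return 1; fi

  # Tamper: one character differs, signature unchanged; this must NOT verify.
  printf 'hello worlf\n' > "$dir/tampered.txt"
  if openssl dgst -sha256 -verify "$dir/publickey.pem" \
        -signature "$dir/signed-sample-file.bin" "$dir/tampered.txt" >/dev/null 2>&1
  then rm -rf "$dir"; return 1; fi

  # A different key pair must not verify it either (the signature binds the signer).
  openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/other.pem" -pubout -out "$dir/otherpub.pem" 2>/dev/null
  if openssl dgst -sha256 -verify "$dir/otherpub.pem" \
        -signature "$dir/signed-sample-file.bin" "$dir/sample-file.txt" >/dev/null 2>&1
  then rm -rf "$dir"; return 1; fi
  rm -rf "$dir"; return 0
}
```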
Experimenting with self-signed root CA digital certificates:
17. Generate a self-signed root CA certificate while generating a new private key.
openssl req -x509 -newkey rsa:2048 -out rootcacert1.pem -outform PEM
18. You will be asked for a passphrase for the new private key, and then for the country, state, organization,
unit, name, and email address to put in the certificate. Enter the details as shown below.
Generating a 2048 bit RSA private key
.+++++
..........................+++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Hyd
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Workshop
Organizational Unit Name (eg, section) []:Training
Common Name (e.g. server FQDN or YOUR name) []:training.com
Email Address []:
[email protected]
Note: By default, a new private key named privkey.pem is generated and encrypted.
19. Generate a self-signed root CA certificate using the existing private key.
openssl req -x509 -new -key privatekey2.pem -out rootcacert2.pem -outform PEM
You will be asked for the passphrase used when generating privatekey2.pem (step 13) and for the other
certificate details, as in the previous steps.
20. Generate a self-signed root certificate with a new private key; the key should not be encrypted, and
the certificate should be valid for 365 days.
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout myprivkey.pem -out cacert.pem -outform PEM
Since the private key is not encrypted, you will not be prompted for a passphrase. However, you will
still need to enter certificate details.
21. To view specific details of the created digital certificate, use the commands below (for the root CA):
a. This will show the complete certificate
openssl x509 -in rootcacert1.pem -text -noout
b. Print the dates/time during which the certificate is valid.
openssl x509 -in rootcacert1.pem -dates -noout
c. Prints who issued the certificate
openssl x509 -in rootcacert1.pem -issuer -noout
d. Prints to whom the certificate was issued
openssl x509 -in rootcacert1.pem -subject -noout
22. Convert the PEM-encoded (ASCII) certificate to the DER-encoded (binary) certificate.
openssl x509 -outform der -in rootcacert1.pem -out rootcacert1.der
23. View the DER-encoded certificate.
openssl x509 -in rootcacert1.der -inform der -text -noout
Creating Certificate Authority (CA) and issuing certificates to Server and Client:
Steps to configure CA:
24. Generate a private key for the CA. You will be asked to enter a passphrase and verify it. After
successful execution, ca.key is generated in the current working directory.
25. openssl genrsa -des3 -out ca.key 4096
26. Create a self-signed root certificate for the CA. Here you need to provide the passphrase used in
private key generation and then provide the details as in step 18. Here $(pwd) expands to the
current working directory path.
openssl req -new -x509 -days 365 -key $(pwd)/ca.key -out ca.crt
Steps to get a server certificate issued by the CA:
27. Generate a private key for the server using the command below. You will be asked to enter a
passphrase and verify it.
openssl genrsa -des3 -out server.key 4096
28. Generate a Certificate Signing Request (CSR) for the server using the command below. You will be
asked for the passphrase provided during generation of the server's private key, then for the server's
details as in step 18. You will also be asked for extra attributes such as a challenge password and an
optional company name.
openssl req -new -key $(pwd)/server.key -out server.csr
29. Sign the server certificate using the CA. You will be asked for the passphrase used when generating
ca.key in step 24.
openssl x509 -req -days 365 -in $(pwd)/server.csr -CA $(pwd)/ca.crt -CAkey $(pwd)/ca.key -set_serial 01 -out server.crt
Steps to get a client certificate issued by the CA:
30. Generate a private key for the client using the command below. You will be asked to enter a
passphrase and verify it.
openssl genrsa -des3 -out client.key 4096
31. Generate a Certificate Signing Request (CSR) for the client using the command below. You will be
asked for the passphrase provided during generation of the client's private key, then for the client's
details as in step 18. You will also be asked for extra attributes such as a challenge password and an
optional company name.
openssl req -new -key $(pwd)/client.key -out client.csr
32. Sign the client certificate using the CA. You will be asked for the passphrase used when generating
ca.key in step 24.
openssl x509 -req -days 365 -in $(pwd)/client.csr -CA $(pwd)/ca.crt -CAkey $(pwd)/ca.key -set_serial 01 -out client.crt
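As an added example (not the manual's own commands): steps 24 to 32 scripted end to end, with unique serial numbers, extensions applied by the CA at signing time, and a chain check. The CA name, the example.test host names, the constructed req config and all file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the manual's commands: steps 24-32 as one script that
# closes two gaps in them. The manual gives both leaf certs -set_serial 01,
# but serials must be unique per issuer; and `x509 -req` copies no extensions,
# so nothing says which cert is for a server and which for a client.
# Keys are unencrypted (-nodes) only so the script runs unattended.
set -eu

# Builds CA, server and client material in directory $1. Returns 0 only if
# both leaf certs chain to the CA and carry different serial numbers.
build_pki() {
  dir=$1
  # Minimal req config (constructed) so the script does not depend on the
  # system openssl.cnf; ca_ext is what makes ca.crt a real CA certificate.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\n' > "$dir/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> "$dir/req.cnf"
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj '/CN=Lab Root CA' \
      -config "$dir/req.cnf" -extensions ca_ext \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for name in server client; do
    case $name in server) eku=serverAuth ;; *) eku=clientAuth ;; esac
    # Extensions the CA attaches at signing time (the CSR's own requested
    # extensions are ignored here, which is where the policy should live).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/$name.ext"
    printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s.example.test\n' "$eku" "$name" >> "$dir/$name.ext"
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$name.example.test" \
        -config "$dir/req.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # -CAcreateserial keeps ca.srl next to ca.crt and bumps it per signing,
    # so no two certificates issued by this CA share a serial number.
    openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    # Chain check: what a TLS peer with ca.crt in its trust store would do.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null || return 1
  done
  [ "$(openssl x509 -in "$dir/server.crt" -serial -noout)" != \
    "$(openssl x509 -in "$dir/client.crt" -serial -noout)" ]
}

# Returns 0 if the certificate at $1 carries the serverAuth extended key usage.
has_server_auth() {
  openssl x509 -in "$1" -text -noout | grep -q 'TLS Web Server Authentication'
}

# Returns 0 if the client cert in $1 is rejected when presented as a server cert.
client_not_server() {
  ! openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/client.crt" >/dev/null 2>&1
}
```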
Converting Certificates to PFX format:
33. Some network applications require certificates in PFX format (which password-protects the certificate).
For this command, the input certificate in PEM format must contain the key and certificate concatenated
together.
openssl pkcs12 -export -out server.pfx -inkey $(pwd)/server.key -in $(pwd)/server.crt -name "Server Certificate"
The following flags were used:
-export -out server.pfx: export and save the PFX file as server.pfx
-inkey server.key: use the private key file server.key as the private key to combine with the certificate.
-in server.crt: use server.crt as the certificate the private key will be combined with.
You will be asked for the passphrase of the server key, then to enter an export password and verify it.
34. Similarly, convert the client certificate using the command below.
openssl pkcs12 -export -out client.pfx -inkey $(pwd)/client.key -in $(pwd)/client.crt -name "Client Certificate"
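As an added example (not the manual's own commands): steps 33 and 34 scripted without prompts, followed by two checks worth running on the resulting bundle. The self-signed key and certificate, the file names and the passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not the manual's commands: steps 33-34 without prompts,
# followed by two checks on the resulting bundle. The key and certificate are
# a constructed self-signed pair; file names and passwords are constructed too.
set -eu

# Exports key+cert from directory $1 as PKCS#12 and returns 0 only if a wrong
# export password is rejected and the key inside belongs to the certificate.
pfx_roundtrip() {
  dir=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj '/CN=server.example.test' \
      -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  # -passout supplies the export password the manual prompts for;
  # pass: is acceptable in a lab, prefer env: or file: in real scripts.
  openssl pkcs12 -export -out "$dir/server.pfx" -inkey "$dir/server.key" \
      -in "$dir/server.crt" -name "Server Certificate" -passout pass:exportpw
  # Check 1: the bundle's integrity MAC must reject a wrong password.
  if openssl pkcs12 -in "$dir/server.pfx" -passin pass:notit -noout 2>/dev/null; then
    return 1
  fi
  # Check 2: pull cert and key back out; their public keys must match.
  openssl pkcs12 -in "$dir/server.pfx" -passin pass:exportpw -nokeys \
      -out "$dir/out.crt" 2>/dev/null
  openssl pkcs12 -in "$dir/server.pfx" -passin pass:exportpw -nocerts -nodes \
      -out "$dir/out.key" 2>/dev/null
  c=$(openssl x509 -in "$dir/out.crt" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$dir/out.key" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
```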