Tag Archives: OpenSSL software

OpenSSL includes implementations of the network protocols and various ciphers, as well as the openssl program for the command line to request,

Convert password to MD5 or SHA hash algorithm with OpenSSL

A password often needs to be converted to an MD5-based or SHA-based hash using OpenSSL so that it can be pasted as a hash into a SQL table or into a configuration file such as an XML or JSON file.

This is where the OpenSSL Toolkit can be used to convert a password.

Message-Digest Algorithm 5 (MD5) is a popular cryptographic hash function that calculates a 128-bit hash value from any message. Secure Hash Algorithm (SHA) refers to a group of standardized cryptological hash functions and is used to calculate a check value for any digital data and is, among other things, the basis for creating a digital signature.

How to convert a password to MD5-based or SHA algorithm hash with OpenSSL

How to convert password MD5-based

Open a terminal shell (Ctrl+Alt+T) or a command prompt and run openssl passwd to convert a password with the MD5-based algorithm.

openssl passwd -1 "TopSecret"
$1$UwcEHfFx$pv99SO2tq3MZ5u2JtTN.O0

Here a password is converted with the SHA256-based algorithm.

openssl passwd -5 "TopSecret"
$5$6wC.6bysAZzl1zAm$758mNsbX6d.Uzhrm1eAtF3ftrWBgnYi/BES8tSYgKR1

With password given as an additional text to digest, a hash is printed for each argument.

openssl passwd -5 password "TopSecret"
$5$6wC.6bysAZzl1zAm$758mNsbX6d.Uzhrm1eAtF3ftrWBgnYi/BES8tSYgKR1
$5$Po.hbT1imQPmydXm$seJP5igIfO0NmTLfx6IcBxrgU7Hh2HthpJ9VTqWWag9

This input converts the password with the SHA512-based password algorithm.

openssl passwd -6 "TopSecret"
$6$CRY0sZkUObU1tIMg$JFM8Artzxz6efj3kVTMyfXimOD.cSZB3VAh3a7pShjJBLiiU598D0YCKCsyBaOXvhwiJG7Onf4Djru2XjMBKf.

This input converts the password with the MD5-based password algorithm, Apache variant, using OpenSSL.

openssl passwd -apr1 "TopSecret"
$apr1$cVLBkacR$hKouNKpKP0XUkOoNfsPBx/

OpenSSL is also available for Windows; the article here shows how to do it.

OpenSSL passwd help is available with this command.

openssl passwd --help
Usage: passwd [options] [password]

General options:
 -help               Display this summary

Input options:
 -in infile          Read passwords from file
 -noverify           Never verify when reading password from terminal
 -stdin              Read passwords from stdin

Output options:
 -quiet              No warnings
 -table              Format output as table
 -reverse            Switch table columns

Cryptographic options:
 -salt val           Use provided salt
 -6                  SHA512-based password algorithm
 -5                  SHA256-based password algorithm
 -apr1               MD5-based password algorithm, Apache variant
 -1                  MD5-based password algorithm
 -aixmd5             AIX MD5-based password algorithm

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 password            Password text to digest (optional)
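The -stdin and -salt options listed above allow a stored hash to be checked without putting the password on the command line, where it would end up in the shell history and the process list. The following is an added example, not part of the original tutorial; the function names hash_password and check_password are made up here, and a hash that carries a rounds= field is rejected rather than handled.

```shell
#!/bin/sh
# Added example: hash and verify passwords with `openssl passwd` while
# reading the password from stdin. Function names are hypothetical.

# hash_password: read one password from stdin and print a SHA512-based
# hash with a random salt.
hash_password() {
    openssl passwd -6 -stdin
}

# check_password STORED_HASH: read the candidate password from stdin.
# Returns 0 on match, 1 on mismatch, 2 if the hash cannot be handled.
check_password() {
    stored=$1
    # Expect the "$id$salt$digest" layout printed by openssl passwd.
    case $stored in
        '$'*'$'*'$'*) ;;
        *) return 2 ;;
    esac
    rest=${stored#\$}      # drop the leading "$"
    id=${rest%%\$*}        # 1, 5, 6 or apr1
    rest=${rest#*\$}
    salt=${rest%%\$*}      # the salt is stored next to the digest
    case $id in
        1|5|6|apr1) ;;
        *) return 2 ;;
    esac
    # Limitation of this example: a "rounds=N" field is not handled.
    case $salt in
        ''|rounds=*) return 2 ;;
    esac
    # Re-hash the candidate with the stored salt and compare the strings.
    computed=$(openssl passwd "-$id" -salt "$salt" -stdin) || return 2
    [ "$computed" = "$stored" ]
}
```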

Conclusion

This tutorial showed you how to convert a password with a SHA-based or MD5-based algorithm.

We use the versatile OpenSSL Toolkit to convert passwords and key phrases. Under no circumstances should you use one of the many online tools on the web, as there is a risk that your password can be misused for malicious attacks.

Easy Create a Certificate Signing Request Using OpenSSL

This tutorial shows you how to create a Certificate Signing Request (CSR) on Linux and Windows using OpenSSL. You’ll find out that it’s also very easy to do in the command prompt.

How to Easily Deploy Certificate Signing Requests (CSR) with OpenSSL

OpenSSL ships with most Linux distributions. Under Windows, the open-source toolkit can be installed from a command prompt using the Windows package manager as follows:

C:\> winget install -e --id ShiningLight.OpenSSL

Windows also provides the Windows Subsystem for Linux (WSL), with which a virtual Ubuntu GNU/Linux can be run; OpenSSL is included.

Let’s see how it’s done

Run the command below to generate a 2048-bit RSA private key and x509 CSR in plain text on Linux as well as on Windows in the same way:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Instead of the placeholder domain, use your desired domain name. Upon completion of this process, you will be returned to a command prompt. You will not receive any notification that your CSR was successfully created.

The file named by -out domain.csr contains the CSR for the Certificate Authority (CA). It is usually submitted by pasting it into a form at the certificate issuer, which then generates the public certificate that you download.

The process with the inputs in this example is shown below:

......+++++++++++++++++++++++++++++++++++++++*..+....+........+.
..........+........+.+.....++++++++++++++++++++++++++++++++++*.+
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) []:Montreal
Organization Name (eg, company) []:Wind Energy Ltd
Organizational Unit Name (eg, section) []:Branch Lab
Common Name (e.g. server FQDN or YOUR name) []:domain.tld
Email Address []:hostmaster@domain.tld

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Replace the placeholder values for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address with your own. The optional challenge password does not have to be entered.

Let’s explain the command:

openssl is the command for running OpenSSL.
req is the OpenSSL utility for generating a CSR.
-newkey rsa:2048 tells OpenSSL to generate a new 2048-bit RSA private key. If you would prefer a 4096-bit key, change 2048 to 4096.
-nodes specifies that the private key should not be encrypted. When this option is used, the private key is written to the key file in plain text, without a passphrase.
-keyout domain.key specifies where to save the private key file.
-out domain.csr specifies where to save the CSR file.

Optionally, after generating the CSR you can check it as follows:

openssl req -text -noout -verify -in domain.csr

The output looks something like this (abbreviated).

Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CA, ST = Quebec, L = Montreal, O = Wind Energy Ltd, OU = Branch lab, CN = domain.tld, emailAddress = hostmaster@domain.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
...

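The example CSR domain.csr is a PEM text file whose content sits between the lines -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.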


Do not change the content of the CSR file. It must be transmitted to the certificate authority unchanged, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
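The same request can be produced without the interactive prompts, with the subject passed via -subj and a subjectAltName added via -addext, followed by a check that the key and the CSR belong together. This is an added example, not part of the original tutorial; the function names are made up here, the subject values repeat the sample input above, and -addext assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: non-interactive CSR generation plus consistency checks.
# Function names are hypothetical; subject values are the page's samples.

# make_csr DOMAIN OUTDIR: write OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr.
make_csr() {
    domain=$1
    outdir=$2
    (
        # -nodes leaves the key unencrypted, so keep the file owner-only.
        umask 077
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
            -subj "/C=CA/ST=Quebec/L=Montreal/O=Wind Energy Ltd/CN=$domain" \
            -addext "subjectAltName=DNS:$domain"
    )
}

# key_matches_csr KEYFILE CSRFILE: compare the public key derived from the
# private key with the public key embedded in the CSR.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be read.
key_matches_csr() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# csr_has_san CSRFILE DOMAIN: confirm the request carries the DNS name as a
# subjectAltName entry.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -F -q "DNS:$2"
}
```

Running key_matches_csr before submitting the request, and again on the key that goes into a .pfx export, catches a key file that was overwritten or mixed up with another domain's key.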

How to convert a .crt to the .pfx (PKCS#12) format

Windows services such as IIS and Microsoft Exchange Server commonly use certificates in the PFX (Personal Information Exchange) PKCS#12 format. An x509 PEM certificate can be converted to the PFX certificate (.pfx) format with the following command:

openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt

  Ensure you have the certificate file (domain.crt) and the corresponding private key file (domain.key) available. If you don’t have the private key file, you won’t be able to create the .pfx file.

Create a Self-signed Certificate

If you want a self-signed certificate, you can create one (domain.crt) from the existing private key and CSR with this command:

openssl x509 -signkey domain.key -in domain.csr -req -days 3652 -out domain.crt

This creates a self-signed certificate domain.crt, valid for 10 years, that is signed with its own private key. It can be used to encrypt data just as well as CA-signed certificates, but you and your users will be shown a warning that says the certificate isn’t trusted. You can solve that too.

Conclusion

In this tutorial you learned how easy it is to manually create an X.509 certificate signing request (CSR) on Linux and Windows using OpenSSL. The versatile OpenSSL toolkit is very widely used in many devices and applications, and it provides numerous possibilities, as shown in this article.

Yes, you’ll find out that it’s also very easy to do in the command prompt.