Tag Archives: OpenSSL software

OpenSSL includes implementations of the network protocols and various ciphers, as well as the openssl program for the command line to request,

How to Install OpenSSL on Windows 10-11

Tutorial: OpenSSL provision on Windows 10 and Windows 11

OpenSSL used to be reserved for Linux operating systems, or had to be compiled from source on macOS and Windows. With Win32/Win64 OpenSSL, the open source software library can also be run on 32-bit and 64-bit Windows (x86/i386) and can be deployed on Windows machines via an installer.

OpenSSL is widely used for encryption in numerous applications and secure connections, for SSL/TLS connections such as HTTPS, and for the cryptography in SSH, OpenVPN and DNSSEC.

The Win32/Win64 OpenSSL installation project from Shining Light Productions (slproweb.com) simplifies the deployment of OpenSSL on Microsoft Windows. The installation consists of downloading and running an installer that unpacks prebuilt binaries, which eliminates the need to compile the source code.

Installation

This tutorial shows two methods to deploy OpenSSL on Windows 10 and Windows 11. The simpler method comes first and uses the Windows Package Manager: press the Windows logo key + R, enter cmd in the Run box and click OK, or click Start, type cmd and click the Command Prompt icon.


Click Start and type cmd

In the command prompt that opens, run the following command. If the logged-in user is not an administrator, start the command prompt with “Run as administrator”.

C:\> winget install openssl

The Windows package manager “winget” allows you to install applications and other packages from the command line. If winget is started for the first time, you will be prompted to confirm the source agreement terms by pressing the Y key.

The OpenSSL package is now installed. The second method is to download and install the package manually.

Install Win64 OpenSSL package manually

The table (screenshot) on the slproweb.com website contains the versions for Win32 and Win64 OpenSSL as EXE and MSI installers.

Website: https://slproweb.com/products/Win32OpenSSL.html

Recommended here is the latest version with the most commonly used essentials: at the time of writing this article, that is Win64 OpenSSL v3.0.7 EXE Light, found in the first row of the table.

Double-click the file Win64OpenSSL_Light-3_0_7.exe to start the setup wizard. Confirm the User Account Control (UAC) prompt with Yes to continue the installation.

The setup wizard unpacks and copies the OpenSSL files.

Set up the OpenSSL environment

After the OpenSSL files are copied and installed, the search path and an environment variable are added to the operating system. Press the Windows logo key + R, enter SYSTEMPROPERTIESADVANCED and click OK.

The System Properties window opens.

Click the Environment Variables button at the bottom.

In the lower System variables area, select the Path entry and click the Edit button.

In the “Edit Environment Variables” window, click New to add the path to the OpenSSL-Win64\bin folder under Program Files. The folder containing openssl.exe can be located with Windows Explorer and its path copied to the clipboard, or it can be selected with the Browse button. Confirm with OK.

Now add another system variable by clicking New.

Enter OPENSSL_CONF in the Variable name field. In the Variable value field, enter the path of the file openssl.cnf, here C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf

The installation is now complete and OpenSSL can be used. First, check the installed OpenSSL release.

C:\> openssl version -a
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
built on: Tue Nov  1 16:04:12 2022 UTC
...
C:\> openssl version -d
OPENSSLDIR: "C:\Program Files\Common Files\SSL"

The OpenSSL Toolkit is a versatile utility with many options, but under Windows the man pages known from Linux are not available. However, the openssl help command provides context-sensitive help, such as openssl help s_client, openssl help x509 or openssl help req, to name just a few examples. Help is also offered on the documentation pages on the web, where the manpages can also be found.

Useful OpenSSL Examples

A few of the most commonly used openssl commands for the console are shown below. Note that this is not a comprehensive collection of all possible commands of this powerful open source toolkit.

openssl x509 -noout -text -in ca-cert.pem

Display the certificate file ca-cert.pem in plain text.

openssl req -text -noout -verify -in x509-check.csr

View and verify the contents of CSR x509-check.csr in plain text.

openssl rsa -check -in rootCA.key

Check the consistency of the private key in the rootCA.key file.

openssl x509 -noout -modulus -in ca-cert.pem | openssl md5

Print the MD5 digest of the modulus of the certificate ca-cert.pem; the same digest computed on a private key shows whether key and certificate belong together.

openssl crl2pkcs7 -nocrl -certfile servercert.pem -out c:\temp\servercert.p7b

Convert the certificate servercert.pem from PEM to PKCS#7 (.p7b) format and write it to the temp folder.

openssl pkcs12 -export -in rootCA.pem -inkey rootCA.key -out c:\temp\rootCA.p12 -name "PKCS12 certificate"

Bundle the certificate rootCA.pem and its private key rootCA.key into the PKCS#12 file rootCA.p12.

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout server.key -out server.crt

Generate a self-signed certificate and a 2048-bit RSA key in a single command, signed with SHA-256; the certificate is valid for 1 year (365 days), and -nodes leaves the private key unencrypted.

openssl s_client -connect imap.gmail.com:993

Check the connection to imap.gmail.com on port 993; unlike telnet, this negotiates TLS and shows the certificate and handshake details.

openssl s_client -crlf -connect smtp.gmail.com:587 -starttls smtp

Connect to port 587 on smtp.gmail.com and upgrade the session with STARTTLS, for example to check whether a firewall policy takes effect.

openssl s_client -verify_quiet -brief www.ietf.org:443

Check the protocol version, cipher suite, peer certificate and hash used, in brief output.

openssl rand -base64 20

Generate 20 random bytes encoded in base64 with OpenSSL, usable for example as a passphrase to protect a private key.

These were just a few examples; openssl is a versatile toolkit that offers numerous applications.
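As an added example that is not from the original article, the following POSIX shell script ties the modulus digest comparison and the one-line certificate generation above together into a key/certificate check. It assumes openssl 3.x is on the PATH (for example in Git Bash or WSL on Windows, or a Linux/macOS shell); the file names and the CN example.test are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): check that a private key
# belongs to a certificate and that the certificate is not about to expire.
# Assumes openssl 3.x on PATH; file names and the CN are placeholders.

# MD5 of the RSA modulus, as in the example above; an RSA key and its
# certificate carry the same modulus and therefore give the same digest.
cert_modulus_md5() { openssl x509 -noout -modulus -in "$1" | openssl md5 | awk '{print $NF}'; }
key_modulus_md5()  { openssl rsa  -noout -modulus -in "$1" | openssl md5 | awk '{print $NF}'; }

# Succeeds only when private key $1 belongs to certificate $2.
key_matches_cert() { [ "$(key_modulus_md5 "$1")" = "$(cert_modulus_md5 "$2")" ]; }

# Succeeds only when certificate $1 is still valid $2 seconds from now.
cert_valid_for() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; }

# Test material: the self-signed key+cert one-liner from the list above,
# made non-interactive with -subj, plus an unrelated key to show a mismatch.
make_test_material() {
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -subj "/CN=example.test" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_test_material "$tmp"
    key_matches_cert "$tmp/server.key" "$tmp/server.crt" && echo "server.key matches server.crt"
    key_matches_cert "$tmp/other.key"  "$tmp/server.crt" || echo "other.key does not match server.crt"
    cert_valid_for "$tmp/server.crt" 2592000 && echo "server.crt valid for at least 30 days"
    rm -rf "$tmp"
fi
```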

Conclusion

The OpenSSL open-source cryptography library is more important than ever and indispensable. Connections are encrypted and protected, so why shouldn’t the OpenSSL Toolkit be used on Windows? Creating and managing digital X.509 certificates and checking cipher suites, digital fingerprints and MD5 and SHA hash values are now possible on Windows as well, which was previously reserved for Linux.

Source links:
slproweb.com Win32/Win64 OpenSSL Installation Project for Windows
openssl.org Cryptography and SSL/TLS Toolkit

SSL/TLS Connection testing with OpenSSL

How to Test HTTPS and IMAPS connection using OpenSSL

OpenSSL can be used in many ways: not only to generate keys and certificates for SSL/TLS encrypted connections, but also to analyse and test those connections.

This article shows how to use OpenSSL to verify and analyse connections to web servers on TCP port 443, and to mail servers via STARTTLS on TCP port 587 or IMAPS on TCP port 993. OpenSSL must be installed on the computer.

The free online service SSL Labs provides a deep analysis of the configuration of any public SSL web server: the connection is simulated with many different browsers and the result is displayed, including which encryption was achieved. The evaluation shows which encryption and key exchange methods were negotiated.

HTTPS Connection Test with OpenSSL

If individual tests are to be performed, the following examples show how to do this. An encrypted connection to unblog.ch is established and then the web page is retrieved.

$ openssl s_client -connect unblog.ch:443 -showcerts

If an alternate port is used instead of the default HTTPS port 443, for example 4443, the command is the same, with :4443 specifying the port number.

Retrieve certificate in RAW text

To retrieve the public certificate of a web site as raw PEM text, use the following command line.

$ openssl s_client -connect think.unblog.ch:443 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

This command runs in a Linux terminal, the macOS terminal, Git Bash or a WSL session; sed prints only the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----:

-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgISAwYFPWKaEox8MgKHV5yqROeWMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA3MTcwMzAyMTZaFw0y
...
-----END CERTIFICATE-----

Copy and paste the output into Notepad and save it as a PEM/CER file (.cer).

Double-clicking the public certificate saved in this way opens it in the Windows certificate viewer.

SMTPS Connection Test with OpenSSL

With OpenSSL you can determine whether a mail server (MTA) offers encrypted STARTTLS connections, using the following command line.

$ openssl s_client -connect smtp-gw-246.server.com:587 -starttls smtp

The query displays the public certificate, then the signing digest (SHA256), the TLS version (TLSv1.2), the cipher (ECDHE-RSA-AES256-GCM-SHA384) and other status information.

subject=CN = smtp-gw-246.server.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3441 bytes and written 480 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN
SSL session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session ID: E1528C64C3CC7A9B28C4E1C2EA33EA0BEF1BACB6602B066351A49C705E192EB5
    Session ID ctx:
    Master Key: 573AB776B9954B51B7FE4908171752874EFCC3DE5F35ECC42AA5F04E48B736290DECC948DE252AD61188B5A94A8BAE9A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 0b 99 b3 3a 91 90 66 a8-86 8d 0e 41 8a 90 61 9e ...:.. Q....A.. A.
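The handshake summary lines above (Verification, the New/Cipher line, Server public key) are what one usually checks first. As an added example that is not part of the original post, the following POSIX shell script extracts those fields from an s_client transcript and flags a protocol below TLS 1.2 or an unverified chain; the two transcripts are constructed from the SMTPS and IMAPS output shown in this article, so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise an s_client
# transcript and flag weak protocols or an unverified certificate chain.
# The transcripts below are constructed from lines shown in the post.

# One "name=value" line per handshake field found on stdin.
tls_summary() {
    awk '
        /^Verification:/        { print "verification=" $2 }
        /^Verification error:/  { sub(/^Verification error: /, ""); print "verification=" $0 }
        /^New, /                { sub(/^New, /, ""); split($0, f, ", Cipher is ");
                                  print "protocol=" f[1]; print "cipher=" f[2] }
        /^Server public key is/ { print "keybits=" $5 }
    '
}

# Prints "ok" and returns 0 for TLS 1.2/1.3 with a verified chain;
# otherwise prints the findings and returns 1.
tls_verdict() {
    summary=$(tls_summary)
    proto=$(printf '%s\n' "$summary" | sed -n 's/^protocol=//p')
    verif=$(printf '%s\n' "$summary" | sed -n 's/^verification=//p')
    bad=""
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) bad="$bad weak-protocol($proto)" ;;
    esac
    [ "$verif" = "OK" ] || bad="$bad unverified-chain($verif)"
    if [ -z "$bad" ]; then echo ok; return 0; fi
    echo "$bad"; return 1
}

# Constructed from the SMTPS run above: verified chain, TLS 1.2.
SAMPLE_SMTP='Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

# Constructed from the IMAPS run: TLS 1.3, but the issuer CA was not in the
# local trust store (verify error 20), so s_client reports the chain unverified.
SAMPLE_IMAP='verify error:num=20:unable to get local issuer certificate
Verification error: unable to get local issuer certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'

printf '%s\n' "$SAMPLE_SMTP" | tls_verdict            # prints: ok
printf '%s\n' "$SAMPLE_IMAP" | tls_verdict || true    # prints: unverified-chain(...)
```

Real output is fed the same way, e.g. openssl s_client -connect host:993 </dev/null 2>/dev/null | tls_verdict.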

IMAPS Connection Test use OpenSSL

An IMAPS (IMAP over SSL/TLS) connection can be checked on the command line with OpenSSL over TCP port 993.

$ openssl s_client -crlf -connect imap.gmail.com:993

The raw output of the connection to imap.gmail.com on SSL port 993 is shown here in shortened form. The verify error:num=20 (unable to get local issuer certificate) in the first lines means that s_client found no trusted CA for the chain in its local trust store; point it at a CA bundle with -CAfile to let the chain verify.

CONNECTED(00000174)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIExjCCA66gAwIBAgIQN1SnMAZHJA0IAAAAAFMdITANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw
...
Post-Handshake New Session Ticket arrived:
SSL session:
    Protocol : TLSv1.3
    Cipher : TLS_AES_256_GCM_SHA384
    Session ID: 6074E0D401DDD1E1DD5608CBC6F7CA4A2779A9AB4A9313732996D6C4DBD84BC68
    Session ID ctx:
    Resumption PSK:
...
read R BLOCK
* OK Gimap ready for requests from 12.34.56.78 t22mb67814ed
Q
Done

If you want to continue here, you can try to authenticate on the IMAP server and query for new mails.

A NO [ALERT] Application-specific password required: https://support.google.com/accounts/answer/185833 (Failure)

Gmail responds with A NO [ALERT]: because multi-factor authentication (MFA) is enabled on the account, an application-specific password is required for this login.

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.

A Dovecot server instead greets with * OK followed by the list of supported functions (CAPABILITY). The IMAP prompt is now waiting for input.

We can log in to our Dovecot IMAP server.

A login imap-user password

The login usually consists of the email address (imap-user) and a password.

After successful login, the output appears similar to this one.

A OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY LITERAL+ NOTIFY SPECIAL-USE QUOTA] Logged in

Now we select the IMAP inbox (INBOX).

A select INBOX

The output of select INBOX is similar to the following.

* FLAGS (\Answered \Flagged \Deleted \Seen \Draft $Forwarded)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft $Forwarded \*)] Flags permitted.
* 3 EXISTS
* 0 RECENT
* OK [UNSEEN 3] First unseen.
* OK [UIDVALIDITY 1590737718] UIDs valid
* OK [UIDNEXT 12197] Predicted next UID
* OK [HIGHESTMODSEQ 39953] Highest
A OK [READ-WRITE] Select completed (0.001 + 0.000 secs).

As seen, there are 3 mails in the INBOX. We fetch the header of the first mail; the command tag used here is a dot (.).

. fetch 1 rfc822.header

The output of . fetch 1 rfc822.header (the first 6 lines).

* 1 FETCH (RFC822.HEADER {3338}
Return-Path: <maxmuster@server.com>
Delivered-To: maxmuster@server.com
Received: from mail.server.com
        by mail.server.com with LMTP
        id sbn9BAzYQF9sJBACykIyCA
        (envelope-from <maxmuster@server.com>)
..
. OK Fetch completed (0.001 + 0.000 secs).

The body of the first mail is fetched with . fetch 1 rfc822.text

. fetch 1 rfc822.text

The output of . fetch 1 rfc822.text then looks similar to this (my mail).

* 1 FETCH (RFC822.TEXT {596297}

--Apple-Mail-3B8B8770-2CCE-4083-B331-2E1EDAF97C84
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: 7bit

Good day.

Attached the PDF in the attachment.

Friendly greetings

--Apple-Mail-3B8C8770-2CCE-4083-B331-2E2EDBF97C94
Content-Type: application/pdf;
        name="Doc-21.08.2020-10-36.pdf";
        x-apple-part-url=CCDB9E0F-432F-2719-AE44-000259172822
Content-Disposition: inline;
        filename="Doc-21.08.2020-10-36.pdf"
Content-Transfer-Encoding: base64

JVBERi0jLjMKJbe+7aoKMSAwIG9iago8PA0vVHlwZSAvQ2F0YWxvZwozUGFnZXMgMiAwIFIKPj4K
ZW5kc2JqCjIgMCBvYmoKPDwKL1R5cGUgL1BhZ2VzCi9LaWRzIFsgNCFxIFIgXQovQ291bnQgMQo+
...
. OK Fetch completed (0.003 + 0.034 secs).

So this is a mail with a base64-encoded PDF attachment.
Entering Q terminates the encrypted IMAP session.

Conclusion

OpenSSL, as a versatile open-source toolkit, offers numerous options such as testing connections, on Windows too, as shown in this post.