Claude Code Plugins

Community-maintained marketplace

Feedback

OpenSSL

@oriolrius/pki-manager-web
0
0

Expert guidance for OpenSSL operations including certificate generation, key management, CSR creation, certificate verification, encryption, and PKI operations. Use this when working with SSL/TLS certificates, cryptographic keys, or PKI infrastructure.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name OpenSSL
description Expert guidance for OpenSSL operations including certificate generation, key management, CSR creation, certificate verification, encryption, and PKI operations. Use this when working with SSL/TLS certificates, cryptographic keys, or PKI infrastructure.

OpenSSL

Expert assistance with OpenSSL cryptographic operations and PKI management.

Key Generation

RSA Keys

# Generate RSA private key (2048-bit)
openssl genrsa -out private.key 2048

# Generate RSA private key (4096-bit, more secure)
openssl genrsa -out private.key 4096

# Generate encrypted RSA private key
openssl genrsa -aes256 -out private.key 4096

# Extract public key from private key
openssl rsa -in private.key -pubout -out public.key

# Remove passphrase from encrypted key
openssl rsa -in encrypted.key -out decrypted.key

EC (Elliptic Curve) Keys

# List available curves
openssl ecparam -list_curves

# Generate EC private key (P-256)
openssl ecparam -name prime256v1 -genkey -noout -out ec-private.key

# Generate EC private key (P-384, more secure)
openssl ecparam -name secp384r1 -genkey -noout -out ec-private.key

# Extract public key
openssl ec -in ec-private.key -pubout -out ec-public.key

Certificate Signing Requests (CSR)

Create CSR

# Create CSR from existing private key
openssl req -new -key private.key -out request.csr

# Create CSR with inline subject
openssl req -new -key private.key -out request.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

# Generate private key and CSR in one command
openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr

# Create CSR with SAN (Subject Alternative Names)
openssl req -new -key private.key -out request.csr -config san.cnf

SAN Configuration File (san.cnf)

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
CN = example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
IP.1 = 192.168.1.1

View CSR

# Display CSR details
openssl req -in request.csr -noout -text

# Verify CSR signature
openssl req -in request.csr -noout -verify

Self-Signed Certificates

Create Self-Signed Certificate

# Generate self-signed certificate (1 year validity)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

# Generate self-signed certificate without passphrase
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

# From existing key
openssl req -x509 -key private.key -out cert.pem -days 365

# With specific subject
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 \
  -subj "/C=US/ST=State/L=City/O=Org/CN=example.com"

Certificate Authority (CA) Operations

Create Root CA

# Generate CA private key
openssl genrsa -aes256 -out ca-key.pem 4096

# Create CA certificate
openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 \
  -out ca-cert.pem -subj "/C=US/O=MyOrg/CN=MyOrg Root CA"

Sign Certificate with CA

# Sign CSR with CA
openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 365 -sha256

# Sign with extensions (SAN)
openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf

Create Intermediate CA

# Generate intermediate CA key
openssl genrsa -aes256 -out intermediate-key.pem 4096

# Create intermediate CSR
openssl req -new -key intermediate-key.pem -out intermediate.csr

# Sign intermediate certificate with root CA
openssl x509 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out intermediate-cert.pem -days 1825 -sha256

# Create certificate chain
cat intermediate-cert.pem ca-cert.pem > chain.pem

Certificate Inspection & Verification

View Certificate Details

# Display certificate details
openssl x509 -in cert.pem -noout -text

# Show specific fields
openssl x509 -in cert.pem -noout -subject
openssl x509 -in cert.pem -noout -issuer
openssl x509 -in cert.pem -noout -dates
openssl x509 -in cert.pem -noout -serial
openssl x509 -in cert.pem -noout -fingerprint

# Check expiration
openssl x509 -in cert.pem -noout -enddate

# Show in human-readable format
openssl x509 -in cert.pem -text -noout

Verify Certificates

# Verify certificate against CA
openssl verify -CAfile ca-cert.pem cert.pem

# Verify certificate chain
openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem cert.pem

# Check if certificate and key match
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Test SSL/TLS Connection

# Connect to server and show certificate
openssl s_client -connect example.com:443 -showcerts

# Test specific protocol
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

# Test with SNI
openssl s_client -connect example.com:443 -servername example.com

# Check certificate expiration remotely
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates

Format Conversion

PEM ↔ DER

# PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der

# DER to PEM
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

PKCS#12 (PFX)

# Create PKCS#12 bundle (certificate + private key)
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem

# Include certificate chain
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile chain.pem

# Extract from PKCS#12
openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes

# Extract only certificate
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

# Extract only private key
openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.key

PKCS#7

# Convert PEM to PKCS#7
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

# Convert PKCS#7 to PEM
openssl pkcs7 -print_certs -in cert.p7b -out cert.pem

Encryption & Decryption

Symmetric Encryption

# Encrypt file with AES-256
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

# Decrypt file
openssl enc -aes-256-cbc -d -in file.enc -out file.txt

# Encrypt with password from file
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass file:password.txt

# Base64 encode encrypted output
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -a

Asymmetric Encryption

# Encrypt with public key
openssl rsautl -encrypt -pubin -inkey public.key -in file.txt -out file.enc

# Decrypt with private key
openssl rsautl -decrypt -inkey private.key -in file.enc -out file.txt

Hashing & Digests

# Generate hash
openssl dgst -sha256 file.txt
openssl dgst -sha512 file.txt
openssl dgst -md5 file.txt

# Create signature
openssl dgst -sha256 -sign private.key -out signature.bin file.txt

# Verify signature
openssl dgst -sha256 -verify public.key -signature signature.bin file.txt

# HMAC
openssl dgst -sha256 -hmac "secret-key" file.txt

Certificate Revocation

Create Certificate Revocation List (CRL)

# Create CRL configuration (crl.cnf)
# [ca section with database and crl settings needed]

# Generate CRL
openssl ca -gencrl -config crl.cnf -out crl.pem

# View CRL
openssl crl -in crl.pem -text -noout

# Verify certificate against CRL
openssl verify -crl_check -CRLfile crl.pem -CAfile ca-cert.pem cert.pem

OCSP (Online Certificate Status Protocol)

# Start OCSP responder
openssl ocsp -port 8080 -index index.txt -CA ca-cert.pem -rkey ca-key.pem -rsigner ca-cert.pem

# Query OCSP responder
openssl ocsp -issuer ca-cert.pem -cert cert.pem -url http://ocsp.example.com:8080

Common PKI Workflows

Complete Certificate Workflow

# 1. Generate private key
openssl genrsa -out server.key 4096

# 2. Create CSR
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=CA/L=SF/O=MyOrg/CN=example.com"

# 3. Sign with CA
openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out server.crt -days 365 -sha256

# 4. Verify
openssl verify -CAfile ca-cert.pem server.crt

# 5. Test locally
openssl s_server -cert server.crt -key server.key -accept 8443

Best Practices

  1. Key Size: Use at least 2048-bit RSA or 256-bit EC keys
  2. Hash Algorithm: Use SHA-256 or stronger (avoid MD5, SHA-1)
  3. Validity Period: Certificates should be valid for ≤ 398 days (current CA/Browser Forum baseline)
  4. Private Key Protection: Always encrypt private keys with strong passphrases
  5. SAN: Always include Subject Alternative Names, even for single domain
  6. Key Backup: Securely backup private keys and CA certificates
  7. Certificate Chain: Always provide complete certificate chain
  8. Regular Rotation: Rotate certificates before expiration

Security Notes

  • Never share private keys - They should remain on the server
  • Use strong passphrases for encrypted keys (16+ characters)
  • Protect CA keys with HSM or secure key storage
  • Monitor expiration - Set up alerts 30 days before expiry
  • Revoke compromised certificates immediately
  • Use Certificate Transparency for public certificates