1
2
3
4
5
6
7
8
9

# Ubuntu/Debian
sudo apt-get update
sudo apt-get install openssl libssl-dev

# CentOS/RHEL
sudo yum install openssl openssl-devel

# Verificar instalación
openssl version -a

1
2
3
4
5
6
7
8

# Usando Chocolatey
choco install openssl

# Usando vcpkg
vcpkg install openssl

# Verificar instalación
openssl version

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

# Descargar OpenSSL
wget https://www.openssl.org/source/openssl-3.0.12.tar.gz
tar -xzf openssl-3.0.12.tar.gz
cd openssl-3.0.12

# Configurar y compilar
./config --prefix=/usr/local/openssl
make
sudo make install

# Configurar variables de entorno
export PATH="/usr/local/openssl/bin:$PATH"
export LD_LIBRARY_PATH="/usr/local/openssl/lib:$LD_LIBRARY_PATH"

1
2
3
4
5
6
7
8

# Generar clave privada RSA de 2048 bits
openssl genrsa -out private.key 2048

# Generar clave privada RSA con contraseña
openssl genrsa -aes256 -out private.key 2048

# Verificar clave privada
openssl rsa -in private.key -text -noout

1
2
3
4
5
6
7
8

# Generar clave privada ECC P-256
openssl ecparam -genkey -name prime256v1 -out private.key

# Generar clave privada ECC P-384
openssl ecparam -genkey -name secp384r1 -out private.key

# Verificar clave privada ECC
openssl ec -in private.key -text -noout

1
2
3
4
5
6

# Generar certificado autofirmado
openssl req -x509 -newkey rsa:4096 -keyout private.key -out certificate.crt -days 365 -nodes

# Con información específica
openssl req -x509 -newkey rsa:4096 -keyout private.key -out certificate.crt -days 365 -nodes \
  -subj "/C=ES/ST=Madrid/L=Madrid/O=Comfidentia/OU=IT/CN=example.com"

1
2
3
4
5
6
7
8

# Generar CSR
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr

# Verificar CSR
openssl req -in request.csr -text -noout

# Firmar CSR con CA
openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out certificate.crt -days 365

1
2
3
4
5
6
7
8

# Cifrar archivo con AES-256-CBC
openssl enc -aes-256-cbc -salt -in plaintext.txt -out ciphertext.enc

# Descifrar archivo
openssl enc -aes-256-cbc -d -in ciphertext.enc -out plaintext.txt

# Cifrar con contraseña
openssl enc -aes-256-cbc -salt -in plaintext.txt -out ciphertext.enc -pass pass:mypassword

1
2
3
4
5

# Cifrar con clave pública
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out ciphertext.enc

# Descifrar con clave privada
openssl rsautl -decrypt -inkey private.key -in ciphertext.enc -out plaintext.txt

1
2
3
4
5
6
7
8

# Firmar con RSA
openssl dgst -sha256 -sign private.key -out signature.bin document.txt

# Verificar firma
openssl dgst -sha256 -verify public.key -signature signature.bin document.txt

# Firmar con ECDSA
openssl dgst -sha256 -sign private.key -out signature.bin document.txt

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>

int main() {
    // Inicializar OpenSSL
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();
    
    // Generar clave RSA
    RSA *rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
    
    // Guardar clave privada
    FILE *fp = fopen("private.key", "w");
    PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL);
    fclose(fp);
    
    // Guardar clave pública
    fp = fopen("public.key", "w");
    PEM_write_RSAPublicKey(fp, rsa);
    fclose(fp);
    
    // Limpiar
    RSA_free(rsa);
    EVP_cleanup();
    ERR_free_strings();
    
    return 0;
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

from OpenSSL import SSL, crypto
import socket

# Crear contexto SSL
context = SSL.Context(SSL.TLSv1_2_METHOD)

# Cargar certificado y clave
context.use_certificate_file('server.crt')
context.use_privatekey_file('server.key')

# Crear socket SSL
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = SSL.Connection(context, sock)

# Conectar
ssl_sock.connect(('example.com', 443))
ssl_sock.do_handshake()

# Enviar datos
ssl_sock.send(b'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n')

# Recibir datos
data = ssl_sock.recv(4096)
print(data.decode())

# Cerrar conexión
ssl_sock.close()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

const crypto = require('crypto');
const fs = require('fs');

// Generar par de claves RSA
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: {
        type: 'spki',
        format: 'pem'
    },
    privateKeyEncoding: {
        type: 'pkcs8',
        format: 'pem'
    }
});

// Guardar claves
fs.writeFileSync('public.key', publicKey);
fs.writeFileSync('private.key', privateKey);

// Firmar datos
const data = 'Hello, World!';
const sign = crypto.createSign('SHA256');
sign.update(data);
const signature = sign.sign(privateKey, 'hex');

// Verificar firma
const verify = crypto.createVerify('SHA256');
verify.update(data);
const isValid = verify.verify(publicKey, signature, 'hex');

console.log('Signature valid:', isValid);

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Ver información de certificado
openssl x509 -in certificate.crt -text -noout

# Ver fechas de validez
openssl x509 -in certificate.crt -dates -noout

# Verificar certificado
openssl verify certificate.crt

# Verificar cadena de certificados
openssl verify -CAfile ca-bundle.crt certificate.crt

1
2
3
4
5
6
7
8

# Verificar clave privada RSA
openssl rsa -in private.key -check -noout

# Verificar clave privada ECC
openssl ec -in private.key -check -noout

# Extraer clave pública de privada
openssl rsa -in private.key -pubout -out public.key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Conectar a servidor SSL
openssl s_client -connect example.com:443

# Conectar con verificación de certificado
openssl s_client -connect example.com:443 -verify_return_error

# Conectar con cipher específico
openssl s_client -connect example.com:443 -cipher AES256-SHA

# Ver información de sesión
openssl s_client -connect example.com:443 -state -debug

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

# Configuración SSL en Apache
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    
    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    SSLCertificateChainFile /path/to/chain.crt
    
    # Configuración de seguridad
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    SSLSessionTickets off
</VirtualHost>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# Configuración SSL en Nginx
server {
    listen 443 ssl http2;
    server_name example.com;
    
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_trusted_certificate /path/to/chain.crt;
    
    # Configuración de seguridad
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Verificar configuración SSL
openssl s_client -connect example.com:443 -showcerts

# Verificar cipher suites
nmap --script ssl-enum-ciphers -p 443 example.com

# Verificar certificados
curl -vI https://example.com

# Verificar configuración
sslscan example.com