AES:
ENCRYPTION:
Trick: OpenSSL encrypts (enc) my file using AES-256 in CBC mode, derives the key from my password with PBKDF2 (-pbkdf2), reads plaintext.txt as input, and writes encrypted.txt as output.
Command: openssl enc -aes-256-cbc -pbkdf2 -in plaintext.txt -out encrypted.txt
DECRYPTION:
Trick: Same as encryption, but add -d after -aes-256-cbc; it takes the encrypted file as input and writes the decrypted file as output.
Command: openssl enc -aes-256-cbc -d -pbkdf2 -in encrypted.txt -out decrypted.txt
SEE RESULT:
Command: cat decrypted.txt
ASYMMETRIC KEY GENERATION RSA:
Generate an RSA Private Key
Trick: OpenSSL generates (gen) a private key (pkey) using RSA, puts it in a file, and sets the key length to 2048 bits.
Command: openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
Extract the Public Key
Trick: OpenSSL reads my private key, extracts the public key, and saves it in public_key.pem
Command: openssl rsa -in private_key.pem -pubout -out public_key.pem
Encrypting and Decrypting Using RSA
ENCRYPTION
Trick: OpenSSL’s pkeyutl reads my plaintext.txt, locks it with the public key, and saves the locked file as encrypted_rsa.txt.
Command: openssl pkeyutl -encrypt -in plaintext.txt -inkey public_key.pem -pubin -out encrypted_rsa.txt
DECRYPTION
Trick: OpenSSL’s pkeyutl reads encrypted_rsa.txt, unlocks it with the private key, and saves the result as decrypted_rsa.txt.
Command: openssl pkeyutl -decrypt -in encrypted_rsa.txt -inkey private_key.pem -out decrypted_rsa.txt
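Added example (not from the original page): pkeyutl -encrypt only accepts input smaller than the RSA key size, so a file is normally encrypted with AES and only the AES passphrase is locked with RSA. The script below combines the AES and RSA commands above in that way; the hybrid_roundtrip function, the file names, the -pass file: option and the OAEP padding option are choices made for this example.

```shell
#!/bin/sh
# Added example: hybrid encryption built from the openssl commands above.
# All file names are constructed for this demo and live in a temp directory.
hybrid_roundtrip() (
    set -e
    work=$(mktemp -d)
    cd "$work"

    # Constructed sample input, larger than one RSA-2048 operation can hold.
    i=0
    while [ "$i" -lt 100 ]; do
        echo "constructed sample line $i"
        i=$((i + 1))
    done > plaintext.txt

    # Key pair, generated as in the key generation section.
    openssl genpkey -algorithm RSA -out private_key.pem \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl rsa -in private_key.pem -pubout -out public_key.pem 2>/dev/null

    # Encrypting the whole file directly with RSA is expected to fail.
    if openssl pkeyutl -encrypt -in plaintext.txt -inkey public_key.pem \
        -pubin -out direct_rsa.bin 2>/dev/null; then
        direct=ok
    else
        direct=failed
    fi

    # Sender: random passphrase, AES for the file, RSA for the passphrase.
    # OAEP padding is an addition here; the commands above use the default.
    openssl rand -hex 32 > pass.txt
    openssl enc -aes-256-cbc -pbkdf2 -pass file:pass.txt \
        -in plaintext.txt -out encrypted.txt
    openssl pkeyutl -encrypt -in pass.txt -inkey public_key.pem -pubin \
        -pkeyopt rsa_padding_mode:oaep -out pass.enc
    rm pass.txt

    # Receiver: unlock the passphrase with the private key, then decrypt.
    openssl pkeyutl -decrypt -in pass.enc -inkey private_key.pem \
        -pkeyopt rsa_padding_mode:oaep -out pass.dec
    openssl enc -aes-256-cbc -d -pbkdf2 -pass file:pass.dec \
        -in encrypted.txt -out decrypted.txt

    if cmp -s plaintext.txt decrypted.txt; then round=ok; else round=mismatch; fi
    cd / && rm -rf "$work"
    echo "direct_rsa=$direct roundtrip=$round"
)

hybrid_roundtrip
```

The recipient needs both encrypted.txt and pass.enc; only the holder of private_key.pem can recover the passphrase.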
Generate a Certificate Signing Request (CSR)
CREATION
Trick: I request a certificate (req), create a new key (-newkey rsa:2048), don’t encrypt it (-nodes), save my private key (-keyout) and my request (-out). This writes a new private_key.pem, replacing the one generated earlier.
Command: openssl req -new -newkey rsa:2048 -nodes -keyout private_key.pem -out mycsr.csr
VERIFICATION
Trick: I read my request (req), show text details (-text), hide the encoded output (-noout), and check its signature (-verify).
Command: openssl req -text -noout -verify -in mycsr.csr
Create a Self-Signed Certificate
CREATION
Trick: I take my CSR (-in mycsr.csr), create a certificate (x509), valid 1 year (-days 365), signed with my private key (-signkey), and save it (-out).
Command: openssl x509 -req -days 365 -in mycsr.csr -signkey private_key.pem -out mycert.pem
VERIFICATION
Trick: I print my certificate’s details (x509 -text -noout), then verify my certificate (verify), using it as its own CA (-CAfile mycert.pem).
Command: openssl x509 -text -noout -in mycert.pem
Command: openssl verify -CAfile mycert.pem mycert.pem