OpenSSL Commands
OpenSSL is a robust full-featured open-source cryptographic toolkit implementing TLS, SSL, and other cryptographic protocols. This cheat sheet covers essential commands for certificate management, encryption, and secure operations.
Installation
Linux/Ubuntu
sudo apt update
sudo apt install openssl
macOS
brew install openssl
Windows
choco install openssl
# or
scoop install openssl
Basic Commands
| Command | Description |
|---|---|
| openssl version | Display OpenSSL version and build information |
| openssl help | Show available commands |
| openssl genrsa -out key.pem 2048 | Generate 2048-bit RSA private key |
| openssl req -new -key key.pem -out req.csr | Create certificate signing request |
| openssl x509 -req -in req.csr -signkey key.pem -out cert.pem | Self-sign certificate |
| openssl x509 -in cert.pem -text -noout | Display certificate details |
Key Generation
RSA Keys
# Generate 2048-bit RSA key
openssl genrsa -out private.pem 2048
# Generate 4096-bit RSA key (more secure)
openssl genrsa -out private.pem 4096
# Generate encrypted RSA key (AES-256)
openssl genrsa -aes256 -out private.pem 2048
# Extract public key from private key
openssl rsa -in private.pem -pubout -out public.pem
# Display key information
openssl rsa -in private.pem -text -noout
# Remove passphrase from encrypted key
openssl rsa -in encrypted.pem -out unencrypted.pem
ECDSA Keys
# Generate elliptic curve key (P-256)
openssl ecparam -name prime256v1 -genkey -noout -out ec_key.pem
# Generate elliptic curve key (P-384)
openssl ecparam -name secp384r1 -genkey -noout -out ec_key.pem
# Display EC key information
openssl ec -in ec_key.pem -text -noout
Certificate Requests (CSR)
# Create CSR from existing private key
openssl req -new -key private.pem -out request.csr
# Create CSR with specific values (non-interactive)
openssl req -new -key private.pem -out request.csr \
-subj "/C=US/ST=California/L=SF/O=Company/CN=example.com"
# View CSR contents
openssl req -in request.csr -text -noout
# Create key and CSR in one command
openssl req -new -newkey rsa:2048 -nodes -out request.csr -keyout private.pem \
-subj "/C=US/ST=State/L=City/O=Org/CN=domain.com"
# Create CSR with SAN (Subject Alternative Name)
# The appended [SAN] section is only applied when it is named with -reqexts;
# <( ... ) is bash process substitution, so this needs bash rather than sh
openssl req -new -key private.pem -out request.csr \
-subj "/CN=example.com" -reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))
Certificate Creation and Management
Self-Signed Certificates
# Create self-signed cert valid 365 days
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 \
-subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
# Create self-signed cert from existing key
openssl req -new -x509 -key private.pem -out cert.pem -days 365 \
-subj "/C=US/ST=State/O=Org/CN=example.com"
# Create self-signed cert valid 10 years
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes
Certificate Information
# Display certificate details
openssl x509 -in cert.pem -text -noout
# Check certificate expiration
openssl x509 -in cert.pem -noout -dates
# Extract public key from certificate
openssl x509 -in cert.pem -pubkey -noout -out public.pem
# Display certificate issuer (this does not check the signature; use openssl verify for that)
openssl x509 -in cert.pem -noout -issuer
# Get certificate fingerprint (SHA-256)
openssl x509 -in cert.pem -noout -fingerprint -sha256
# Get certificate serial number
openssl x509 -in cert.pem -noout -serial
# Check if certificate and key match (RSA only: the two MD5 digests of the modulus must be identical)
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
Certificate Verification
# Verify certificate with CA chain
openssl verify -CAfile ca-chain.pem cert.pem
# Verify certificate signed by specific CA
openssl verify -CAfile ca.pem cert.pem
# Verify certificate with CRL
openssl verify -CAfile ca.pem -CRLfile crl.pem cert.pem
# Check certificate validity against current date
openssl x509 -in cert.pem -noout -checkend 86400
# Returns 0 if valid for at least 1 day, 1 if expired/expiring soon
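The following script turns the -checkend and -enddate commands above into reusable expiry checks and exercises them on two throwaway certificates. It is an added example, not part of the original cheat sheet: the function names, the temporary-directory layout and the test certificates are constructed for it.

```shell
#!/bin/sh
# Expiry checks on top of `openssl x509 -checkend` and `-enddate`.
# Helper names, the temp-dir layout and the test certificates are constructed for this example.

# Succeeds (exit 0) if the certificate stays valid for at least $2 more days.
# -checkend takes a window in seconds and returns 1 when notAfter falls inside it.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints whole days remaining until notAfter (negative once expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    # GNU date parses the "Mon DD HH:MM:SS YYYY GMT" form directly; BSD/macOS date needs -j -f.
    end_epoch=$(date -d "$end" +%s 2>/dev/null || date -j -f "%b %e %T %Y %Z" "$end" +%s)
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# Throwaway self-signed certificate valid for $2 days (constructed test data, unencrypted RSA-2048 key).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=expiry-test" >/dev/null 2>&1
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_test_cert "$tmp/short.pem" 5
    make_test_cert "$tmp/long.pem" 365
    for name in short long; do
        cert="$tmp/$name.pem"
        if cert_valid_for_days "$cert" 30; then status="ok"; else status="RENEW (expires within 30 days)"; fi
        printf '%-6s %4s days left  %s\n' "$name" "$(cert_days_left "$cert")" "$status"
    done
}

# Only run the demo when the CLI is present; the functions stay usable either way.
if command -v openssl >/dev/null 2>&1; then main; fi
```

The 5-day certificate fails the 30-day check while the 365-day one passes; a monitoring job can call cert_valid_for_days with its renewal threshold and alert on a non-zero exit status.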
Encryption and Decryption
Symmetric Encryption
# Encrypt file with AES-256-CBC, supplying an explicit salt (hex digits, at most 16)
# -pbkdf2 selects a proper password-based KDF; without it OpenSSL falls back to a weak legacy derivation and warns
openssl enc -aes-256-cbc -pbkdf2 -in plaintext.txt -out encrypted.bin -S [8-hex-digits]
# Encrypt with password prompt
openssl enc -aes-256-cbc -pbkdf2 -in plaintext.txt -out encrypted.bin -e
# Decrypt file (cipher and KDF flags must match those used for encryption)
openssl enc -aes-256-cbc -pbkdf2 -d -in encrypted.bin -out plaintext.txt
# Encrypt and base64 encode
openssl enc -aes-256-cbc -pbkdf2 -in plaintext.txt -out encrypted.txt -e -a
# List available ciphers
openssl enc -ciphers
# Use a different cipher (plain ChaCha20 stream cipher). enc has no AEAD modes, so
# ChaCha20-Poly1305 and AES-GCM are not available here and the output carries no integrity check
openssl enc -chacha20 -pbkdf2 -in plaintext.txt -out encrypted.bin -e
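Because openssl enc provides no authenticated mode, a practical way to use it safely is encrypt-then-MAC: tag the ciphertext with HMAC-SHA256 and check the tag before decrypting. The script below is an added example, not part of the original cheat sheet; the function names, the .mac sidecar file, the environment variable names ENC_PASS and MAC_KEY_HEX, and the sample plaintext are constructed for it.

```shell
#!/bin/sh
# Password-based file encryption with `openssl enc` plus an HMAC-SHA256 tag.
# `enc` offers no AEAD mode, so AES-256-CBC output has no integrity protection; this wraps it in
# encrypt-then-MAC: tag the ciphertext, and verify the tag BEFORE attempting to decrypt.
# Secrets arrive via environment variables (-pass env:, -macopt hexkey:) so they never sit in argv.
# Function names, the ".mac" sidecar file and the sample plaintext are constructed for this example.

# hmac_tag <file>: HMAC-SHA256 of the file under $MAC_KEY_HEX (a 32-byte random key, hex encoded)
hmac_tag() {
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$MAC_KEY_HEX" -r "$1" | cut -d' ' -f1
}

# encrypt_file <plain> <out>: PBKDF2 (600k iterations) from $ENC_PASS, random salt, then tag the ciphertext
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -pass env:ENC_PASS -in "$1" -out "$2" || return 1
    hmac_tag "$2" > "$2.mac"
}

# decrypt_file <cipher> <out>: refuse (exit 2) unless the tag matches; only then decrypt
decrypt_file() {
    expected=$(cat "$1.mac" 2>/dev/null) || { echo "missing tag file $1.mac" >&2; return 2; }
    actual=$(hmac_tag "$1")
    if [ "$expected" != "$actual" ]; then
        echo "tag mismatch for $1: ciphertext modified or wrong MAC key, not decrypting" >&2
        return 2
    fi
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 600000 -pass env:ENC_PASS -in "$1" -out "$2"
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    # Fresh secrets for the demo; in practice both come from a secrets store.
    ENC_PASS=$(openssl rand -base64 24); MAC_KEY_HEX=$(openssl rand -hex 32)
    export ENC_PASS MAC_KEY_HEX
    printf 'constructed sample plaintext\n' > "$tmp/plain.txt"
    encrypt_file "$tmp/plain.txt" "$tmp/plain.enc" && decrypt_file "$tmp/plain.enc" "$tmp/roundtrip.txt"
    cmp -s "$tmp/plain.txt" "$tmp/roundtrip.txt" && echo "round trip: OK"
    # Tamper with a copy of the ciphertext: the tag check rejects it before the cipher ever runs.
    cp "$tmp/plain.enc" "$tmp/evil.enc"; cp "$tmp/plain.enc.mac" "$tmp/evil.enc.mac"
    printf 'x' >> "$tmp/evil.enc"
    decrypt_file "$tmp/evil.enc" "$tmp/evil.txt" || echo "tampered copy rejected (exit $?)"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

The MAC key is independent of the password on purpose: reusing the password string as the HMAC key would hand an attacker a fast guessing oracle that bypasses the PBKDF2 stretching.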
Asymmetric Encryption (RSA)
# rsautl is deprecated since OpenSSL 3.0; pkeyutl accepts the same operations.
# RSA can encrypt at most one key-sized block, so encrypt a symmetric key this way, not whole files.
# Encrypt with public key
openssl rsautl -encrypt -inkey public.pem -pubin -in plaintext.txt -out encrypted.bin
# Decrypt with private key
openssl rsautl -decrypt -inkey private.pem -in encrypted.bin -out plaintext.txt
# Sign file with private key (signs the raw input without hashing; for files use dgst -sign)
openssl rsautl -sign -inkey private.pem -in plaintext.txt -out signature.bin
# Verify signature with public key (recovers the signed input)
openssl rsautl -verify -inkey public.pem -pubin -in signature.bin
File Hashing
# Generate SHA-256 hash
openssl dgst -sha256 filename
# Generate SHA-1 hash (legacy; SHA-1 is not collision-resistant, so do not rely on it for integrity of untrusted data)
openssl dgst -sha1 filename
# Generate MD5 hash (legacy; same caveat as SHA-1, only for compatibility with old checksums)
openssl dgst -md5 filename
# Generate hash and save to file
openssl dgst -sha256 -out hash.txt filename
# Verify a detached signature over the file (produced with dgst -sha256 -sign private.pem); this checks the signature, not a bare hash
openssl dgst -sha256 -verify public.pem -signature sig.bin filename
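The sign/verify pair that the last command belongs to, worked end to end: hash-then-sign with dgst and RSA-PSS padding, followed by verification of the original and of a tampered copy. This is an added example, not part of the original cheat sheet; the function names, the RSA test key and the sample manifest file are constructed for it.

```shell
#!/bin/sh
# Detached signatures over files with `openssl dgst -sign` / `-verify` (hash-then-sign), which is what
# the "Verify" line above actually performs. Uses RSA-PSS padding; rsautl-style raw signing is
# deprecated since OpenSSL 3.0. Function names and the test key/file are constructed for this example.

# sign_file <private.pem> <file> <sig.bin>: SHA-256 digest of the file, signed with RSA-PSS
sign_file() {
    openssl dgst -sha256 -sign "$1" -sigopt rsa_padding_mode:pss -out "$3" "$2"
}

# verify_file <public.pem> <file> <sig.bin>: exit 0 only when the signature is valid for this file
verify_file() {
    openssl dgst -sha256 -verify "$1" -sigopt rsa_padding_mode:pss -signature "$3" "$2" >/dev/null 2>&1
}

# Test key pair (RSA-2048, unencrypted private key)
make_test_keypair() {   # make_test_keypair <dir>
    openssl genrsa -out "$1/sign.key" 2048 2>/dev/null
    openssl rsa -in "$1/sign.key" -pubout -out "$1/sign.pub" 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_test_keypair "$tmp"
    printf 'constructed release manifest: artifact.tar.gz sha256=<placeholder>\n' > "$tmp/manifest"
    sign_file "$tmp/sign.key" "$tmp/manifest" "$tmp/manifest.sig"
    verify_file "$tmp/sign.pub" "$tmp/manifest" "$tmp/manifest.sig" && echo "original: signature valid"
    # Any change to the signed file, even one appended byte, must fail verification.
    cp "$tmp/manifest" "$tmp/manifest.tampered"; printf '\n' >> "$tmp/manifest.tampered"
    verify_file "$tmp/sign.pub" "$tmp/manifest.tampered" "$tmp/manifest.sig" || echo "tampered: signature rejected"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

Verification must use the same digest and padding options as signing; the public key alone is enough to check, so it is the only piece that needs distributing.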
SSL/TLS Connection Testing
# Connect to server and display certificate
openssl s_client -connect example.com:443
# Check certificate chain
openssl s_client -connect example.com:443 -showcerts
# Connect to specific TLS version
openssl s_client -connect example.com:443 -tls1_2
# Get certificate from server
openssl s_client -connect example.com:443 -showcerts < /dev/null | openssl x509 -outform PEM > cert.pem
# Test STARTTLS (SMTP)
openssl s_client -connect mail.example.com:587 -starttls smtp
# Check certificate expiration (< /dev/null closes stdin so s_client exits instead of waiting for input)
openssl s_client -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \
openssl x509 -noout -dates
# Test specific ciphers
openssl s_client -connect example.com:443 -cipher HIGH
PKCS#12 Conversion
# Convert PEM to PKCS#12 (PFX)
openssl pkcs12 -export -in cert.pem -inkey private.pem -out cert.pfx
# Convert PKCS#12 to PEM
openssl pkcs12 -in cert.pfx -out cert.pem -nodes
# Extract private key from PKCS#12
openssl pkcs12 -in cert.pfx -out private.pem -nocerts -nodes
# Extract certificate from PKCS#12
openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
# Extract CA certificates from PKCS#12
openssl pkcs12 -in cert.pfx -out ca-chain.pem -cacerts -nokeys
# Create PKCS#12 with password (a pass: argument is visible in process listings and shell history; prefer file: or env: sources)
openssl pkcs12 -export -in cert.pem -inkey private.pem -out cert.pfx -password pass:secretpass
CSR Signing
# Sign CSR with CA key
openssl x509 -req -in request.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out signed.pem -days 365 -sha256
# Sign with specific extensions
openssl x509 -req -in request.csr -CA ca.pem -CAkey ca-key.pem \
-out signed.pem -days 365 -sha256 \
-extensions v3_req -extfile extensions.cnf
Key Format Conversion
# Convert PEM to DER format
openssl x509 -in cert.pem -outform DER -out cert.der
# Convert DER to PEM
openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem
# Convert private key to PKCS#8 (unencrypted; drop -nocrypt to be prompted for a passphrase)
openssl pkcs8 -topk8 -in rsa_key.pem -out pkcs8_key.pem -nocrypt
# Convert PKCS#8 to traditional format (pkey writes PKCS#8 by default, so -traditional is required)
openssl pkey -in pkcs8_key.pem -out rsa_key.pem -traditional
Certificate Chain Management
# Combine certificate and key for use with applications
cat cert.pem private.pem > combined.pem
# Create certificate bundle
cat cert.pem intermediate.pem root.pem > ca-bundle.crt
# Verify certificate chain
openssl verify -untrusted intermediate.pem -CAfile root.pem cert.pem
# Wrap the certificates in a bundle into a single PKCS#7 structure
openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt -outform PEM -out bundle.pem
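The SAN CSR, CSR signing with extensions, and chain verification commands above are pieces of one workflow. The script below runs that workflow end to end with a private CA: a CSR that carries a SAN via -reqexts, a CA that issues the SAN through -extfile/-extensions, and verification of both the chain and the hostname. It is an added example, not part of the original cheat sheet; the config section names, the example.test hostnames and all file names are constructed for it.

```shell
#!/bin/sh
# End-to-end: a private CA, a CSR that carries a SAN, CA-signing that issues the SAN, and chain
# plus hostname verification. Shows the -reqexts/-extfile/-extensions plumbing that the one-liners
# above rely on. Section names, example.test hostnames and all files are constructed for this example.
# x509 -req does not copy CSR extensions by default, so the CA states what it issues in [ leaf_ext ].

write_cnf() {   # write_cnf <dir> <hostname>
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_req ]
subjectAltName = DNS:$2, DNS:www.$2
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2, DNS:www.$2
authorityKeyIdentifier = keyid
EOF
}
make_ca() {     # make_ca <dir>: self-signed CA with explicit CA extensions
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Example Test CA" 2>/dev/null
}
make_csr() {    # make_csr <dir> <hostname>: CSR with SAN via -reqexts
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/openssl.cnf" -reqexts leaf_req \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" -subj "/CN=$2" 2>/dev/null
}
sign_csr() {    # sign_csr <dir>: the CA issues a one-year leaf with the extensions it chooses
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/openssl.cnf" -extensions leaf_ext -out "$1/leaf.pem" 2>/dev/null
}
chain_ok() {    # chain_ok <dir>: leaf chains to the CA
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}
chain_ok_for_host() {   # chain_ok_for_host <dir> <hostname>: chain plus SAN/hostname match
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/leaf.pem" >/dev/null 2>&1
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    host=example.test
    write_cnf "$tmp" "$host" && make_ca "$tmp" && make_csr "$tmp" "$host" && sign_csr "$tmp" || exit 1
    chain_ok "$tmp" && echo "chain: OK"
    for h in "$host" "www.$host" "other.test"; do
        if chain_ok_for_host "$tmp" "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
    done
    openssl x509 -in "$tmp/leaf.pem" -noout -subject -issuer -ext subjectAltName
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

Keeping the issued extensions in the CA's own config rather than copying them from the CSR is the safer default: a requester can ask for any SAN or key usage, but the CA decides what it signs.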
Common Troubleshooting
# Check if key and certificate match
openssl rsa -noout -modulus -in key.pem | openssl md5
openssl x509 -noout -modulus -in cert.pem | openssl md5
# Find expiration date
openssl x509 -in cert.pem -noout -enddate
# Check whether the certificate has already expired (exit status 1 once notAfter has passed)
openssl x509 -in cert.pem -noout -checkend 0
# View CSR details
openssl req -in request.csr -text -noout
# Display RSA key details
openssl rsa -in private.pem -text -noout
# Test TLS handshake
openssl s_client -connect example.com:443 -servername example.com
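The modulus-digest comparison used in the troubleshooting and certificate-information sections only works for RSA. The script below generalises the same key-matches-certificate check to RSA and EC keys by comparing the exported public keys, and reports unreadable input separately from a mismatch. It is an added example, not part of the original cheat sheet; the function name and the generated test keys are constructed for it.

```shell
#!/bin/sh
# Key/certificate matching by comparing the actual public keys instead of the RSA modulus digest.
# Works for RSA and EC keys alike, since both sides are exported as SubjectPublicKeyInfo PEM.
# Function names and the generated test keys are constructed for this example.

# cert_matches_key <cert.pem> <key.pem>: 0 = match, 1 = mismatch, 2 = unreadable input
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Generate an RSA and an EC key pair, each with its own self-signed certificate (test data).
make_test_material() {   # make_test_material <dir>
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/rsa.key" -out "$1/rsa.pem" -days 1 -subj "/CN=rsa" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key"
    openssl req -x509 -new -key "$1/ec.key" -out "$1/ec.pem" -days 1 -subj "/CN=ec" 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_test_material "$tmp"
    for pair in "rsa.pem rsa.key" "ec.pem ec.key" "rsa.pem ec.key" "rsa.pem missing.key"; do
        set -- $pair
        if cert_matches_key "$tmp/$1" "$tmp/$2"; then echo "$1 / $2: MATCH"
        elif [ $? -eq 2 ]; then echo "$1 / $2: cannot read input"
        else echo "$1 / $2: MISMATCH"; fi
    done
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

A mismatch here is the usual cause of a server that starts but fails every handshake, so this check belongs in the deployment pipeline before a certificate and key are installed together.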
Best Practices
- Use at least 2048-bit RSA keys (4096-bit recommended for long-term security)
- Store private keys securely with restricted permissions (chmod 600)
- Use strong passphrases for encrypted private keys
- Regularly update OpenSSL to patch security vulnerabilities
- Verify certificate chains before accepting certificates
- Use appropriate key lifetimes (typically 1-3 years)
- Employ certificate pinning for critical applications
- Monitor certificate expiration dates
Last updated: 2026-03-30