Some Common OpenSSL Commands

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It’s useful but hard to remember so many commands, so I have listed some common usages below.

General OpenSSL Commands

  • Generate a new RSA private key

    openssl genrsa 4096 > private.key
  • Generate a new ECC private key

    openssl ecparam -genkey -name secp256r1 | openssl ec -out private.key
    openssl ecparam -genkey -name secp384r1 | openssl ec -out private.key
  • Generate a new private key and Certificate Signing Request

    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout private.key
  • Generate a self-signed certificate

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key

    openssl req -out CSR.csr -key private.key -new
  • Generate a multi-domain SSL certificate signing request (CSR) for an existing private key

    openssl req -new -sha256 -key private.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\,")) > domain.csr
    # if no openssl.cnf
    openssl req -new -sha256 -key private.key -out domain.csr 
  • Generate a certificate signing request based on an existing certificate

    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey private.key
  • Remove a passphrase from a private key

    openssl rsa -in private.pem -out newPrivate.pem

Checking Using OpenSSL

  • Check a Certificate Signing Request (CSR)

    openssl req -text -noout -verify -in CSR.csr
  • Check a private key

    openssl rsa -in private.key -check
  • Check a certificate

    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)

    openssl pkcs12 -info -in keyStore.p12
  • Check the chained certificates

    openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout

Debugging Using OpenSSL

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key

    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in private.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed

    openssl s_client -connect
  • Check an SSL connection using specified CA

    openssl s_client -connect  '' -CAfile ca.crt

Converting Using OpenSSL

  • Convert a DER file (.crt .cer .der) to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER

    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

    openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile CACert.crt

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.