
openssl Command Cheat Sheet

openssl is the command-line Swiss Army knife for cryptography: it generates and inspects private keys, public keys, CSRs and certificates, converts between file formats, encrypts and hashes files, and acts as a TLS client or server for testing. Check "openssl version" first: a few options below need 1.1.1 or newer, and OpenSSL 3 deprecates some option names in favour of new ones (for example -nodes becomes -noenc, but the old spelling still works).


1. Key & CSR Generation

Generate Private Key (RSA)

Create a 2048-bit private key.

openssl genrsa -out private.key 2048
Add -aes256 to encrypt the key with a passphrase; you are prompted for it here and again whenever the key is used later.

Generate CSR (Certificate Signing Request)

Required to get a certificate from a commercial CA such as DigiCert: the CSR carries your public key and the requested subject, and the CA signs it and returns the certificate. (ACME clients such as certbot build the CSR for you when talking to Let's Encrypt.)

openssl req -new -key private.key -out request.csr
You will be prompted for Country, State, Organization, CN (Common Name, e.g. domain.com), etc. Modern browsers ignore the CN and match the host name against the Subject Alternative Name (SAN) extension, so add one as well, either with the -addext option (openssl 1.1.1+) or through a config file; a certificate without a SAN is rejected by current browsers.

Generate Key + CSR in One Step

openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
(-nodes: "No DES", i.e. skip passphrase protection for the key. OpenSSL 3 spells this -noenc and still accepts -nodes.)


2. Certificates (Self-Signed)

Generate Self-Signed Cert (for Testing)

Create a key and a certificate valid for 365 days in one go.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Inspect a Certificate

Read the contents (Subject, Issuer, validity dates, SAN, key usage, signature algorithm) of a certificate file. Add -inform der for a binary certificate.

openssl x509 -in cert.pem -text -noout

Inspect a CSR

openssl req -in request.csr -text -noout
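The key, CSR and certificate commands above are normally run as one procedure. The script below is an added example, not part of the original cheat sheet: it runs that procedure end to end with a throwaway private CA standing in for the commercial CA, and adds the checks worth running at each step (CSR self-signature, chain and hostname verification, SAN present in the result). It assumes openssl 1.1.1 or newer on PATH; the names lab-ca and www.example.test and the scratch directory are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): key -> CSR -> certificate,
# signed by a throwaway private CA, with the checks you'd run at each step.
# Assumes openssl 1.1.1+ on PATH. Names (lab-ca, www.example.test) are invented.
set -eu

# $1 = scratch directory. Prints "OK" when the issued leaf verifies.
issue_and_verify() {
    dir=$1
    # Private CA: key and self-signed root in one step (-nodes: unencrypted
    # key, acceptable for a lab, never for a real CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=lab-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server key + CSR. -subj replaces the interactive prompts; -addext puts the
    # SAN into the request, which is what clients match on (not the CN).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Check the CSR's self-signature before submitting it anywhere.
    openssl req -in "$dir/server.csr" -verify -noout 2>/dev/null
    # Sign it. "x509 -req" does not copy extensions from the CSR by default, so
    # the CA restates the SAN (and marks the leaf as non-CA) via -extfile.
    printf 'subjectAltName=DNS:www.example.test,DNS:example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/server.pem" 2>/dev/null
    # Verify the leaf against the CA, including the hostname match a browser does.
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname www.example.test \
        "$dir/server.pem" | sed 's/^.*: //'
}

# Issuer and SAN of the issued certificate, for eyeballing (-ext needs 1.1.1+).
show_leaf() {
    openssl x509 -in "$1/server.pem" -noout -issuer -ext subjectAltName
}

# Usage: sh cert_flow.sh run
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    issue_and_verify "$work"
    show_leaf "$work"
    rm -rf "$work"
fi
```

Two details matter in practice: the SAN must be supplied again at signing time because "openssl x509 -req" ignores CSR extensions unless told to copy them (OpenSSL 3 has -copy_extensions for that), and -verify_hostname is what turns "the chain is valid" into "this certificate is valid for this host", which is the check a browser actually performs.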

3. Format Conversion

PEM to DER

Convert the Base64 text format (PEM) to raw binary ASN.1 (DER). To go the other way, read with -inform der and write with -outform pem.

openssl x509 -in cert.pem -outform der -out cert.der

PEM to PFX (PKCS#12)

Combine Key + Cert into a PFX file (the PKCS#12 format that Windows, Java keystores and many appliances import). You are prompted for an export password; add -certfile chain.pem to include the intermediate certificates.

openssl pkcs12 -export -out bundle.pfx -inkey private.key -in cert.pem
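Conversions are where key/cert mix-ups happen, so it pays to verify the result rather than trust the exit status. The script below is an added example, not from the original cheat sheet: it round-trips one certificate through PEM -> DER -> PEM and through a PKCS#12 bundle and back, and confirms at each step that the same certificate came out and that the extracted private key matches it. It assumes openssl on PATH; the file names and the passphrase lab-secret are invented.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): PEM/DER/PKCS#12 round trips
# with fingerprint and key-match checks. Assumes openssl on PATH; names invented.
set -eu

# SHA-256 fingerprint of a certificate file; $2 is pem or der.
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# $1 = scratch directory. Prints "ok" when every converted copy matches the original.
convert_and_check() {
    dir=$1
    # Scratch key + self-signed cert (same recipe as section 2, non-interactive).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=convert-test" \
        -keyout "$dir/private.key" -out "$dir/cert.pem" 2>/dev/null
    ref=$(fingerprint "$dir/cert.pem" pem)

    # PEM -> DER -> PEM. The fingerprint is computed over the DER bytes, so it
    # must survive both conversions unchanged.
    openssl x509 -in "$dir/cert.pem" -outform der -out "$dir/cert.der"
    openssl x509 -in "$dir/cert.der" -inform der -outform pem -out "$dir/cert2.pem"
    [ "$(fingerprint "$dir/cert.der" der)" = "$ref" ] || { echo "der mismatch"; return 1; }
    [ "$(fingerprint "$dir/cert2.pem" pem)" = "$ref" ] || { echo "pem mismatch"; return 1; }

    # Key + cert -> PKCS#12, password supplied non-interactively with -passout.
    openssl pkcs12 -export -inkey "$dir/private.key" -in "$dir/cert.pem" \
        -passout pass:lab-secret -out "$dir/bundle.pfx"
    # ... and back out: certificate only (-nokeys), then the key unencrypted
    # (-nocerts -nodes). Both outputs carry "Bag Attributes" lines before the
    # PEM block, which openssl skips when reading.
    openssl pkcs12 -in "$dir/bundle.pfx" -passin pass:lab-secret -nokeys \
        -out "$dir/cert_from_pfx.pem" 2>/dev/null
    openssl pkcs12 -in "$dir/bundle.pfx" -passin pass:lab-secret -nocerts -nodes \
        -out "$dir/key_from_pfx.pem" 2>/dev/null
    [ "$(fingerprint "$dir/cert_from_pfx.pem" pem)" = "$ref" ] || { echo "pfx cert mismatch"; return 1; }
    # Does the key really belong to the cert? The public key derived from the
    # private key must equal the one embedded in the certificate.
    [ "$(openssl pkey -in "$dir/key_from_pfx.pem" -pubout)" = \
      "$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)" ] || { echo "key mismatch"; return 1; }
    echo ok
}

# Usage: sh convert_check.sh run
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    convert_and_check "$work"
    rm -rf "$work"
fi
```

The pubkey comparison at the end is the quickest "does this key match this cert" test and works for any key type. Note that OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default, which some older importers cannot read (add -legacy on export for those), and conversely reading an old RC2-encrypted PFX on OpenSSL 3 needs -legacy as well.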

4. Testing Connections (s_client)

Debug HTTPS Connection

Connect to a server and print the certificate chain it sent, the negotiated protocol and cipher suite, and the verification result. Add -servername host to send SNI; without it many servers return a default certificate rather than the one for the site.

openssl s_client -connect google.com:443
Type Q and press Enter to close the connection (or pipe in echo, as in the next command, so it closes by itself).

Show Server Certificate Expiry

Check when a remote site's cert expires.

echo | openssl s_client -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -noout -dates

Test Specific TLS Version

openssl s_client -connect example.com:443 -tls1_2
-tls1_3, -tls1_1 and -tls1 work the same way (the older ones only if your build still supports them). Because the option pins a single version, a server that does not offer it fails the handshake instead of negotiating down, which is exactly the check you want when retiring old protocols.
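The s_client checks above are easiest to learn against a server you control. The script below is an added example, not part of the original cheat sheet: it starts openssl s_server on a loopback port with a self-signed certificate, then runs the same probes as this section (SNI, verification result, expiry date) against it, first without a trust anchor and then with -CAfile, which also illustrates the "Verify return code" note at the end of the page. It assumes openssl 1.1.1 or newer on PATH; the port is passed in by the caller and the names are invented.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): s_client against a local
# s_server, showing SNI, verification codes and the expiry check offline.
# Assumes openssl 1.1.1+ on PATH. Host name and port are invented/caller-supplied.
set -eu

# $1 = scratch dir, $2 = TCP port. Prints "untrusted=<code> trusted=<code> notAfter=...".
probe_local_tls() {
    dir=$1 port=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost" \
        -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
    # Minimal HTTPS responder in the background (-www answers GET with a status page).
    openssl s_server -accept "127.0.0.1:$port" -cert "$dir/server.pem" \
        -key "$dir/server.key" -www </dev/null >/dev/null 2>&1 &
    pid=$!
    tries=0
    until echo | openssl s_client -connect "127.0.0.1:$port" >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge 15 ]; then
            kill "$pid" 2>/dev/null || true
            echo "server did not start"
            return 1
        fi
        sleep 1
    done
    # 1. As on a first try against a real host: no trust anchor given, so the
    #    self-signed cert fails verification and the code is non-zero
    #    (18, "self-signed certificate", for a self-signed leaf).
    untrusted=$(echo | openssl s_client -servername localhost -connect "127.0.0.1:$port" 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    # 2. Point -CAfile at the cert (for a real host: at the CA bundle) and the
    #    verification succeeds with code 0.
    out=$(echo | openssl s_client -servername localhost -connect "127.0.0.1:$port" \
        -CAfile "$dir/server.pem" 2>/dev/null)
    kill "$pid" 2>/dev/null || true
    trusted=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    # 3. Expiry, taken from the certificate s_client printed (same pipe as the sheet).
    enddate=$(printf '%s\n' "$out" | openssl x509 -noout -enddate)
    echo "untrusted=$untrusted trusted=$trusted $enddate"
}

# Usage: sh tls_probe.sh run
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    probe_local_tls "$work" 4433
    rm -rf "$work"
fi
```

For monitoring rather than eyeballing, feed the same s_client output to "openssl x509 -noout -checkend 604800": it exits non-zero when the certificate expires within the given number of seconds, which is a one-liner alert for certificates expiring in the next week.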

5. Encryption (AES)

Encrypt a File

openssl enc -aes-256-cbc -salt -in clean.txt -out secret.enc
You are prompted for a passphrase. Add -pbkdf2 (optionally -iter N) to both the encrypt and the decrypt command: without it the key is derived with the legacy EVP_BytesToKey scheme and OpenSSL 1.1.1+ prints "*** WARNING : deprecated key derivation used". AES-CBC gives confidentiality only; it does not detect modification of the ciphertext.

Decrypt a File

openssl enc -d -aes-256-cbc -in secret.enc -out clean.txt
Must use the same cipher and key-derivation options as the encrypt step. A wrong passphrase usually fails with "bad decrypt" (a padding error), but can occasionally produce garbage with exit status 0, so check the output.

6. Hashing

Calculate a SHA-256 checksum. The output line is "SHA256(filename.txt)= <hex>" (OpenSSL 3 prints SHA2-256). With -hmac key the same command computes an HMAC instead of a plain hash.

openssl dgst -sha256 filename.txt
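Sections 5 and 6 fit together: openssl enc alone does not protect ciphertext against tampering, and openssl dgst with -hmac is the tool on the same page that fixes that. The script below is an added example, not part of the original cheat sheet: it encrypts with PBKDF2 key derivation, stores an HMAC-SHA256 over the ciphertext, refuses to decrypt when the HMAC does not match, and demonstrates why this matters by flipping one ciphertext byte and showing that a bare decrypt still exits 0 with a corrupted plaintext. It assumes openssl 1.1.1 or newer on PATH; the passphrase, MAC key and file contents are invented.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): encrypt-then-MAC with
# openssl enc + openssl dgst -hmac, and a demonstration of CBC malleability.
# Assumes openssl 1.1.1+ (for -pbkdf2). Passphrase, MAC key and data are invented.
set -eu

PASS="correct horse battery staple"   # demo passphrase only
MAC_KEY="demo-mac-key"                # in real use, derive from the passphrase too

# Encrypt $1 -> $2 with PBKDF2-derived key, write HMAC-SHA256($2) to $2.hmac
# keyed with $3. Encrypt-then-MAC: the MAC covers the ciphertext incl. salt header.
seal() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -pass "pass:$PASS" -in "$1" -out "$2"
    openssl dgst -sha256 -hmac "$3" "$2" | sed 's/^.*= //' > "$2.hmac"
}

# Verify the HMAC of $1, then decrypt $1 -> $2. Refuses to decrypt on mismatch.
unseal() {
    expected=$(cat "$1.hmac")
    actual=$(openssl dgst -sha256 -hmac "$3" "$1" | sed 's/^.*= //')
    if [ "$expected" != "$actual" ]; then
        echo "integrity check failed, not decrypting" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -pass "pass:$PASS" -in "$1" -out "$2"
}

# $1 = scratch dir. Prints "same" when a file survives seal + unseal unchanged.
roundtrip() {
    dir=$1
    printf 'payroll export, do not forward\n' > "$dir/clean.txt"
    seal "$dir/clean.txt" "$dir/secret.enc" "$MAC_KEY"
    unseal "$dir/secret.enc" "$dir/clean2.txt" "$MAC_KEY"
    cmp -s "$dir/clean.txt" "$dir/clean2.txt" && echo same
}

# $1 = scratch dir. Prints "bare=undetected mac=detected": a one-byte change
# to the ciphertext passes a plain decrypt but is caught by the HMAC.
tamper_demo() {
    dir=$1
    printf '%s\n' "Pay 100.00 EUR to account DE00 0000 0000 0000 0000 00, ref 4711" > "$dir/order.txt"
    seal "$dir/order.txt" "$dir/order.enc" "$MAC_KEY"
    # Attacker's copy: MAC file left as is, one ciphertext byte changed at
    # offset 16, the first byte after the 16-byte "Salted__" + salt header.
    cp "$dir/order.enc" "$dir/evil.enc"
    cp "$dir/order.enc.hmac" "$dir/evil.enc.hmac"
    orig=$(od -An -tu1 -j 16 -N 1 "$dir/evil.enc" | tr -d ' ')
    new=$(( (orig + 1) % 256 ))
    [ "$new" -ne 0 ] || new=1
    printf "\\$(printf '%03o' "$new")" | dd of="$dir/evil.enc" bs=1 seek=16 count=1 conv=notrunc 2>/dev/null
    # Bare decrypt: CBC yields a corrupted file with exit status 0, because the
    # first plaintext block is garbage and the second differs in one byte while
    # the padding in the last block is untouched.
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -pass "pass:$PASS" \
           -in "$dir/evil.enc" -out "$dir/evil.txt" 2>/dev/null \
       && ! cmp -s "$dir/order.txt" "$dir/evil.txt"; then
        bare=undetected
    else
        bare=detected
    fi
    # With the MAC check in front, the tampered file is refused before decryption.
    if unseal "$dir/evil.enc" "$dir/evil2.txt" "$MAC_KEY" 2>/dev/null; then
        mac=undetected
    else
        mac=detected
    fi
    echo "bare=$bare mac=$mac"
}

# Usage: sh enc_mac.sh run
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    roundtrip "$work"
    tamper_demo "$work"
    rm -rf "$work"
fi
```

openssl enc has no authenticated mode (it refuses -aes-256-gcm), so for anything beyond a quick local file the better answer is a tool that does AEAD for you (age, or gpg), but when you are stuck with enc, a separate HMAC checked before decryption is the minimum. Note that -iter implies -pbkdf2 and both sides must use the same count; decrypting a -pbkdf2 file without -pbkdf2 simply fails with "bad decrypt".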

Notes

  • CA Bundle: "Verify return code: 20 (unable to get local issuer certificate)" means the issuing CA is not in the trust store openssl is using; point -CAfile (or -CApath) at the right CA bundle. Code 21 (unable to verify the first certificate) usually means the server did not send its intermediate certificates; -CAfile with the intermediate included works around it for testing, but the server is misconfigured.
  • Common Extensions:
    • .pem: Base64-encoded DER between -----BEGIN ...----- and -----END ...----- lines (CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY, ...); one file may hold several blocks, e.g. a chain.
    • .der: Binary; openssl needs -inform der to read it.
    • .crt / .cer: Usually PEM, sometimes DER; check whether the file starts with -----BEGIN.
    • .key: Private key (keep safe: mode 0600, never paste into tickets or chat).