A quick reference for OpenSSL — certificates, encryption, and TLS testing. Bookmark this page.
Certificate Operations
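# Generate private key
# Create key files owner-only from the start; tightening permissions afterwards
# leaves a window in which the key was readable by every local user.
umask 077
openssl genrsa -out server.key 4096
# EC key (P-256). -noout drops the separate "EC PARAMETERS" block that some
# consumers reject when it precedes the key.
openssl ecparam -genkey -name prime256v1 -noout -out server-ec.key
# Same thing via the generic key generator
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out server-ec.key
# Generate CSR (Certificate Signing Request)
# Put the SAN in the CSR: browsers match hostnames against SAN only and ignore
# CN, so a certificate issued from a SAN-less CSR fails hostname validation.
# (-addext needs OpenSSL 1.1.1+; older releases need a config file instead.)
openssl req -new -key server.key -out server.csr \
  -subj "/C=NL/ST=North Holland/L=Amsterdam/O=MyOrg/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
# Generate self-signed certificate
# -nodes writes the private key unencrypted (OpenSSL 3.x spells it -noenc);
# acceptable for throwaway dev keys, not for anything long-lived.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -sha256 -days 365 -nodes \
  -subj "/CN=example.com"
# Generate self-signed with SAN (the form you actually want; see CSR note above)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -sha256 -days 365 -nodes \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1"
Inspect Certificates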
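# View certificate details
openssl x509 -in cert.pem -text -noout
# View specific fields
openssl x509 -in cert.pem -subject -noout
openssl x509 -in cert.pem -issuer -noout
openssl x509 -in cert.pem -dates -noout # Validity dates
openssl x509 -in cert.pem -ext subjectAltName -noout # Names clients actually match (1.1.1+)
# Fingerprint: request SHA-256 explicitly. The default is SHA-1, which is not
# what pinning configs or most dashboards show, so comparisons silently fail.
openssl x509 -in cert.pem -sha256 -fingerprint -noout
# Script/CI-friendly expiry check: exit status 1 if the certificate expires
# within the given number of seconds (2592000 = 30 days).
openssl x509 -in cert.pem -checkend 2592000 -noout
# View CSR (confirm the SAN is present before sending it to the CA)
openssl req -in server.csr -text -noout
# View private key (this prints the secret material; keep it out of tickets and logs)
openssl rsa -in server.key -text -noout       # RSA keys only
openssl pkey -in server-ec.key -text -noout   # any key type
openssl rsa -in server.key -check -noout      # sanity-check an RSA key's internal consistency
# Check key matches certificate
# Compare the public keys rather than the RSA modulus: this also works for EC
# keys, and SHA-256 avoids depending on md5sum being installed.
openssl x509 -in cert.pem -pubkey -noout | openssl sha256
openssl pkey -in key.pem -pubout | openssl sha256
# If both hashes match, key and cert are paired
TLS Connection Testing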
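# Test TLS connection to a server
# Pass -servername explicitly (recent releases default SNI to the -connect
# host, older ones send none and a shared host then returns its default cert).
# By default s_client only *reports* verification problems ("Verify return
# code: N") and still completes the handshake; -verify_return_error makes the
# handshake fail instead, and -verify_hostname checks the name like a browser.
openssl s_client -connect example.com:443 -servername example.com \
  -verify_return_error -verify_hostname example.com
# Trust a specific bundle (internal CA, or when the system store is not what you expect)
openssl s_client -connect example.com:443 -servername example.com -CAfile ca-bundle.pem
# Show full certificate chain as sent by the server (check order and completeness)
openssl s_client -connect example.com:443 -servername example.com -showcerts
# Test specific TLS version. A *successful* handshake with -tls1 or -tls1_1
# is a finding: those versions should be disabled server-side.
openssl s_client -connect example.com:443 -servername example.com -tls1_2
openssl s_client -connect example.com:443 -servername example.com -tls1_3
openssl s_client -connect example.com:443 -servername example.com -tls1_1 # expect failure
# Test specific cipher. -cipher only covers TLS 1.2 and below; TLS 1.3
# suites are selected with -ciphersuites.
openssl s_client -connect example.com:443 -servername example.com -cipher ECDHE-RSA-AES256-GCM-SHA384
openssl s_client -connect example.com:443 -servername example.com -ciphersuites TLS_AES_256_GCM_SHA384
# Opportunistic TLS (smtp, imap, pop3, ftp, ldap, postgres, ...)
openssl s_client -connect mail.example.com:587 -starttls smtp
# Check certificate expiration remotely
# </dev/null closes stdin so s_client exits right after the handshake. Note
# that 2>/dev/null also hides handshake errors: if x509 complains about
# "unable to load certificate", rerun without it to see the real failure.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
  | openssl x509 -dates -noout
# Same as a pass/fail check for CI: non-zero exit if it expires within 30 days
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
  | openssl x509 -checkend 2592000 -noout
# SNI (Server Name Indication)
openssl s_client -connect example.com:443 -servername example.com
# SNI can differ from the connect target, e.g. to test a vhost before DNS is switched
openssl s_client -connect 10.0.0.1:443 -servername example.com
Format Conversion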
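# PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der
# DER to PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem
# PEM to PKCS12 (for browsers/Java)
# -export prompts for the export password. When scripting, supply it with
# -passout env:P12_PASS or -passout file:/path; never pass:... on the command
# line, which leaks via `ps` and shell history. (Same for -passin below.)
openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem -certfile chain.pem
# OpenSSL 3.x writes PKCS#12 with AES-256/PBKDF2 by default; some older Java or
# Windows consumers cannot read that. Add -legacy only if one of them rejects the file.
# PKCS12 to PEM
# -nodes writes the private key unencrypted, so make the output owner-only first.
umask 077
openssl pkcs12 -in cert.p12 -out combined.pem -nodes
# Extract private key from PKCS12
openssl pkcs12 -in cert.p12 -nocerts -nodes -out key.pem
# Extract certificate from PKCS12 (-clcerts = the end-entity certificate only)
openssl pkcs12 -in cert.p12 -clcerts -nokeys -out cert.pem
# Extract the CA chain from PKCS12
openssl pkcs12 -in cert.p12 -cacerts -nokeys -out chain.pem
Encryption and Hashing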
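# Hash a file
openssl dgst -sha256 file.txt
openssl dgst -sha512 file.txt
# Encrypt a file (password-based)
# -pbkdf2 is essential: without it the password goes through a single round
# of the legacy EVP_BytesToKey derivation. -iter raises the PBKDF2 cost above
# the 10 000 default. Caveat: `openssl enc` offers no AEAD mode and adds no
# MAC, so tampering with the ciphertext goes undetected (a wrong password
# usually surfaces only as "bad decrypt"). Fine for moving a file between
# machines you control; use a tool with authenticated encryption otherwise.
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -in plaintext.txt -out encrypted.bin
openssl enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in encrypted.bin -out decrypted.txt
# Generate random password / token
openssl rand -base64 32 # 256 bits of entropy, 44 chars
openssl rand -hex 16    # 128 bits of entropy, 32 hex chars
# Base64 encode/decode
openssl base64 -in file.bin -out file.b64
openssl base64 -d -in file.b64 -out file.bin
# Decoding a single unwrapped line longer than 64 chars (e.g. a value copied
# out of JSON or a JWT) can yield empty output with no error; add -A for that.
openssl base64 -d -A -in token.b64 -out token.bin
Tips and Tricks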
- Use `-nodes` (no DES; `-noenc` in OpenSSL 3.x) in dev to skip passphrase prompts — it writes the private key unencrypted, so keep it out of production
- Use EC keys (`prime256v1` or `secp384r1`) for better performance than RSA
- Check cert expiry in CI/CD: alert if under 30 days remaining (`openssl x509 -checkend 2592000 -noout` exits non-zero in that case)
- Use `openssl s_client` to debug TLS handshake failures — remember it only reports verification errors unless you add `-verify_return_error`
- Modern best practice: TLS 1.3, with TLS 1.2 limited to forward-secret AEAD suites only where older clients still need it; TLS 1.0/1.1 disabled; ECDSA certificates