OpenSSL Commands Reference
Common OpenSSL commands for certificates, keys, and encryption.
Generate RSA-2048 Private Key
Generate a 2048-bit RSA private key in PEM format.
openssl genrsa -out private.pem 2048
Generate RSA-4096 Private Key
Generate a 4096-bit RSA private key in PEM format.
openssl genrsa -out private.pem 4096
Generate EC Private Key (P-256)
Generate an Elliptic Curve private key using P-256 curve.
openssl ecparam -name prime256v1 -genkey -noout -out ec_private.pem
Extract Public Key from Private Key
Extract the public key from an existing RSA private key.
openssl rsa -in private.pem -pubout -out public.pem
Generate AES-256 Random Key
Generate a random 256-bit (32-byte) key in hex.
openssl rand -hex 32
Generate Random Base64 String
Generate a random 32-byte string encoded as Base64.
openssl rand -base64 32
Generate Self-Signed Certificate
Create a self-signed certificate valid for 365 days, together with a new RSA-2048 key. With -nodes the private key is written to key.pem unencrypted.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Generate CSR (Certificate Signing Request)
Create a CSR for submission to a Certificate Authority.
openssl req -new -key private.pem -out request.csr
Generate CSR with Subject (one-liner)
Create a CSR with subject info in one command.
openssl req -new -key private.pem -out req.csr -subj "/C=US/ST=CA/L=San Francisco/O=My Org/CN=example.com"
View Certificate Details
Display detailed information about a PEM certificate.
openssl x509 -in cert.pem -text -noout
Check Certificate Expiry
Show only the validity dates of a certificate.
openssl x509 -in cert.pem -noout -dates
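An added example, not part of the original reference, that turns the public-key extraction and expiry commands above into two checks worth running before a certificate is deployed: that it matches the private key, and that it is not about to expire. It uses openssl pkey, x509 -pubkey and x509 -checkend, which this page does not list; the function names, file names and CN are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-deployment checks on a certificate and its private key.
# All function names, file names and the CN are constructed for this demo.

# cert_matches_key CERT KEY: status 0 only if both carry the same public key.
# Status 2 means one of the files could not be parsed.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# expires_within CERT SECONDS: status 0 if CERT expires within SECONDS.
# An unreadable certificate is reported the same way, so the check fails closed.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# make_demo_pair DIR: a 30-day self-signed cert with its key, plus an unrelated key.
make_demo_pair() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -out "$1/cert.pem" \
        -days 30 -subj "/CN=demo.example" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo_pair "$demo_dir" && {
    cert_matches_key "$demo_dir/cert.pem" "$demo_dir/key.pem" &&
        echo "key.pem: matches cert.pem"
    cert_matches_key "$demo_dir/cert.pem" "$demo_dir/other.pem" ||
        echo "other.pem: does not match cert.pem"
    expires_within "$demo_dir/cert.pem" $((60 * 86400)) &&
        echo "cert.pem: expires within 60 days"
    expires_within "$demo_dir/cert.pem" $((7 * 86400)) ||
        echo "cert.pem: valid for at least 7 more days"
}
rm -rf "$demo_dir"
```

Comparing the extracted public keys works for RSA and EC keys alike, which a modulus comparison does not.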
Verify Certificate Against CA
Verify that a certificate was signed by a given CA.
openssl verify -CAfile ca.pem cert.pem
Encrypt File with AES-256-CBC
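Encrypt a file using AES-256-CBC symmetric encryption. The key is derived from the password; -pbkdf2 (OpenSSL 1.1.1 and later) selects PBKDF2 instead of the deprecated default derivation. A password passed with -k is visible in the process list and in shell history.
openssl enc -aes-256-cbc -salt -pbkdf2 -in plaintext.txt -out encrypted.enc -k mypassword
Decrypt File with AES-256-CBC
Decrypt a file encrypted with AES-256-CBC. The key-derivation options must match the ones used for encryption.
openssl enc -aes-256-cbc -d -pbkdf2 -in encrypted.enc -out decrypted.txt -k mypassword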
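An added example, not part of the original reference, of the same AES-256-CBC round trip with the passphrase read from a file through -pass file: so that it never appears on the command line, and with PBKDF2 key derivation. It assumes OpenSSL 1.1.1 or later; the function names, file names, iteration count and sample plaintext are constructed.

```shell
#!/bin/sh
# Added example: AES-256-CBC round trip without the password on the command line.
# Function names, file names, ITER and the sample plaintext are constructed.

ITER=200000   # PBKDF2 iterations; must be identical for encrypt and decrypt

# encrypt_file PASSFILE IN OUT
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_file PASSFILE IN OUT
decrypt_file() {
    openssl enc -aes-256-cbc -d -pbkdf2 -iter "$ITER" \
        -pass "file:$1" -in "$2" -out "$3"
}

# has_salt_header FILE: status 0 if FILE begins with the "Salted__" magic
# that openssl enc writes ahead of the 8-byte random salt.
has_salt_header() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "Salted__" ]
}

# make_passfile PATH: 32 random bytes as Base64, readable only by the owner.
make_passfile() {
    ( umask 077 && openssl rand -base64 32 > "$1" )
}

work=$(mktemp -d) && make_passfile "$work/pass.txt" && {
    printf 'constructed sample plaintext\n' > "$work/plaintext.txt"
    encrypt_file "$work/pass.txt" "$work/plaintext.txt" "$work/a.enc"
    encrypt_file "$work/pass.txt" "$work/plaintext.txt" "$work/b.enc"
    decrypt_file "$work/pass.txt" "$work/a.enc" "$work/decrypted.txt"
    has_salt_header "$work/a.enc" && echo "salt header present"
    cmp -s "$work/a.enc" "$work/b.enc" ||
        echo "same input and passphrase, different ciphertext (random salt)"
    cmp -s "$work/plaintext.txt" "$work/decrypted.txt" && echo "round trip OK"
}
rm -rf "$work"
```

CBC mode provides confidentiality only; pair the ciphertext with a signature or MAC if modification must be detected.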
Encrypt with RSA Public Key
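Encrypt a small file using an RSA public key. The input must be smaller than the key modulus (at most 245 bytes for a 2048-bit key with the default PKCS#1 v1.5 padding). rsautl is deprecated since OpenSSL 3.0 in favor of pkeyutl.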
openssl rsautl -encrypt -inkey public.pem -pubin -in plaintext.txt -out encrypted.bin
Decrypt with RSA Private Key
Decrypt a file encrypted with the corresponding public key.
openssl rsautl -decrypt -inkey private.pem -in encrypted.bin -out decrypted.txt
Sign a File with Private Key
Create a digital signature for a file.
openssl dgst -sha256 -sign private.pem -out signature.bin input.txt
Verify a Digital Signature
Verify a digital signature using the public key.
openssl dgst -sha256 -verify public.pem -signature signature.bin input.txt
View Private Key Info
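Display information about an RSA private key. The output includes the private exponent and primes, so avoid running it where the terminal is logged or shared.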
openssl rsa -in private.pem -text -noout
Check CSR Details
Display the details in a Certificate Signing Request.
openssl req -in request.csr -text -noout
Check Remote SSL Certificate
View the SSL certificate of a remote server.
openssl s_client -connect example.com:443 -showcerts
Get Remote Certificate Expiry
Check expiry date of a remote server's certificate.
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Compute SHA-256 Hash of File
Calculate the SHA-256 hash of a file.
openssl dgst -sha256 file.txt
Compute MD5 Hash of File
Calculate the MD5 hash of a file. MD5 is not collision-resistant; use it only to match legacy checksums, not to detect tampering.
openssl dgst -md5 file.txt
Convert PEM to DER
Convert a PEM certificate to DER binary format.
openssl x509 -in cert.pem -outform DER -out cert.der
Convert DER to PEM
Convert a DER certificate to PEM text format.
openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem
Convert PFX/P12 to PEM
Extract certificate and key from a PKCS#12 file. With -nodes the private key is written to certs.pem unencrypted.
openssl pkcs12 -in archive.pfx -out certs.pem -nodes
Convert PEM to PFX/P12
Package certificate and key into a PKCS#12 file.
openssl pkcs12 -export -out archive.pfx -inkey private.pem -in cert.pem -certfile ca.pem
Convert PKCS8 to RSA Private Key
Convert a PKCS#8 private key to traditional RSA format. Without -traditional, current OpenSSL releases write PKCS#8 output again.
openssl pkcs8 -in pkcs8.pem -traditional -out rsa.pem
About this tool
OpenSSL is the de facto standard toolkit for working with TLS/SSL and cryptography, but its command syntax is notoriously dense and easy to forget between uses. This reference collects the OpenSSL commands developers and system administrators reach for most often so you can find the right one without digging through manual pages.
Use it to look up how to generate a private key and a CSR, inspect the details of an existing certificate, test a live TLS connection with s_client, or convert a certificate between formats such as PEM, DER, and PKCS12. Each command is laid out so you can scan for the task at hand and grab the exact invocation.
Copy a command and adapt the file names and options to match your own setup before running it. This page is a learning and reference aid, not an executor: you run the commands yourself in your own terminal, where your keys and certificates stay private.
Code Implementation
import subprocess


def run_openssl(args: list[str]) -> str:
    """Run an openssl command and return stdout."""
    result = subprocess.run(
        ["openssl"] + args,
        capture_output=True, text=True, check=True
    )
    return result.stdout


# Generate a self-signed certificate using subprocess
def generate_self_signed_cert(
    key_path: str = "key.pem",
    cert_path: str = "cert.pem",
    days: int = 365,
    cn: str = "localhost",
    bits: int = 4096,
) -> None:
    # Step 1: generate private key (written unencrypted to key_path)
    subprocess.run(
        ["openssl", "genrsa", "-out", key_path, str(bits)],
        check=True
    )
    # Step 2: generate self-signed cert
    subprocess.run(
        [
            "openssl", "req", "-x509",
            "-key", key_path,
            "-out", cert_path,
            "-days", str(days),
            "-subj", f"/CN={cn}",
        ],
        check=True
    )
    print(f"Certificate written to {cert_path}")


# Read certificate info using cryptography library (pip install cryptography)
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from datetime import datetime, timezone


def inspect_cert(pem_path: str) -> dict:
    with open(pem_path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read(), default_backend())
    now = datetime.now(timezone.utc)
    # get_extension_for_class raises ExtensionNotFound when the certificate
    # has no SAN, as is the case for the CN-only certificate generated above
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        san = None
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "not_before": cert.not_valid_before_utc.isoformat(),
        "not_after": cert.not_valid_after_utc.isoformat(),
        "is_expired": cert.not_valid_after_utc < now,
        "serial": cert.serial_number,
        "san": san.value.get_values_for_type(x509.DNSName) if san else [],
    }