OpenSSL Command Reference
Common OpenSSL commands for certificates, keys, and encryption.
Generate RSA-2048 Private Key
Generate a 2048-bit RSA private key in PEM format.
openssl genrsa -out private.pem 2048
Generate RSA-4096 Private Key
Generate a 4096-bit RSA private key in PEM format.
openssl genrsa -out private.pem 4096
Generate EC Private Key (P-256)
Generate an Elliptic Curve private key using P-256 curve.
openssl ecparam -name prime256v1 -genkey -noout -out ec_private.pem
Extract Public Key from Private Key
Extract the public key from an existing RSA private key.
openssl rsa -in private.pem -pubout -out public.pem
Generate AES-256 Random Key
Generate a random 256-bit (32-byte) key in hex.
openssl rand -hex 32
Generate Random Base64 String
Generate a random 32-byte string encoded as Base64.
openssl rand -base64 32
Generate Self-Signed Certificate
Create a self-signed certificate valid for 365 days, together with a new 2048-bit RSA key; -nodes writes that key unencrypted.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Generate CSR (Certificate Signing Request)
Create a CSR for submission to a Certificate Authority.
openssl req -new -key private.pem -out request.csr
Generate CSR with Subject (one-liner)
Create a CSR with subject info in one command.
openssl req -new -key private.pem -out req.csr -subj "/C=US/ST=CA/L=San Francisco/O=My Org/CN=example.com"
View Certificate Details
Display detailed information about a PEM certificate.
openssl x509 -in cert.pem -text -noout
Check Certificate Expiry
Show only the validity dates of a certificate.
openssl x509 -in cert.pem -noout -dates
Verify Certificate Against CA
Verify that a certificate was signed by a given CA.
openssl verify -CAfile ca.pem cert.pem
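Encrypt File with AES-256-CBC
Encrypt a file using AES-256-CBC symmetric encryption. -pbkdf2 derives the key from the password with PBKDF2 instead of the deprecated default derivation; a password passed with -k is visible in the process list and shell history.
openssl enc -aes-256-cbc -salt -pbkdf2 -in plaintext.txt -out encrypted.enc -k mypassword
Decrypt File with AES-256-CBC
Decrypt a file encrypted with AES-256-CBC. The key-derivation option (-pbkdf2) must match the one used for encryption.
openssl enc -aes-256-cbc -d -pbkdf2 -in encrypted.enc -out decrypted.txt -k mypassword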
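Encrypt with RSA Public Key
Encrypt a small file using an RSA public key. pkeyutl replaces the deprecated rsautl command, and OAEP padding is selected instead of the default PKCS#1 v1.5.
openssl pkeyutl -encrypt -pubin -inkey public.pem -pkeyopt rsa_padding_mode:oaep -in plaintext.txt -out encrypted.bin
Decrypt with RSA Private Key
Decrypt a file encrypted with the corresponding public key. The padding mode must match the one used for encryption.
openssl pkeyutl -decrypt -inkey private.pem -pkeyopt rsa_padding_mode:oaep -in encrypted.bin -out decrypted.txt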
Sign a File with Private Key
Create a digital signature for a file.
openssl dgst -sha256 -sign private.pem -out signature.bin input.txt
Verify a Digital Signature
Verify a digital signature using the public key.
openssl dgst -sha256 -verify public.pem -signature signature.bin input.txt
View Private Key Info
Display information about an RSA private key.
openssl rsa -in private.pem -text -noout
Check CSR Details
Display the details in a Certificate Signing Request.
openssl req -in request.csr -text -noout
Check Remote SSL Certificate
View the SSL certificate of a remote server.
openssl s_client -connect example.com:443 -showcerts
Get Remote Certificate Expiry
Check expiry date of a remote server's certificate.
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Compute SHA-256 Hash of File
Calculate the SHA-256 hash of a file.
openssl dgst -sha256 file.txt
Compute MD5 Hash of File
Calculate the MD5 hash of a file. MD5 is not collision-resistant, so use it only to match legacy checksums.
openssl dgst -md5 file.txt
Convert PEM to DER
Convert a PEM certificate to DER binary format.
openssl x509 -in cert.pem -outform DER -out cert.der
Convert DER to PEM
Convert a DER certificate to PEM text format.
openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem
Convert PFX/P12 to PEM
Extract certificate and key from a PKCS#12 file; -nodes writes the private key to certs.pem unencrypted.
openssl pkcs12 -in archive.pfx -out certs.pem -nodes
Convert PEM to PFX/P12
Package certificate and key into a PKCS#12 file.
openssl pkcs12 -export -out archive.pfx -inkey private.pem -in cert.pem -certfile ca.pem
Convert PKCS8 to RSA Private Key
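Convert a PKCS#8 private key to traditional RSA format. Without -traditional, current OpenSSL versions write the key back out in PKCS#8 format.
openssl pkcs8 -in pkcs8.pem -traditional -out rsa.pem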