OpenSSL Cheatsheet
Quick reference for OpenSSL commands for keys, CSRs, certificates, format conversion, TLS testing, random data, and hashes
OpenSSL is a command-line toolkit for TLS certificates, keys, cryptographic formats, and live connection testing. This cheatsheet collects common OpenSSL commands for generating keys, creating CSRs, inspecting certificates, converting formats, and debugging TLS services.
Version and Help
Check the installed OpenSSL version and find command help.
| Command | Description |
|---|---|
| `openssl version` | Show OpenSSL version |
| `openssl version -a` | Show build details and paths |
| `openssl help` | List available commands |
| `openssl req -help` | Show help for the req command |
| `openssl x509 -help` | Show help for certificate inspection |
Private Keys
Generate RSA and elliptic-curve private keys.
| Command | Description |
|---|---|
| `openssl genrsa -out private.key 2048` | Generate RSA private key |
| `openssl genrsa -out private.key 4096` | Generate larger RSA key |
| `openssl genrsa -aes256 -out private.key 2048` | Generate encrypted RSA key |
| `openssl rsa -in encrypted.key -out plain.key` | Remove key passphrase |
| `openssl ecparam -name prime256v1 -genkey -noout -out ec.key` | Generate EC private key |
| `chmod 600 private.key` | Restrict private key permissions |
Certificate Signing Requests
Create CSRs for certificate authorities.
| Command | Description |
|---|---|
| `openssl req -new -newkey rsa:2048 -noenc -keyout domain.key -out domain.csr` | Generate key and CSR |
| `openssl req -new -key domain.key -out domain.csr` | Create CSR from existing key |
| `openssl req -new -newkey rsa:2048 -noenc -keyout domain.key -out domain.csr -subj "/CN=example.com"` | Non-interactive CSR |
| `openssl req -new -key domain.key -out domain.csr -addext "subjectAltName=DNS:example.com,DNS:www.example.com"` | CSR with SAN names |
| `openssl req -in domain.csr -noout -text` | Inspect CSR contents |
| `openssl req -in domain.csr -noout -subject` | Print CSR subject |
Self-Signed Certificates
Create local and internal certificates.
| Command | Description |
|---|---|
| `openssl req -x509 -newkey rsa:2048 -noenc -keyout selfsigned.key -out selfsigned.crt -days 365` | Generate self-signed certificate |
| `openssl req -x509 -new -key domain.key -out domain.crt -days 365` | Self-sign with existing key |
| `openssl req -x509 -newkey rsa:2048 -noenc -keyout localhost.key -out localhost.crt -days 365 -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"` | Localhost certificate with SAN |
| `openssl x509 -in selfsigned.crt -noout -text` | Inspect certificate |
| `openssl x509 -in selfsigned.crt -noout -dates` | Show validity dates |
Certificate Inspection
Read certificate fields without opening a browser.
| Command | Description |
|---|---|
| `openssl x509 -in cert.crt -noout -text` | Show full certificate details |
| `openssl x509 -in cert.crt -noout -subject` | Show subject |
| `openssl x509 -in cert.crt -noout -issuer` | Show issuer |
| `openssl x509 -in cert.crt -noout -dates` | Show notBefore and notAfter |
| `openssl x509 -in cert.crt -noout -serial` | Show serial number |
| `openssl x509 -in cert.crt -noout -fingerprint -sha256` | Show SHA-256 fingerprint |
Match Key, CSR, and Certificate
Confirm that files belong together before deployment.
| Command | Description |
|---|---|
| `openssl rsa -in domain.key -noout -modulus \| openssl md5` | Hash RSA key modulus |
| `openssl x509 -in domain.crt -noout -modulus \| openssl md5` | Hash certificate modulus |
| `openssl req -in domain.csr -noout -modulus \| openssl md5` | Hash CSR modulus |
| `openssl pkey -in private.key -pubout -outform pem` | Extract public key from private key |
| `openssl x509 -in domain.crt -pubkey -noout` | Extract public key from certificate |
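
The modulus commands above apply to RSA keys. The script below is an added example, not part of the original cheatsheet: it compares SHA-256 digests of the extracted public key instead, so the same check also works for EC keys. The function names, file names and temporary directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: confirm a key, CSR and certificate share one public key.
# File names and the temp directory below are constructed for the demo.

# Print the SHA-256 of the DER-encoded public key held in a key, CSR or cert.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable or wrong file type: no digest
    printf '%s\n' "$pem" | openssl pkey -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only when all three files carry the same public key.
files_match() {
    k=$(pubkey_digest key "$1") || return 1
    r=$(pubkey_digest csr "$2") || return 1
    c=$(pubkey_digest cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Build a throwaway EC key, CSR and self-signed cert, plus an unrelated key.
make_demo_files() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/domain.key" 2>/dev/null
    openssl req -new -key "$1/domain.key" -subj "/CN=example.com" \
        -out "$1/domain.csr" 2>/dev/null
    openssl req -x509 -new -key "$1/domain.key" -subj "/CN=example.com" \
        -days 1 -out "$1/domain.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_files "$demo"
files_match "$demo/domain.key" "$demo/domain.csr" "$demo/domain.crt" &&
    echo "domain.key matches CSR and certificate"
files_match "$demo/other.key" "$demo/domain.csr" "$demo/domain.crt" ||
    echo "other.key does NOT match: do not deploy this pair"
rm -rf "$demo"
```
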
Format Conversion
Convert certificates between common encodings and bundles.
| Command | Description |
|---|---|
| `openssl x509 -in cert.pem -outform der -out cert.der` | Convert PEM certificate to DER |
| `openssl x509 -in cert.der -inform der -out cert.pem` | Convert DER certificate to PEM |
| `openssl pkcs12 -export -out bundle.pfx -inkey domain.key -in domain.crt` | Create PKCS#12 bundle |
| `openssl pkcs12 -in bundle.pfx -out bundle.pem -noenc` | Extract PEM from PKCS#12 |
| `openssl rsa -in private.key -outform der -out private.der` | Convert RSA key to DER |
TLS Connection Testing
Debug live TLS services with s_client.
| Command | Description |
|---|---|
| `openssl s_client -connect example.com:443 -servername example.com` | Test HTTPS with SNI |
| `openssl s_client -connect mail.example.com:993 -servername mail.example.com` | Test IMAPS TLS |
| `openssl s_client -starttls smtp -connect mail.example.com:587 -servername mail.example.com` | Test SMTP STARTTLS |
| `echo \| openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \| openssl x509 -noout -dates` | Show remote certificate dates |
| `openssl s_client -connect example.com:443 -tls1_3` | Force TLS 1.3 |
| `openssl s_client -connect example.com:443 -showcerts` | Show certificate chain |
Random Data and Hashes
Generate tokens and verify file digests.
| Command | Description |
|---|---|
| `openssl rand -base64 32` | Generate base64 token |
| `openssl rand -hex 32` | Generate hex token |
| `openssl dgst -sha256 file.iso` | SHA-256 file hash |
| `openssl dgst -sha512 file.iso` | SHA-512 file hash |
| `openssl dgst -sha256 -binary file.iso \| openssl base64` | Base64-encoded binary digest |
Related Guides
Use these references for certificate workflows.
| Guide | Description |
|---|---|
| OpenSSL Command Guide | Full OpenSSL tutorial with examples |
| Create a Self-Signed SSL Certificate | Step-by-step self-signed certificate guide |
| What is an SSL Certificate? | SSL/TLS certificate concepts |
| dig Command | Check DNS before certificate testing |