# OpenSSL — TLS, Certificates and Cryptography on the Command Line > Practical guide to OpenSSL — create certificates and CSRs, manage keys, test TLS connections, encrypt and decrypt files, and compute hashes. Source: https://www.jpkc.com/db/en/cheatsheets/security/openssl/ OpenSSL is the standard toolkit for TLS/SSL and cryptography on the command line. A single command lets you create certificates and CSRs, manage keys, test TLS connections or encrypt and decrypt files. The tool also handles hashes, HMAC and conversion between formats like PEM, DER and PKCS#12. This guide walks you through the commands you reach for daily – from inspecting a certificate to AES encryption. Always treat private keys as secrets: restrictive file permissions, strong ciphers and no self-signed certificates in production. ## Certificate Information `openssl x509 -in -text -noout` — Display the full details of a certificate in human-readable format. ```bash openssl x509 -in server.crt -text -noout ``` `openssl x509 -in -subject -noout` — Show only the subject (CN, O, etc.) of a certificate. ```bash openssl x509 -in server.crt -subject -noout ``` `openssl x509 -in -issuer -noout` — Show the issuer of a certificate. ```bash openssl x509 -in server.crt -issuer -noout ``` `openssl x509 -in -dates -noout` — Show the validity dates (notBefore and notAfter). ```bash openssl x509 -in server.crt -dates -noout ``` `openssl x509 -in -fingerprint -sha256 -noout` — Display the SHA-256 fingerprint of a certificate. ```bash openssl x509 -in server.crt -fingerprint -sha256 -noout ``` `openssl x509 -in -serial -noout` — Show the serial number of a certificate. ```bash openssl x509 -in server.crt -serial -noout ``` `openssl x509 -in -ext subjectAltName -noout` — Show the Subject Alternative Names (SANs) of a certificate. ```bash openssl x509 -in server.crt -ext subjectAltName -noout ``` ## Remote Server Inspection `openssl s_client -connect :` — Connect to a remote server and display the SSL/TLS handshake and certificate chain. ```bash openssl s_client -connect example.com:443 ``` `openssl s_client -connect :443 -servername ` — Connect with SNI (Server Name Indication) for virtual hosts. ```bash openssl s_client -connect example.com:443 -servername example.com ``` `openssl s_client -connect :443 | openssl x509 -text -noout` — Fetch and display a remote server's certificate details. ```bash openssl s_client -connect example.com:443 :443 -showcerts` — Show the full certificate chain from the server. ```bash openssl s_client -connect example.com:443 -showcerts :443 -status` — Check OCSP stapling status of the server's certificate. ```bash openssl s_client -connect example.com:443 -status :443 -tls1_3` — Force a TLS 1.3 connection to test protocol support. ```bash openssl s_client -connect example.com:443 -tls1_3 ``` `openssl s_client -connect :443 -cipher ` — Test if a specific cipher suite is supported. ```bash openssl s_client -connect example.com:443 -cipher ECDHE-RSA-AES256-GCM-SHA384 ``` ## Key Generation `openssl genrsa -out ` — Generate an RSA private key. The file is unencrypted – protect it with restrictive file permissions (`chmod 600`). ```bash openssl genrsa -out private.key 4096 ``` `openssl genrsa -aes256 -out ` — Generate an RSA private key encrypted with a passphrase. ```bash openssl genrsa -aes256 -out private.key 4096 ``` `openssl ecparam -genkey -name prime256v1 -out ` — Generate an ECDSA private key using the P-256 curve. ```bash openssl ecparam -genkey -name prime256v1 -out ec-private.key ``` `openssl genpkey -algorithm ed25519 -out ` — Generate an Ed25519 private key. ```bash openssl genpkey -algorithm ed25519 -out ed25519.key ``` `openssl rsa -in -pubout -out ` — Extract the public key from a private key. ```bash openssl rsa -in private.key -pubout -out public.key ``` `openssl rsa -in -text -noout` — Display the components of an RSA key in human-readable format. ```bash openssl rsa -in private.key -text -noout ``` `openssl rsa -in -out ` — Remove the passphrase from an encrypted private key. The key then sits unprotected on disk – use only in controlled environments. ```bash openssl rsa -in encrypted.key -out decrypted.key ``` ## Certificate Signing Requests (CSR) `openssl req -new -key -out ` — Generate a CSR from an existing private key. ```bash openssl req -new -key private.key -out server.csr ``` `openssl req -new -newkey rsa:4096 -nodes -keyout -out ` — Generate a new private key and CSR in one step. `-nodes` stores the key unencrypted – use only in protected environments. ```bash openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr ``` `openssl req -in -text -noout` — Display the contents of a CSR. ```bash openssl req -in server.csr -text -noout ``` `openssl req -verify -in ` — Verify the signature of a CSR. ```bash openssl req -verify -in server.csr ``` `openssl req -new -key -out -subj "/CN="` — Generate a CSR non-interactively with a subject line. ```bash openssl req -new -key server.key -out server.csr -subj "/CN=example.com/O=My Company/C=DE" ``` `openssl req -new -key -out -addext "subjectAltName=DNS:"` — Generate a CSR with Subject Alternative Names (SANs). ```bash openssl req -new -key server.key -out server.csr -addext "subjectAltName=DNS:example.com,DNS:www.example.com" ``` ## Self-Signed Certificates `openssl req -x509 -newkey rsa:4096 -nodes -keyout -out -days ` — Generate a new self-signed certificate with a new key in one step. Use self-signed certificates for testing or internal purposes only – browsers and clients won't trust them without a manual exception. ```bash openssl req -x509 -newkey rsa:4096 -nodes -keyout server.key -out server.crt -days 365 ``` `openssl req -x509 -key -in -out -days ` — Create a self-signed certificate from an existing CSR. ```bash openssl req -x509 -key server.key -in server.csr -out server.crt -days 365 ``` `openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout -out -days 365 -subj "/CN=" -addext "subjectAltName=DNS:"` — One-liner for a self-signed cert with SAN (modern browsers require SANs). ```bash openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -days 365 -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" ``` ## Certificate Conversion `openssl x509 -in -outform DER -out ` — Convert a PEM certificate to DER (binary) format. ```bash openssl x509 -in server.crt -outform DER -out server.der ``` `openssl x509 -in -inform DER -outform PEM -out ` — Convert a DER certificate to PEM format. ```bash openssl x509 -in server.der -inform DER -outform PEM -out server.pem ``` `openssl pkcs12 -export -out -inkey -in -certfile ` — Create a PKCS#12/PFX file from a key, cert, and optional CA chain. ```bash openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile ca-chain.crt ``` `openssl pkcs12 -in -out -nodes` — Extract all certificates and keys from a PKCS#12 file. `-nodes` writes the key unencrypted. ```bash openssl pkcs12 -in server.pfx -out server.pem -nodes ``` `openssl pkcs12 -in -clcerts -nokeys -out ` — Extract only the client certificate from a PKCS#12 file. ```bash openssl pkcs12 -in server.pfx -clcerts -nokeys -out cert.pem ``` `openssl pkcs12 -in -nocerts -nodes -out ` — Extract only the private key from a PKCS#12 file. ```bash openssl pkcs12 -in server.pfx -nocerts -nodes -out key.pem ``` ## Verification & Validation `openssl verify -CAfile ` — Verify a certificate against a CA certificate. ```bash openssl verify -CAfile ca.crt server.crt ``` `openssl x509 -in -noout -checkend ` — Check if a certificate will expire within the given number of seconds. ```bash openssl x509 -in server.crt -noout -checkend 2592000 ``` `openssl rsa -in -check` — Verify the consistency of an RSA private key. ```bash openssl rsa -in private.key -check ``` `openssl x509 -in -modulus -noout | openssl md5` — Get the modulus hash of a certificate (compare with key to verify they match). ```bash openssl x509 -in server.crt -modulus -noout | openssl md5 ``` `openssl rsa -in -modulus -noout | openssl md5` — Get the modulus hash of a key (must match the certificate modulus). ```bash openssl rsa -in server.key -modulus -noout | openssl md5 ``` ## Hashing & Encoding `openssl dgst -sha256 ` — Calculate the SHA-256 hash of a file. ```bash openssl dgst -sha256 document.pdf ``` `openssl dgst -md5 ` — Calculate the MD5 hash of a file. MD5 and SHA1 are considered cryptographically broken – use SHA-256 for security purposes. ```bash openssl dgst -md5 document.pdf ``` `echo -n "" | openssl dgst -sha256` — Hash a string with SHA-256. ```bash echo -n "hello" | openssl dgst -sha256 ``` `openssl base64 -in ` — Base64 encode a file. ```bash openssl base64 -in image.png ``` `openssl base64 -d -in ` — Decode a Base64-encoded file. ```bash openssl base64 -d -in encoded.txt -out decoded.bin ``` ## Encryption & Decryption `openssl enc -aes-256-cbc -salt -pbkdf2 -in -out ` — Encrypt a file with AES-256-CBC using a password. ```bash openssl enc -aes-256-cbc -salt -pbkdf2 -in secret.txt -out secret.enc ``` `openssl enc -d -aes-256-cbc -pbkdf2 -in -out ` — Decrypt a file encrypted with AES-256-CBC. ```bash openssl enc -d -aes-256-cbc -pbkdf2 -in secret.enc -out secret.txt ``` `openssl rsautl -encrypt -inkey -pubin -in -out ` — Encrypt a small file with an RSA public key. ```bash openssl rsautl -encrypt -inkey public.key -pubin -in secret.txt -out secret.enc ``` `openssl rsautl -decrypt -inkey -in -out ` — Decrypt a file with an RSA private key. ```bash openssl rsautl -decrypt -inkey private.key -in secret.enc -out secret.txt ``` `openssl rand -hex ` — Generate random bytes as a hexadecimal string. ```bash openssl rand -hex 32 ``` `openssl rand -base64 ` — Generate random bytes as a Base64 string. ```bash openssl rand -base64 32 ``` ## Useful Queries `openssl version` — Show the installed OpenSSL version. ```bash openssl version -a ``` `openssl list -cipher-algorithms` — List all available cipher algorithms. ```bash openssl list -cipher-algorithms ``` `openssl list -digest-algorithms` — List all available digest (hash) algorithms. ```bash openssl list -digest-algorithms ``` `openssl ecparam -list_curves` — List all supported elliptic curves. ```bash openssl ecparam -list_curves ``` `openssl ciphers -v` — List all supported cipher suites with protocol versions. ```bash openssl ciphers -v 'TLSv1.3' ``` `openssl speed ` — Benchmark the performance of a cryptographic algorithm. ```bash openssl speed aes-256-cbc sha256 ``` ## Conclusion OpenSSL ships on virtually every server and remains the reference tool whenever TLS and cryptography are involved. Master the `x509`, `req` and `s_client` subcommands and you diagnose certificate problems in seconds and automate PKI tasks in CI/CD pipelines. Stick to modern algorithms (SHA-256, AES-256, Ed25519), avoid MD5/SHA1 and protect private keys consistently – then OpenSSL is a dependable companion. ## Further Reading - [OpenSSL – official documentation](https://docs.openssl.org/) – reference and manual pages - [OpenSSL project – openssl.org](https://www.openssl.org/docs/) – project site and documentation overview - [OpenSSL – Wikipedia](https://en.wikipedia.org/wiki/OpenSSL) – background and history ## Related Commands - [age](https://www.jpkc.com/db/en/cheatsheets/security/age/) – modern, easy-to-use file encryption - [clamav](https://www.jpkc.com/db/en/cheatsheets/security/clamav/) – open-source antivirus scanner - [fail2ban](https://www.jpkc.com/db/en/cheatsheets/security/fail2ban/) – ban attacker IPs based on log patterns