OpenSSL — TLS, Certificates and Cryptography on the Command Line
Practical guide to OpenSSL — create certificates and CSRs, manage keys, test TLS connections, encrypt and decrypt files, and compute hashes.
OpenSSL is the standard toolkit for TLS/SSL and cryptography on the command line. A single command lets you create certificates and CSRs, manage keys, test TLS connections or encrypt and decrypt files. The tool also handles hashes, HMAC and conversion between formats like PEM, DER and PKCS#12. This guide walks you through the commands you reach for daily – from inspecting a certificate to AES encryption. Always treat private keys as secrets: restrictive file permissions, strong ciphers and no self-signed certificates in production.
Certificate Information
openssl x509 -in <cert> -text -noout — Display the full details of a certificate in human-readable format.
openssl x509 -in server.crt -text -noout
openssl x509 -in <cert> -subject -noout — Show only the subject (CN, O, etc.) of a certificate.
openssl x509 -in server.crt -subject -noout
openssl x509 -in <cert> -issuer -noout — Show the issuer of a certificate.
openssl x509 -in server.crt -issuer -noout
openssl x509 -in <cert> -dates -noout — Show the validity dates (notBefore and notAfter).
openssl x509 -in server.crt -dates -noout
openssl x509 -in <cert> -fingerprint -sha256 -noout — Display the SHA-256 fingerprint of a certificate (the value to pin or to compare against a second copy of the same certificate).
openssl x509 -in server.crt -fingerprint -sha256 -noout
openssl x509 -in <cert> -serial -noout — Show the serial number of a certificate.
openssl x509 -in server.crt -serial -noout
openssl x509 -in <cert> -ext subjectAltName -noout — Show the Subject Alternative Names (SANs) of a certificate; -ext requires OpenSSL 1.1.1 or later.
openssl x509 -in server.crt -ext subjectAltName -noout
Remote Server Inspection
openssl s_client -connect <host>:<port> — Connect to a remote server and display the SSL/TLS handshake and certificate chain.
openssl s_client -connect example.com:443
openssl s_client -connect <host>:443 -servername <host> — Connect with SNI (Server Name Indication). Without it a virtual host may hand you its default certificate rather than the one for the name you are testing.
openssl s_client -connect example.com:443 -servername example.com
openssl s_client -connect <host>:443 </dev/null | openssl x509 -text -noout — Fetch and display a remote server's leaf certificate. </dev/null closes stdin so s_client exits after the handshake instead of waiting for input.
openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -text -noout
openssl s_client -connect <host>:443 -showcerts — Show the full certificate chain the server sends (leaf first, then intermediates; the root is usually not included).
openssl s_client -connect example.com:443 -showcerts </dev/null
openssl s_client -connect <host>:443 -status — Request an OCSP-stapled response and print it; "OCSP response: no response sent" means the server does not staple.
openssl s_client -connect example.com:443 -status </dev/null
openssl s_client -connect <host>:443 -tls1_3 — Force a TLS 1.3 connection to test protocol support (-tls1_2, -tls1_1 and -tls1 work the same way for older versions, if your build still supports them).
openssl s_client -connect example.com:443 -tls1_3 </dev/null
openssl s_client -connect <host>:443 -cipher <cipher> — Test whether a specific TLS 1.2 cipher suite is accepted. Pin the protocol with -tls1_2, otherwise a TLS 1.3 server negotiates a TLS 1.3 suite and the test proves nothing; TLS 1.3 suites are selected with -ciphersuites instead of -cipher.
openssl s_client -connect example.com:443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384 </dev/null
Key Generation
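The s_client and x509 commands above combine naturally into a small inspection script. The following is an added example, not code from the original page: it fetches a server's leaf certificate with SNI, prints subject, issuer, validity, fingerprint and SANs, and exits non-zero when the certificate expires within a threshold. cert_report works on any PEM file so it can be tested offline; tls_report is the network wrapper. The 30-day threshold and the script file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSL 1.1.1+ for -ext.
set -eu

WARN_SECONDS=2592000   # 30 days; assumed threshold for this example

fetch_leaf_cert() {  # $1 host, $2 port, $3 output PEM file
    # </dev/null closes stdin so s_client exits after the handshake; -servername
    # sends SNI so a virtual host returns the certificate for that name.
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

cert_report() {  # $1 PEM file; returns 1 if the cert expires within WARN_SECONDS
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
    # -ext prints a heading line first; drop it and the indentation.
    echo "sans=$(openssl x509 -in "$1" -noout -ext subjectAltName | sed '1d; s/^[[:space:]]*//')"
    days=$((WARN_SECONDS / 86400))
    # -checkend exits 0 if the certificate is still valid that long, 1 otherwise.
    if openssl x509 -in "$1" -noout -checkend "$WARN_SECONDS" >/dev/null; then
        echo "expiry=ok (more than $days days left)"
        return 0
    fi
    echo "expiry=WARNING (expires within $days days)"
    return 1
}

tls_report() {  # $1 host, $2 port (default 443)
    pem=$(mktemp)
    fetch_leaf_cert "$1" "${2:-443}" "$pem"
    if cert_report "$pem"; then rc=0; else rc=1; fi
    rm -f "$pem"
    return $rc
}

# Usage: sh tls-report.sh example.com [443]
if [ $# -ge 1 ]; then
    tls_report "$@"
fi
```

Because the expiry decision is the exit status of -checkend, the script drops straight into cron or a CI step: a return code of 1 means "renew now".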
openssl genrsa -out <key> <bits> — Generate an RSA private key. The file is unencrypted – protect it with restrictive file permissions (chmod 600).
openssl genrsa -out private.key 4096
openssl genrsa -aes256 -out <key> <bits> — Generate an RSA private key encrypted with a passphrase.
openssl genrsa -aes256 -out private.key 4096
openssl ecparam -genkey -name prime256v1 -noout -out <key> — Generate an ECDSA private key on the P-256 curve. -noout drops the separate EC PARAMETERS block that some tools cannot parse.
openssl ecparam -genkey -name prime256v1 -noout -out ec-private.key
openssl genpkey -algorithm ed25519 -out <key> — Generate an Ed25519 private key.
openssl genpkey -algorithm ed25519 -out ed25519.key
openssl rsa -in <key> -pubout -out <pubkey> — Extract the public key from an RSA private key. For EC or Ed25519 keys use openssl pkey -in <key> -pubout, which handles every key type.
openssl rsa -in private.key -pubout -out public.key
openssl rsa -in <key> -text -noout — Display the components of an RSA key in human-readable format.
openssl rsa -in private.key -text -noout
openssl rsa -in <encrypted_key> -out <decrypted_key> — Remove the passphrase from an encrypted private key. The key then sits unprotected on disk – use only in controlled environments.
openssl rsa -in encrypted.key -out decrypted.key
Certificate Signing Requests (CSR)
openssl req -new -key <key> -out <csr> — Generate a CSR from an existing private key.
openssl req -new -key private.key -out server.csr
openssl req -new -newkey rsa:4096 -nodes -keyout <key> -out <csr> — Generate a new private key and CSR in one step. -nodes stores the key unencrypted (OpenSSL 3 spells it -noenc, but -nodes still works) – use only in protected environments.
openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr
openssl req -in <csr> -text -noout — Display the contents of a CSR.
openssl req -in server.csr -text -noout
openssl req -verify -in <csr> -noout — Verify the CSR's self-signature, which proves the requester holds the matching private key; -noout stops the CSR being printed again.
openssl req -verify -in server.csr -noout
openssl req -new -key <key> -out <csr> -subj "/CN=<domain>" — Generate a CSR non-interactively with a subject line.
openssl req -new -key server.key -out server.csr -subj "/CN=example.com/O=My Company/C=DE"
openssl req -new -key <key> -out <csr> -addext "subjectAltName=DNS:<domain>" — Generate a CSR with Subject Alternative Names (SANs). Browsers and public CAs match hostnames against the SAN list, not the CN.
openssl req -new -key server.key -out server.csr -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
Self-Signed Certificates
openssl req -x509 -newkey rsa:4096 -nodes -keyout <key> -out <cert> -days <days> — Generate a new self-signed certificate with a new key in one step. Use self-signed certificates for testing or internal purposes only – browsers and clients won't trust them without a manual exception.
openssl req -x509 -newkey rsa:4096 -nodes -keyout server.key -out server.crt -days 365
openssl req -x509 -key <key> -in <csr> -out <cert> -days <days> — Create a self-signed certificate from an existing CSR. Extensions in the CSR (such as SANs) are not carried over unless you add -copy_extensions copy (OpenSSL 3.0 and later).
openssl req -x509 -key server.key -in server.csr -out server.crt -days 365
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout <key> -out <cert> -days 365 -subj "/CN=<domain>" -addext "subjectAltName=DNS:<domain>" — One-liner for a self-signed cert with SAN (modern browsers require SANs and ignore the CN for hostname matching).
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -days 365 -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
Certificate Conversion
openssl x509 -in <cert.pem> -outform DER -out <cert.der> — Convert a PEM certificate to DER (binary) format.
openssl x509 -in server.crt -outform DER -out server.der
openssl x509 -in <cert.der> -inform DER -outform PEM -out <cert.pem> — Convert a DER certificate to PEM format.
openssl x509 -in server.der -inform DER -outform PEM -out server.pem
openssl pkcs12 -export -out <pfx> -inkey <key> -in <cert> -certfile <ca> — Create a PKCS#12/PFX file from a key, cert and optional CA chain. You are prompted for an export password that protects the bundled private key.
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile ca-chain.crt
openssl pkcs12 -in <pfx> -out <pem> -nodes — Extract all certificates and keys from a PKCS#12 file. -nodes writes the key unencrypted. Files produced by older tools often use RC2/3DES and need -legacy on OpenSSL 3.
openssl pkcs12 -in server.pfx -out server.pem -nodes
openssl pkcs12 -in <pfx> -clcerts -nokeys -out <cert> — Extract only the end-entity (client or server) certificate from a PKCS#12 file; -cacerts -nokeys extracts only the CA certificates.
openssl pkcs12 -in server.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in <pfx> -nocerts -nodes -out <key> — Extract only the private key from a PKCS#12 file.
openssl pkcs12 -in server.pfx -nocerts -nodes -out key.pem
Verification & Validation
openssl verify -CAfile <ca> <cert> — Verify a certificate against a CA certificate. -CAfile is for the root you trust; intermediates that are not themselves trusted go in -untrusted <intermediate>.
openssl verify -CAfile ca.crt server.crt
openssl x509 -in <cert> -noout -checkend <seconds> — Check whether a certificate expires within the given number of seconds. Exit status 0 means it stays valid that long, 1 means it expires sooner, so the command drops straight into scripts and monitoring checks.
openssl x509 -in server.crt -noout -checkend 2592000
openssl rsa -in <key> -check — Verify the consistency of an RSA private key.
openssl rsa -in private.key -check
openssl x509 -in <cert> -modulus -noout | openssl md5 — Get the modulus hash of a certificate (compare with the key to verify they match). MD5 is acceptable here because it only shortens two values you hold yourself; nothing depends on collision resistance.
openssl x509 -in server.crt -modulus -noout | openssl md5
openssl rsa -in <key> -modulus -noout | openssl md5 — Get the modulus hash of a key (must match the certificate modulus). This works for RSA only; for any key type compare the public keys instead: openssl x509 -in <cert> -pubkey -noout against openssl pkey -in <key> -pubout.
openssl rsa -in server.key -modulus -noout | openssl md5
Hashing & Encoding
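The Key Generation, CSR, Self-Signed Certificates, Certificate Conversion and Verification sections above are the steps of one workflow. The following is an added example, not code from the original page: it builds a throwaway local PKI (a lab CA that signs the server CSR, rather than a self-signed leaf) and then runs the consistency checks a CI job would run before deploying the files. It goes beyond the page in two places: signing with openssl x509 -req -CA, and comparing public-key hashes instead of the RSA-only modulus trick. Assumptions: OpenSSL 1.1.1 or later, a scratch directory passed as the first argument, and the made-up names app.example.test and "Example Lab CA". P-256 keys are used because they generate instantly; RSA keys work the same way.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a lab PKI in "$1" and checks it.
set -eu

build_pki() {
    d="$1"
    mkdir -p "$d"

    # Lab CA: key plus self-signed certificate (req -x509 marks it as a CA).
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/ca.key"
    openssl req -x509 -new -key "$d/ca.key" -sha256 -days 3650 \
        -subj "/CN=Example Lab CA/O=Example Lab" -out "$d/ca.crt"

    # Server key and CSR. The CSR carries the SANs; -verify checks the
    # self-signature, i.e. that the requester holds the private key.
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/server.key"
    openssl req -new -key "$d/server.key" -sha256 \
        -subj "/CN=app.example.test/O=Example Lab" \
        -addext "subjectAltName=DNS:app.example.test,DNS:www.app.example.test" \
        -out "$d/server.csr"
    openssl req -in "$d/server.csr" -verify -noout

    # Sign with the CA. x509 -req ignores extensions inside the CSR, so the
    # leaf extensions are restated in -extfile (works on 1.1.1 and 3.x alike).
    cat > "$d/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:app.example.test,DNS:www.app.example.test
EOF
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 397 -sha256 -extfile "$d/server.ext" -out "$d/server.crt"

    # Alternate encodings: DER for Java/Windows tooling, PKCS#12 for software
    # that wants key and chain in one password-protected file.
    openssl x509 -in "$d/server.crt" -outform DER -out "$d/server.der"
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -certfile "$d/ca.crt" -passout pass:changeit -out "$d/server.p12"
    chmod 600 "$d/ca.key" "$d/server.key"
}

# Each check is a plain command: under set -e the first failure aborts, and
# the function returns non-zero when called from an if or && context.
check_pki() {
    d="$1"
    # 1. The chain builds to the lab CA.
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null
    # 2. Key matches certificate. The modulus trick is RSA-only; hashing the
    #    public key (SPKI) from both sides works for RSA, EC and Ed25519.
    cert_pub=$(openssl x509 -in "$d/server.crt" -pubkey -noout | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$d/server.key" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
    # 3. SANs survived signing (hostname matching uses these, not the CN).
    openssl x509 -in "$d/server.crt" -noout -ext subjectAltName | grep -q 'DNS:app.example.test'
    # 4. DER and PKCS#12 copies decode to the same certificate as the PEM.
    pem_fp=$(openssl x509 -in "$d/server.crt" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -in "$d/server.der" -inform DER -noout -fingerprint -sha256)
    openssl pkcs12 -in "$d/server.p12" -passin pass:changeit -clcerts -nokeys -out "$d/from-p12.crt"
    p12_fp=$(openssl x509 -in "$d/from-p12.crt" -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ]
    [ "$pem_fp" = "$p12_fp" ]
    echo "all checks passed: $pem_fp"
}

# Usage: sh lab-pki.sh /tmp/lab-pki
if [ $# -eq 1 ]; then
    build_pki "$1"
    check_pki "$1"
fi
```

The SPKI comparison in check 2 is the one to keep in your own scripts: it is the same test the modulus hash performs for RSA, but it does not silently pass or fail for EC and Ed25519 keys.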
openssl dgst -sha256 <file> — Calculate the SHA-256 hash of a file.
openssl dgst -sha256 document.pdf
openssl dgst -md5 <file> — Calculate the MD5 hash of a file. MD5 and SHA-1 are collision-broken; keep them for compatibility checks only and use SHA-256 wherever the hash has a security role.
openssl dgst -md5 document.pdf
echo -n "<text>" | openssl dgst -sha256 — Hash a string with SHA-256. printf '%s' "<text>" is the portable form; some shells' echo -n prints the -n literally, which changes the hash.
echo -n "hello" | openssl dgst -sha256
openssl base64 -in <file> — Base64 encode a file (output is wrapped at 64 characters; -A writes a single line).
openssl base64 -in image.png
openssl base64 -d -in <file> — Decode a Base64-encoded file. The decoder expects wrapped input; for single-line data longer than 64 characters add -A, otherwise it silently produces truncated output.
openssl base64 -d -in encoded.txt -out decoded.bin
Encryption & Decryption
openssl enc -aes-256-cbc -salt -pbkdf2 -in <file> -out <encrypted> — Encrypt a file with AES-256-CBC using a password. -pbkdf2 replaces the weak legacy key derivation (a single hash round) with PBKDF2; raise the cost with -iter <count> (default 10000).
openssl enc -aes-256-cbc -salt -pbkdf2 -in secret.txt -out secret.enc
openssl enc -d -aes-256-cbc -pbkdf2 -in <encrypted> -out <decrypted> — Decrypt a file encrypted with AES-256-CBC. enc provides confidentiality only: CBC output carries no integrity check, so a modified ciphertext is not detected, and a wrong password usually shows up only as "bad decrypt". Add an HMAC over the ciphertext if tampering matters.
openssl enc -d -aes-256-cbc -pbkdf2 -in secret.enc -out secret.txt
openssl rsautl -encrypt -inkey <pubkey> -pubin -in <file> -out <encrypted> — Encrypt a small file (smaller than the RSA modulus) with an RSA public key. rsautl is deprecated since OpenSSL 3.0 and defaults to PKCS#1 v1.5 padding; the replacement is openssl pkeyutl -encrypt -pubin -inkey <pubkey> -in <file> -out <encrypted> -pkeyopt rsa_padding_mode:oaep.
openssl rsautl -encrypt -inkey public.key -pubin -in secret.txt -out secret.enc
openssl rsautl -decrypt -inkey <privkey> -in <encrypted> -out <decrypted> — Decrypt a file with an RSA private key (openssl pkeyutl -decrypt with the same padding option on OpenSSL 3).
openssl rsautl -decrypt -inkey private.key -in secret.enc -out secret.txt
openssl rand -hex <bytes> — Generate random bytes from the CSPRNG as a hexadecimal string (suitable for keys, tokens and salts).
openssl rand -hex 32
openssl rand -base64 <bytes> — Generate random bytes as a Base64 string.
openssl rand -base64 32
Useful Queries
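The caveat above, that openssl enc gives confidentiality but no integrity, is easy to close with the commands on this page. The following is an added example, not code from the original page: it wraps enc in an encrypt-then-MAC scheme. One 32-byte master key (openssl rand -hex 32) is split into independent encryption and MAC keys with HMAC-SHA256, the file is encrypted with AES-256-CBC under a fresh random IV, and an HMAC over IV||ciphertext is stored beside it; decryption refuses to touch the ciphertext unless the tag verifies. The key-derivation labels and the "<name>.sealed" / "<name>.sealed.tag" file layout are conventions of this example, not an OpenSSL format.

```shell
#!/bin/sh
# Added example (not from the original page): encrypt-then-MAC around openssl enc.
set -eu

hmac_hex() {  # $1 = hex key; data on stdin; prints the HMAC-SHA256 as hex
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/^.*= //'
}

derive_key() {  # $1 = master key (hex), $2 = label -> independent 256-bit sub-key
    printf '%s' "$2" | hmac_hex "$1"
}

seal() {  # $1 = master key (hex), $2 = plaintext file, $3 = output base name
    enc_key=$(derive_key "$1" "example-file-encryption-v1")
    mac_key=$(derive_key "$1" "example-file-authentication-v1")
    iv=$(openssl rand -hex 16)   # random per file; an IV must never repeat under one key
    # Layout of "$3.sealed": first line is the IV in hex (not secret), then raw ciphertext.
    { printf '%s\n' "$iv"; openssl enc -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$2"; } > "$3.sealed"
    # Tag covers IV and ciphertext, so a swapped IV is caught as well as a bit flip.
    hmac_hex "$mac_key" < "$3.sealed" > "$3.sealed.tag"
}

open_sealed() {  # $1 = master key (hex), $2 = sealed file, $3 = plaintext output
    enc_key=$(derive_key "$1" "example-file-encryption-v1")
    mac_key=$(derive_key "$1" "example-file-authentication-v1")
    expected=$(cat "$2.tag")
    actual=$(hmac_hex "$mac_key" < "$2")
    # Verify before decrypting. A shell string compare is not constant-time;
    # acceptable for an offline file tool, not for anything an attacker can time.
    if [ "$expected" != "$actual" ]; then
        echo "integrity check failed for $2, refusing to decrypt" >&2
        return 1
    fi
    iv=$(head -n 1 "$2")
    tail -n +2 "$2" | openssl enc -d -aes-256-cbc -K "$enc_key" -iv "$iv" -out "$3"
}

# Usage: sh seal.sh <master-hex> seal <plaintext> <out-base>
#        sh seal.sh <master-hex> open <file.sealed> <plaintext-out>
if [ $# -eq 4 ]; then
    case "$2" in
        seal) seal "$1" "$3" "$4" ;;
        open) open_sealed "$1" "$3" "$4" ;;
    esac
fi
```

A wrong key fails at the tag check rather than at "bad decrypt", and an appended, truncated or flipped byte is rejected before any plaintext is written, which is the property plain openssl enc cannot give you.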
openssl version [-a] — Show the installed OpenSSL version; -a adds build options, platform and the configuration directory (useful when a command behaves differently on two hosts).
openssl version -a
openssl list -cipher-algorithms — List all available cipher algorithms.
openssl list -cipher-algorithms
openssl list -digest-algorithms — List all available digest (hash) algorithms.
openssl list -digest-algorithms
openssl ecparam -list_curves — List all supported elliptic curves.
openssl ecparam -list_curves
openssl ciphers -v [cipherlist] — List the cipher suites matching a cipher-list string, one per line with protocol version, key exchange, authentication, encryption and MAC. TLS 1.3 suites are always listed first because they are configured separately from the TLS 1.2 cipher list.
openssl ciphers -v 'ECDHE+AESGCM'
openssl speed <algorithm> — Benchmark the performance of a cryptographic algorithm.
openssl speed aes-256-cbc sha256
Conclusion
OpenSSL ships on virtually every server and remains the reference tool whenever TLS and cryptography are involved. Master the x509, req and s_client subcommands and you will diagnose certificate problems in seconds and automate PKI tasks in CI/CD pipelines. Stick to modern algorithms (SHA-256, AES-256 with an integrity check, Ed25519), avoid MD5 and SHA-1 wherever the hash matters for security, and protect private keys consistently; then OpenSSL is a dependable companion.
Further Reading
- OpenSSL – official documentation – reference and manual pages
- OpenSSL project – openssl.org – project site and documentation overview
- OpenSSL – Wikipedia – background and history