OpenSSL Cheatsheet

OpenSSL command cheatsheet covering certificate inspection, generation, format conversion, key operations, SSL/TLS connection testing, hashing, signing, and encryption organized by category

Related Categories:SSL/TLSSecurity

70 commands

x509 -text

View certificate details

openssl x509 -in cert.pem -text -noout

x509 -enddate

Check certificate expiry date

openssl x509 -in cert.pem -enddate -noout

x509 -startdate

Check certificate start date

openssl x509 -in cert.pem -startdate -noout

x509 -ext SAN

Extract Subject Alternative Names

openssl x509 -in cert.pem -noout -ext subjectAltName

x509 -subject

Show certificate subject

openssl x509 -in cert.pem -subject -noout

x509 -issuer

Show certificate issuer

openssl x509 -in cert.pem -issuer -noout

x509 -serial

Show certificate serial number

openssl x509 -in cert.pem -serial -noout

x509 -fingerprint SHA256

Get SHA256 fingerprint

openssl x509 -in cert.pem -fingerprint -sha256 -noout

x509 -fingerprint SHA1

Get SHA1 fingerprint

openssl x509 -in cert.pem -fingerprint -sha1 -noout

verify

Verify certificate chain

openssl verify -CAfile ca.pem cert.pem

x509 -purpose

Check certificate purpose

openssl x509 -in cert.pem -purpose -noout

req -x509 (self-signed)

Generate self-signed certificate

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

req -new (CSR)

Generate Certificate Signing Request

openssl req -new -key key.pem -out request.csr

x509 -x509toreq

Create CSR from existing certificate

openssl x509 -x509toreq -in cert.pem -signkey key.pem -out request.csr

req -new -newkey

Generate CSR with new key

openssl req -new -newkey rsa:4096 -nodes -keyout key.pem -out request.csr

x509 -req (CA sign)

Sign CSR with CA certificate

openssl x509 -req -in request.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -days 365

req -x509 -addext SAN

Generate self-signed certificate with SAN

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -addext "subjectAltName=DNS:example.com,DNS:*.example.com"

req -x509 EC

Generate EC certificate

openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -keyout key.pem -out cert.pem -days 365 -nodes

pkcs12 -export

Create PKCS12 file

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile ca.pem

x509 PEM→DER

Convert PEM to DER format

openssl x509 -in cert.pem -outform DER -out cert.der

x509 DER→PEM

Convert DER to PEM format

openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem

pkcs12 PEM→PKCS12

Convert PEM to PKCS12 format

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

pkcs12 PKCS12→PEM

Convert PKCS12 to PEM format

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

pkcs12 extract key

Extract private key from PKCS12

openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

pkcs12 extract cert

Extract certificate from PKCS12

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

pkcs7 PKCS7→PEM

Convert PKCS7 to PEM format

openssl pkcs7 -in cert.p7b -print_certs -out cert.pem

crl2pkcs7 PEM→PKCS7

Convert PEM to PKCS7 format

openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

genrsa

Generate RSA private key

openssl genrsa -out key.pem 4096

ecparam P-256

Generate EC key (P-256)

openssl ecparam -genkey -name prime256v1 -noout -out key.pem

ecparam P-384

Generate EC key (P-384)

openssl ecparam -genkey -name secp384r1 -noout -out key.pem

genpkey Ed25519

Generate Ed25519 key

openssl genpkey -algorithm Ed25519 -out key.pem

rsa -text

View RSA key details

openssl rsa -in key.pem -text -noout

ec -text

View EC key details

openssl ec -in key.pem -text -noout

rsa -pubout

Extract public key

openssl rsa -in key.pem -pubout -out pub.pem

rsa (remove passphrase)

Remove passphrase from key

openssl rsa -in encrypted.pem -out decrypted.pem

rsa -aes256

Add passphrase to key

openssl rsa -in key.pem -aes256 -out encrypted.pem

key-cert match

Check if key matches certificate

openssl x509 -in cert.pem -noout -modulus | openssl md5 && openssl rsa -in key.pem -noout -modulus | openssl md5

req -text (CSR)

Check CSR details

openssl req -in request.csr -text -noout

s_client

Test SSL/TLS connection

openssl s_client -connect host:443

s_client -showcerts

Show certificate chain

openssl s_client -connect host:443 -showcerts

s_client -tls1_2

Test connection with TLS 1.2

openssl s_client -connect host:443 -tls1_2

s_client -tls1_3

Test connection with TLS 1.3

openssl s_client -connect host:443 -tls1_3

s_client -cipher

Connect with specific cipher suite

openssl s_client -connect host:443 -cipher ECDHE-RSA-AES256-GCM-SHA384

s_client -servername

Connect with SNI

openssl s_client -connect host:443 -servername example.com

s_client STARTTLS SMTP

Connect with STARTTLS (SMTP)

openssl s_client -connect mail:25 -starttls smtp

s_client STARTTLS IMAP

Connect with STARTTLS (IMAP)

openssl s_client -connect mail:143 -starttls imap

s_client STARTTLS FTP

Connect with STARTTLS (FTP)

openssl s_client -connect ftp:21 -starttls ftp

s_client → x509

Get and display server certificate only

openssl s_client -connect host:443 2>/dev/null | openssl x509 -text -noout

s_client -status

Check OCSP stapling

openssl s_client -connect host:443 -status

dgst -sha256

Calculate SHA256 digest

openssl dgst -sha256 file.txt

dgst -sha512

Calculate SHA512 digest

openssl dgst -sha512 file.txt

dgst -md5

Calculate MD5 digest

openssl dgst -md5 file.txt

dgst -sign

Sign a file

openssl dgst -sha256 -sign key.pem -out sig.bin file.txt

dgst -verify

Verify a signature

openssl dgst -sha256 -verify pub.pem -signature sig.bin file.txt

dgst -hmac

Calculate HMAC-SHA256

openssl dgst -sha256 -hmac "secret" file.txt

list -digest-algorithms

List available digest algorithms

openssl list -digest-algorithms

base64

Base64 encode a file

openssl base64 -in file.bin -out file.b64

enc -aes-256-cbc

Encrypt file with AES-256-CBC

openssl enc -aes-256-cbc -salt -pbkdf2 -in plain.txt -out encrypted.bin

enc -d (decrypt)

Decrypt an encrypted file

openssl enc -d -aes-256-cbc -pbkdf2 -in encrypted.bin -out plain.txt

enc -a (Base64)

Encrypt with Base64 output

openssl enc -aes-256-cbc -salt -pbkdf2 -a -in plain.txt -out encrypted.txt

rand -hex

Generate random hex bytes

openssl rand -hex 32

rand -base64

Generate random Base64 bytes

openssl rand -base64 32

rand (password)

Generate random password

openssl rand -base64 24

list -cipher-algorithms

List available cipher algorithms

openssl list -cipher-algorithms

verify (chain)

Verify certificate with intermediate

openssl verify -CAfile ca.pem -untrusted intermediate.pem cert.pem

crl -text

Check Certificate Revocation List

openssl crl -in crl.pem -text -noout

speed

Benchmark cryptographic operations

openssl speed rsa2048

speed -multi

Multi-threaded benchmark

openssl speed -multi 4 aes-256-cbc

version -a

Show OpenSSL version information

openssl version -a

ciphers -v

List available cipher suites

openssl ciphers -v