OpenSSL Commands Reference

Essential OpenSSL commands for certificate management and troubleshooting

📋 Inspecting Certificates

View certificate details (PEM format)

openssl x509 -in certificate.crt -text -noout

Displays all certificate information including subject, issuer, validity dates, and extensions.

View certificate details (DER format)

openssl x509 -in certificate.der -inform DER -text -noout

Check certificate expiration date

openssl x509 -in certificate.crt -noout -dates

View certificate subject and issuer

openssl x509 -in certificate.crt -noout -subject -issuer

Check certificate fingerprint (SHA256)

openssl x509 -in certificate.crt -noout -fingerprint -sha256
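The inspection commands above turned into checks a renewal or monitoring script can act on. This is an added example, not part of the original reference: it creates a throwaway self-signed certificate (subject "inspect-demo" and a 30-day lifetime are constructed values), reports expiry with -checkend rather than by parsing -dates, and shows that the SHA-256 fingerprint is nothing more than SHA-256 over the certificate's DER encoding.

```shell
#!/bin/sh
# Added example: script-friendly versions of the certificate inspection commands.
# The certificate is generated here for the demo; subject and lifetime are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=inspect-demo" -days 30 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Exit status 0 when the certificate expires within $2 days.
# -checkend takes seconds and itself exits non-zero when the end date is that
# close, so the result is inverted to read naturally in an if statement.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint as printed by -fingerprint, without the "Fingerprint=" label.
fingerprint_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The same value computed by hand: SHA-256 over the DER encoding of the certificate.
fingerprint_from_der() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Normalise a colon-separated uppercase fingerprint to bare lowercase hex for comparison.
normalise_fp() { printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'; }

# Subject in RFC 2253 form, which is stable enough to compare or grep.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

openssl x509 -in "$WORK/cert.pem" -noout -dates
if expires_within_days "$WORK/cert.pem" 60; then
  echo "renew soon: certificate expires within 60 days"
fi
echo "fingerprint: $(fingerprint_sha256 "$WORK/cert.pem")"
echo "subject:     $(cert_subject "$WORK/cert.pem")"
```

Using -checkend avoids parsing the notAfter string with date, whose syntax differs between GNU and BSD systems, so the same check runs unchanged on Linux and macOS.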

📝 Certificate Signing Request (CSR) Operations

Generate private key and CSR (RSA 2048-bit)

openssl req -newkey rsa:2048 -keyout private.key -out request.csr

Creates both a new private key and CSR. You'll be prompted for information and a passphrase.

Generate CSR from existing private key

openssl req -new -key private.key -out request.csr

View CSR details

openssl req -in request.csr -text -noout

Verify CSR signature

openssl req -in request.csr -verify -noout

🔄 Format Conversion

Convert PEM to DER

openssl x509 -in certificate.crt -outform DER -out certificate.der

Convert DER to PEM

openssl x509 -in certificate.der -inform DER -out certificate.crt

Convert PFX to PEM (certificate and key)

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

Extracts both the certificate and the private key. Remove -nodes to encrypt the private key.

Convert PFX to PEM (certificate only)

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

Convert PFX to PEM (private key only)

openssl pkcs12 -in certificate.pfx -nocerts -out private.key

Create PFX from PEM certificate and key

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt
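The conversion commands above run as a round trip, with a check after each step that the certificate and key survived intact. This is an added example, not part of the original reference; the file names, the subject "convert-demo" and the PFX password are constructed for the demo, and -passout/-passin are used so nothing prompts.

```shell
#!/bin/sh
# Added example: PEM -> DER -> PEM and PEM -> PKCS#12 -> PEM round trips,
# each verified by comparing fingerprints or public keys.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PFX_PASS='demo-password'   # constructed for the demo

openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=convert-demo" -days 30 \
  -keyout key.pem -out cert.pem 2>/dev/null

# fingerprint FILE [FORMAT]: SHA-256 fingerprint, format defaults to PEM.
fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
# Public half of a private key, used to compare keys regardless of container format.
pubkey_of_key() { openssl pkey -in "$1" -pubout; }

# PEM -> DER -> PEM. The DER file is exactly the bytes the fingerprint is computed over.
openssl x509 -in cert.pem -outform DER -out cert.der
openssl x509 -in cert.der -inform DER -out cert.roundtrip.pem

# Bundle key and certificate into PKCS#12, then unpack both parts again.
openssl pkcs12 -export -inkey key.pem -in cert.pem -out bundle.pfx -passout "pass:$PFX_PASS"
openssl pkcs12 -in bundle.pfx -passin "pass:$PFX_PASS" -clcerts -nokeys -out from-pfx.crt
openssl pkcs12 -in bundle.pfx -passin "pass:$PFX_PASS" -nocerts -nodes -out from-pfx.key

# True when two files encode the same certificate (both read as PEM).
same_cert() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }
# True when two private key files hold the same key.
same_key() { [ "$(pubkey_of_key "$1")" = "$(pubkey_of_key "$2")" ]; }

[ "$(fingerprint cert.der DER)" = "$(fingerprint cert.pem)" ] && echo "DER matches PEM"
same_cert cert.pem cert.roundtrip.pem && echo "DER round trip preserved the certificate"
same_cert cert.pem from-pfx.crt && echo "PKCS#12 round trip preserved the certificate"
same_key key.pem from-pfx.key && echo "PKCS#12 round trip preserved the private key"
```

The files extracted from the PFX start with "Bag Attributes" lines before the PEM block; openssl x509 and openssl pkey skip them, but some other tools do not. OpenSSL 3 protects PKCS#12 files with AES-256-CBC and PBKDF2 by default; if an older consumer cannot open the bundle, add -legacy to the export command.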

🔑 Private Key Operations

Generate RSA private key (2048-bit)

openssl genrsa -out private.key 2048

Generate encrypted RSA private key (4096-bit)

openssl genrsa -aes256 -out private.key 4096

Generate EC private key (P-256)

openssl ecparam -genkey -name prime256v1 -out private.key

Remove passphrase from private key

openssl rsa -in encrypted.key -out decrypted.key

Add passphrase to private key

openssl rsa -in private.key -aes256 -out encrypted.key

View private key details

openssl rsa -in private.key -text -noout
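The passphrase commands above are RSA-specific: openssl rsa cannot read an EC key. This added example, not part of the original reference, does the same add/remove round trip with openssl pkey, which handles RSA and EC keys alike, and proves the key is unchanged by comparing its public half before and after. The key file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: non-interactive passphrase add/remove that works for any key type.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS='demo-passphrase'   # constructed for the demo; real passphrases belong in a prompt or secret store

# One key of each type. -noout keeps the "EC PARAMETERS" block out of the EC key file.
openssl genrsa -out rsa.key 2048 2>/dev/null
openssl ecparam -genkey -name prime256v1 -noout -out ec.key

# add_passphrase IN OUT PASSPHRASE: writes an AES-256 encrypted PKCS#8 key.
add_passphrase() {
  openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2"
}
# remove_passphrase IN OUT PASSPHRASE: writes the key back out unencrypted.
remove_passphrase() {
  openssl pkey -in "$1" -passin "pass:$3" -out "$2"
}
# Public half of a key; identical before and after a correct round trip.
pubkey_of() { openssl pkey -in "$1" -pubout; }

for k in rsa.key ec.key; do
  add_passphrase "$k" "$k.enc" "$PASS"
  remove_passphrase "$k.enc" "$k.dec" "$PASS"
  if [ "$(pubkey_of "$k")" = "$(pubkey_of "$k.dec")" ]; then
    echo "$k: passphrase round trip preserved the key"
  fi
done

# The RSA-specific tool refuses the EC key; pkey is the generic equivalent of
# "openssl rsa -in private.key -text -noout".
openssl rsa -in ec.key -noout 2>/dev/null || echo "openssl rsa cannot read ec.key; use openssl pkey"
openssl pkey -in ec.key -text -noout | head -n 1
```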

🔒 Testing SSL/TLS Connections

Test SSL/TLS connection and view certificate

openssl s_client -connect example.com:443 -showcerts

Test with specific TLS version

openssl s_client -connect example.com:443 -tls1_2

Replace -tls1_2 with -tls1_3 for TLS 1.3.

Download server certificate

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 > server.crt

Check certificate with SNI (Server Name Indication)

openssl s_client -connect example.com:443 -servername example.com

Show protocol messages and DNs (Distinguished Names)

openssl s_client -connect example.com:443 -msg

Displays all TLS protocol messages including certificate request DNs. Useful for debugging client certificate authentication and seeing which CAs the server trusts.

Test SMTP STARTTLS

openssl s_client -connect mail.example.com:25 -starttls smtp
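The s_client commands above exercised against a local openssl s_server, so the "download server certificate" and SNI steps can be tried without touching a real host. This is an added example, not part of the original reference; the port 4433, the subject "localhost" and the wrong name example.com used for the hostname-mismatch case are constructed values. It also shows that the "Verify return code" s_client prints covers the chain and, with -verify_hostname, the name, which is a separate check.

```shell
#!/bin/sh
# Added example: fetch and verify a certificate from a local test server.
set -e
WORK=$(mktemp -d)
PORT=4433   # constructed; any free local port works

openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" -www >/dev/null 2>&1 &
SERVER=$!
trap 'kill "$SERVER" 2>/dev/null; rm -rf "$WORK"' EXIT

# Wait until the listener answers; s_server needs a moment to start.
i=0
until echo | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1; do
  i=$((i + 1))
  [ "$i" -lt 20 ] || { echo "server did not start"; exit 1; }
  sleep 1
done

# fetch_server_cert HOST:PORT NAME: the first PEM block s_client prints is the leaf.
fetch_server_cert() {
  echo | openssl s_client -connect "$1" -servername "$2" 2>/dev/null | openssl x509
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# verify_code HOST:PORT NAME CAFILE: numeric "Verify return code" for a connection
# that trusts only CAFILE and checks the certificate against NAME.
verify_code() {
  echo | openssl s_client -connect "$1" -servername "$2" -verify_hostname "$2" \
    -CAfile "$3" 2>/dev/null \
    | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

fetch_server_cert "127.0.0.1:$PORT" localhost > "$WORK/server.crt"
echo "served:  $(fingerprint "$WORK/server.crt")"
echo "on disk: $(fingerprint "$WORK/cert.pem")"
echo "verify as localhost:   $(verify_code "127.0.0.1:$PORT" localhost "$WORK/cert.pem")"
echo "verify as example.com: $(verify_code "127.0.0.1:$PORT" example.com "$WORK/cert.pem")"
```

Return code 0 means the chain verified and the name matched; 62 is X509_V_ERR_HOSTNAME_MISMATCH, reported when the chain is fine but the certificate does not cover the requested name. Against a real host, drop -CAfile to use the system trust store.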

✅ Verification and Validation

Verify certificate matches private key

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Both commands should output the same MD5 hash if they match. This modulus comparison applies to RSA keys only; for EC keys, compare the public key printed by openssl x509 -pubkey -noout with the output of openssl pkey -pubout instead.

Verify certificate chain

openssl verify -CAfile ca-bundle.crt certificate.crt

Verify certificate chain with intermediate certificates

openssl verify -CAfile root.crt -untrusted intermediate.crt certificate.crt

🛠️ Self-Signed Certificates (Testing/Development)

Generate self-signed certificate (valid 365 days)

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

Generate self-signed certificate with no password

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Generate self-signed certificate with SAN (Subject Alternative Names)

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
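A throwaway three-tier PKI built from the CSR, self-signed-certificate and verification commands above: a root, an intermediate and an EC-keyed leaf with SANs, then openssl verify with and without -untrusted and a certificate-to-key match that works for EC as well as RSA. This is an added example, not part of the original reference; the subjects, file names and the 365/90-day lifetimes are constructed. The certificates are signed with openssl x509 -req and an -extfile for each tier because x509 -req does not copy the extensions requested in a CSR, so a SAN asked for in the CSR still has to be granted explicitly by the signer.

```shell
#!/bin/sh
# Added example: root -> intermediate -> leaf, verified with openssl verify.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profile per tier. x509 -req applies only what -extfile provides.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' \
              'subjectKeyIdentifier=hash' > root.ext
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
              'keyUsage=critical,keyCertSign,cRLSign' \
              'subjectKeyIdentifier=hash' \
              'authorityKeyIdentifier=keyid' > int.ext
printf '%s\n' 'basicConstraints=CA:FALSE' \
              'keyUsage=critical,digitalSignature' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:example.com,DNS:www.example.com' \
              'subjectKeyIdentifier=hash' \
              'authorityKeyIdentifier=keyid' > leaf.ext

# Root CA: CSR generated non-interactively with -subj, then self-signed.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/CN=Example Test Root" -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile root.ext -out root.crt 2>/dev/null

# Intermediate CA, signed by the root.
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -key int.key -subj "/CN=Example Test Intermediate" -out int.csr
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -extfile int.ext -out int.crt 2>/dev/null

# Leaf: EC key, CSR that requests SANs, signed by the intermediate.
openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
openssl req -new -key leaf.key -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com" -out leaf.csr
openssl req -in leaf.csr -verify -noout 2>/dev/null   # CSR self-signature check
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 90 -extfile leaf.ext -out leaf.crt 2>/dev/null

# chain_ok ROOT INTERMEDIATE LEAF: the root is the only trust anchor; the
# intermediate is an untrusted helper that must itself chain to the root.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: compares public keys, so it works for RSA and EC
# where the modulus comparison only works for RSA.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# SANs actually present in an issued certificate, comma-separated.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

chain_ok root.crt int.crt leaf.crt && echo "leaf chains to root via the intermediate"
openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 || echo "without -untrusted int.crt, verification fails"
cert_matches_key leaf.crt leaf.key && echo "leaf.crt matches leaf.key"
echo "leaf SANs: $(cert_sans leaf.crt)"
```

The negative case is the one that matters in practice: a server that sends only its leaf certificate fails exactly this way for clients that do not already hold the intermediate, which is why the -untrusted form of the verify command mirrors what a browser sees.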

See Also