OpenSSL Commands Reference

Essential OpenSSL commands for certificate management and troubleshooting

📋 Inspecting Certificates

View certificate details (PEM format)

openssl x509 -in certificate.crt -text -noout

Displays all certificate information including subject, issuer, validity dates, and extensions.

View certificate details (DER format)

openssl x509 -in certificate.der -inform DER -text -noout

Check certificate expiration dates

openssl x509 -in certificate.crt -noout -dates

Shows notBefore and notAfter dates.

Check if certificate will expire within N seconds

openssl x509 -in certificate.crt -noout -checkend 86400

Returns exit code 0 if the certificate is valid for at least 86400 seconds (24 hours), or exit code 1 if it will expire sooner. Use 0 to check if it has already expired.

View certificate subject and issuer

openssl x509 -in certificate.crt -noout -subject -issuer

Check certificate fingerprint (SHA-256)

openssl x509 -in certificate.crt -noout -fingerprint -sha256

View certificate serial number

openssl x509 -in certificate.crt -noout -serial

View Subject Alternative Names (SANs)

openssl x509 -in certificate.crt -noout -ext subjectAltName

Requires OpenSSL 1.1.1 or later; on older versions use -text and read the X509v3 Subject Alternative Name block. Shows all DNS names and IP addresses the certificate covers. Clients match hostnames against the SAN list, not the CN, so this is the list that matters for TLS.

View key usage and extended key usage

openssl x509 -in certificate.crt -noout -ext keyUsage,extendedKeyUsage

Requires OpenSSL 1.1.1 or later. Shows what the certificate is authorized to do (e.g., digital signature, key encipherment, server auth, client auth).

Decode certificate purpose

openssl x509 -in certificate.crt -noout -purpose

Lists whether the certificate is suitable for SSL client, SSL server, S/MIME, CRL signing, and other purposes.

View certificate public key

openssl x509 -in certificate.crt -noout -pubkey

View certificate modulus (RSA certificates)

openssl x509 -in certificate.crt -noout -modulus

Outputs the RSA modulus. Compare this with the modulus of a private key to verify they match.

📝 Certificate Signing Request (CSR) Operations

Generate private key and CSR (RSA 2048-bit)

openssl req -newkey rsa:2048 -keyout private.key -out request.csr

Creates both a new private key and CSR in one step. You will be prompted for a passphrase and the certificate subject fields.

Generate private key and CSR without passphrase

openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=example.com"

Non-interactive generation with subject provided on the command line. The -nodes flag skips key encryption. In OpenSSL 3.x, you can use -noenc instead.

Generate CSR from existing private key

openssl req -new -key private.key -out request.csr

Generate CSR with Subject Alternative Names (SANs)

openssl req -new -key private.key -out request.csr \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:api.example.com"

Requires OpenSSL 1.1.1 or later. Use IP:192.168.1.1 syntax for IP address SANs.

Generate CSR using a configuration file

openssl req -new -key private.key -out request.csr -config openssl.cnf

Uses a custom OpenSSL config file for complex CSR options including SANs, custom extensions, and policy constraints. Required for SANs on OpenSSL versions older than 1.1.1.

View CSR details

openssl req -in request.csr -text -noout

Verify CSR signature

openssl req -in request.csr -verify -noout

Confirms the CSR was signed with the corresponding private key and has not been tampered with.

Generate EC key and CSR in one step (P-256)

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -nodes -keyout private.key -out request.csr

🔑 Private Key Operations

Generate RSA private key (2048-bit)

openssl genrsa -out private.key 2048

Generate RSA private key (4096-bit, encrypted)

openssl genrsa -aes256 -out private.key 4096

Encrypts the key with AES-256. You will be prompted for a passphrase.

Generate EC private key (P-256)

openssl ecparam -genkey -name prime256v1 -noout -out private.key

P-256 (also known as prime256v1 or secp256r1) is the most widely supported elliptic curve. The -noout flag suppresses the EC parameters from the output.

Generate EC private key (P-384)

openssl ecparam -genkey -name secp384r1 -noout -out private.key

Generate Ed25519 private key

openssl genpkey -algorithm Ed25519 -out private.key

Requires OpenSSL 1.1.1 or later. Ed25519 keys are always 256 bits and do not require parameter selection.

View RSA private key details

openssl rsa -in private.key -text -noout

View EC private key details

openssl ec -in private.key -text -noout

View any private key details (generic)

openssl pkey -in private.key -text -noout

Works with RSA, EC, and Ed25519 keys. Use this when the key type is unknown.

Check RSA key modulus

openssl rsa -in private.key -noout -modulus

Compare with the certificate modulus to verify the key and certificate match.

Remove passphrase from private key

openssl rsa -in encrypted.key -out decrypted.key

The rsa subcommand only handles RSA keys; for EC or Ed25519 keys use the pkey subcommand with the same -in and -out arguments. The decrypted key is as sensitive as the passphrase was; keep it out of shell history and shared directories.

Add passphrase to private key

openssl rsa -in private.key -aes256 -out encrypted.key

Convert private key to DER format

openssl pkey -in private.key -outform DER -out private.der

Convert private key to PKCS#8 format

openssl pkcs8 -topk8 -in private.key -out private-pkcs8.key -nocrypt

PKCS#8 is the key container expected by Java and most non-OpenSSL software. OpenSSL 3.x already writes PKCS#8 ("BEGIN PRIVATE KEY") from genrsa, genpkey and pkey, so this conversion is mainly needed for legacy "BEGIN RSA PRIVATE KEY" or "BEGIN EC PRIVATE KEY" files produced by older versions (the -traditional flag of pkey converts the other way). Remove -nocrypt to encrypt the output; since OpenSSL 1.1.0 the default is PBKDF2 with AES-256-CBC.

Extract public key from private key

openssl pkey -in private.key -pubout -out public.key

List available EC curves

openssl ecparam -list_curves

🔄 Format Conversion

Convert PEM to DER

openssl x509 -in certificate.crt -outform DER -out certificate.der

Convert DER to PEM

openssl x509 -in certificate.der -inform DER -out certificate.crt

Convert PEM to PKCS#12/PFX (certificate and key)

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt

You will be prompted for an export password to protect the PFX file. OpenSSL 3.x encrypts the bundle with AES-256-CBC and PBKDF2 by default; if a consumer that only understands the older RC2/3DES encoding refuses to import it, re-export with -legacy (3.x only).

Convert PEM to PKCS#12/PFX (with certificate chain)

openssl pkcs12 -export -out certificate.pfx -inkey private.key \
  -in certificate.crt -certfile ca-chain.crt

Includes intermediate and root CA certificates in the PFX bundle.

Convert PKCS#12/PFX to PEM (certificate and key)

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

Extracts both the certificate and private key into a single file. The -nodes flag outputs the key unencrypted. In OpenSSL 3.x, use -noenc instead.

Extract certificate only from PKCS#12/PFX

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

Extract private key only from PKCS#12/PFX

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key

Extract CA certificates from PKCS#12/PFX

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-certs.crt

Convert PEM to PKCS#7

openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b

PKCS#7 (.p7b) is commonly used in Windows and Java environments. It contains only certificates and chain, not private keys.

Convert PEM to PKCS#7 (with chain)

openssl crl2pkcs7 -nocrl -certfile certificate.crt \
  -certfile ca-chain.crt -out certificate.p7b

Convert PKCS#7 to PEM

openssl pkcs7 -in certificate.p7b -print_certs -out certificates.crt

Extracts all certificates from the PKCS#7 bundle into PEM format.

Convert PKCS#7 (DER) to PEM

openssl pkcs7 -in certificate.p7b -inform DER -print_certs -out certificates.crt

🛠️ Self-Signed Certificates and CA Operations

Generate self-signed certificate (valid 365 days)

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

You will be prompted for a passphrase and certificate subject fields.

Generate self-signed certificate without passphrase

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 \
  -nodes -subj "/CN=example.com"

Generate self-signed certificate with SANs

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

Requires OpenSSL 1.1.1 or later. Modern browsers require SANs and ignore the CN field for domain validation.

Generate self-signed certificate from existing key

openssl req -x509 -key private.key -out cert.pem -days 365 \
  -subj "/CN=example.com"

Create a CA root certificate

openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -nodes \
  -subj "/C=US/O=My Organization/CN=My Root CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign"

Creates a root CA certificate valid for 10 years. The basicConstraints extension marks it as a CA, and keyUsage restricts it to certificate and CRL signing. Requires OpenSSL 1.1.1 or later. -nodes leaves ca.key unencrypted, which is acceptable for a lab; for a CA anyone will actually trust, drop -nodes so the key is passphrase-protected, and keep it off the machines that serve traffic.

Sign a CSR with your CA

openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out certificate.crt -days 365 -sha256

Issues a certificate from the CSR using your CA. The -CAcreateserial flag creates a serial number file (ca.srl) next to the CA certificate on first use and increments it afterwards. By default x509 -req ignores every extension requested in the CSR, so the certificate produced here carries no SAN and browsers will reject it for TLS; see the next two entries for how to add extensions.

Sign a CSR with your CA (preserving SANs from CSR)

openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out certificate.crt -days 365 -sha256 \
  -copy_extensions copyall

Requires OpenSSL 3.x. The -copy_extensions copyall flag copies all extensions (including SANs) from the CSR to the signed certificate. That is the risk as well as the convenience: a CSR is requester-controlled data, and copyall would also honour a requested basicConstraints CA:TRUE, keyCertSign, or an extendedKeyUsage you never intended to issue. Use -copy_extensions copy (which skips basicConstraints and keyUsage) or, better, only sign CSRs you have inspected with openssl req -text, and prefer setting the extensions yourself with -extfile, which also works on versions before 3.x.

✅ Verification and Validation

Verify certificate against CA bundle

openssl verify -CAfile ca-bundle.crt certificate.crt

Verify certificate chain with intermediate certificates

openssl verify -CAfile root.crt -untrusted intermediate.crt certificate.crt

The -untrusted flag provides intermediate certificates that are not directly trusted but may complete the chain; the file may contain several of them. Add -show_chain to print the chain that was actually built, which is the quickest way to see which intermediate is missing when verification fails.

Verify certificate with verbose output

openssl verify -verbose -CAfile ca-bundle.crt certificate.crt

Check if certificate matches private key (RSA)

# Compare the modulus hashes - they should match
openssl x509 -noout -modulus -in certificate.crt | openssl sha256
openssl rsa -noout -modulus -in private.key | openssl sha256

Both commands should output the same SHA-256 hash if the certificate and key are a matching pair. Only RSA keys have a modulus; for EC or Ed25519 keys compare the public keys instead (the -pubkey output of x509 against the -pubout output of pkey).

Check if CSR matches private key (RSA)

# Compare the modulus hashes - they should match
openssl req -noout -modulus -in request.csr | openssl sha256
openssl rsa -noout -modulus -in private.key | openssl sha256

Check if certificate, key, and CSR all match (RSA)

openssl x509 -noout -modulus -in certificate.crt | openssl sha256
openssl rsa -noout -modulus -in private.key | openssl sha256
openssl req -noout -modulus -in request.csr | openssl sha256

All three commands should produce the same hash. This verifies the entire set is consistent. As above, this is RSA-only; for any other key type compare the public keys extracted from each file.
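The same consistency check for any key type, as an added example that is not part of the original reference. Instead of the RSA-only modulus it extracts the SubjectPublicKeyInfo from a certificate, a CSR or a private key and compares a SHA-256 over the DER encoding, so it covers RSA, EC and Ed25519 alike. Assumed: openssl 1.1.1 or later on PATH; the file names are placeholders and the demo function builds its own throwaway material in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original reference: check that a
# certificate, a CSR and a private key all carry the same public key.
# Comparing the SubjectPublicKeyInfo works for RSA, EC and Ed25519 keys,
# unlike the -modulus comparison, which exists only for RSA.
# Assumptions: openssl 1.1.1+ on PATH; all file names are placeholders.

# pubkey_fingerprint FILE
# Prints the SHA-256 of the DER-encoded public key found in a certificate,
# a CSR or a private key; the input type is detected from the PEM header.
pubkey_fingerprint() {
  f=$1
  case $(head -n 1 "$f") in
    *"BEGIN CERTIFICATE REQUEST"*|*"BEGIN NEW CERTIFICATE REQUEST"*)
      pub=$(openssl req -in "$f" -noout -pubkey) ;;
    *"BEGIN CERTIFICATE"*)
      pub=$(openssl x509 -in "$f" -noout -pubkey) ;;
    *"PRIVATE KEY"*)
      pub=$(openssl pkey -in "$f" -pubout) ;;
    *)
      echo "pubkey_fingerprint: unrecognised PEM header in $f" >&2; return 2 ;;
  esac
  # -r prints "hash *stdin", identical on 1.1.1 and 3.x; keep the hash only.
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d ' ' -f 1
}

# keys_match FILE1 FILE2 [FILE3 ...]
# Returns 0 when every file carries the same public key as FILE1,
# 1 on the first mismatch, 2 if a file could not be parsed.
keys_match() {
  first=$1
  ref=$(pubkey_fingerprint "$first") || return 2
  shift
  for f in "$@"; do
    fp=$(pubkey_fingerprint "$f") || return 2
    if [ "$fp" != "$ref" ]; then
      echo "MISMATCH: $f does not match $first" >&2
      return 1
    fi
  done
  echo "OK: public key $ref shared by $first $*"
  return 0
}

# demo: an EC key with its own CSR and self-signed certificate (must match)
# plus an unrelated Ed25519 key (must not). Returns 0 if both cases behave.
demo() {
  d=$(mktemp -d)
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/a.key"
  openssl req -new -key "$d/a.key" -subj "/CN=demo" -out "$d/a.csr"
  openssl req -x509 -key "$d/a.key" -subj "/CN=demo" -days 1 -out "$d/a.crt" 2>/dev/null
  openssl genpkey -algorithm Ed25519 -out "$d/other.key"
  keys_match "$d/a.crt" "$d/a.key" "$d/a.csr" || return 1          # expected: OK
  if keys_match "$d/a.crt" "$d/other.key" 2>/dev/null; then return 1; fi  # expected: MISMATCH
  rm -rf "$d"
  echo "demo: match and mismatch detected as expected"
}

# Usage on real files: keys_match certificate.crt private.key request.csr
```

Hashing the DER form rather than diffing the PEM text avoids false mismatches from line wrapping or trailing newlines, and the same fingerprint can be compared against what a remote server presents (openssl s_client with -showcerts piped into x509 -pubkey).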

Verify certificate purpose

openssl verify -purpose sslserver -CAfile ca-bundle.crt certificate.crt

Validates the chain and checks that the certificate's extensions (keyUsage, extendedKeyUsage, basicConstraints) permit the specified purpose. Other values: sslclient, smimesign, smimeencrypt, crlsign, any; openssl verify -help lists the full set for your version.

🔒 Testing SSL/TLS Connections

Connect to server and show certificate details

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -text -noout

Connects, retrieves the server certificate, and displays its full details. The echo | prefix closes the connection as soon as the handshake completes. openssl x509 reads only the first certificate in its input, which is the leaf; use -showcerts (next entry) to see the rest of the chain.

Show full certificate chain

openssl s_client -connect example.com:443 -showcerts

Displays all certificates sent by the server, including intermediate certificates in the chain.

Connect with specific TLS version

openssl s_client -connect example.com:443 -tls1_2

Forces a specific TLS version. Available options: -tls1, -tls1_1, -tls1_2, -tls1_3 (each exists only if the build still includes that protocol). Useful for testing whether a server supports or rejects a version. On OpenSSL 3.x the client itself refuses TLS 1.0 and 1.1 at the default security level and reports "no protocols available"; that is not a server rejection. Add -cipher DEFAULT:@SECLEVEL=0 for those two probes so the answer reflects the server.

Connect with specific cipher suite

openssl s_client -connect example.com:443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384

Tests whether the server accepts a specific cipher suite. -cipher governs TLS 1.2 and earlier only, so pin the version with -tls1_2; otherwise a server that supports TLS 1.3 negotiates 1.3 and the suite you named is never offered. For TLS 1.3 suites use -ciphersuites instead (e.g., -ciphersuites TLS_AES_256_GCM_SHA384).

Test with SNI (Server Name Indication)

openssl s_client -connect example.com:443 -servername example.com

Needed when a server hosts several certificates on one IP address: without SNI you may receive the default certificate instead. Since OpenSSL 1.1.1 s_client sends SNI for the -connect host automatically, so -servername mainly matters when you connect to an IP or load-balancer address but want the certificate for a particular hostname. -noservername suppresses SNI to see what a server presents to clients that do not send it.

Check OCSP stapling

openssl s_client -connect example.com:443 -status

Requests the OCSP staple response from the server. Look for "OCSP Response Status: successful" in the output.

Test client certificate authentication

openssl s_client -connect example.com:443 -cert client.crt -key client.key

Show TLS handshake messages

openssl s_client -connect example.com:443 -msg

Dumps every TLS record sent and received as hex; -state adds the handshake state transitions. Useful for debugging handshake failures. No flag is needed to see which CAs the server trusts for client authentication: when the server requests a client certificate, s_client prints them under "Acceptable client certificate CA names" in its normal output (or "No client certificate CA names sent").

Download server certificate to file

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -out server.crt

Test SMTP STARTTLS

openssl s_client -connect mail.example.com:587 -starttls smtp

Test IMAP STARTTLS

openssl s_client -connect mail.example.com:143 -starttls imap

Test FTP STARTTLS

openssl s_client -connect ftp.example.com:21 -starttls ftp

Other supported STARTTLS protocols: pop3, xmpp, ldap, postgres, mysql.

Check if a specific TLS version is supported

# Check if TLS 1.3 is supported
echo | openssl s_client -connect example.com:443 -tls1_3 2>&1 | grep -E "Protocol|alert|error"

# Check if TLS 1.1 is still enabled (it should not be)
echo | openssl s_client -connect example.com:443 -tls1_1 2>&1 | grep -E "Protocol|alert|error"

A "Protocol  : TLSv1.3" (or TLSv1.1) line means that version was negotiated. A "protocol version" alert or an "unsupported protocol" error means the server rejected it. "no protocols available" means your own client declined to offer the version (OpenSSL 3.x disables TLS 1.0 and 1.1 at the default security level, and some builds omit them entirely), so it says nothing about the server. In scripts, rely on the exit status of s_client, which is non-zero when the handshake fails.
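A scripted version probe, as an added example that is not part of the original reference. It uses the exit status of s_client and its "New, ..., Cipher is" line rather than reading the first lines of output by eye, and it lowers the client's own security level only for the TLS 1.0 and 1.1 probes so that an OpenSSL 3.x client's refusal is not mistaken for a server rejection. Assumed: openssl 1.1.1 or later on PATH; HOST, PORT and the example.com usage line are placeholders, and the build must still include a protocol for its probe to mean anything.

```shell
#!/bin/sh
# Added example, not part of the original reference: probe which TLS versions
# a server accepts. Assumptions: openssl 1.1.1+ on PATH; HOST/PORT are
# placeholders. For tls1 and tls1_1 the client's security level is lowered
# because an OpenSSL 3.x client otherwise refuses those versions itself.

# tls_version_probe HOST PORT VERSION [SNI]
# VERSION is tls1, tls1_1, tls1_2 or tls1_3. Prints one line and returns
# 0 if the handshake completed, 1 if it did not, 2 on a bad VERSION.
tls_version_probe() {
  host=$1 port=$2 ver=$3 sni=${4:-$1}
  case $ver in
    tls1|tls1_1)   extra='-cipher DEFAULT:@SECLEVEL=0' ;;
    tls1_2|tls1_3) extra='' ;;
    *) echo "tls_version_probe: unknown version $ver" >&2; return 2 ;;
  esac
  # s_client exits 0 only when the handshake completed and stdin hit EOF.
  if out=$(echo | openssl s_client -connect "$host:$port" -servername "$sni" \
                   "-$ver" $extra 2>&1); then
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    echo "$ver: accepted (cipher $cipher)"
    return 0
  fi
  # Keep the first alert/error line so a client-side refusal is visible.
  reason=$(printf '%s\n' "$out" | grep -E 'alert|no protocols|error:' |
           head -n 1 | sed 's/^.*error:/error:/')
  echo "$ver: rejected ${reason:+($reason)}"
  return 1
}

# tls_version_report HOST PORT [SNI]
# Probes every version and returns the number of legacy versions (TLS 1.0
# or 1.1) the server accepted, so a non-zero status flags a weak server.
tls_version_report() {
  legacy=0
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    if tls_version_probe "$1" "$2" "$v" "${3:-$1}"; then
      case $v in tls1|tls1_1) legacy=$((legacy + 1)) ;; esac
    fi
  done
  return $legacy
}

# Usage: tls_version_report example.com 443
```

Run against a host that terminates TLS on a shared address, pass the intended hostname as the fourth argument so the SNI-selected certificate and policy are the ones being tested.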

Connect with custom CA trust store

openssl s_client -connect example.com:443 -CAfile ca-bundle.crt

Verifies the server certificate against a specific CA bundle instead of the system default trust store. Check the "Verify return code: 0 (ok)" line at the end of the output; s_client completes the handshake even when verification fails, so the code, not the connection, is the result.

🔗 Certificate Chain Operations

Display the full certificate chain from a server

echo | openssl s_client -connect example.com:443 -showcerts 2>/dev/null

Save all certificates from a server chain to a file

echo | openssl s_client -connect example.com:443 -showcerts 2>/dev/null \
  | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > chain.pem

Verify chain order in a bundle file

openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout

Lists all certificates in order with their subject and issuer. The leaf certificate should be first, followed by intermediates, ending with the root.

Build a certificate bundle from separate files

# Concatenate in order: leaf, intermediate(s), root
cat certificate.crt intermediate.crt root.crt > bundle.pem

Web servers typically need the leaf certificate followed by intermediates. The root certificate is usually omitted since clients already have it in their trust store.

Find the CA Issuers URL (AIA extension)

openssl x509 -in certificate.crt -noout -text | grep "CA Issuers"

The Authority Information Access (AIA) extension contains a URL where the issuer certificate can be downloaded to build the chain (on OpenSSL 1.1.1 and later, -ext authorityInfoAccess prints just that extension). Servers should still send the intermediate themselves; many clients do not follow AIA.

📜 CRL (Certificate Revocation List) Operations

View CRL details (PEM format)

openssl crl -in crl.pem -text -noout

Displays the CRL issuer, last update, next update, and all revoked certificate serial numbers.

View CRL details (DER format)

openssl crl -in crl.der -inform DER -text -noout

Convert CRL from DER to PEM

openssl crl -in crl.der -inform DER -out crl.pem -outform PEM

Verify a certificate against a CRL

# Combine the CA certificate and CRL, then verify
cat ca.crt crl.pem > ca-crl.pem
openssl verify -crl_check -CAfile ca-crl.pem certificate.crt

The CA file must contain both the CA certificate and the CRL for revocation checking to work; -CAfile accepts CRLs alongside certificates, which is why the concatenation works, and -CRLfile is the explicit alternative. -crl_check only consults the CRL for the leaf certificate; if the CRL is missing or past its nextUpdate, verification fails rather than silently passing.

Verify checking all CRLs in the chain

openssl verify -crl_check_all -CAfile ca-crl-bundle.pem certificate.crt

Find CRL distribution point in a certificate

openssl x509 -in certificate.crt -noout -text | grep -A 4 "CRL Distribution"

Generate a CRL (as a CA)

openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem -config openssl.cnf

Requires a properly configured openssl.cnf file with CA directory structure and database files.

🌐 OCSP (Online Certificate Status Protocol)

Find the OCSP responder URL

openssl x509 -in certificate.crt -noout -ocsp_uri

Check certificate revocation status via OCSP

openssl ocsp -issuer issuer.crt -cert certificate.crt \
  -url http://ocsp.example.com -resp_text

Sends an OCSP request and displays the response. Look for "Cert Status: good" in the output. A status of "revoked" means the certificate has been revoked; "unknown" means the responder does not know the certificate at all, which is a failure, not a pass. Also check that the response itself carries "Response verify OK"; a status line from a response whose signature failed to verify is worthless.

Create an OCSP request file

openssl ocsp -issuer issuer.crt -cert certificate.crt \
  -reqout ocsp-request.der

Verify an OCSP response with CA validation

openssl ocsp -issuer issuer.crt -cert certificate.crt \
  -url http://ocsp.example.com -CAfile ca-bundle.crt -resp_text

The -CAfile flag enables full verification of the OCSP response signature chain.

Check OCSP stapling on a live server

echo | openssl s_client -connect example.com:443 -status 2>/dev/null \
  | grep -A 20 "OCSP Response"

If the server supports OCSP stapling, you will see the stapled OCSP response. If not, the section will be empty or absent.

🔐 Encryption, Decryption, and Signing

Encrypt a file with AES-256-CBC

openssl enc -aes-256-cbc -salt -pbkdf2 -in plaintext.txt -out encrypted.enc

You will be prompted for a password. Salting has been the default since OpenSSL 1.1.0, so -salt only matters on older builds. -pbkdf2 (OpenSSL 1.1.1+) derives the key with PBKDF2 instead of the legacy single-pass EVP_BytesToKey derivation, which offers little resistance to password guessing; -iter N raises the iteration count above the default of 10000. Note that enc provides confidentiality only: it has no authenticated modes (GCM is not supported), so a modified ciphertext may decrypt to garbage without any error. Sign the ciphertext separately when tampering must be detectable.

Decrypt a file

openssl enc -d -aes-256-cbc -pbkdf2 -in encrypted.enc -out decrypted.txt

Encrypt a file with Base64 output

openssl enc -aes-256-cbc -salt -pbkdf2 -a -in plaintext.txt -out encrypted.txt

The -a flag Base64-encodes the output, making it safe for text transport.

Sign a file with a private key

openssl dgst -sha256 -sign private.key -out signature.bin file.txt

Verify a file signature

openssl dgst -sha256 -verify public.key -signature signature.bin file.txt

Returns "Verified OK" if the signature matches the file contents and "Verification Failure" otherwise; the exit status follows, so scripts can rely on it. dgst -sign and -verify cover RSA, ECDSA and DSA keys. Ed25519 cannot be used with dgst because the algorithm hashes the message internally; use openssl pkeyutl with -rawin (-sign and -verify, OpenSSL 1.1.1+) for those keys.

Generate SHA-256 hash of a file

openssl dgst -sha256 file.txt

🧰 Utility Commands

Check OpenSSL version

openssl version -a

Shows version, build date, compiler flags, and default directories.

Generate random bytes (hex)

openssl rand -hex 32

Generates 32 random bytes as hexadecimal (64 hex characters). Uses cryptographically secure randomness.

Generate random bytes (Base64)

openssl rand -base64 32

Useful for generating random passwords, tokens, and secrets.

List available cipher suites

openssl ciphers -v

List TLS 1.3 cipher suites

openssl ciphers -v -s -tls1_3

The protocol flags of ciphers only filter in combination with -s; -s restricts the list to what could actually be negotiated at the selected protocol version and security level.

List available digest algorithms

openssl list -digest-algorithms

List available cipher algorithms

openssl list -cipher-algorithms

List available public key algorithms

openssl list -public-key-algorithms

Benchmark cryptographic performance

openssl speed

Benchmarks all algorithms. Test a specific algorithm with openssl speed aes-256-cbc or openssl speed rsa2048.

Base64 encode a file

openssl base64 -in file.bin -out file.b64

Base64 decode a file

openssl base64 -d -in file.b64 -out file.bin

Parse ASN.1 structure of a certificate

openssl asn1parse -in certificate.crt

Dumps the DER structure as a sequence of tagged elements; PEM input is decoded automatically, and raw DER needs -inform DER. Add -i to indent nested structures and -strparse OFFSET to descend into an element (for example the contents of an OCTET STRING holding an extension). Useful for debugging encoding issues in any X.509, PKCS or key file.

See Also