OpenSSL Commands Cheat Sheet

Published May 18, 2014 • Updated June 16, 2017

The openssl command has a vast array of uses and functions.

This post will be an ever growing list of various, useful OpenSSL commands.

View an SSL Certificate

View the SSL Certificate for any protocol using SSL with the following command:

openssl s_client -showcerts -connect FQDN:PORT

To see more documentation on s_client run the following command:

man s_client

openssl x509 -text -noout -in server.crt

openssl req -text -noout -in server.csr

openssl verify -CAfile <(cat private.key intermediate.crt) signed.crt

openssl verify -verbose -CAFile ca.crt server.crt

If the MD5 hash of each command matches, there is a very high probability the SSL Certificate was signed by the Private Key.

openssl x509 -modulus -noout -in server.crt | openssl md5

openssl rsa -modulus -noout -in server.key | openssl md5

openssl pkcs12 -in keystore.(p12 | pfx) -out private.key -nodes

openssl pkcs7 -in cert.pkcs7 -print_certs -out cert.crt

The following command will create a 2048 bit Private Key:

openssl genrsa -out server.key 2048

The following command will create a Certificate Authority that will expire in 5 years:

openssl req -new -x509 -extensions v3_ca -keyout myca.key -out myca.crt -days 1825

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Create the Private Key and the Certificate Signing Request:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Create the SSL Certificate from the Certificate Signing Request and sign it with the Private Key:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The following command may take a few minutes to complete.

Change 2048 to 4096 if you want a stronger key size.

openssl dhparam -out dhparam.pem 2048