OpenSSL Commands Cheat Sheet

• Updated June 16, 2017

The openssl command has a vast array of uses and functions.

This post will be an ever growing list of various, useful OpenSSL commands.

View an SSL Certificate

View the SSL Certificate for any protocol using SSL with the following command:

openssl s_client -showcerts -connect FQDN:PORT

To see more documentation on s_client run the following command:

man s_client

View the Contents of an SSL Certificate

openssl x509 -text -noout -in server.crt

View the Contents of a Certificate Signing Request

openssl req -text -noout -in server.csr

Verify SSL Certificate Chain

openssl verify -CAfile <(cat private.key intermediate.crt) signed.crt

Verify an SSL Certificate was Generated from a Certificate Authority

openssl verify -verbose -CAFile ca.crt server.crt

Verify a Private Key Matches an SSL Certificate

If the MD5 hash of each command matches, there is a very high probability the SSL Certificate was signed by the Private Key.

openssl x509 -modulus -noout -in server.crt | openssl md5

openssl rsa -modulus -noout -in server.key | openssl md5

Convert Java Keystore Public and Private Keys to X509

openssl pkcs12 -in keystore.(p12 | pfx) -out private.key -nodes

Convert PKCS7 to X509

openssl pkcs7 -in cert.pkcs7 -print_certs -out cert.crt

Create a Private Key

The following command will create a 2048 bit Private Key:

openssl genrsa -out server.key 2048

Create a Certificate Authority

The following command will create a Certificate Authority that will expire in 5 years:

openssl req -new -x509 -extensions v3_ca -keyout myca.key -out myca.crt -days 1825

Create an Apache Formatted Certificate Signing Request

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Create a Self-Signed SSL Certificate

Create the Private Key and the Certificate Signing Request:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Create the SSL Certificate from the Certificate Signing Request and sign it with the Private Key:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Generate Diffie-Hellman Keys

The following command may take a few minutes to complete.

Change 2048 to 4096 if you want a stronger key size.

openssl dhparam -out dhparam.pem 2048


If you found this post useful and would like to help support this site - and get something for yourself - sign up for any of the services listed below through the provided links.

The following links are part of affiliate programs, and I will receive a referral payment from any of the services you sign-up for.

  • Get Faster Shipping: About to order some stuff on Amazon but want to get more value out of the money you would normally pay for shipping? Sign-up for a free, 30-day trial of Amazon Prime to get free two-day shipping, access to thousands of movies and TV shows, and more.
  • Start Investing Now: Looking to start investing some of your saved income? Get started by opening an account with Webull, where upon sign-up and opening a brokerage account with an initial deposit of $100 or more you will receive free stock(s). The promotions are always changing, so be sure to click the link to see the latest.

Thanks for reading and take care.