OpenSSL Commands Cheat Sheet

• Updated August 15, 2022

The openssl command has a vast array of uses and functions.

This post will be an ever growing list of various, useful OpenSSL commands.

View an SSL Certificate

View the SSL Certificate for any protocol using SSL with the following command:

openssl s_client -showcerts -connect FQDN:PORT

To see more documentation on s_client run the following command:

man s_client

View the Contents of an SSL Certificate

openssl x509 -text -noout -in server.crt

View the Contents of a Certificate Signing Request

openssl req -text -noout -in server.csr

Verify SSL Certificate Chain

openssl verify -CAfile <(cat private.key intermediate.crt) signed.crt

Verify an SSL Certificate was Generated from a Certificate Authority

openssl verify -verbose -CAFile ca.crt server.crt

Verify a Private Key Matches an SSL Certificate

If the MD5 hash of each command matches, there is a very high probability the SSL Certificate was signed by the Private Key.

openssl x509 -modulus -noout -in server.crt | openssl md5

openssl rsa -modulus -noout -in server.key | openssl md5

Shell Script to Quickly Check SSL Certificate Serial Number, Subject, Issuer, and Issue and Expiry Dates

Create file with the following contents:



echo | openssl s_client -showcerts -servername "$hostname" -connect "$hostname":443 2>/dev/null | openssl x509 -serial -subject -issuer -dates -noout

Set the executable permission:

chmod +x

Run the script with the following command:


Convert Java Keystore Public and Private Keys to X509

openssl pkcs12 -in keystore.(p12 | pfx) -out private.key -nodes

Convert PKCS7 to X509

openssl pkcs7 -in cert.pkcs7 -print_certs -out cert.crt

Create a Private Key

The following command will create a 2048 bit Private Key:

openssl genrsa -out server.key 2048

Create a Certificate Authority

The following command will create a Certificate Authority that will expire in 5 years:

openssl req -new -x509 -extensions v3_ca -keyout myca.key -out myca.crt -days 1825

Create an Apache Formatted Certificate Signing Request

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Create a Self-Signed SSL Certificate

Create the Private Key and the Certificate Signing Request:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Create the SSL Certificate from the Certificate Signing Request and sign it with the Private Key:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Generate Diffie-Hellman Keys

The following command may take a few minutes to complete.

Change 2048 to 4096 if you want a stronger key size.

openssl dhparam -out dhparam.pem 2048