OpenSSL Commands Cheat Sheet

• Updated August 26, 2022

A list of my commonly used openssl commands.

View the SSL Certificate of a Remote Server

View the SSL certificate for any protocol using SSL/TLS with the following command:

openssl s_client -showcerts -connect FQDN:PORT

To see more documentation on s_client run the following command:

man s_client

View the Contents of an SSL Certificate

openssl x509 -text -noout -in cert.pem

Verify SSL Certificate Chain

bundle.pem could contain Intermediate Certificate(s) and/or a Root Certificate provided by your Certificate Authority.

openssl verify -CAfile bundle.pem cert.pem

Verify a Private Key is Valid

Output will be RSA key ok if the Private Key is valid.

openssl rsa -check -noout -in key.pem

Verify a Private Key Matches the Signed SSL Certificate

If the hash outputted by each of the following commands match, then the Private Key signed the SSL certificate.

openssl x509 -modulus -noout -in cert.pem | openssl sha256

openssl rsa -modulus -noout -in key.pem | openssl sha256

Same commands but in a single line with string matching:

[[ "$(openssl x509 -modulus -noout -in cert.pem | openssl sha256)" == "$(openssl rsa -modulus -noout -in key.pem | openssl sha256)" ]] && echo "MATCH" || echo "NO MATCH"

Shell Script to Quickly Check SSL Certificate Serial Number, Issuer, Issue and Expiry Dates, Subject, and Subject Alternate Names

Create file with the following content:



echo | openssl s_client -showcerts -servername "$hostname" -connect "$hostname":443 2>/dev/null | openssl x509 -serial -issuer -dates -subject -ext subjectAltName -noout

Set the executable permission:

chmod +x

Run the script with the following command:


Extract the Private Key from a PFX File

openssl pkcs12 -in file.pfx -nocerts -out key.pem

If the Private Key is password protected, remove the password with the following command:

openssl rsa -in key.pem -out key-nopass.pem

Extract the Public Certificate Chain from a PFX File

openssl pkcs12 -in file.pfx -nokeys -out certs.pem

Create a Self-Signed SSL Certificate

Create the Private Key and the Certificate Signing Request:

openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out server.csr

Create the SSL Certificate from the Certificate Signing Request and sign it with the Private Key:

openssl x509 -req -days 365 -in server.csr -signkey key.pem -out cert.pem


If you found this post useful and would like to help support this site - and get something for yourself - sign up for any of the services listed below through the provided affiliate links. I will receive a referral payment from any of the services you sign-up for.

Get faster shipping and more with Amazon Prime: About to order something from Amazon but want to get more value out of the money you would normally pay for shipping? Sign-up for a free 30-day trial of Amazon Prime to get free two-day shipping, access to thousands of movies and TV shows, and more.

Thanks for reading and take care.