
OpenSSL Commands Reference

Common OpenSSL commands for certificates, keys, and encryption.

Generate RSA-2048 Private Key

Generate a 2048-bit RSA private key in PEM format.

openssl genrsa -out private.pem 2048

Generate RSA-4096 Private Key

Generate a 4096-bit RSA private key in PEM format.

openssl genrsa -out private.pem 4096

Generate EC Private Key (P-256)

Generate an Elliptic Curve private key on the P-256 (prime256v1) curve.

openssl ecparam -name prime256v1 -genkey -noout -out ec_private.pem

Extract Public Key from Private Key

Extract the public key from an existing RSA private key.

openssl rsa -in private.pem -pubout -out public.pem

Generate AES-256 Random Key

Generate a random 256-bit (32-byte) key in hex.

openssl rand -hex 32

Generate Random Base64 String

Generate a random 32-byte string encoded as Base64.

openssl rand -base64 32

Generate Self-Signed Certificate

Create a self-signed certificate valid for 365 days, generating a new RSA-2048 key at the same time. -nodes writes the private key without passphrase protection (OpenSSL 3.x also accepts the clearer spelling -noenc).

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Generate CSR (Certificate Signing Request)

Create a CSR for submission to a Certificate Authority.

openssl req -new -key private.pem -out request.csr

Generate CSR with Subject (one-liner)

Create a CSR with subject info in one command.

openssl req -new -key private.pem -out req.csr -subj "/C=US/ST=CA/L=San Francisco/O=My Org/CN=example.com"

View Certificate Details

Display detailed information about a PEM certificate.

openssl x509 -in cert.pem -text -noout

Check Certificate Expiry

Show only the validity dates of a certificate.

openssl x509 -in cert.pem -noout -dates

Verify Certificate Against CA

Verify that a certificate was signed by a given CA.

openssl verify -CAfile ca.pem cert.pem

Encrypt File with AES-256-CBC

Encrypt a file using AES-256-CBC with a key derived from a password. Without -pbkdf2, openssl enc uses its legacy single-iteration key derivation (OpenSSL 1.1.1 and later print a deprecation warning), so add -pbkdf2 -iter 100000 for new data. -k puts the password on the command line, where it is visible in the process list and shell history; -pass file:... or -pass env:... avoids that.

openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.enc -k mypassword

Decrypt File with AES-256-CBC

Decrypt a file encrypted with AES-256-CBC. The key-derivation options (-pbkdf2, -iter) must match those used at encryption time; otherwise a different key is derived and decryption fails with "bad decrypt".

openssl enc -aes-256-cbc -d -in encrypted.enc -out decrypted.txt -k mypassword

Encrypt with RSA Public Key

Encrypt a small file using an RSA public key. RSA can only encrypt data shorter than the modulus (under 245 bytes for RSA-2048 with the default PKCS#1 v1.5 padding), so in practice it wraps a symmetric key rather than a document. rsautl is deprecated since OpenSSL 3.0; pkeyutl -encrypt takes the same role.

openssl rsautl -encrypt -inkey public.pem -pubin -in plaintext.txt -out encrypted.bin

Decrypt with RSA Private Key

Decrypt a file encrypted with the corresponding public key (pkeyutl -decrypt is the non-deprecated equivalent on OpenSSL 3.x).

openssl rsautl -decrypt -inkey private.pem -in encrypted.bin -out decrypted.txt

Sign a File with Private Key

Create a digital signature for a file.

openssl dgst -sha256 -sign private.pem -out signature.bin input.txt

Verify a Digital Signature

Verify a digital signature using the public key.

openssl dgst -sha256 -verify public.pem -signature signature.bin input.txt

View Private Key Info

Display information about an RSA private key.

openssl rsa -in private.pem -text -noout

Check CSR Details

Display the details in a Certificate Signing Request.

openssl req -in request.csr -text -noout

Check Remote SSL Certificate

View the SSL certificate of a remote server.

openssl s_client -connect example.com:443 -showcerts

Get Remote Certificate Expiry

Check the expiry date of a remote server's certificate. The leading echo closes stdin so s_client exits after the handshake instead of waiting for input. OpenSSL 1.1.1 and later send the hostname as SNI automatically; on older releases add -servername example.com so a server hosting several names returns the right certificate.

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
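A small Python helper, added here as an example and not part of the original cheat sheet, that turns the notBefore/notAfter lines printed by the local and remote expiry commands above into a verdict. The parser runs on constructed sample output; only remote_cert_dates assumes an openssl binary on PATH and network access.

```python
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample of what "openssl x509 -noout -dates" prints. Note the
# space padding before single-digit days ("Jan  5"), which must be handled.
SAMPLE_DATES = """notBefore=Jan  5 00:00:00 2024 GMT
notAfter=Mar 31 23:59:59 2025 GMT
"""


def parse_openssl_dates(output: str) -> dict:
    """Parse the notBefore=/notAfter= lines into timezone-aware datetimes."""
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            value = " ".join(value.split())  # collapse the day padding
            dt = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
            dates[key] = dt.replace(tzinfo=timezone.utc)
    if len(dates) != 2:
        raise ValueError("openssl output lacks notBefore/notAfter lines")
    return dates


def expiry_status(output: str, now: Optional[datetime] = None,
                  warn_days: int = 30) -> dict:
    """Classify validity as not_yet_valid, expired, expiring_soon or ok."""
    dates = parse_openssl_dates(output)
    now = now or datetime.now(timezone.utc)
    remaining = dates["notAfter"] - now
    if now < dates["notBefore"]:
        state = "not_yet_valid"
    elif remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warn_days):
        state = "expiring_soon"
    else:
        state = "ok"
    return {"state": state, "days_remaining": remaining.days, **dates}


def remote_cert_dates(host: str, port: int = 443) -> str:
    """Same pipeline as the shell one-liner above, without a shell (network)."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True)  # closed stdin, like 'echo |'
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=client.stdout, capture_output=True, text=True,
                          check=True)
    return x509.stdout
```

Feed the string returned by remote_cert_dates("example.com") (or the output of the local -dates command) to expiry_status to get the same verdict for a live server.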

Compute SHA-256 Hash of File

Calculate the SHA-256 hash of a file.

openssl dgst -sha256 file.txt

Compute MD5 Hash of File

Calculate the MD5 hash of a file. MD5 is no longer collision-resistant, so use it only to compare against legacy checksums, not to verify integrity of downloaded software.

openssl dgst -md5 file.txt

Convert PEM to DER

Convert a PEM certificate to DER binary format.

openssl x509 -in cert.pem -outform DER -out cert.der

Convert DER to PEM

Convert a DER certificate to PEM text format.

openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem

Convert PFX/P12 to PEM

Extract certificate and key from a PKCS#12 file.

openssl pkcs12 -in archive.pfx -out certs.pem -nodes

Convert PEM to PFX/P12

Package certificate and key into a PKCS#12 file.

openssl pkcs12 -export -out archive.pfx -inkey private.pem -in cert.pem -certfile ca.pem

Convert PKCS8 to RSA Private Key

Convert a PKCS#8 private key (BEGIN PRIVATE KEY) to the traditional RSA format (BEGIN RSA PRIVATE KEY). Without -traditional, openssl pkcs8 writes an unencrypted PKCS#8 key rather than the traditional format.

openssl pkcs8 -in pkcs8.pem -traditional -out rsa.pem

Code Implementation

import subprocess
from datetime import datetime, timezone

# Certificate parsing uses the cryptography library (pip install cryptography);
# the not_valid_*_utc properties used below need version 42 or newer.
from cryptography import x509
from cryptography.hazmat.backends import default_backend


def run_openssl(args: list[str]) -> str:
    """Run an openssl command and return stdout (raises on non-zero exit)."""
    result = subprocess.run(
        ["openssl"] + args,
        capture_output=True, text=True, check=True
    )
    return result.stdout


# Generate a self-signed certificate using the openssl CLI
def generate_self_signed_cert(
    key_path: str = "key.pem",
    cert_path: str = "cert.pem",
    days: int = 365,
    cn: str = "localhost",
    bits: int = 4096,
) -> None:
    # Step 1: generate private key (openssl genrsa -out key.pem 4096)
    run_openssl(["genrsa", "-out", key_path, str(bits)])
    # Step 2: generate self-signed cert (openssl req -x509 -key key.pem ...)
    run_openssl([
        "req", "-x509",
        "-key", key_path,
        "-out", cert_path,
        "-days", str(days),
        "-subj", f"/CN={cn}",
    ])
    print(f"Certificate written to {cert_path}")


# Read certificate info using the cryptography library
def inspect_cert(pem_path: str) -> dict:
    with open(pem_path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read(), default_backend())
    now = datetime.now(timezone.utc)
    # get_extension_for_class raises ExtensionNotFound when the certificate
    # has no SAN, so the lookup must be guarded rather than tested for None.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        dns_names = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "not_before": cert.not_valid_before_utc.isoformat(),
        "not_after": cert.not_valid_after_utc.isoformat(),
        "is_expired": cert.not_valid_after_utc < now,
        "serial": cert.serial_number,
        "san": dns_names,
    }
