Common OpenSSL Commands

The Most Common OpenSSL Commands

OpenSSL is one of the most versatile SSL tools. It is an open source implementation of the SSL/TLS protocols. It is most often used to create private keys and CSRs (Certificate Signing Requests). It also provides functions for viewing the details of a CSR, key or certificate and for converting a certificate to different formats.

Listed below are the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands enable generation of Private Keys, CSRs and Certificates.

Generate a new Private Key and Certificate Signing Request

[root@server ~]# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

Generate a self-signed certificate

[root@server ~]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt

Generate a certificate signing request (CSR) for an existing private key

[root@server ~]# openssl req -out csr.csr -key privatekey.key -new

Generate a certificate signing request based on an existing certificate

[root@server ~]# openssl x509 -x509toreq -in certificate.crt -out csr.csr -signkey privatekey.key

Remove a passphrase from a private key

[root@server ~]# openssl rsa -in privatekey.pem -out newprivatekey.pem

Checking Using OpenSSL

These commands enable checking of information within a Private Key, CSR or Certificate.

Check a Certificate Signing Request (CSR)

[root@server ~]# openssl req -text -noout -verify -in csr.csr

Check a private key

[root@server ~]# openssl rsa -in privatekey.key -check

Check a certificate

[root@server ~]# openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

[root@server ~]# openssl pkcs12 -info -in keystore.p12

Debugging Using OpenSSL

These commands enable debugging of Private Keys, CSRs and Certificates.

Check the MD5 hash of a Public Key to ensure it matches the contents of the CSR or Private Key

[root@server ~]# openssl x509 -noout -modulus -in certificate.crt | openssl md5
[root@server ~]# openssl rsa -noout -modulus -in privatekey.key | openssl md5
[root@server ~]# openssl req -noout -modulus -in csr.csr | openssl md5
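
As an added example (not from the original page), the three modulus checks can be wrapped in a script that compares the digests itself and refuses unreadable input instead of hashing empty output. It uses SHA-256 in place of MD5 as the digest; the function names, the CN example.test and the file other.key are assumptions made for the demo, and the keys are assumed to be unencrypted RSA keys.

```shell
#!/bin/sh
# Added example. File names and the CN are constructed for the demo.

# Print the SHA-256 digest of the RSA modulus in a PEM file.
# $1 = openssl subcommand (x509 | rsa | req), $2 = file.
# Returns 2 if the file cannot be parsed or holds no RSA modulus, so that
# two unreadable inputs can never hash to the same "empty" digest.
modulus_digest() {
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 2
    hex=${mod#Modulus=}
    case $hex in ''|*[!0-9A-Fa-f]*) return 2 ;; esac
    printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# Return 0 when certificate $1, private key $2 and CSR $3 share one modulus,
# 1 on a mismatch, 2 when any input is unusable.
same_key() {
    c=$(modulus_digest x509 "$1") || return 2
    k=$(modulus_digest rsa "$2") || return 2
    r=$(modulus_digest req "$3") || return 2
    [ "$c" = "$k" ] && [ "$k" = "$r" ]
}

# Build constructed test material in directory $1: a key, its CSR and a
# self-signed certificate, plus a second key that belongs to none of them.
make_fixture() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/privatekey.key" -out "$1/csr.csr" 2>/dev/null &&
    openssl req -x509 -new -key "$1/privatekey.key" -subj "/CN=example.test" \
        -days 1 -out "$1/certificate.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_fixture "$d"
same_key "$d/certificate.crt" "$d/privatekey.key" "$d/csr.csr" && echo "match"
same_key "$d/certificate.crt" "$d/other.key" "$d/csr.csr" || echo "no match (status $?)"
rm -rf "$d"
```

The exit status lets a deployment script stop before installing a certificate next to the wrong key.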

Check an SSL connection. All the Certificates (including Intermediates) should be displayed

[root@server ~]# openssl s_client -connect www.google.com:443

Converting Using OpenSSL

These commands allow you to convert Keys and Certificates to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.

Convert a DER file (.crt .cer .der) to PEM

[root@server ~]# openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

[root@server ~]# openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a Private Key and Certificates to PEM

[root@server ~]# openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes

Add -nocerts to output only the private key, or -nokeys to output only the certificates. The -nodes option writes the private key to keystore.pem without encrypting it.

Convert a PEM Certificate file and a Private Key to PKCS#12 (.pfx .p12)

[root@server ~]# openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile cacert.crt