The Most Common OpenSSL Commands

OpenSSL is one of the most versatile SSL tool. It is an open source implementation of the SSL protocol. OpenSSL is usually used to create a CSR (Certificate Signing Request) and Private Keys. It also has a lot of different functions that allow you to view the details of a CSR, Key or Certificate and convert the certificate to different formats.

Listed below are the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands enable generation of Private Keys, CSRs and Certificates.

Generate a new Private Key and Certificate Signing Request

[root@server ~]# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

Generate a self-signed certificate

[root@server ~]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt

Generate a certificate signing request (CSR) for an existing private key

[root@server ~]# openssl req -out csr.csr -key privatekey.key -new

Generate a certificate signing request based on an existing certificate

[root@server ~]# openssl x509 -x509toreq -in certificate.crt -out csr.csr -signkey privatekey.key

Remove a passphrase from a private key

[root@server ~]# openssl rsa -in privatekey.pem -out newprivatekey.pem

Checking Using OpenSSL

These commands enable checking of information within a Private Key, CSR or Certificate.

Check a Certificate Signing Request (CSR)

[root@server ~]# openssl req -text -noout -verify -in csr.csr

Check a private key

[root@server ~]# openssl rsa -in privatekey.key -check

Check a certificate

[root@server ~]# openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

[root@server ~]# openssl pkcs12 -info -in keystore.p12

Debugging Using OpenSSL

These commands enable debugging of Private Keys, CSRs and Certificates.

Check the MD5 hash of a Public Key to ensure it matches the contents of the CSR or Private Key

[root@server ~]# openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privatekey.key | openssl md5
openssl req -noout -modulus -in csr.csr | openssl md5

Check an SSL connection. All the Certificates (including Intermediates) should be displayed

[root@server ~]# openssl s_client -connect www.google.com:443

Converting Using OpenSSL

These commands allow you to convert Keys and Certificates to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.

Convert a DER file (.crt .cer .der) to PEM

[root@server ~]# openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

[root@server ~]# openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a Private Key and Certificates to PEM

[root@server ~]# openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM Certificate file and a Private Key to PKCS#12 (.pfx .p12)

[root@server ~]# openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile cacert.crt