Security
OpenSSL CLI
OpenSSL commands for encryption, certificates, and SSL/TLS.
32 commands
Windows
MacOS
Linux
Certificate Generation
Generate a self-signed certificate (-nodes leaves the private key unencrypted)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Generate a 4096-bit RSA private key
openssl genrsa -out private.key 4096
Generate an EC private key
openssl ecparam -genkey -name prime256v1 -out ec_key.pem
Self-signed EC cert
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -keyout k.pem -out c.pem -days 365 -nodes
Generate cert from existing key
openssl req -new -x509 -key private.key -out cert.pem -days 730
CSR Management
Generate a CSR from an existing key
openssl req -new -key private.key -out request.csr
Generate key and CSR together
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.csr
Verify and display CSR contents
openssl req -verify -in request.csr -text -noout
Show the subject of a CSR
openssl req -in request.csr -subject -noout
Certificate Inspection
Display full certificate details
openssl x509 -in cert.pem -text -noout
Show certificate validity dates
openssl x509 -in cert.pem -dates -noout
Show SHA-256 fingerprint of a cert
openssl x509 -in cert.pem -fingerprint -sha256 -noout
Inspect a remote server's TLS certificate (-servername sets SNI)
openssl s_client -connect example.com:443 -servername example.com
Show the issuer of a certificate
openssl x509 -in cert.pem -issuer -noout
Verify a certificate against a CA
openssl verify -CAfile ca.pem cert.pem
Encryption
Encrypt a file with AES-256-CBC (password-based, key derived with PBKDF2)
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pbkdf2
Decrypt an AES-256-CBC encrypted file
openssl enc -d -aes-256-cbc -in file.enc -out file.txt -pbkdf2
Encrypt with RSA public key (rsautl is deprecated since OpenSSL 3.0; pkeyutl replaces it)
openssl rsautl -encrypt -inkey pub.pem -pubin -in msg.txt -out msg.enc
Decrypt with RSA private key
openssl rsautl -decrypt -inkey priv.pem -in msg.enc -out msg.txt
Generate 32 random bytes, Base64-encoded
openssl rand -base64 32
Hashing
Compute SHA-256 hash of a file
openssl dgst -sha256 file.txt
Compute SHA-512 hash of a file
openssl dgst -sha512 file.txt
Compute MD5 hash of a file (MD5 is not collision-resistant; legacy checksums only)
openssl dgst -md5 file.txt
Sign a file's SHA-256 digest with a private key
openssl dgst -sha256 -sign priv.pem -out sig.bin file.txt
Verify a SHA-256 signature
openssl dgst -sha256 -verify pub.pem -signature sig.bin file.txt
S/MIME
Encrypt an email with S/MIME
openssl smime -encrypt -aes256 -in msg.txt -out msg.enc cert.pem
Decrypt an S/MIME encrypted email
openssl smime -decrypt -in msg.enc -inkey priv.pem -out msg.txt
Sign an email with S/MIME
openssl smime -sign -in msg.txt -signer cert.pem -inkey priv.pem -out msg.sig
Verify an S/MIME signed email
openssl smime -verify -in msg.sig -CAfile ca.pem
Quick Commands
Generate a self-signed TLS certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Display full details of a certificate
openssl x509 -in cert.pem -text -noout
Inspect the SSL certificate of a remote server
openssl s_client -connect example.com:443