openssl

27 commands

27 shown

Generate RSA private key Generate a 4096-bit RSA private key openssl genrsa -out private.key 4096 #openssl#security Generate Ed25519 key pair Modern Ed25519 key (smaller, faster than RSA) openssl genpkey -algorithm ed25519 -out private.key && openssl pkey -in private.key -pubout -out public.key #openssl#security Create CSR Certificate Signing Request for CA submission openssl req -new -key private.key -out request.csr -subj '/CN=example.com/O=MyOrg/C=RU' #openssl#security Self-signed certificate Generate self-signed cert + key in one command openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost' #openssl#security View certificate details Show subject, issuer, validity dates, SANs openssl x509 -in cert.pem -noout -text | grep -E 'Subject:|Issuer:|Not (Before|After)|DNS:' #openssl#security#debug Check cert expiry Print notBefore and notAfter dates openssl x509 -in cert.pem -noout -dates #openssl#security Verify cert against CA Check certificate chain against a CA bundle openssl verify -CAfile ca.pem cert.pem #openssl#security#debug Check cert matches key Confirm the cert and private key are a pair diff <(openssl x509 -pubkey -noout -in cert.pem) <(openssl pkey -pubout -in key.pem) && echo 'MATCH' #openssl#security#debug Convert PEM to PKCS#12 Package cert + key + CA into a .p12 file openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem -out bundle.p12 -name myalias #openssl#security Extract cert from PKCS#12 Split .p12 into separate cert and key PEM files openssl pkcs12 -in bundle.p12 -nokeys -out cert.pem && openssl pkcs12 -in bundle.p12 -nocerts -nodes -out key.pem #openssl#security Check live TLS cert Show expiry and issuer of a live TLS certificate echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -subject -issuer #openssl#security#network Check full cert chain Display full chain: leaf → intermediate → root openssl s_client -connect example.com:443 -showcerts 2>/dev/null | openssl crl2pkcs7 -nocrl | openssl pkcs7 -print_certs -noout -text | grep -E 'Subject:|Issuer:' #openssl#security#debug Encrypt file with AES-256 Password-encrypt a file with AES-256-CBC + PBKDF2 openssl enc -aes-256-cbc -pbkdf2 -in secret.txt -out secret.enc #openssl#security Decrypt AES-256 file Decrypt a file encrypted with the enc command above openssl enc -d -aes-256-cbc -pbkdf2 -in secret.enc -out secret.txt #openssl#security Generate random hex token Generate a 64-char hex random string (e.g. for API keys) openssl rand -hex 32 #openssl#security Full certificate inspect Dump all cert fields: subject, issuer, validity, extensions, SANs, key usage openssl x509 -in cert.pem -noout -text #openssl#tls#security#debug Cert expiry check (CI gate) Exit 0 if cert valid >24h; perfect for monitoring/CI alerts on expiry openssl x509 -in cert.pem -noout -checkend 86400 && echo OK || echo EXPIRING #openssl#monitoring#tls#ci Inspect live server chain Fetch full chain with SNI; -servername is mandatory for vhosts/SNI backends openssl s_client -connect <host>:443 -servername <host> -showcerts </dev/null 2>/dev/null #openssl#tls#network#debug Extract SAN list Show only SAN entries; modern browsers ignore CN, so SAN is what matters openssl x509 -in cert.pem -noout -ext subjectAltName #openssl#tls#dns#security Verify cert against CA chain Validate trust chain; note: -CAfile must hold intermediates+root in order openssl verify -CAfile ca-chain.pem cert.pem #openssl#tls#security#troubleshooting Match cert and private key Equal modulus hashes prove key matches cert; empty diff = match diff <(openssl x509 -in cert.pem -noout -modulus | md5sum) <(openssl rsa -in key.pem -noout -modulus | md5sum) #openssl#tls#security#troubleshooting CSR + key in one shot Generate key+CSR with SAN inline; -addext avoids editing openssl.cnf openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.csr -subj "/CN=<host>" -addext "subjectAltName=DNS:<host>" #openssl#tls#security Self-signed cert with SAN One-liner self-signed cert valid 1y; SAN required or TLS clients reject it openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=<host>" -addext "subjectAltName=DNS:<host>" #openssl#tls#security PEM to PKCS12 bundle Bundle cert+key+chain into .p12 for Java keystores / Windows imports openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca-chain.pem -out bundle.p12 -name <name> #openssl#tls#security STARTTLS protocol probe Inspect TLS on STARTTLS services; swap postgres for smtp/imap/mysql/ldap openssl s_client -connect <host>:5432 -starttls postgres -showcerts </dev/null 2>/dev/null #openssl#tls#network#debug Generate Ed25519 key Modern: Ed25519 keys are tiny and fast vs RSA; use for signing/mTLS openssl genpkey -algorithm ed25519 -out ed25519.pem #openssl#security#tls Test specific TLS protocol Force a version to confirm support; use -tls1_3 / -no_tls1_2 to test policy openssl s_client -connect <host>:443 -tls1_2 </dev/null 2>&1 | grep -E 'Protocol|Cipher' #openssl#tls#security#troubleshooting
no commands match