openssl
27 commands
27 shown
Generate RSA private key
Generate a 4096-bit RSA private key
openssl genrsa -out private.key 4096
Generate Ed25519 key pair
Modern Ed25519 key (smaller, faster than RSA)
openssl genpkey -algorithm ed25519 -out private.key && openssl pkey -in private.key -pubout -out public.key
Create CSR
Certificate Signing Request for CA submission
openssl req -new -key private.key -out request.csr -subj '/CN=example.com/O=MyOrg/C=RU'
Self-signed certificate
Generate self-signed cert + key in one command
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'
View certificate details
Show subject, issuer, validity dates, SANs
openssl x509 -in cert.pem -noout -text | grep -E 'Subject:|Issuer:|Not (Before|After)|DNS:'
Check cert expiry
Print notBefore and notAfter dates
openssl x509 -in cert.pem -noout -dates
Verify cert against CA
Check certificate chain against a CA bundle
openssl verify -CAfile ca.pem cert.pem
Check cert matches key
Confirm the cert and private key are a pair
diff <(openssl x509 -pubkey -noout -in cert.pem) <(openssl pkey -pubout -in key.pem) && echo 'MATCH'
Convert PEM to PKCS#12
Package cert + key + CA into a .p12 file
openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem -out bundle.p12 -name myalias
Extract cert from PKCS#12
Split .p12 into separate cert and key PEM files
openssl pkcs12 -in bundle.p12 -nokeys -out cert.pem && openssl pkcs12 -in bundle.p12 -nocerts -nodes -out key.pem
Check live TLS cert
Show expiry and issuer of a live TLS certificate
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -subject -issuer
Check full cert chain
Display full chain: leaf → intermediate → root
openssl s_client -connect example.com:443 -showcerts 2>/dev/null | openssl crl2pkcs7 -nocrl | openssl pkcs7 -print_certs -noout -text | grep -E 'Subject:|Issuer:'
Encrypt file with AES-256
Password-encrypt a file with AES-256-CBC + PBKDF2
openssl enc -aes-256-cbc -pbkdf2 -in secret.txt -out secret.enc
Decrypt AES-256 file
Decrypt a file encrypted with the enc command above
openssl enc -d -aes-256-cbc -pbkdf2 -in secret.enc -out secret.txt
Generate random hex token
Generate a 64-char hex random string (e.g. for API keys)
openssl rand -hex 32
Full certificate inspect
Dump all cert fields: subject, issuer, validity, extensions, SANs, key usage
openssl x509 -in cert.pem -noout -text
Cert expiry check (CI gate)
Exit 0 if cert valid >24h; perfect for monitoring/CI alerts on expiry
openssl x509 -in cert.pem -noout -checkend 86400 && echo OK || echo EXPIRING
Inspect live server chain
Fetch full chain with SNI; -servername is mandatory for vhosts/SNI backends
openssl s_client -connect <host>:443 -servername <host> -showcerts </dev/null 2>/dev/null
Extract SAN list
Show only SAN entries; modern browsers ignore CN, so SAN is what matters
openssl x509 -in cert.pem -noout -ext subjectAltName
Verify cert against CA chain
Validate trust chain; note: -CAfile must hold intermediates+root in order
openssl verify -CAfile ca-chain.pem cert.pem
Match cert and private key
Equal modulus hashes prove key matches cert; empty diff = match
diff <(openssl x509 -in cert.pem -noout -modulus | md5sum) <(openssl rsa -in key.pem -noout -modulus | md5sum)
CSR + key in one shot
Generate key+CSR with SAN inline; -addext avoids editing openssl.cnf
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.csr -subj "/CN=<host>" -addext "subjectAltName=DNS:<host>"
Self-signed cert with SAN
One-liner self-signed cert valid 1y; SAN required or TLS clients reject it
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=<host>" -addext "subjectAltName=DNS:<host>"
PEM to PKCS12 bundle
Bundle cert+key+chain into .p12 for Java keystores / Windows imports
openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca-chain.pem -out bundle.p12 -name <name>
STARTTLS protocol probe
Inspect TLS on STARTTLS services; swap postgres for smtp/imap/mysql/ldap
openssl s_client -connect <host>:5432 -starttls postgres -showcerts </dev/null 2>/dev/null
Generate Ed25519 key
Modern: Ed25519 keys are tiny and fast vs RSA; use for signing/mTLS
openssl genpkey -algorithm ed25519 -out ed25519.pem
Test specific TLS protocol
Force a version to confirm support; use -tls1_3 / -no_tls1_2 to test policy
openssl s_client -connect <host>:443 -tls1_2 </dev/null 2>&1 | grep -E 'Protocol|Cipher'
no commands match