India English
Kenya English
United Kingdom English
South Africa English
Nigeria English
United States English
United States Español
Indonesia English
Bangladesh English
Egypt العربية
Tanzania English
Ethiopia English
Uganda English
Congo - Kinshasa English
Ghana English
Côte d’Ivoire English
Zambia English
Cameroon English
Rwanda English
Germany Deutsch
France Français
Spain Català
Spain Español
Italy Italiano
Russia Русский
Japan English
Brazil Português
Brazil Português
Mexico Español
Philippines English
Pakistan English
Turkey Türkçe
Vietnam English
Thailand English
South Korea English
Australia English
China 中文
Somalia English
Canada English
Canada Français
Netherlands Nederlands

Master OpenSSL Commands for Certificate and Key Management

OpenSSL is the power user’s toolkit for all things SSL/TLS, cryptography, and X.509 certificates. It’s a staple for developers, system administrators, and security professionals working across various operating systems. Let’s explore some of the most common and useful OpenSSL commands.

Certificate Management

  • Generate a Certificate Signing Request (CSR): Bashopenssl req -new -newkey rsa:2048 -nodes -keyout private.key -out mycsr.csr
    • Initiates the process of obtaining a signed certificate, this creates a private key and CSR for submission to a Certificate Authority (CA).
  • View Certificate Information: Bashopenssl x509 -in certificate.crt -text -noout
    • Displays detailed contents of a certificate, including issuer, validity period, and subject.
  • Check Certificate Expiration: Bashopenssl x509 -in certificate.crt -checkend <seconds>
    • Verify if a certificate will be valid at a given time (replace <seconds> with seconds since the Unix Epoch).

Key Management

  • Generate a Private Key: Bashopenssl genrsa -out private.key 2048
    • Creates an RSA private key (adjust the key size as needed).
  • Extract Public Key from a Private Key: Bashopenssl rsa -in private.key -pubout -out public.key
    • Generates a corresponding public key from a private key file.


  • PEM to PKCS#12 (PFX): Bashopenssl pkcs12 -export -out bundle.pfx -inkey private.key -in certificate.crt -certfile ca_chain.crt
    • Bundles a private key, certificate, and optional intermediate CA chain into a password-protected PKCS#12 file.

More OpenSSL Functionality

  • Encryption & Decryption: OpenSSL supports symmetric and asymmetric encryption algorithms.
  • Hashing: Calculate hashes (e.g., MD5, SHA256) for file integrity.
  • Server Testing: Analyze SSL/TLS configurations with openssl s_client.

Let’s delve into a few practical examples of using OpenSSL for encryption, decryption, and SSL testing.

Encryption & Decryption

Symmetric Encryption (AES-256)


# Encryption openssl enc -aes-256-cbc -salt -in myfile.txt -out myfile.enc -k <password> # Decryption openssl enc -d -aes-256-cbc -in myfile.enc -out myfile-decrypted.txt -k <password>


enc: OpenSSL’s encryption/decryption command.

-aes-256-cbc: Specifies the AES-256 cipher in CBC mode.

-salt: Adds salt for stronger key derivation.

-in: Input file.

-out: Output file.

-k: Provides a password (Be cautious with hardcoded passwords!)

Asymmetric Encryption (RSA)


# Encrypt with a public key openssl rsautl -encrypt -inkey public.key -pubin -in data.txt -out data.enc # Decrypt with a private key openssl rsautl -decrypt -inkey private.key -in data.enc -out data-decrypted.txt


rsautl: Utility for RSA encryption/decryption.

-encrypt / -decrypt: Specifies the operation.

-inkey: Key file (public for encryption, private for decryption)

-pubin: Indicates that the input key is a public key.

SSL Testing with ‘s_client’


openssl s_client -connect -showcerts 
  • Explanation:
    • s_client: Establishes an SSL/TLS connection to a server.
    • -connect: Server hostname and port (443 is the standard HTTPS port).
    • -showcerts: Displays the server’s certificate chain.

Important Reminders

  • Key Security: Protect private keys with robust passwords and access controls.
  • Responsible Password Usage: Explore more secure key derivation methods (like KDFs) and password managers instead of directly embedding passwords in scripts.
  • Robust Testing: Analyze results from s_client carefully, including supported ciphers and protocol versions.

Key Points

  • Version: Check your OpenSSL version with openssl version.
  • Command Structure: Most commands follow the structure: openssl <command> <subcommand> <options> <arguments>
  • Man Pages: Leverage the built-in manual pages for detailed usage – man openssl and man <command>.

Summary of OpenSSL Commands

Here are some common OpenSSL commands:

  1. Generate a private key:
   openssl genpkey -algorithm RSA -out private_key.pem
  1. Generate a certificate signing request (CSR) using an existing private key:
   openssl req -new -key private_key.pem -out csr.pem
  1. Generate a self-signed certificate:
   openssl req -new -x509 -key private_key.pem -out self_signed_certificate.pem -days 365
  1. View the contents of a certificate:
   openssl x509 -in certificate.pem -text -noout
  1. Encrypt a file using a symmetric cipher:
   openssl enc -aes256 -salt -in plaintext.txt -out encrypted.txt
  1. Decrypt a file encrypted with a symmetric cipher:
   openssl enc -aes256 -d -in encrypted.txt -out decrypted.txt
  1. Encrypt a file using a public key:
   openssl rsautl -encrypt -pubin -inkey public_key.pem -in plaintext.txt -out encrypted.txt
  1. Decrypt a file encrypted with a public key:
   openssl rsautl -decrypt -inkey private_key.pem -in encrypted.txt -out decrypted.txt
  1. Generate a hash of a file using a specific algorithm:
   openssl dgst -sha256 file.txt
  1. Generate a Diffie-Hellman parameters file:
    openssl dhparam -out dhparams.pem 2048

These are just a few examples of what you can do with OpenSSL. The toolset is quite extensive and can be used for a wide range of cryptographic operations and tasks.

In Conclusion

Mastering these OpenSSL commands will give you control over certificate and key management tasks for secure communications. This is just a taste of OpenSSL’s vast capabilities!

Read also:


Enjoy this blog? Please spread the word :)