The Most Useful OpenSSL Commands

Saturday, March 21, 2020 • edited Monday, February 22, 2021 • 7 minutes to read

OpenSSL is one of the most useful applications available on all major platforms. It is an open-source implementation of SSL and TLS protocols and cryptography algorithms. Useful on enterprise-level and for your personal needs. And this is my list of the most useful OpenSSL commands.

What are those all abbreviations?

This article is just a cheat sheet, a brief list of commands, not an introduction to cryptography. However, to clarify what those commands do, I need to introduce some abbreviations.

3DES - an encryption algorithm running three times DES algorithm; DES (Data Encryption Standard) is a symmetric-key encryption algorithm with a 56-bit key
RSA - Rivest–Shamir–Adleman algorithm - an asymmetric encryption algorithm with 1024 to 4096 bits key
PEM - Privacy-Enhanced Mail - a text format with base64 encoded keys/certificates
CSR - Certificate Signing Request
SHA-2 - a set of cryptographic hash functions
SSL - Secure Socket Layer - secured transport protocol
TLS - Transport Layer Security - secured transport protocol
X.509 - a standardized format of public-key certificates
DER - Distinguished Encoding Rules - a binary encoding
PKCS - similar to X.509 a one more standardized form of public-key certificates

The private key operations.

How to create a 2048-bits RSA private key and encrypt it with a 3DES algorithm?

$ openssl genrsa -des3 -out example.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
.........................+++
e is 65537 (0x10001)
Enter pass phrase for example.key:
Verifying - Enter pass phrase for example.key:

How to decrypt an encrypted RSA private key?

You need to know the key’s passphrase to run this command.

$ openssl rsa -in example.key -out decrypted.key
Enter pass phrase for example.key:
writing RSA key

How to encrypt a decrypted RSA private key with a 3DES algorithm?

$ openssl rsa -des3 -in decrypted.key -out encrypted.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

How to verify an RSA private key?

This command writes to the standard output your key in PEM encoding. You need to know the key’s passphrase to run this command if your private key is encrypted.

$ openssl rsa -check -in example.key
Enter pass phrase for example.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

The Certificate Signing Request operations.

How to Create an RSA private key and a CSR?

The following command creates a new 2048-bits RSA private key without encryption and signs CSR with SHA-2.

$ openssl req -newkey rsa:2048 -nodes -keyout example.key -sha256 -out example.csr
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

How to create a CSR from an existing RSA private key?

You need to fill out similar data like in the previous command - I did not include that part in the listing below. It also signs CSR with SHA-2.

$ openssl req -key example.key -new -sha256 -out example.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.

How to Create a CSR from an existing certificate and RSA private key?

In case you already have a certificate and want to create a CSR from it, the following command is enough.

$ openssl x509 -in example.crt -signkey example.key -x509toreq -out example.csr
Getting request Private Key
Generating certificate request

How to verify a CSR?

$ openssl req -verify -text -noout -in example.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, L=City, O=Example Ltd., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption

The SSL/TLS certificate operations.

In most cases, you will receive a certificate from a Certificate Authority. However, you can still self-sign the certificate.

How to create a certificate from an existing RSA private key and CSR?

Adding -days 365 makes the certificate valid for 365 days counting from today.

$ openssl x509 -signkey example.key -in example.csr -req -days 365 -out example.crt
Signature ok
subject=/C=US/L=City/O=Example Ltd./CN=example.com
Getting Private key

How to create a certificate from an existing RSA private key without CSR?

You need to include similar information when creating a CSR.

$ openssl req -key example.key -new -sha256 -x509 -days 365 -out example.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.

How to Create a certificate without a private key or CSR?

This command creates a 2048-bits RSA private key without encryption and a certificate valid for 365 days.

$ openssl req -newkey rsa:2048 -nodes -keyout example.key -x509 -sha256 -days 365 -out example.crt
Generating a 2048 bit RSA private key
................+++
..........................................................................+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

How to view X.509 certificate entries?

This command prints on standard output information about certificate, including validity dates, subject, and signatures.

$ openssl x509 -text -noout -in example.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a4:48:e5:90:4a:3e:17:c1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=City, O=Example Ltd., CN=example.com
        Validity
            Not Before: Mar 21 21:15:04 2020 GMT
            Not After : Mar 21 21:15:04 2021 GMT
        Subject: C=US, L=City, O=Example Ltd., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                32:C1:57:AD:3F:11:6D:1D:C8:8A:E8:F4:1D:9C:4B:3D:5B:DB:24:2F
            X509v3 Authority Key Identifier:
                keyid:32:C1:57:AD:3F:11:6D:1D:C8:8A:E8:F4:1D:9C:4B:3D:5B:DB:24:2F

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

How to view PKCS#12 certificate entries?

$ openssl pkcs12 -info -in example.pfx
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: A0 42 7B 57 A5 04 28 16 A1 82 3C 76 E1 E3 D4 2A 68 AD D6 58
subject=/C=US/L=City/O=Example Ltd./CN=example.com
issuer=/C=US/L=City/O=Example Ltd./CN=example.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: A0 42 7B 57 A5 04 28 16 A1 82 3C 76 E1 E3 D4 2A 68 AD D6 58
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

How to verify a certificate?

$ openssl verify -verbose example.crt
example.crt: C = US, L = City, O = Example Ltd., CN = example.com
error 18 at 0 depth lookup:self signed certificate
OK

Conversions between certificate formats.

IIS or Tomcat use PKCS formats, Apache or NGINX use PEM encoded X.509 formats.

How to Convert from DER to PEM?

$ openssl x509 -inform der -in example.cer -out example.pem

How to convert from PEM o DER?

$ openssl x509 -outform der -in example.crt -out example.cer

How to convert PKCS#12 file containing a certificate and private file to PEM encoded X.509 format?

$ openssl pkcs12 -nodes -in example.pfx -out example.pem
Enter Import Password:
MAC verified OK

How to convert a PEM encoded certificate file and a private key to PKCS#12?

$ openssl pkcs12 -export -inkey example.key -in example.crt -out example.pfx
Enter Export Password:
Verifying - Enter Export Password:

devops cheat sheet openssl certificate encryption