In this tutorial we will cover different examples using openssl command, so in short let's get started with our openssl cheatsheet. On Ubuntu, confirm the CLI is installed with install OpenSSL on Ubuntu.
Generating Keys
1. RSA Keys
Generate a standard RSA key (2048 bits)
openssl genrsa -out rsa_private.key 2048Generate a stronger RSA key (4096 bits)
openssl genrsa -out rsa_private.key 4096Generate an RSA key with a custom exponent
openssl genrsa -out rsa_private.key 2048 -F42. EC (Elliptic Curve) Keys
Generate an EC key using a specific curve
openssl ecparam -name prime256v1 -genkey -out ec_private.keyList all available EC curves
openssl ecparam -list_curvesGenerate an EC key with explicit parameters
openssl ecparam -name secp384r1 -param_enc explicit -genkey -out ec_private_explicit.key3. DSA Keys
Generate a DSA key pair
openssl dsaparam -genkey 2048 -out dsa_private.key4. EdDSA Keys (such as Ed25519)
Generate an Ed25519 private key
openssl genpkey -algorithm Ed25519 -out ed25519_private.key5. Key with Encrypted Password Protection
Generate an RSA key encrypted with AES-256
openssl genrsa -aes256 -out rsa_private_encrypted.key 2048Generate an EC key with password protection
openssl ecparam -name prime256v1 -genkey -out ec_private_encrypted.key -aes2566. Convert Keys Between Formats
Convert a private key from PEM to DER format
openssl rsa -in rsa_private.key -outform DER -out rsa_private.derConvert a private key to PKCS#8 format
openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa_private.key -out rsa_private_pkcs8.pem -nocryptGenerate Private and Public Key
Generating an RSA Key Pair:
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pemGenerating an ECDSA Key Pair:
openssl ecparam -genkey -name prime256v1 -out private_key_ec.pem
openssl ec -in private_key_ec.pem -pubout -out public_key_ec.pemExtract public key from certificate:
openssl x509 -in domain_ecdsa.crt -pubkey -nooutGenerating CA certificate
1. Generate the Root Key
openssl genrsa -out ca.key 40962. Generate the Root Certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crtNow you can use these ca.crt and ca.key to sign certificates.
Creating Certificates
1. Generate Private Keys
First, you need a private key. The type and size of the key can vary depending on your security requirement.
RSA Private Key
openssl genrsa -out rsa_private.key 2048ECDSA Private Key
openssl ecparam -name prime256v1 -genkey -out ecdsa_private.key2. Generate a Certificate Signing Request (CSR)
A CSR is what you submit to a Certificate Authority (CA) to apply for a digital identity certificate. It includes your public key and other identity information.
Using an RSA Key
openssl req -new -key rsa_private.key -out rsa_csr.csrUsing an ECDSA Key
openssl req -new -key ecdsa_private.key -out ecdsa_csr.csr3. Generating Self-Signed Certificates
Self-signed Certificate with RSA
openssl req -new -x509 -days 365 -key rsa_private.key -out rsa_certificate.crtSelf-signed Certificate with ECDSA
openssl req -new -x509 -days 365 -key ecdsa_private.key -out ecdsa_certificate.crt4. Signing a CSR with Your CA
If you act as your own certificate authority or have access to a CA, you can sign CSRs to generate certificates.
openssl x509 -req -days 365 -in csr.csr -signkey ca.key -out signed_certificate.crt5. Verify a Certificate
Verify a Certificate
openssl x509 -in certificate.crt -text -nooutEncrypting and Decrypting Files
1. Encrypting Files
Encrypt a file using AES-256 in CBC mode
openssl enc -aes-256-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORDEncrypt a file using AES-256 in GCM mode
openssl enc -aes-256-gcm -in plainfile.txt -out encryptedfile.enc -k PASSWORDEncrypt a file using 3DES
openssl enc -des-ede3-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD2. Decrypting Files
Decrypt a file using AES-256 in CBC mode
openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORDDecrypt a file using AES-256 in GCM mode
openssl enc -d -aes-256-gcm -in encryptedfile.enc -out decryptedfile.txt -k PASSWORDDecrypt a file using 3DES
openssl enc -d -des-ede3-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD3. Encrypting Files with a Key and IV (Initialization Vector)
Generate a random key and IV for AES-256
openssl enc -aes-256-cbc -k secret -P -md sha1Encrypt a file using the generated key and IV
openssl enc -aes-256-cbc -in plainfile.txt -out encryptedfile.enc -K [HEX_KEY] -iv [HEX_IV]Decrypt a file using the generated key and IV
openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -K [HEX_KEY] -iv [HEX_IV]4. Encrypting and Decrypting with Public and Private Keys
Encrypt a file with RSA public key
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.encDecrypt a file with RSA private key
openssl rsautl -decrypt -inkey private.pem -in file.enc -out file_decrypted.txtChecking and Verifying Certificates
1. Viewing Certificate Details
openssl x509 -in certificate.crt -text -noout2. Verifying a Certificate Against a Trusted CA
openssl verify -CAfile ca.crt certificate.crt3. Checking a Certificate's Expiration Date
openssl x509 -in certificate.crt -noout -enddateopenssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt5. Checking for a Certificate Revocation List (CRL)
openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem server.crt6. Checking Certificate Serial Number
openssl x509 -in certificate.crt -noout -serial7. Checking Certificate's Signature Algorithm
openssl x509 -in certificate.crt -noout -text | grep "Signature Algorithm"Generate certificate with SAN Field
Create a file called san.cnf with the following content:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = US
ST = New York
L = Rochester
O = Example Corp
OU = IT
CN = www.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = subdomain.example.com
IP.1 = 192.168.0.1Generate your private key using the following command:
openssl genrsa -out example.key 2048Using the configuration file and the private key, generate your CSR:
openssl req -new -key example.key -out example.csr -config san.cnfOr to generate CSR using single line openssl command
openssl req -new -key example.key -out example.csr -subj "/C=US/ST=New York/L=Rochester/O=Example Corp/OU=IT/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1"Generate the self-signed certificate using the CSR:
openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt -extensions req_ext -extfile san.cnfIf you wish to sign using your ca.crt and ca.key then you can use:
openssl x509 -req -days 365 -in example.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.crt -extensions v3_ca -extfile <(echo -e "[v3_ca]\nsubjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1")Verify that your certificate contains the SAN fields:
openssl x509 -in example.crt -text -noout | grep -A 1 "Subject Alternative Name"Creating and Managing CRLs
Generate a CRL
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crlRevoke a Certificate
openssl ca -revoke client.crt -keyfile ca.key -cert ca.crtUpdate a CRL
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crlCheck Certificate Against CRL
openssl verify -crl_check -CRLfile ca.crl -CAfile ca.crt client.crtUsing OCSP to Check Certificate Status
openssl ocsp -CAfile ca.crt -url http://ocsp.server.com -issuer ca.crt -cert client.crtConfiguring OpenSSL for OCSP: Add the following to your openssl.cnf
configuration file under the relevant CA section:
[ ca ]
# OCSP responder URL
authorityInfoAccess = OCSP;URI:http://ocsp.server.com
[ ocsp ]
# OCSP signing configuration
default_ca = OCSP_signingConvert CRL to Human-Readable Format
openssl crl -in ca.crl -inform DER -text -nooutConverting Certificate Formats
1. PEM to DER
openssl x509 -in certificate.pem -outform der -out certificate.der2. DER to PEM
openssl x509 -in certificate.der -inform der -out certificate.pem3. PEM to PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem -certfile CAcert.pem4. PKCS#12 to PEM
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodesWorking with SSL Connections
Test SSL Connection:
openssl s_client -connect www.example.com:443View Server Certificate Details:
openssl s_client -connect www.example.com:443 -showcertsCheck SSL/TLS Protocols and Ciphers:
openssl s_client -connect www.example.com:443 -tls1_2Print List all ciphers:
openssl s_client -connect www.example.com:443 -cipher 'ALL'Managing Passwords and Hashes
1. Generating Secure Passwords
openssl rand -base64 162. Creating Cryptographic Hashes
openssl dgst -sha256 filename.txt
echo -n "password" | openssl dgst -sha2563. Password-Based Key Derivation Functions
openssl enc -pbkdf2 -k password -S salt -iter 10000 -md sha2564. Hash a Password with a Salt
echo -n "passwordSALT" | openssl dgst -sha256One liner OpenSSL commands
1. Generate an RSA Key and Extract Its Public Key
openssl genrsa -out private.key 2048 && openssl rsa -in private.key -pubout -out public.key2. Generate a Self-Signed Certificate with an RSA Private Key
openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"3. Generate a Self-Signed Certificate with an ECC Private Key
openssl req -newkey ec:<(openssl ecparam -name prime256v1 -genkey) -nodes -x509 -days 365 -keyout domain_ecdsa.key -out domain_ecdsa.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"4. Create a CSR, Self-Sign it, and Verify the Signature
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Company/OU=Department/CN=www.example.com"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl verify -CAfile server.crt server.crt5. Encrypt a File and Then Decrypt It
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.enc -k secretkey
openssl enc -d -aes-256-cbc -in encrypted.enc -out decrypted.txt -k secretkey6. Generate ECDSA Key Pair and Check the Key
openssl ecparam -name prime256v1 -genkey -out private_ec.key
openssl ec -in private_ec.key -pubout -out public_ec.key
openssl ec -in private_ec.key -text -noout7. Create a PKCS#12 File from PEM files and Then Extract the Contents
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt -password pass:yourpassword
openssl pkcs12 -in certificate.p12 -out extractedContents.pem -nodes -password pass:yourpassword8. Hash a File and Verify the Hash
openssl dgst -sha256 -out hash.txt file.txt
openssl dgst -sha256 -verify pubkey.pem -signature hash.txt file.txt9. Generate CA certificate and sign Certificate
openssl req -newkey rsa:2048 -nodes -x509 -days 365 -keyout ca.key -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/CN=CA"
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=US/ST=State/L=City/O=Organization/CN=Client"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt