In this tutorial we will cover different examples using openssl command, so in short let's get started with our openssl cheatsheet.
Generating Keys
1. RSA Keys
Generate a standard RSA key (2048 bits)
openssl genrsa -out rsa_private.key 2048Generate a stronger RSA key (4096 bits)
openssl genrsa -out rsa_private.key 4096Generate an RSA key with a custom exponent
openssl genrsa -out rsa_private.key 2048 -F42. EC (Elliptic Curve) Keys
Generate an EC key using a specific curve
openssl ecparam -name prime256v1 -genkey -out ec_private.keyList all available EC curves
openssl ecparam -list_curvesGenerate an EC key with explicit parameters
openssl ecparam -name secp384r1 -param_enc explicit -genkey -out ec_private_explicit.key3. DSA Keys
Generate a DSA key pair
openssl dsaparam -genkey 2048 -out dsa_private.key4. EdDSA Keys (such as Ed25519)
Generate an Ed25519 private key
openssl genpkey -algorithm Ed25519 -out ed25519_private.key5. Key with Encrypted Password Protection
Generate an RSA key encrypted with AES-256
openssl genrsa -aes256 -out rsa_private_encrypted.key 2048Generate an EC key with password protection
openssl ecparam -name prime256v1 -genkey -out ec_private_encrypted.key -aes2566. Convert Keys Between Formats
Convert a private key from PEM to DER format
openssl rsa -in rsa_private.key -outform DER -out rsa_private.derConvert a private key to PKCS#8 format
openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa_private.key -out rsa_private_pkcs8.pem -nocryptGenerate Private and Public Key
Generating an RSA Key Pair:
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pemGenerating an ECDSA Key Pair:
openssl ecparam -genkey -name prime256v1 -out private_key_ec.pem
openssl ec -in private_key_ec.pem -pubout -out public_key_ec.pemExtract public key from certificate:
openssl x509 -in domain_ecdsa.crt -pubkey -nooutGenerating CA certificate
1. Generate the Root Key
openssl genrsa -out ca.key 40962. Generate the Root Certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crtNow you can use these ca.crt and ca.key to sign certificates.
Creating Certificates
1. Generate Private Keys
First, you need a private key. The type and size of the key can vary depending on your security requirement.
RSA Private Key
openssl genrsa -out rsa_private.key 2048ECDSA Private Key
openssl ecparam -name prime256v1 -genkey -out ecdsa_private.key2. Generate a Certificate Signing Request (CSR)
A CSR is what you submit to a Certificate Authority (CA) to apply for a digital identity certificate. It includes your public key and other identity information.
Using an RSA Key
openssl req -new -key rsa_private.key -out rsa_csr.csrUsing an ECDSA Key
openssl req -new -key ecdsa_private.key -out ecdsa_csr.csr3. Generating Self-Signed Certificates
Self-signed Certificate with RSA
openssl req -new -x509 -days 365 -key rsa_private.key -out rsa_certificate.crtSelf-signed Certificate with ECDSA
openssl req -new -x509 -days 365 -key ecdsa_private.key -out ecdsa_certificate.crt4. Signing a CSR with Your CA
If you act as your own certificate authority or have access to a CA, you can sign CSRs to generate certificates.
openssl x509 -req -days 365 -in csr.csr -signkey ca.key -out signed_certificate.crt5. Verify a Certificate
Verify a Certificate
openssl x509 -in certificate.crt -text -nooutEncrypting and Decrypting Files
1. Encrypting Files
Encrypt a file using AES-256 in CBC mode
openssl enc -aes-256-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORDEncrypt a file using AES-256 in GCM mode
openssl enc -aes-256-gcm -in plainfile.txt -out encryptedfile.enc -k PASSWORDEncrypt a file using 3DES
openssl enc -des-ede3-cbc -salt -in plainfile.txt -out encryptedfile.enc -k PASSWORD2. Decrypting Files
Decrypt a file using AES-256 in CBC mode
openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORDDecrypt a file using AES-256 in GCM mode
openssl enc -d -aes-256-gcm -in encryptedfile.enc -out decryptedfile.txt -k PASSWORDDecrypt a file using 3DES
openssl enc -d -des-ede3-cbc -in encryptedfile.enc -out decryptedfile.txt -k PASSWORD3. Encrypting Files with a Key and IV (Initialization Vector)
Generate a random key and IV for AES-256
openssl enc -aes-256-cbc -k secret -P -md sha1Encrypt a file using the generated key and IV
openssl enc -aes-256-cbc -in plainfile.txt -out encryptedfile.enc -K [HEX_KEY] -iv [HEX_IV]Decrypt a file using the generated key and IV
openssl enc -d -aes-256-cbc -in encryptedfile.enc -out decryptedfile.txt -K [HEX_KEY] -iv [HEX_IV]4. Encrypting and Decrypting with Public and Private Keys
Encrypt a file with RSA public key
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.encDecrypt a file with RSA private key
openssl rsautl -decrypt -inkey private.pem -in file.enc -out file_decrypted.txtChecking and Verifying Certificates
1. Viewing Certificate Details
openssl x509 -in certificate.crt -text -noout2. Verifying a Certificate Against a Trusted CA
openssl verify -CAfile ca.crt certificate.crt3. Checking a Certificate's Expiration Date
openssl x509 -in certificate.crt -noout -enddateopenssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt5. Checking for a Certificate Revocation List (CRL)
openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem server.crt6. Checking Certificate Serial Number
openssl x509 -in certificate.crt -noout -serial7. Checking Certificate's Signature Algorithm
openssl x509 -in certificate.crt -noout -text | grep "Signature Algorithm"Generate certificate with SAN Field
Create a file called san.cnf with the following content:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = US
ST = New York
L = Rochester
O = Example Corp
OU = IT
CN = www.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = subdomain.example.com
IP.1 = 192.168.0.1Generate your private key using the following command:
openssl genrsa -out example.key 2048Using the configuration file and the private key, generate your CSR:
openssl req -new -key example.key -out example.csr -config san.cnfOr to generate CSR using single line openssl command
openssl req -new -key example.key -out example.csr -subj "/C=US/ST=New York/L=Rochester/O=Example Corp/OU=IT/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1"Generate the self-signed certificate using the CSR:
openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt -extensions req_ext -extfile san.cnfIf you wish to sign using your ca.crt and ca.key then you can use:
openssl x509 -req -days 365 -in example.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.crt -extensions v3_ca -extfile <(echo -e "[v3_ca]\nsubjectAltName=DNS:www.example.com,DNS:example.com,IP:192.168.0.1")Verify that your certificate contains the SAN fields:
openssl x509 -in example.crt -text -noout | grep -A 1 "Subject Alternative Name"Creating and Managing CRLs
Generate a CRL
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crlRevoke a Certificate
openssl ca -revoke client.crt -keyfile ca.key -cert ca.crtUpdate a CRL
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crlCheck Certificate Against CRL
openssl verify -crl_check -CRLfile ca.crl -CAfile ca.crt client.crtUsing OCSP to Check Certificate Status
openssl ocsp -CAfile ca.crt -url http://ocsp.server.com -issuer ca.crt -cert client.crtConfiguring OpenSSL for OCSP: Add the following to your openssl.cnf
configuration file under the relevant CA section:
[ ca ]
# OCSP responder URL
authorityInfoAccess = OCSP;URI:http://ocsp.server.com
[ ocsp ]
# OCSP signing configuration
default_ca = OCSP_signingConvert CRL to Human-Readable Format
openssl crl -in ca.crl -inform DER -text -nooutConverting Certificate Formats
1. PEM to DER
openssl x509 -in certificate.pem -outform der -out certificate.der2. DER to PEM
openssl x509 -in certificate.der -inform der -out certificate.pem3. PEM to PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem -certfile CAcert.pem4. PKCS#12 to PEM
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodesWorking with SSL Connections
Test SSL Connection:
openssl s_client -connect www.example.com:443View Server Certificate Details:
openssl s_client -connect www.example.com:443 -showcertsCheck SSL/TLS Protocols and Ciphers:
openssl s_client -connect www.example.com:443 -tls1_2Print List all ciphers:
openssl s_client -connect www.example.com:443 -cipher 'ALL'Managing Passwords and Hashes
1. Generating Secure Passwords
openssl rand -base64 162. Creating Cryptographic Hashes
openssl dgst -sha256 filename.txt
echo -n "password" | openssl dgst -sha2563. Password-Based Key Derivation Functions
openssl enc -pbkdf2 -k password -S salt -iter 10000 -md sha2564. Hash a Password with a Salt
echo -n "passwordSALT" | openssl dgst -sha256One liner OpenSSL commands
1. Generate an RSA Key and Extract Its Public Key
openssl genrsa -out private.key 2048 && openssl rsa -in private.key -pubout -out public.key2. Generate a Self-Signed Certificate with an RSA Private Key
openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"3. Generate a Self-Signed Certificate with an ECC Private Key
openssl req -newkey ec:<(openssl ecparam -name prime256v1 -genkey) -nodes -x509 -days 365 -keyout domain_ecdsa.key -out domain_ecdsa.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"4. Create a CSR, Self-Sign it, and Verify the Signature
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Company/OU=Department/CN=www.example.com"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl verify -CAfile server.crt server.crt5. Encrypt a File and Then Decrypt It
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.enc -k secretkey
openssl enc -d -aes-256-cbc -in encrypted.enc -out decrypted.txt -k secretkey6. Generate ECDSA Key Pair and Check the Key
openssl ecparam -name prime256v1 -genkey -out private_ec.key
openssl ec -in private_ec.key -pubout -out public_ec.key
openssl ec -in private_ec.key -text -noout7. Create a PKCS#12 File from PEM files and Then Extract the Contents
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt -password pass:yourpassword
openssl pkcs12 -in certificate.p12 -out extractedContents.pem -nodes -password pass:yourpassword8. Hash a File and Verify the Hash
openssl dgst -sha256 -out hash.txt file.txt
openssl dgst -sha256 -verify pubkey.pem -signature hash.txt file.txt9. Generate CA certificate and sign Certificate
openssl req -newkey rsa:2048 -nodes -x509 -days 365 -keyout ca.key -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/CN=CA"
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=US/ST=State/L=City/O=Organization/CN=Client"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt