
OpenSSL Commands Examples

OpenSSL is an open-source implementation of the SSL/TLS protocols and the cryptography behind them. Its command-line tool runs on almost every platform, including Windows, macOS and Linux, and is commonly used to generate CSRs when installing certificates on servers. This post lists some of the most popular and widely used OpenSSL commands; the ones you are looking for are probably among them. So, have a look at these OpenSSL command examples.

Common OpenSSL Commands

Here are some everyday OpenSSL commands that cover tasks such as generating CSRs and private keys. Let’s have a look at them.

Generate a new private key and CSR (Certificate Signing Request)

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Generate self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

This will generate a self-signed SSL certificate valid for one year. A 2048-bit RSA key with a SHA-256 signature is the widely accepted baseline for certificates today.

Generate a CSR for an existing private key on the server

openssl req -out CSR.csr -key privateKey.key -new

Generate a CSR for an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Generate an RSA key

openssl genrsa -out privateKey.pem 2048

Generate a DSA key

openssl dsaparam -noout -out dsakey.pem -genkey 1024

1024-bit DSA is obsolete; use it only where a legacy system requires it, and prefer RSA or EC keys for anything new.

Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

Connect to a web server using SNI

openssl s_client -connect www.massivehost.com:443 -servername www.myhost.com

Encode a file in base64

openssl enc -base64 -in filename.txt

Encrypt a file

openssl enc -aes-256-cbc -salt -in filename.txt -out filename.enc

Decrypt a file

openssl enc -d -aes-256-cbc -in filename.enc

Both commands derive the key from a passphrase you are prompted for. On OpenSSL 1.1.1 and later, add -pbkdf2 to both the encrypt and the decrypt command so the passphrase is stretched with PBKDF2 instead of the weak legacy key derivation.

Check Using OpenSSL

Besides generating and converting keys and certificates, you can use OpenSSL to inspect them. Here are a few examples.

Check a CSR (Certificate Signing Request)

openssl req -text -noout -verify -in CSR.csr

Check a private key

openssl rsa -in privateKey.key -check

Check a certificate

openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file with extension .pfx or .p12

openssl pkcs12 -info -in keyStore.p12

Test the SSL certificate of a particular URL (and show the full chain the server sends)

openssl s_client -connect yoururl.com:443 -showcerts

Check the Certificate Signer Authority

openssl x509 -in certfile.pem -noout -issuer -issuer_hash

Check PEM File Certificate Expiration Date

openssl x509 -noout -in certificate.pem -dates

Check OpenSSL version

openssl version

Check Certificate Expiration Date of SSL URL

openssl s_client -connect secureurl.com:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate

Check whether a particular cipher is accepted by a server

openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443

Debugging Using OpenSSL

Often you will run into errors such as the private key not matching the certificate. In such situations, the following commands will be helpful.

Check the MD5 hash of the public key modulus to confirm that a certificate, a private key and a CSR belong together: all three hashes must be identical. This works for RSA keys only, since EC keys have no modulus.

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
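As an added example (not part of the original post), this POSIX shell script turns the key-matching check above and the expiry check from the previous section into reusable functions: it compares SHA-256 fingerprints of the public keys in a certificate, key and CSR, which works for EC keys as well as RSA, and uses -checkend to flag a certificate that expires within N days. It assumes the openssl binary is on PATH and builds its own throwaway key material, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a certificate, a
# private key and a CSR carry the same public key, and flags certificates that
# expire soon. SHA-256 over the DER-encoded public key works for RSA and EC
# keys alike, whereas the -modulus trick above is RSA-only. Assumes openssl
# is on PATH.
set -eu

# Print the SHA-256 fingerprint of the public key in a cert, key or CSR.
pubkey_fp() {  # args: cert|key|csr  file
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
    key)  pem=$(openssl pkey -in "$2" -pubout) ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey) ;;
    *)    echo "unknown kind: $1" >&2; return 2 ;;
  esac
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when cert, key and CSR share one public key, 1 otherwise.
check_match() {  # args: cert key csr
  c=$(pubkey_fp cert "$1"); k=$(pubkey_fp key "$2"); r=$(pubkey_fp csr "$3")
  printf 'cert %s\nkey  %s\ncsr  %s\n' "$c" "$k" "$r"
  [ "$c" = "$k" ] && [ "$k" = "$r" ]
}

# Exit 0 if the certificate stays valid for at least N more days, 1 if not.
valid_for_days() {  # args: cert days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed fixtures: a throwaway key, CSR and 2-day self-signed cert, plus
# a second key that must be reported as a mismatch. Prints the directory.
make_fixtures() {
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=example.test \
    -keyout "$d/good.key" -out "$d/good.csr" 2>/dev/null
  openssl x509 -req -in "$d/good.csr" -signkey "$d/good.key" -days 2 \
    -out "$d/good.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/other.key" 2>/dev/null
  echo "$d"
}

dir=$(make_fixtures)
check_match "$dir/good.crt" "$dir/good.key" "$dir/good.csr" && echo "key matches"
check_match "$dir/good.crt" "$dir/other.key" "$dir/good.csr" || echo "MISMATCH"
valid_for_days "$dir/good.crt" 30 || echo "expires within 30 days"
```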

Check an SSL connection.

openssl s_client -connect www.paypal.com:443

Benchmark using OpenSSL

OpenSSL also has commands for benchmarking. You can measure the crypto throughput of the local system and the time it takes to complete connections to a remote server.

Benchmark your system’s performance

openssl speed

Benchmark remote connections

openssl s_time -connect remote.host:443

Convert Operations using OpenSSL

To convert the SSL certificates or keys from one format to another, you could utilize the following commands. You can change the format from one to another to make the certificates compatible with the server.

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

The list of all available OpenSSL commands

If you don’t know them, the openssl binary itself can tell you every command it supports: give it an invalid command name and it prints the full list in its error message. For example, you could use this command.

$ openssl help

It will display the list of available commands like this

$ openssl help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dh
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
gendh             gendsa            genpkey           genrsa
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              req
rsa               rsautl            s_client          s_server
s_time            sess_id           smime             speed
spkac             ts                verify            version

Message Digest commands (see the `dgst' command for more details)
md2               md4               md5               rmd160
sha               sha1

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       base64            bf
bf-cbc            bf-cfb            bf-ecb            bf-ofb
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb
des               des-cbc           des-cfb           des-ecb
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb
des-ofb           des3              desx              idea
idea-cbc          idea-cfb          idea-ecb          idea-ofb
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          zlib

That lists every command recognized by your build of OpenSSL. Likewise, passing an unknown option to a command makes it print that command’s options, like this.

$ openssl dgst -h
unknown option '-h'
options are
-c              to output the digest with separating colons
-r              to output the digest in coreutils format
-d              to output debug info
-hex            output as hex dump
-binary         output in binary form
-sign   file    sign digest using private key in file
-verify file    verify a signature using public key in file
-prverify file  verify a signature using private key in file
-keyform arg    key file format (PEM or ENGINE)
-out filename   output to filename rather than stdout
-signature file signature to verify
-sigopt nm:v    signature parameter
-hmac key       create hashed MAC with key
-mac algorithm  create MAC (not neccessarily HMAC)
-macopt nm:v    MAC algorithm parameters or key
-engine e       use engine e, possibly a hardware device.
-md4            to use the md4 message digest algorithm
-md5            to use the md5 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm
-sha            to use the sha message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-whirlpool      to use the whirlpool message digest algorithm

Now you know a bunch of useful OpenSSL commands. Go and try them yourself.
