OpenSSL - useful commands

Last updated on 28 Sep 2023, 10:31:41.
Category: All about SSL certificates | SSL configuration


Openssl commands

How to use OpenSSL?

OpenSSL is the true Swiss Army knife of certificate management, and just like with the real McCoy, you spend more time extracting the nail file when what you really want is the inflatable hacksaw. You'll find an overview of the most commonly used commands below.

Certificate requests and key generation

Typically, when you ordered a new SSL certificate you must generate a CSR or certificate signing request, with a new private key:

openssl req -sha256 -nodes -newkey rsa:2048 -keyout -out

Alternatively, use the Kinamo CSR Generator for easy CSR creation.

Generate a new certificate request using an existing private key:

openssl req -new -sha256 -key -out

Generate a certificate request starting from an existing certificate:

openssl x509 -x509toreq -in -out -signkey

Generate a new RSA private key:

openssl genrsa -out 2048

Encrypt a private key with a passphrase:

openssl rsa -in -out -des3

Remove a passphrase from an encrypted private key:

openssl rsa -in -out

Generate a new ECC private key:

openssl ecparam -out server.key -name prime256v1 -genkey

Create a self-signed certificate

Generate a self-signed certificate for testing purposes with one year validity period, together with a new 2048-bit key:

openssl req -x509 -newkey rsa:2048 -nodes -keyout -out -days 365

View and verify certificates

Check and display a certificate request (CSR):

openssl req -noout -text -verify -in

Verify and display a key pair:

openssl rsa -noout -text -check -in

View a PEM-encoded certificate:

openssl x509 -noout -text -in

View a certificate encoded in PKCS#7 format:

openssl pkcs7 -print_certs -in

View a certificate and key pair encoded in PKCS#12 format:

openssl pkcs12 -info -in

Verify an SSL connection and display all certificates in the chain:

openssl s_client -connect
Control whether a certificate, a certificate request and a private key have the same public key:
openssl x509 -noout -modulus -in | openssl sha256
openssl req -noout -modulus -in | openssl sha256
openssl rsa -noout -modulus -in | openssl sha256

Check a certificate and its intermediate certificate chain for web server purposes:

openssl verify -purpose sslserver -CAfile certificatebundle.pem -verbose

Certificate conversion

Conversion of PKCS#12 ( .pfx .p12, typically used on Microsoft Windows) files with private key and certificate to PEM (typically used on Linux):

openssl pkcs12 -nodes -in -out

Conversion of PEM to PKCS#12:

openssl pkcs12 -export -in -inkey -out

Conversion of PKCS#7 format ( .p7b .p7c ) to PEM:

openssl pkcs7 -print_certs -in -out 

Conversion of PEM format to PKCS#7:

openssl crl2pkcs7 -nocrl -certfile -out

Conversion of DER (.crt .cer or .der) to PEM:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Conversion from PEM to DER format:

openssl x509 -outform der -in certificate.pem -out certificate.cer

Checking SSL Connections

This will output the website's certificate, including any intermediate certificates

openssl s_client -connect

Related articles

Kinamo mail server settings (mail server cheat sheet)

The following article provides the basic settings and server names (domain names) for the Kinamo mail infrastructure. These settings allow...

Read more

Create an automatic SPAM filter in the Kinamo Webmail

This article explains how you may create a filter that will automatically place SPAM messages in a special folder, so...

Read more

Order an SSL certificate? What is an SSL certificate?

You need to order an SSL certificate? But what is an SSL certificate? And why is everyone saying that it...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Select your language

All languages: