Exclusive Offer view
10%
Discount
on first purchase
valid for all products
PrimeSSL Buy Now
Standard Certificate @ $5.99
Wildcard Certificate @ $26.00
Home OpenSSL Commands – Simplify SSL/TLS and S/MIME Certificate Management

OpenSSL Commands – Simplify SSL/TLS and S/MIME Certificate Management

By Nikita Gupta

The Set of Common OpenSSL Commands for Key Generation, CSR Creation, and Creating Private Keys

OpenSSL is a popular open-source toolkit that enables users to implement SSL/TLS protocols for their websites. Whether you need to create a digital certificate, check your SSL configuration, or convert certificate formats, OpenSSL offers important tools for securing communications.

This guide provides essential information about commonly used OpenSSL commands including CSR generation and certificate management guidance.

The most common OpenSSL commands

OpenSSL provides a variety of commands for generating keys like creating certificate signing requests (CSRs), verifying certificates, and managing SSL/TLS security. Below are some of the most frequently used OpenSSL commands:

Command 1: Generate a hash of a file

When verifying file integrity, generating a hash assures that the file has not been tampered with. This is commonly used for verifying software downloads or ensuring data consistency.

openssl dgst -sha256 file.txt

Command 2: Generate a random AES-256 key

For symmetric encryption, you need a strong key. This command generates a secure, random key that can be used for encrypting files or data securely.

openssl rand -hex 32

Command 3: Generating a self-signed certificate

Self-signed certificates are useful for internal testing and secure local communication. They allow encryption without requiring a Certificate Authority (CA).

openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out certificate.pem -days 365

Command 4 : Generate a self-signed certificate with a password-protected private key

To enhance security, protect your private key with a password. It works as an additional layer of security in case the key is exposed.

openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem -days 365 -passout pass:mysecretpassword

Replace “mysecretpassword” with your own password

Command 5 : Generate a self-signed certificate with a custom subject

If you want to include specific subject details in your certificate such as company name and location, then you can specify them directly in the command.

openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem -days 365 -subj "/C=IN/ST=Delhi/L=Delhi/O=IOPSHub/CN=iopshub.com"

Command 6 : Generate a self-signed certificate with SAN extensions

Note: Make sure that OpenSSL is properly configured to support SAN extensions. If not, you may need to use an external configuration file to include these extensions.
openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem -days 365 -subj "/CN=iopshub.com" -reqexts SAN -config <(printf "[req]\ndistinguished_name=dn\n[SAN]\nsubjectAltName=DNS:iopshub.com,DNS:www.iopshub.com\n[dn]\nCN=iopshub.com")

Command 7 : Generate a new private key

To generate a standalone private key, which is the foundation of any certificate setup, use the following command.

openssl genpkey -algorithm RSA -out private_key.pem -aes256

Command 8 : Extract the public key from a certificate

To extract the public key from a given certificate, which can be useful for verification or encryption purposes, use:

openssl x509 -in certificate.pem -pubkey -noout > public_key.pem

Command 9 : Encrypt a file using AES-256 CBC

security

Security Tip:

Avoid passing the password directly in the command to prevent exposure. Instead, you can use an environment variable or an interactive prompt for better security.

openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

Command 10 : Decrypt a file encrypted with AES-256 CBC

To decrypt a file that was encrypted using AES-256 CBC, use the following command.

openssl enc -aes-256-cbc -d -in file.enc -out file.txt

How to Check Your OpenSSL Version?

Before exploring advanced commands, you must determine what version of OpenSSL you are working with. This confirms compatibility and helps you identify potential security vulnerabilities. Use the following command:

openssl version -a

This command displays detailed information about your OpenSSL installation, including build date and platform.

Generating a CSR with OpenSSL

A Certificate Signing Request (CSR) is a key step when obtaining an SSL certificate. This section covers the steps for generating and managing a CSR.

Step 1: Choosing the Right Key Generation Method

When you are generating a key, you need to consider three important factors: the algorithm, the key size and whether a passphrase should be used or not.   The RSA algorithm is widely used due to its compatibility with ECDSA (Elliptic Curve Digital Signature Algorithm) and can be an option for specific use cases.

A key size of at least 2048 bits is suggested for RSA and 256 bits for ECDSA. Additionally, using a passphrase encrypts the private key and provides extra protection but requires careful management. Selecting the correct combination of these factors results in a secure and reliable SSL/TLS setup.

Step 2: Generating a Secure Private Key

For RSA (Recommended for Compatibility)

To generate an RSA private key, use:

openssl genpkey -algorithm RSA -out private_key.pem -keyopt rsa_keygen_bits:2048

To generate an RSA key with passphrase encryption (AES-256):

openssl genpkey -algorithm RSA -aes256 -out private_key.pem -keyopt rsa_keygen_bits:2048

For ECDSA (Stronger Security, Shorter Key Length)

To generate an ECDSA private key using the prime256v1 curve:

openssl ecparam -genkey -name prime256v1 -out ecdsa_private_key.pem

Step 3: Getting Your Public Key

Once the private key is generated, you can extract public key using:

For RSA

openssl rsa -in private_key.pem -pubout -out public_key.pem

For ECDSA

openssl ec -in ecdsa_private_key.pem -pubout -out ecdsa_public_key.pem

Step 4: Initiating the CSR Creation Process

Once you have the private key, create a CSR by running:

For RSA

openssl req -new -key private_key.pem -out csr.pem

For ECDSA

openssl req -new -key ecdsa_private_key.pem -out ecdsa_csr.pem

You will need to enter specific details like Country (C), State (ST), Organization (O), and Common Name (CN – your domain name).

Method 1 : Configuring with the -subj Command

To create a CSR without being prompted for details, use the -subj flag:

openssl req -new -key private_key.pem -out csr.pem -subj "/C=US/ST=California/L=San Francisco/O=MyCompany/OU=IT/CN=example.com"

Method 2 : Create Your CSR in One Simple Command

You can generate a private key and CSR in one step:

For RSA

openssl req -new -newkey rsa:2048 -nodes -keyout private_key.pem -out csr.pem

For ECDSA

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout ecdsa_private_key.pem -out ecdsa_csr.pem

Step 5 : Confirming CSR Data

To check the contents of a CSR before submitting it to a Certificate Authority (CA), run:

openssl req -in csr.pem -noout -text

Step 6 : Submitting the CSR to the Certificate Authority

After generating and verifying your CSR, you need to send it to your chosen CA to obtain an SSL certificate. When submitting the CSR, check whether your CA supports the key algorithm that you used (RSA or ECDSA) to avoid compatibility issues during certificate issuance.

security

Reminder:

Keep your private key secure and do not share it with anyone, including the CA.

To view the raw CSR output, use the command given below.

cat yourdomain.csr

Now, you can copy the entire output, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, and paste it into the CA’s order form.

Also Read: step-by-step guide on creating a Certificate Signing Request (CSR) key.

Viewing and Managing Certificates using OpenSSL Command Lines

Once you receive your SSL certificate, you may need to check its details or verify its validity. This confirms that the certificate was issued correctly and matches the private key. Regular validation helps prevent issues when installing or renewing the certificate. You can also verify the expiry date and confirm that the certificate chain is intact to avoid trust errors.

Step 1: Reviewing Certificate Data

When you get your certificate from the CA, it’s important to verify that the certificate details are correct and match your private key. To display detailed information about a certificate, use:

openssl x509 -text -in yourdomain.crt -noout

To verify the certificate chain and check if it is properly linked to a trusted CA, run the following code:

openssl verify -CAfile ca_bundle.crt certificate.crt

Step 2: Validating Your Key Pair

Making sure that a private key matches a certificate is crucial. To confirm that the public key and private key are paired, you have to extract the public key from each file i.e. certificate file and private key file and compute its hash.

The private key and certificate file should have the same public key and produce an identical hash value. If the outputs match, the private key will align with the associated certificate.

openssl rsa -noout -modulus -in private_key.pem | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5

To verify that the CSR also matches the private key, run:

openssl verify -CAfile ca_bundle.crt certificate.crt

If there is a mismatch, the keys do not correspond, and the certificate cannot be installed. Key mismatch errors usually occur when a certificate is installed on a different machine than the one where the CSR was generated. If you’re unsure where your private key is stored, refer to this article on finding the private key for an SSL certificate.

To resolve a key mismatch error, you can:

  1. Transfer the private key from the original machine (where the CSR was generated) to the one where you’re installing the certificate.
  2. Install the certificate on the machine that holds the private key.
  3. Generate a new key and create a new CSR on the machine where the certificate will be used.

OpenSSL Commands to Convert SSL Certificate Formats

Different applications require SSL certificates in various formats. OpenSSL allows you to convert certificates as needed.

  1. Convert PEM to DER

    • If you want to convert a PEM-encoded certificate into a DER-encoded certificate, then: 
      openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der
    • If you want to convert a PEM-encoded private key into a DER-encoded private key, then: 
      openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der

  2. Convert DER to PEM

    • If you want to convert a DER-encoded certificate into a PEM-encoded certificate, then: 
      openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt
    • If you want to convert a DER-encoded private key into a PEM-encoded private key, then: 
      openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key

  3. Convert PFX to PEM

    By default, the PFX format has the certificate and the private key together. Hence, two separate commands need to be used to convert the PFX file to a PEM file.

    • The below command extracts the private key from the .pfx file and converts it to a PEM private key. 
      openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes
    • The below command extracts the certificate file from the .pfx file and converts it to a PEM certificate file. 
      openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt

Final words

OpenSSL is an important toolkit for managing SSL/TLS encryption. It offers a wide range of commands for key generation, CSR creation, certificate management, and encryption. Whether you’re securing web servers or verifying certificate authenticity, knowing these commands will help you streamline security processes. For those looking to enhance security, it’s important to buy SSL certificates from trusted providers. Using the best security practices such as strong keys, checking certificate information, and updating OpenSSL will protect your system effectively from threats. To explore OpenSSL further, you can refer to the official OpenSSL documentation or check out the OpenSSL GitHub repository for source code and updates. Learning how to use OpenSSL enhances both your security skills and makes SSL/TLS management simpler across your systems.

Save up to 85% + 10% OFF
About the Author
Nikita Gupta

Nikita Gupta

Nikita Gupta is a seasoned professional with a master's degree in Computer Applications. She brings over 10 years of profound experience to the realm of technology. Her exceptional expertise spans software security, data security, and mastery in SSL/TLS. When it comes to cutting-edge solutions for securing digital assets, Nikita is a dedicated pro.

Trusted by Millions

SSL2BUY delivers highly trusted security products from globally reputed top 5 Certificate Authorities. The digital certificates available in our store are trusted by millions – eCommerce, Enterprise, Government, Inc. 500, and more.
PayPal
Verizon
2Checkout
Lenovo
Forbes
Walmart
Dribbble
cPanel
Toyota
Pearson
The Guardian
SpaceX