Useful OpenSSL Commands
Useful OpenSSL Commands
Useful commands for creating and working with CSRs and certificates
You can use our SSL Certificate Discovery Tool to find and manage all the certificates on your network.
- Generate a key
- Generate a CSR
- View the contents of a CSR
- Verify the signature on a CSR
- Create a self-signed certificate
- View the contents of a certificate
- Convert a certificate from PEM to DER format
- Convert a certificate from DER to PEM format
- Convert a CSR from PEM to DER format
- Convert a CSR from DER to PEM format
- Get the SHA1 fingerprint of a certificate or CSR
- Get the MD5 fingerprint of a certificate or CSR
- Grab a website's SSL certificate
- Run an SSL server
- Run an SSL server that supports SNI
- Find out what version of OpenSSL you're running
Generate a Key
To generate an RSA key, use the genrsa option. The command below generates a 2048 bit RSA key and saves it to a file called key.pem
openssl genrsa -out key.pem 2048
If you require that your private key file is protected with a passphrase, use the command below.
openssl genrsa -des3 -out key.pem 2048
The file, key.pem, generated in the examples above actually contains both a private and public key. To view the public key you can use the following command:
openssl rsa -in key.pem -pubout
Generate a CSR
If you already have a key, the command below can be used to generates a CSR and save it to a file called req.pem
This is an interactive command that will prompt you for fields that make up the subject distinguished name of the CSR.
openssl req -new -key key.pem -out req.pem
If you do not have a key, the command below will generate a new private key and an associated CSR. If you wish to protect the private key with a passphrase, remove the -nodes option.
openssl req -new -newkey rsa:2048 -keyout key.pem -out req.pem -nodes
View the contents of a CSR
To view a CSR you can use our online CSR Decoder. However, if you prefer to decode your CSR locally use the command below.
openssl req -in req.pem -noout -text
Verify the signature on a CSR
To verify the signature on a CSR you can use our online CSR Decoder, or you can use the command below.
openssl req -in req.pem -noout -verify
Create a self-signed certificate
To create a self-signed certificate, sign the CSR with its associated private key
openssl x509 -req -days 365 -in req.pem -signkey key.pem -out cert.pem
To create a self-signed certificate with just one command use the command below. This generates a 2048 bit key and associated self-signed certificate with a one year validity period.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
If you don't want your private key encrypting with a password, add the -nodes option.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
If you do not wish to be prompted for anything, you can supply all the information on the command line.
openssl req \
-x509 \
-newkey rsa:2048 \
-keyout key.pem \
-out cert.pem \
-days 365 \
-subj "/C=GB/ST=Staffs/L=Stoke/O=RKC/CN=www.domain1.com" \
-nodes
View the contents of a certificate
To view a certificate you can use our online Certificate Decoder. However, if you prefer to decode your certificate locally use the command below.
openssl x509 -in cert.pem -noout -text
Convert a certificate from PEM to DER format
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Convert a certificate from DER to PEM format
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
Convert a CSR from PEM to DER format
openssl req -in csr.pem -out csr.der -outform DER
Convert a CSR from DER to PEM format
openssl req -in csr.der -inform DER -out csr.pem -outform PEM
Get the SHA-1 fingerprint of a certificate or CSR
You can use our CSR and Cert Decoder to get the SHA1 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.
To get the SHA1 fingerprint of a certificate using OpenSSL, use the command shown below.
openssl dgst -sha1 certificate.der
To get the SHA1 fingerprint of a CSR using OpenSSL, use the command shown below.
openssl dgst -sha1 csr.der
Get the MD5 fingerprint of a certificate or CSR
You can use our CSR and Cert Decoder to get the MD5 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.
To get the MD5 fingerprint of a certificate using OpenSSL, use the command shown below.
openssl dgst -md5 certificate.der
To get the MD5 fingerprint of a CSR using OpenSSL, use the command shown below.
openssl dgst -md5 csr.der
Grab a website's SSL certificate
openssl s_client -connect www.somesite.com:443 > cert.pem
Now edit the cert.pem file and delete everything except the PEM certificate.
The command below makes life even easier as it will automatically delete everything except the PEM certificate.
echo -n | openssl s_client -connect mysite.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.certIf the webserver has several certificates on one IP address, then you will need to tell OpenSSL which certificate to request using Server Name Indication (SNI). This can be done by adding the -servername argument, which tells OpenSSL to negotiate SNI. The command below shows the previous command modified to use SNI.
echo -n | openssl s_client -connect mysite.com:443 -servername mysite.com | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.certRun an SSL server
The OpenSSL s_server command below implements a generic SSL/TLS server. It should be used for test purposes only. The example below listens for connections on port 8080 and returns an HTML formatted status page that includes lots of information about ciphers.
openssl s_server -key key.pem -cert cert.pem -accept 8080 -www
Run an SSL server that supports SNI
The OpenSSL s_server command below implements an SSL/TLS server that supports SNI. It should be used for test purposes only. The command below will listen for connections on port 443 and requires 2 valid certs and private keys. When a client connects without indicating a hostname, the domain1 cert is returned, otherwise the cert requested (either domain1.com or domain2.com) is returned.
sudo openssl s_server -accept 443 -www -servername www.domain1.com -cert domain1.cert.pem -key domain1.key.pem -servername www.domain2.com -cert2 domain2.cert.pem -key2 domain2.key.pemFind out what version of OpenSSL you're running
Use the version command
openssl version
---
Feedback and suggestions about this article are appreciated and can
be emailed to the author
Phil Ratcliffe at phil at redkestrel.co.uk
Last modified:
8th September 2017
https://redkestrel.co.uk/articles/openssl-commands/
