JustGeek.dev Tech, simplified.

OpenSSL Commands for Everyday Use

OpenSSL is a powerful open-source toolkit that implements the SSL and TLS protocols. Whether you’re a system administrator, developer, or security professional, these essential OpenSSL commands will help you manage certificates and secure connections effectively.

1. Decoding and Examining Certificates

View Certificate Details

This command decodes a certificate file and displays all its information, including expiry date, issuer, and subject:

openssl x509 -in certificate.crt -text -noout

Check Certificate Expiration Date

If you only need to know when a certificate expires, use:

openssl x509 -in certificate.crt -noout -enddate

Quick Certificate Overview

For a summary of the certificate’s key information:

openssl x509 -in certificate.crt -noout -subject -issuer -dates

2. Verifying Certificate and Key Matching

Check if a Certificate and Private Key Match

Compare the output of these two commands. If the hash values are identical, the private key matches the certificate:

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
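
Added example (not from the original article): a shell wrapper around the two commands above that compares the digests and returns an exit code. It also rejects unparsable input, because when both openssl commands fail each pipeline hashes empty output and the two sums come out identical. The function names, file names and throwaway self-signed fixtures are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. All file names are constructed.

# Print the SHA-256 of the public key held in a certificate or key file.
# Fails instead of hashing empty output when openssl cannot parse the file.
pub_digest() {   # $1 = cert|key, $2 = path
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout -outform pem 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status: 0 = key matches cert, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {   # $1 = certificate, $2 = private key
    c=$(pub_digest cert "$1") || return 2
    k=$(pub_digest key "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed fixtures: a throwaway self-signed pair, an unrelated key, an empty file.
make_fixtures() {   # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.crt" \
        -days 1 -subj "/CN=demo.invalid" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" 2>/dev/null &&
    : > "$1/empty.pem"
}

demo() {
    d=$(mktemp -d) || return 1
    make_fixtures "$d" || { rm -rf "$d"; return 1; }
    for pair in "a.crt a.key" "a.crt b.key" "empty.pem empty.pem"; do
        set -- $pair
        rc=0
        cert_key_match "$d/$1" "$d/$2" || rc=$?
        echo "$1 + $2 -> exit $rc"
    done
    rm -rf "$d"
}
demo
```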

Verify a Private Key

Check that an RSA private key is internally consistent and not corrupted (-noout keeps the key itself from being printed to the terminal):

openssl rsa -in server.key -check -noout

3. Working with Certificate Signing Requests (CSRs)

Create a New CSR with a New Private Key

Generate a new CSR together with a new 2048-bit RSA private key (-nodes leaves the key file unencrypted):

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Verify a CSR

Examine the contents of a CSR to ensure it’s correct:

openssl req -in domain.csr -noout -text

Create a CSR from an Existing Private Key

If you already have a private key and need to create a new CSR:

openssl req -new -key existing.key -out domain.csr

4. Testing SSL/TLS Connections

Check a Remote SSL/TLS Connection

View the certificate chain presented by a server:

openssl s_client -connect example.com:443

Check for Specific SSL/TLS Protocol Support

Test if a server supports TLS 1.2:

openssl s_client -connect example.com:443 -tls1_2

Display the Full Certificate Chain

Show all certificates in the chain including intermediates:

openssl s_client -connect example.com:443 -showcerts

5. Converting Certificate Formats

Convert PEM to DER Format

openssl x509 -in cert.pem -outform der -out cert.der

Convert DER to PEM Format

openssl x509 -in cert.der -inform der -outform pem -out cert.pem

Convert PEM to PKCS#12 (PFX)

Combine certificate and key into a single PKCS#12 file (often used with Windows):

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile ca-chain.crt

6. Creating Self-Signed Certificates

Generate a Self-Signed Certificate

Create a self-signed certificate valid for 365 days:

openssl req -x509 -newkey rsa:2048 -nodes -keyout self-signed.key -out self-signed.crt -days 365

7. Certificate Chain Verification

Verify a Certificate Against a CA Bundle

Check if a certificate is trusted based on a CA bundle:

openssl verify -CAfile ca-bundle.crt certificate.crt

Practical Tips

  • Always back up your private keys before making changes
  • Keep private keys secure and limit access to authorized personnel only
  • Set calendar reminders for certificate expiration dates
  • Consider using automated certificate management tools for larger deployments

OpenSSL is an essential tool for managing SSL/TLS certificates. Bookmark this page for quick reference when working with certificates in your daily operations.