OpenSSL is an open-source implementation of the SSL/TLS protocols and a general-purpose cryptography toolkit. Its command-line tool runs on almost all platforms, including Windows, macOS, and Linux, and is commonly used to generate the CSR needed to install a certificate on a server. This article lists some of the most popular and widely used OpenSSL commands; the one you are looking for is probably among them.
What are OpenSSL Commands?
OpenSSL commands are functions provided by OpenSSL to perform various operations such as generating and managing cryptographic keys and certificates and performing encryption and decryption operations.
These commands make it extremely easy to work with your certificates. If you are familiar with the basics of the terminal, you can easily understand the OpenSSL commands and their usage.
Common OpenSSL Commands
Here are some everyday OpenSSL commands for tasks such as generating a CSR or a private key.
Generate new private key and CSR (Certificate Signing Request)
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generate self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
This generates a self-signed SSL certificate valid for one year. A 2048-bit RSA key with a SHA-256 signature is a secure, widely supported choice for a certificate.
Generate a CSR for an existing private key in the server
openssl req -out CSR.csr -key privateKey.key -new
Generate a CSR for an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Generate an RSA key
openssl genrsa
Generate an RSA Private key
openssl genrsa -out private.key 2048
Generate a DSA key
openssl dsaparam -noout -out dsakey.pem -genkey 1024
Remove a passphrase from private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Connect to a web server using SNI
openssl s_client -connect www.massivehost.com:443 -servername www.myhost.com
Base64-encode
openssl enc -base64 -in filename.txt
Encrypt a file
openssl enc -aes-256-cbc -salt -in filename.txt -out filename.enc
Decrypt a file
openssl enc -d -aes-256-cbc -in filename.enc
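The encrypt and decrypt commands above rely on the legacy key derivation that openssl enc applies when no -pbkdf2 flag is given (a single hash pass over the passphrase, cheap to brute-force). The script below is an added example, not part of the original article, showing the same round trip with PBKDF2, a random salt, and the passphrase read from a file rather than typed on the command line. The file names and the sample passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: AES-256-CBC encryption and decryption with openssl enc,
# using PBKDF2 key derivation (OpenSSL 1.1.1+) instead of the legacy default.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PLAIN="$WORK/filename.txt"
ENC="$WORK/filename.enc"
PASSFILE="$WORK/passphrase"

# Constructed sample plaintext and passphrase (demo values only).
printf 'quarterly report draft - do not distribute\n' > "$PLAIN"
printf 'demo-passphrase-change-me\n' > "$PASSFILE"
chmod 600 "$PASSFILE"

# encrypt_file IN OUT PASSFILE
# -salt   : random salt, so the same passphrase gives a different key per file
# -pbkdf2 : derive the key with PBKDF2 instead of one MD5 pass over the passphrase
# -iter   : PBKDF2 iteration count
# -pass file: reads the passphrase from a file, so it is not visible in
#             `ps` output or shell history the way -pass pass:... would be
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
    -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file IN OUT PASSFILE: same parameters, plus -d
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
    -pass "file:$3" -in "$1" -out "$2"
}

# has_salt_header FILE -> 0 when the ciphertext starts with the "Salted__"
# magic that -salt writes, followed by the 8-byte salt.
has_salt_header() {
  [ "$(head -c 8 "$1")" = "Salted__" ]
}

# roundtrip -> prints "ok" when decrypting the ciphertext restores the plaintext.
roundtrip() {
  encrypt_file "$PLAIN" "$ENC" "$PASSFILE"
  decrypt_file "$ENC" "$WORK/decrypted.txt" "$PASSFILE"
  cmp -s "$PLAIN" "$WORK/decrypted.txt" && echo ok
}

roundtrip
```

Keep in mind that openssl enc provides confidentiality only: CBC mode carries no integrity check, and the enc utility does not support AEAD modes such as GCM, so a modified ciphertext is not detected at decryption time. For files that must also be tamper-evident, sign them separately (for example with openssl dgst -sign) or use a tool built around authenticated encryption.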
Check Using OpenSSL
Besides generating or modifying keys and certificates, you can use OpenSSL commands simply to inspect them. Here are a few examples.
Check a CSR (Certificate Signing Request)
openssl req -text -noout -verify -in CSR.csr
Check a private key
openssl rsa -in privateKey.key -check
Check a certificate
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file with extension .pfx or .p12
openssl pkcs12 -info -in keyStore.p12
Test the SSL certificate of a particular URL
openssl s_client -connect yoururl.com:443 -showcerts
Check the Certificate Signer Authority
openssl x509 -in certfile.pem -noout -issuer -issuer_hash
Check PEM File Certificate Expiration Date
openssl x509 -noout -in certificate.pem -dates
Check OpenSSL version
openssl version
Check Certificate Expiration Date of SSL URL
openssl s_client -connect secureurl.com:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate
Check whether a particular cipher is accepted by a server
openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443
Check the hash value of a certificate
openssl x509 -noout -hash -in bestflare.pem
Check the contents of a PKCS#12 certificate file
openssl pkcs12 -info -nodes -in cert.p12
Debug Using OpenSSL
Often you will run into errors such as the private key not matching the certificate. In such situations, the following commands are helpful.
Compare the MD5 hash of the modulus to confirm that a certificate, CSR and private key belong together
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
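The script below is an added example, not part of the original article, that ties the generation commands from the first section to the key-matching check just shown. It creates a private key, a CSR and a self-signed certificate non-interactively (the -subj flag answers the prompts), then confirms that all three carry the same public key, once with the article's MD5-of-modulus comparison and once by hashing the full public key with SHA-256, which also works for non-RSA keys. It also uses x509 -checkend to ask whether the certificate is about to expire. The name example.test, the file names and the second "stray" key are constructed for the demo.

```shell
#!/bin/sh
# Added example: generate key, CSR and self-signed certificate, then verify
# that they belong together and check the remaining validity period.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# New key + CSR in one step. -nodes leaves the key unencrypted on disk,
# so restrict it with file permissions instead.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=example.test" \
  -keyout "$WORK/privateKey.key" -out "$WORK/CSR.csr" 2>/dev/null
chmod 600 "$WORK/privateKey.key"

# Self-signed certificate for the existing key, valid 365 days.
openssl req -x509 -sha256 -days 365 -key "$WORK/privateKey.key" \
  -subj "/CN=example.test" -out "$WORK/certificate.crt" 2>/dev/null

# An unrelated key (constructed for the demo) to show what a mismatch looks like.
openssl genrsa -out "$WORK/stray.key" 2048 2>/dev/null

# pubkey_digest KIND FILE -> SHA-256 of the public key in a key, cert or CSR.
# Hashing the whole SubjectPublicKeyInfo works for RSA and EC keys alike.
pubkey_digest() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT -> 0 if both carry the same public key, else 1
key_matches_cert() {
  [ "$(pubkey_digest key "$1")" = "$(pubkey_digest cert "$2")" ]
}

# csr_matches_key CSR KEY -> 0 if both carry the same public key, else 1
csr_matches_key() {
  [ "$(pubkey_digest csr "$1")" = "$(pubkey_digest key "$2")" ]
}

# modulus_md5 SUBCOMMAND FILE -> the article's check (RSA only).
# SUBCOMMAND is x509 for a certificate, rsa for a key, req for a CSR.
modulus_md5() {
  openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# still_valid_for CERT SECONDS -> 0 if the certificate does not expire within
# SECONDS, 1 if it does (x509 -checkend exits non-zero on impending expiry).
still_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

if key_matches_cert "$WORK/privateKey.key" "$WORK/certificate.crt"; then
  echo "key and certificate match"
fi
if ! key_matches_cert "$WORK/stray.key" "$WORK/certificate.crt"; then
  echo "stray key does not match the certificate"
fi
still_valid_for "$WORK/certificate.crt" 2592000 && echo "valid for at least 30 days"
```

The -checkend test is what a monitoring job would run against deployed certificates: feed it the number of seconds of warning you want, and alert when the exit status is non-zero.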
Check an SSL connection
openssl s_client -connect www.paypal.com:443
Benchmark using OpenSSL
OpenSSL also provides benchmarking commands: one measures the speed of cryptographic operations on your own system, the other the rate at which a remote server accepts connections.
Benchmark my system’s performance
openssl speed
Benchmark remote connections
openssl s_time -connect remote.host:443
Convert Operations using OpenSSL
To convert certificates or keys from one format to another, use the following commands. Servers differ in which formats they accept, so conversion is often needed before installation.
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
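As an added example, not part of the original article, the script below runs the conversions from this section as a round trip (PEM to DER and back, then key and certificate into a PKCS#12 bundle and out again, using the -nokeys and -nocerts flags mentioned above) and checks after each step that the certificate's SHA-256 fingerprint is unchanged, which is the quick way to confirm that a converted file still holds the same certificate. The name convert.test, the file names and the export password are constructed for the demo.

```shell
#!/bin/sh
# Added example: certificate format conversions with a fingerprint check
# after each step.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed key + certificate to convert (constructed for the demo).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=convert.test" -keyout "$WORK/privateKey.key" \
  -out "$WORK/certificate.pem" 2>/dev/null

# fingerprint FILE [FORMAT] -> SHA-256 fingerprint of a PEM (default) or DER certificate
fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 |
    awk -F= '{print $2}'
}

pem_to_der() { openssl x509 -in "$1" -outform der -out "$2"; }
der_to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# to_pkcs12 KEY CERT OUT PASSFILE: the export password is read from a file
# (-passout file:) rather than passed on the command line.
to_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "file:$4"
}

# pkcs12_cert P12 OUT PASSFILE: certificates only (-nokeys)
pkcs12_cert() {
  openssl pkcs12 -in "$1" -out "$2" -nokeys -passin "file:$3"
}

# pkcs12_key P12 OUT PASSFILE: private key only (-nocerts), left unencrypted (-nodes)
pkcs12_key() {
  openssl pkcs12 -in "$1" -out "$2" -nocerts -nodes -passin "file:$3"
}

# roundtrip -> prints "ok" when every conversion preserves the certificate
roundtrip() {
  orig=$(fingerprint "$WORK/certificate.pem")
  pem_to_der "$WORK/certificate.pem" "$WORK/certificate.der"
  der_to_pem "$WORK/certificate.der" "$WORK/back.pem"
  printf 'export-password-demo\n' > "$WORK/p12pass"
  chmod 600 "$WORK/p12pass"
  to_pkcs12 "$WORK/privateKey.key" "$WORK/certificate.pem" "$WORK/bundle.pfx" "$WORK/p12pass"
  pkcs12_cert "$WORK/bundle.pfx" "$WORK/fromp12.crt" "$WORK/p12pass"
  pkcs12_key  "$WORK/bundle.pfx" "$WORK/fromp12.key" "$WORK/p12pass"
  [ "$(fingerprint "$WORK/certificate.der" DER)" = "$orig" ] &&
  [ "$(fingerprint "$WORK/back.pem")" = "$orig" ] &&
  [ "$(fingerprint "$WORK/fromp12.crt")" = "$orig" ] &&
  [ -s "$WORK/fromp12.key" ] && echo ok
}

roundtrip
```

The DER file is binary and contains no "BEGIN CERTIFICATE" marker, which is why a PEM-expecting server rejects it; the fingerprint, computed over the DER bytes in both cases, is identical.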
The list of all available OpenSSL commands
The command line itself can list every available OpenSSL subcommand. In the version shown here, the way to get the list is to enter an invalid command, for example:
$ openssl help
It prints the list of available commands like this:
$ openssl help
openssl:Error: 'help' is an invalid command.
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160
sha sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb zlib
That is the complete set of commands recognized by your OpenSSL build. In the same way, you can list the arguments of a subcommand by giving it an invalid option, like this:
$ openssl dgst -h
unknown option '-h'
options are
-c to output the digest with separating colons
-r to output the digest in coreutils format
-d to output debug info
-hex output as hex dump
-binary output in binary form
-sign file sign digest using private key in file
-verify file verify a signature using public key in file
-prverify file verify a signature using private key in file
-keyform arg key file format (PEM or ENGINE)
-out filename output to filename rather than stdout
-signature file signature to verify
-sigopt nm:v signature parameter
-hmac key create hashed MAC with key
-mac algorithm create MAC (not neccessarily HMAC)
-macopt nm:v MAC algorithm parameters or key
-engine e use engine e, possibly a hardware device.
-md4 to use the md4 message digest algorithm
-md5 to use the md5 message digest algorithm
-ripemd160 to use the ripemd160 message digest algorithm
-sha to use the sha message digest algorithm
-sha1 to use the sha1 message digest algorithm
-sha224 to use the sha224 message digest algorithm
-sha256 to use the sha256 message digest algorithm
-sha384 to use the sha384 message digest algorithm
-sha512 to use the sha512 message digest algorithm
-whirlpool to use the whirlpool message digest algorithm
Now you know a good set of useful OpenSSL commands. Go and try them yourself.