Cheat sheet
Inspect certificates, generate keys and CSRs, test TLS, and convert formats.
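# ---- Inspect certificates ----
# Inspect a certificate file (full dump: subject, SANs, extensions, signature)
openssl x509 -in cert.pem -text -noout
# Check expiry date only
openssl x509 -in cert.pem -noout -dates
# Exit non-zero if the cert expires within the next 30 days (2592000 s) —
# prints "Certificate will expire" / "will not expire"; handy in cron/CI checks
openssl x509 -in cert.pem -noout -checkend 2592000
# Check subject and issuer
openssl x509 -in cert.pem -noout -subject -issuer
# Check certificate fingerprint (SHA-256) — compare this one, not MD5/SHA-1
openssl x509 -in cert.pem -noout -fingerprint -sha256
# Inspect a remote server's certificate.
# -servername sends SNI explicitly: older OpenSSL does not send it by default,
# and a multi-tenant host then answers with its default cert, not example.com's.
# NOTE: 2>/dev/null also hides handshake/verify errors — drop it when debugging.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -text
# Check expiry of a remote certificate
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -dates
# Dump every certificate the server sends (leaf + intermediates), not just the leaf
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null \
  | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
# Generate RSA private key (4096-bit)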
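# Generate RSA private key (4096-bit), unencrypted
openssl genrsa -out private.key 4096
# Same, encrypted at rest (prompts for a passphrase) — preferred for long-lived keys
openssl genrsa -aes256 -out private.key 4096
# Generate EC private key (P-256) — modern approach
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ec.key
# An unencrypted key is only as safe as its file mode — do not rely on the
# tool's default, lock it down explicitly
chmod 600 private.key ec.key
# Generate CSR from existing key
openssl req -new -key private.key -out request.csr \
  -subj "/CN=example.com/O=My Org/C=US"
# Generate key + CSR in one step
# (-noenc is the OpenSSL 3.x spelling; on 1.1.x the same flag is -nodes)
openssl req -newkey rsa:4096 -keyout private.key -noenc \
  -out request.csr \
  -subj "/CN=example.com"
# Put the SANs in the CSR: clients match hostnames against SAN, not CN,
# so a CA that only sees a CN cannot issue a usable cert
openssl req -new -key private.key -out request.csr \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
# Inspect a CSR (check subject and requested extensions before submitting it)
openssl req -in request.csr -text -noout
# Check the CSR's self-signature (proves the requester holds the private key)
openssl req -in request.csr -noout -verify
# Self-signed cert (dev/testing)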
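# Self-signed cert (dev/testing). NOTE: a CN-only cert is rejected by modern
# browsers and most TLS libraries (hostname matching uses SAN, not CN) —
# prefer the SAN variant below.
openssl req -x509 -newkey rsa:4096 -keyout key.pem \
  -out cert.pem -sha256 -days 365 -noenc \
  -subj "/CN=localhost"
# Self-signed with SANs (Subject Alternative Names)
openssl req -x509 -newkey rsa:4096 -keyout key.pem \
  -out cert.pem -sha256 -days 365 -noenc \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,DNS:*.local,IP:127.0.0.1"
# Sign a CSR with your own CA.
# Pitfall: `x509 -req` ignores every extension in the CSR (SANs included) unless
# told otherwise, so the cert it issues is unusable for hostname validation.
# Review the CSR first (`openssl req -in request.csr -text -noout`): copying
# extensions copies whatever the requester put there.
openssl x509 -req -in request.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -copy_extensions copy \
  -out cert.pem -days 365 -sha256
# Alternative that also works on OpenSSL 1.1.x and keeps the CA in control of
# the extensions: supply them yourself with -extfile
printf 'subjectAltName=DNS:example.com\nbasicConstraints=CA:FALSE\n' > v3.ext
openssl x509 -req -in request.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile v3.ext \
  -out cert.pem -days 365 -sha256
# Verify cert matches private key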
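# Verify cert matches private key (RSA only — EC/Ed25519 keys have no modulus)
openssl x509 -noout -modulus -in cert.pem | sha256sum
openssl rsa -noout -modulus -in private.key | sha256sum
# (outputs must match)
# Key-type-agnostic version: compare the public keys instead
openssl x509 -in cert.pem -noout -pubkey | sha256sum
openssl pkey -in private.key -pubout | sha256sum
# (outputs must match)
# Verify cert chain. Exit status is 0 only on "OK", so this is script-safe.
openssl verify -CAfile ca.pem cert.pem
# If ca.pem holds only the root, pass the intermediates separately
openssl verify -CAfile ca.pem -untrusted intermediate.pem cert.pem
# Test TLS connection (interactive — type a request or Ctrl-D; read the
# "Verify return code" line, a successful handshake does NOT imply a trusted cert)
openssl s_client -connect example.com:443
# Test with SNI (Server Name Indication)
openssl s_client -connect example.com:443 -servername example.com
# Make verification failures fatal (non-zero exit) and check the hostname too,
# instead of just printing a verify error and carrying on
openssl s_client -connect example.com:443 -servername example.com \
  -verify_return_error -verify_hostname example.com </dev/null
# Test specific TLS version
openssl s_client -tls1_3 -connect example.com:443
# Force a downgrade to check the server still negotiates sanely without 1.3
openssl s_client -no_tls1_3 -connect example.com:443 </dev/null
# Check which cipher was negotiated (prints nothing if the handshake failed)
openssl s_client -connect example.com:443 </dev/null 2>/dev/null \
  | grep "Cipher is"
# PEM → DER (binary)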
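# PEM → DER (binary)
openssl x509 -in cert.pem -outform der -out cert.der
# DER → PEM
openssl x509 -in cert.der -inform der -out cert.pem
# PEM → PKCS#12 (.pfx / .p12). Prompts for an export password — set a real one,
# the bundle carries the private key. ca.pem = intermediate(s) to ship with it.
openssl pkcs12 -export -out cert.pfx \
  -inkey private.key -in cert.pem -certfile ca.pem
# OpenSSL 3 writes AES/PBKDF2-protected bundles; add -legacy if an older
# consumer (old Windows/Java) refuses to import the result.
# PKCS#12 → PEM. The output holds the cert(s) AND the private key, unencrypted
# (-noenc), so don't call it cert.pem and restrict its mode immediately.
openssl pkcs12 -in cert.pfx -out bundle.pem -noenc
chmod 600 bundle.pem
# Extract just the private key
openssl pkcs12 -in cert.pfx -nocerts -noenc -out private.key
chmod 600 private.key
# Extract just the certificate from PKCS#12 (-clcerts leaves out the CA certs)
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
# Check if a .pfx is password-protected (prompts for the import password)
openssl pkcs12 -info -in cert.pfx -noout
# Test for a blank password non-interactively. NOTE: `-passin pass:...` puts
# the secret in argv (visible in `ps` and shell history); for real passwords
# use -passin file:pw.txt or env:VAR instead.
openssl pkcs12 -info -in cert.pfx -noout -passin pass:
# Hash a file (SHA-256)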
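# Hash a file (SHA-256)
openssl dgst -sha256 file.txt
# Same, in coreutils-style "hash *file" form (easier to cut/compare)
openssl dgst -sha256 -r file.txt
# HMAC. The key is passed in argv, so it shows up in `ps` and shell history —
# fine for throwaway keys, not for production secrets.
openssl dgst -sha256 -hmac "secret" file.txt
# Base64 encode (output is wrapped at 64 chars; -A emits one line, which is
# what most config files and APIs expect)
openssl base64 -in file.bin -out file.b64
openssl base64 -A -in file.bin -out file.b64
# Base64 decode. Gotcha: without -A, a single input line longer than 76 chars
# decodes to empty output with no error — use -A for unwrapped input.
openssl base64 -d -in file.b64 -out file.bin
openssl base64 -d -A -in file.b64 -out file.bin
# Generate random bytes (hex): 32 bytes = 256 bits, printed as 64 hex chars
openssl rand -hex 32
# Generate random base64 string (for secrets). Contains '+', '/', '=' —
# use -hex where the value lands in a URL or a shell/config that chokes on them.
openssl rand -base64 32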