OpenSSL Commands Cheatsheet

Searchable openssl subcommand reference for certs, keys, digests and TLS testing

OpenSSL CLI cheatsheet covering req, x509, s_client, genrsa/genpkey, rsa, pkcs12, dgst and enc subcommands — each with a ready-to-run example for generating keys, CSRs, certificates and testing TLS endpoints. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How do I generate a private key and CSR with openssl?

Generate a key with openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem, then create a CSR with openssl req -new -key key.pem -out req.csr and answer the prompts (or pass -subj to fill them inline). Send the CSR to your certificate authority; keep key.pem secret.

OpenSSL is the Swiss-army knife for TLS and cryptography on the command line: generating keys, creating certificate signing requests, inspecting and converting certificates, computing digests, encrypting files and probing live TLS servers. This cheatsheet collects the subcommands you reach for most, each with a runnable example.

Subcommand map

SubcommandPurpose
genpkeyGenerate a private key (RSA, EC, Ed25519, …) — modern replacement for genrsa
genrsaGenerate an RSA private key (older command, still widely used)
reqCreate a CSR or self-signed certificate; inspect a CSR
x509Read, sign, convert, and display certificates
s_clientOpen a TLS connection to a server; inspect its certificate chain
verifyVerify a certificate against a CA bundle
dgstCompute hashes (SHA-256, SHA-512, …) and HMAC/RSA signatures
encSymmetric encryption and decryption (AES, etc.)
pkcs12Bundle/unbundle keys and certs into .p12/.pfx files
pkcs8Convert private keys between PKCS#1 and PKCS#8 format
rsaInspect and convert RSA keys
ecInspect and convert EC keys
randGenerate random bytes
ciphersList TLS cipher suites available in your OpenSSL build

Common recipes

# Generate a 2048-bit RSA key (modern command)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem

# Create a CSR from an existing key
openssl req -new -key key.pem -out req.csr \
  -subj "/C=US/ST=Oregon/L=Portland/O=Acme/CN=example.com"

# Key + self-signed cert in one step (10 years)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
  -days 3650 -nodes -subj "/CN=example.com"

# Show certificate details, subject, issuer, SAN, and validity dates
openssl x509 -in cert.pem -noout -text

# Show only validity dates
openssl x509 -in cert.pem -noout -dates

# Fingerprint (SHA-256)
openssl x509 -in cert.pem -noout -fingerprint -sha256

# Test a live TLS endpoint and see the full chain
openssl s_client -connect example.com:443 -servername example.com

# Check what protocol and cipher were negotiated
openssl s_client -connect example.com:443 -servername example.com 2>&1 \
  | grep -E "Protocol|Cipher"

# Compute SHA-256 hash of a file
openssl dgst -sha256 file.tar.gz

# Export key + cert to PKCS#12
openssl pkcs12 -export -in cert.pem -inkey key.pem -out bundle.p12

# Inspect a PKCS#12 bundle
openssl pkcs12 -in bundle.p12 -nokeys -clcerts

Notes and tips

-nodes (no DES) leaves the private key unencrypted — convenient for servers but keep the file permissions tight (chmod 600 key.pem). Use -subj "/CN=…" to fill CSR fields non-interactively in scripts. PEM is the Base64 -----BEGIN----- format; add -inform DER/-outform DER to work with binary DER files.

When testing TLS, always pass -servername so SNI selects the right certificate on shared hosting — omitting it on a shared IP returns the default certificate, not necessarily the one you want to inspect.

Prefer genpkey over the older genrsa for new keys. It supports RSA, EC (-pkeyopt ec_paramgen_curve:P-256), and Ed25519 with a consistent flag set, while genrsa is RSA-only.

For checking whether a certificate and key match, compare their public-key moduli:

openssl x509 -noout -modulus -in cert.pem | openssl dgst -sha256
openssl rsa  -noout -modulus -in key.pem  | openssl dgst -sha256
# identical hashes = they match