OpenSSL is the Swiss-army knife for TLS and cryptography on the command line: generating keys, creating certificate signing requests, inspecting and converting certificates, computing digests, encrypting files and probing live TLS servers. This cheatsheet collects the subcommands you reach for most, each with a runnable example.
Subcommand map
| Subcommand | Purpose |
|---|---|
genpkey | Generate a private key (RSA, EC, Ed25519, …) — modern replacement for genrsa |
genrsa | Generate an RSA private key (older command, still widely used) |
req | Create a CSR or self-signed certificate; inspect a CSR |
x509 | Read, sign, convert, and display certificates |
s_client | Open a TLS connection to a server; inspect its certificate chain |
verify | Verify a certificate against a CA bundle |
dgst | Compute hashes (SHA-256, SHA-512, …) and HMAC/RSA signatures |
enc | Symmetric encryption and decryption (AES, etc.) |
pkcs12 | Bundle/unbundle keys and certs into .p12/.pfx files |
pkcs8 | Convert private keys between PKCS#1 and PKCS#8 format |
rsa | Inspect and convert RSA keys |
ec | Inspect and convert EC keys |
rand | Generate random bytes |
ciphers | List TLS cipher suites available in your OpenSSL build |
Common recipes
# Generate a 2048-bit RSA key (modern command)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem
# Create a CSR from an existing key
openssl req -new -key key.pem -out req.csr \
-subj "/C=US/ST=Oregon/L=Portland/O=Acme/CN=example.com"
# Key + self-signed cert in one step (10 years)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
-days 3650 -nodes -subj "/CN=example.com"
# Show certificate details, subject, issuer, SAN, and validity dates
openssl x509 -in cert.pem -noout -text
# Show only validity dates
openssl x509 -in cert.pem -noout -dates
# Fingerprint (SHA-256)
openssl x509 -in cert.pem -noout -fingerprint -sha256
# Test a live TLS endpoint and see the full chain
openssl s_client -connect example.com:443 -servername example.com
# Check what protocol and cipher were negotiated
openssl s_client -connect example.com:443 -servername example.com 2>&1 \
| grep -E "Protocol|Cipher"
# Compute SHA-256 hash of a file
openssl dgst -sha256 file.tar.gz
# Export key + cert to PKCS#12
openssl pkcs12 -export -in cert.pem -inkey key.pem -out bundle.p12
# Inspect a PKCS#12 bundle
openssl pkcs12 -in bundle.p12 -nokeys -clcerts
Notes and tips
-nodes (no DES) leaves the private key unencrypted — convenient for servers but
keep the file permissions tight (chmod 600 key.pem). Use -subj "/CN=…" to
fill CSR fields non-interactively in scripts. PEM is the Base64 -----BEGIN-----
format; add -inform DER/-outform DER to work with binary DER files.
When testing TLS, always pass -servername so SNI selects the right certificate
on shared hosting — omitting it on a shared IP returns the default certificate,
not necessarily the one you want to inspect.
Prefer genpkey over the older genrsa for new keys. It supports RSA, EC
(-pkeyopt ec_paramgen_curve:P-256), and Ed25519 with a consistent flag set,
while genrsa is RSA-only.
For checking whether a certificate and key match, compare their public-key moduli:
openssl x509 -noout -modulus -in cert.pem | openssl dgst -sha256
openssl rsa -noout -modulus -in key.pem | openssl dgst -sha256
# identical hashes = they match