    Useful OpenSSL Commands

    You can use our SSL Certificate Discovery Tool to find and manage all the certificates on your network.


    Generate a Key

    To generate an RSA key, use the genrsa option. The command below generates a 2048-bit RSA key and saves it to a file called key.pem.

    openssl genrsa -out key.pem 2048 

    If you require that your private key file is protected with a passphrase, use the command below.

    openssl genrsa -des3 -out key.pem 2048 

    The file, key.pem, generated in the examples above actually contains both a private and public key. To view the public key you can use the following command:

    openssl rsa -in key.pem -pubout

    Generate a CSR

    If you already have a key, the command below can be used to generate a CSR and save it to a file called req.pem.

    This is an interactive command that will prompt you for fields that make up the subject distinguished name of the CSR.

    openssl req -new -key key.pem -out req.pem

    If you do not have a key, the command below will generate a new private key and an associated CSR. If you wish to protect the private key with a passphrase, remove the -nodes option.

    openssl req -new -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

    View the contents of a CSR

    To view a CSR you can use our online CSR Decoder. However, if you prefer to decode your CSR locally use the command below.

    openssl req -in req.pem -noout -text

    Verify the signature on a CSR

    To verify the signature on a CSR you can use our online CSR Decoder, or you can use the command below.

    openssl req -in req.pem -noout -verify

    Create a self-signed certificate

    To create a self-signed certificate, sign the CSR with its associated private key.

    openssl x509 -req -days 365 -in req.pem -signkey key.pem -out cert.pem

    To create a self-signed certificate with just one command use the command below. This generates a 2048-bit key and associated self-signed certificate with a one year validity period.

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

    If you don't want your private key encrypted with a password, add the -nodes option.

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

    If you do not wish to be prompted for anything, you can supply all the information on the command line.

    openssl req \
        -x509 \
        -newkey rsa:2048 \
        -keyout key.pem \
        -out cert.pem \
        -days 365 \
        -subj "/C=GB/ST=Staffs/L=Stoke/O=RKC/CN=www.domain1.com" \
        -nodes

    View the contents of a certificate

    To view a certificate you can use our online Certificate Decoder. However, if you prefer to decode your certificate locally use the command below.

    openssl x509 -in cert.pem -noout -text


    Convert a certificate from PEM to DER format

    openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER 

    Convert a certificate from DER to PEM format

    openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM 

    Convert a CSR from PEM to DER format

    openssl req -in csr.pem -out csr.der -outform DER

    Convert a CSR from DER to PEM format

    openssl req -in csr.der -inform DER -out csr.pem -outform PEM

    Get the SHA-1 fingerprint of a certificate or CSR

    You can use our CSR and Cert Decoder to get the SHA1 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.

    To get the SHA1 fingerprint of a certificate using OpenSSL, use the command shown below.

    openssl dgst -sha1 certificate.der

    To get the SHA1 fingerprint of a CSR using OpenSSL, use the command shown below.

    openssl dgst -sha1 csr.der

    Get the MD5 fingerprint of a certificate or CSR

    You can use our CSR and Cert Decoder to get the MD5 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.

    To get the MD5 fingerprint of a certificate using OpenSSL, use the command shown below.

    openssl dgst -md5 certificate.der

    To get the MD5 fingerprint of a CSR using OpenSSL, use the command shown below.

    openssl dgst -md5 csr.der
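    The sections above (Generate a Key, Generate a CSR, Create a self-signed certificate, PEM/DER conversion and fingerprinting) chain together into one offline workflow. The script below is an added example, not part of the original article: it runs the whole sequence without prompts and checks that the dgst-over-DER fingerprint equals the value reported by x509 -fingerprint, while hashing the PEM file gives an unrelated digest. The subject DN, file names and working directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: key -> CSR -> self-signed
# certificate -> DER -> SHA-1 fingerprint, non-interactively and offline.
# The subject DN and file names are constructed for this example.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=GB/ST=Staffs/L=Stoke/O=Example/CN=www.example.test"
# 2048-bit RSA key with no passphrase (the article's genrsa -out form).
make_key() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
}
# CSR built without prompts by passing the subject with -subj.
make_csr() {
    openssl req -new -key "$WORK/key.pem" -subj "$SUBJ" -out "$WORK/req.pem" 2>/dev/null
}
# Check the CSR's own signature; prints ok or bad instead of aborting.
verify_csr() {
    if openssl req -in "$WORK/req.pem" -noout -verify >/dev/null 2>&1; then echo ok; else echo bad; fi
}
# Self-sign the CSR with its associated private key (x509 -req -signkey).
make_cert() {
    openssl x509 -req -days 365 -in "$WORK/req.pem" -signkey "$WORK/key.pem" \
        -out "$WORK/cert.pem" 2>/dev/null
}
# Fingerprint the way the article does it: convert to DER, then hash with dgst.
dgst_fingerprint() {
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.der"
    openssl dgst -sha1 "$WORK/cert.der" | awk '{print $NF}'
}
# Same value via x509 -fingerprint, normalised to lowercase hex without colons.
x509_fingerprint() {
    openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}
# Hashing the PEM file instead of the DER gives an unrelated value.
pem_digest() {
    openssl dgst -sha1 "$WORK/cert.pem" | awk '{print $NF}'
}
# Build everything, then report whether the two fingerprint methods agree.
run_all() {
    make_key; make_csr; make_cert
    a="$(dgst_fingerprint)"; b="$(x509_fingerprint)"; c="$(pem_digest)"
    if [ "$a" = "$b" ] && [ "$a" != "$c" ]; then echo match; else echo mismatch; fi
}
```

    Running run_all prints match on a working OpenSSL installation; verify_csr afterwards prints ok for the CSR it generated.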

    Grab a website's SSL certificate

    openssl s_client -connect www.somesite.com:443 > cert.pem

    Now edit the cert.pem file and delete everything except the PEM certificate.

    The command below makes life even easier as it will automatically delete everything except the PEM certificate.

    echo -n | openssl s_client -connect mysite.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.cert

    If the web server has several certificates on one IP address, then you will need to tell OpenSSL which certificate to request using Server Name Indication (SNI). This can be done by adding the -servername argument, which tells OpenSSL to negotiate SNI. The command below shows the previous command modified to use SNI.

    echo -n | openssl s_client -connect mysite.com:443 -servername mysite.com | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.cert
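    The sed range in the commands above prints every PEM block it finds, so when s_client is run with -showcerts the output holds the whole chain rather than just the server's own certificate. The helpers below are an added example, not part of the original article: they apply the article's filter, and a variant that stops after the first block, to a constructed s_client transcript so they run offline. The transcript and its placeholder certificate bodies are constructed; only the BEGIN/END markers are used.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed stand-in for the
# output of `openssl s_client -showcerts -connect host:443 -servername host`;
# the base64 bodies are placeholders, only the PEM markers matter here.
set -eu
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 C = GB, O = Constructed CA
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = GB, O = Constructed CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:C = GB, O = Constructed CA
   i:C = GB, O = Constructed CA
-----BEGIN CERTIFICATE-----
ISSUERPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
'
# The article's filter: every PEM certificate block, in order (leaf first).
all_certs() {
    printf '%s' "$SAMPLE_OUTPUT" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
# Only the first block, i.e. the server's own (leaf) certificate; quits on its END line.
leaf_cert() {
    printf '%s' "$SAMPLE_OUTPUT" \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/{p;/-END CERTIFICATE-/q;}'
}
# Count PEM blocks on stdin by their END markers.
count_certs() {
    grep -c -- '-END CERTIFICATE-'
}
```

    With a real server, replace SAMPLE_OUTPUT with the s_client pipeline from the commands above; the sed filters are unchanged.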

    Run an SSL server

    The OpenSSL s_server command below implements a generic SSL/TLS server. It should be used for test purposes only. The example below listens for connections on port 8080 and returns an HTML formatted status page that includes lots of information about ciphers.

    openssl s_server -key key.pem -cert cert.pem -accept 8080 -www

    Run an SSL server that supports SNI

    The OpenSSL s_server command below implements an SSL/TLS server that supports SNI. It should be used for test purposes only. The command below will listen for connections on port 443 and requires two valid certificates and private keys. When a client connects without indicating a hostname, the domain1 cert is returned, otherwise the cert requested (either domain1.com or domain2.com) is returned.

    sudo openssl s_server -accept 443 -www -servername www.domain1.com -cert domain1.cert.pem -key domain1.key.pem -servername www.domain2.com -cert2 domain2.cert.pem -key2 domain2.key.pem

    Find out what version of OpenSSL you're running

    Use the version command.

    openssl version




    ---
    Feedback and suggestions about this article are appreciated and can
    be emailed to the author Phil Ratcliffe at phil at redkestrel.co.uk
    Last modified: 8th September 2017

    https://redkestrel.co.uk/articles/openssl-commands/
