OpenSSL
OpenSSL operations for certificate management, key generation, and TLS diagnostics.
Certificate Inspection
View full certificate details — subject, SAN, dates, extensions
openssl x509 -in cert.pem -text -nooutQuick summary — subject, issuer, validity dates
openssl x509 -in cert.pem -subject -issuer -dates -nooutSHA-256 fingerprint of certificate
openssl x509 -in cert.pem -fingerprint -sha256 -nooutCheck if cert expires within 30 days — exit code 1 means expiring
openssl x509 -in cert.pem -enddate -noout -checkend 2592000Extract only the SAN extension from certificate
openssl x509 -in cert.pem -noout -ext subjectAltNameChain Verification
Verify full certificate chain
openssl verify -CAfile ca.pem -untrusted intermediate.pem cert.pemTLS Connection Testing
Test TLS connection with SNI
openssl s_client -connect host:443 -servername host </dev/nullDump full certificate chain from server
openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/nullTest STARTTLS for SMTP/IMAP/FTP protocols
openssl s_client -connect host:443 -starttls smtp </dev/nullTest LDAPS connection against custom CA
openssl s_client -connect host:636 -CAfile ca.pem </dev/nullOne-liner: check remote cert expiry dates
echo | openssl s_client -connect host:443 2>/dev/null | openssl x509 -noout -datesKey Generation
Generate 4096-bit RSA private key
openssl genrsa -out key.pem 4096Generate Ed25519 private key
openssl genpkey -algorithm ed25519 -out key.pemGenerate P-256 ECDSA private key
openssl ecparam -genkey -name prime256v1 -noout -out key.pemCSR and Signing
Generate CSR with subject on command line
openssl req -new -key key.pem -out req.csr -subj "/CN=host.domain"Generate CSR with SAN from config file
openssl req -new -key key.pem -out req.csr -config san.cnfCreate self-signed CA certificate
openssl req -new -x509 -nodes -days 3650 -keyout ca.key -out ca.pem -subj "/CN=My CA"Sign CSR with CA — issue certificate
openssl x509 -req -in req.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cert.pem -days 365Key Management
Verify RSA private key integrity
openssl rsa -in key.pem -check -nooutRemove passphrase from encrypted private key
openssl rsa -in enc.key -out dec.keyFormat Conversion
Create PKCS12 with cert + key + CA chain
openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem -out bundle.p12Extract everything from PKCS12
openssl pkcs12 -in bundle.p12 -out all.pem -nodesConvert PEM to DER format
openssl x509 -in cert.pem -outform DER -out cert.derConvert DER to PEM format
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pemHashing and Random
SHA-256 hash of file
openssl dgst -sha256 fileGenerate 32-byte random hex string
openssl rand -hex 32Generate 24-byte random base64 string
openssl rand -base64 24Encryption
Encrypt file with AES-256-CBC and PBKDF2
openssl enc -aes-256-cbc -salt -pbkdf2 -in file -out file.encCipher Suites
List available TLS 1.3 cipher suites
openssl ciphers -v 'TLSv1.3' | awk '{print $1}'