OpenSSL Cheat Sheet
cheatsheet openssl linux powershell command
Checking Certificates
View Certificate Details
openssl x509 -in certificate.crt -text -nooutCheck Expiration Date Only
openssl x509 -in certificate.crt -noout -enddateCheck Remote Server Certificate
openssl s_client -connect example.com:443 -servername example.comCheck Full Certificate Chain
openssl s_client -connect example.com:443 -servername example.com -showcertsVerify Certificate Against CA
openssl verify -CAfile ca-bundle.crt certificate.crtBuilding Certificates
Generate Private Key
openssl genrsa -out private.key 2048
# Or with passphrase
openssl genrsa -aes256 -out private.key 2048Generate CSR (Certificate Signing Request)
openssl req -new -key private.key -out request.csrGenerate Key and CSR Together
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csrSelf-Sign a Certificate
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crtGenerate Self-Signed Certificate (One Command)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crtExtracting and Manipulating
Extract Public Key from Certificate
openssl x509 -pubkey -noout -in certificate.crt > public.keyExtract Private Key from PEM
openssl pkey -in file.pem -out private.keyExtract Certificate Chain from PFX/PKCS12
# Certificates only (no key)
openssl pkcs12 -in cert.pfx -out file.nokey.pem -nokeys -legacy
# Everything including key
openssl pkcs12 -in cert.pfx -out file.withkey.pem -legacy
# Extract just the private key
openssl rsa -in file.withkey.pem -out file.keyRebuild PFX from PEM Files
Edit file.nokey.pem to ensure certificates are in order: server → intermediate → root
# Combine cert and key
cat file.nokey.pem file.key > file.combo.pem
# Create new PFX
openssl pkcs12 -export -in file.combo.pem -out file.combo.pfxFormat Conversion
| From | To | Command |
|---|---|---|
| DER | PEM | openssl x509 -inform der -in cert.cer -out cert.pem |
| PEM | DER | openssl x509 -outform der -in cert.pem -out cert.der |
| PFX | PEM | openssl pkcs12 -in cert.pfx -out cert.pem -nodes -legacy |
| PEM | PFX | openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx |
| PEM | PKCS7 | openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b |
| PKCS7 | PEM | openssl pkcs7 -in cert.p7b -print_certs -out cert.pem |
Validation and Troubleshooting
Check if Key Matches Certificate
Compare the modulus hash - they should match:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5Check if CSR Matches Key
openssl req -noout -modulus -in request.csr | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5Verify Private Key is Valid
openssl rsa -check -in private.keyTest SSL Connection with Specific Protocol
# Test TLS 1.2
openssl s_client -connect example.com:443 -tls1_2
# Test TLS 1.3
openssl s_client -connect example.com:443 -tls1_3Check Supported Ciphers
openssl s_client -connect example.com:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384'Debug Certificate Chain Issues
openssl s_client -connect example.com:443 -servername example.com -verify 5Common Issues and Solutions
| Issue | Likely Cause | Solution |
|---|---|---|
unable to load certificate | Wrong format | Convert with appropriate command |
key values mismatch | Wrong key for cert | Compare modulus hashes |
certificate verify failed | Missing intermediate | Include full chain |
-legacy flag required | OpenSSL 3.x with older PFX | Add -legacy flag |
self signed certificate | Missing CA certs | Specify CA bundle with -CAfile |
Quick Reference
View Certificate Subject/Issuer
openssl x509 -in cert.crt -noout -subject -issuerView Certificate Serial Number
openssl x509 -in cert.crt -noout -serialView CSR Content
openssl req -in request.csr -text -nooutRemove Passphrase from Key
openssl rsa -in encrypted.key -out decrypted.keyAdd Passphrase to Key
openssl rsa -aes256 -in decrypted.key -out encrypted.keyGenerate Random Password
openssl rand -base64 32