OpenSSL Cheat Sheet

cheatsheet openssl linux powershell command

Checking Certificates

View Certificate Details

openssl x509 -in certificate.crt -text -noout

Check Expiration Date Only

openssl x509 -in certificate.crt -noout -enddate

Check Remote Server Certificate

openssl s_client -connect example.com:443 -servername example.com

Check Full Certificate Chain

openssl s_client -connect example.com:443 -servername example.com -showcerts

Verify Certificate Against CA

openssl verify -CAfile ca-bundle.crt certificate.crt

Building Certificates

Generate Private Key

openssl genrsa -out private.key 2048
# Or with passphrase
openssl genrsa -aes256 -out private.key 2048

Generate CSR (Certificate Signing Request)

openssl req -new -key private.key -out request.csr

Generate Key and CSR Together

openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr

Self-Sign a Certificate

openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt

Generate Self-Signed Certificate (One Command)

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt

Extracting and Manipulating

Extract Public Key from Certificate

openssl x509 -pubkey -noout -in certificate.crt > public.key

Extract Private Key from PEM

openssl pkey -in file.pem -out private.key

Extract Certificate Chain from PFX/PKCS12

# Certificates only (no key)
openssl pkcs12 -in cert.pfx -out file.nokey.pem -nokeys -legacy
 
# Everything including key
openssl pkcs12 -in cert.pfx -out file.withkey.pem -legacy
 
# Extract just the private key
openssl rsa -in file.withkey.pem -out file.key

Rebuild PFX from PEM Files

Edit file.nokey.pem to ensure certificates are in order: server → intermediate → root

# Combine cert and key
cat file.nokey.pem file.key > file.combo.pem
 
# Create new PFX
openssl pkcs12 -export -in file.combo.pem -out file.combo.pfx

Format Conversion

FromToCommand
DERPEMopenssl x509 -inform der -in cert.cer -out cert.pem
PEMDERopenssl x509 -outform der -in cert.pem -out cert.der
PFXPEMopenssl pkcs12 -in cert.pfx -out cert.pem -nodes -legacy
PEMPFXopenssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx
PEMPKCS7openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
PKCS7PEMopenssl pkcs7 -in cert.p7b -print_certs -out cert.pem

Validation and Troubleshooting

Check if Key Matches Certificate

Compare the modulus hash - they should match:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Check if CSR Matches Key

openssl req -noout -modulus -in request.csr | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Verify Private Key is Valid

openssl rsa -check -in private.key

Test SSL Connection with Specific Protocol

# Test TLS 1.2
openssl s_client -connect example.com:443 -tls1_2
 
# Test TLS 1.3
openssl s_client -connect example.com:443 -tls1_3

Check Supported Ciphers

openssl s_client -connect example.com:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384'

Debug Certificate Chain Issues

openssl s_client -connect example.com:443 -servername example.com -verify 5

Common Issues and Solutions

IssueLikely CauseSolution
unable to load certificateWrong formatConvert with appropriate command
key values mismatchWrong key for certCompare modulus hashes
certificate verify failedMissing intermediateInclude full chain
-legacy flag requiredOpenSSL 3.x with older PFXAdd -legacy flag
self signed certificateMissing CA certsSpecify CA bundle with -CAfile

Quick Reference

View Certificate Subject/Issuer

openssl x509 -in cert.crt -noout -subject -issuer

View Certificate Serial Number

openssl x509 -in cert.crt -noout -serial

View CSR Content

openssl req -in request.csr -text -noout

Remove Passphrase from Key

openssl rsa -in encrypted.key -out decrypted.key

Add Passphrase to Key

openssl rsa -aes256 -in decrypted.key -out encrypted.key

Generate Random Password

openssl rand -base64 32