Articles

OpenSSL Cheatsheet: Commands for Keys, Certs, and Debug (2026)

April 6, 2026 4 min read

The openssl command is less a single tool and more a Swiss Army knife for cryptography, capable of generating keys, signing certificates, and inspecting their contents.

Let’s see it in action. Imagine you need to create a self-signed certificate for local development.

# Generate a private key
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048

# Create a Certificate Signing Request (CSR)
openssl req -new -key private.key -out server.csr -subj "/C=US/ST=California/L=San Francisco/O=MyOrg/OU=Dev/CN=localhost"

# Sign the CSR to create a self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey private.key -out server.crt

This sequence first generates a private key, then uses that key to create a Certificate Signing Request (CSR) containing your organization’s details, and finally signs the CSR with the private key to produce a certificate that’s valid for a year.

The core problem openssl solves is enabling secure communication and identity verification without relying on external, trusted Certificate Authorities (CAs) for every single interaction. It gives you the power to manage your own cryptographic identity. Internally, it leverages a vast library of cryptographic algorithms and protocols to perform these operations. The -algorithm RSA, -days 365, and -subj flags are your primary levers for controlling key strength, certificate validity, and identifying information, respectively.

Here are some essential commands you’ll use frequently:

Generating Keys:

  • RSA Private Key:

    openssl genpkey -algorithm RSA -out rsa_private_key.pem -pkeyopt rsa_keygen_bits:4096

    This creates a 4096-bit RSA private key, providing a strong level of security. genpkey is the modern, preferred way to generate keys, offering more flexibility than older commands like genrsa.

  • ECDSA Private Key:

    openssl ecparam -genkey -name prime256v1 -out ec_private_key.pem

    This generates an Elliptic Curve Digital Signature Algorithm (ECDSA) private key using the prime256v1 curve, which is more efficient than RSA for equivalent security levels.

  • Public Key from Private Key:

    openssl pkey -in rsa_private_key.pem -pubout -out rsa_public_key.pem

    Extracts the public key corresponding to your private key. This public key can be shared freely.

Managing Certificates:

  • Create a Self-Signed Certificate:

    openssl req -x509 -newkey rsa:4096 -keyout selfsigned.key -out selfsigned.crt -days 730 -nodes -subj "/CN=mydomain.com"

    This command is a shortcut to generate both a private key and a self-signed certificate in one go. -days 730 makes it valid for two years. -nodes means "no DES encryption" for the private key, so it won’t prompt for a passphrase on generation (useful for automation, but less secure if the key file is compromised).

  • Inspect a Certificate:

    openssl x509 -in server.crt -text -noout

    Displays all information contained within a certificate, including issuer, subject, validity dates, public key details, and extensions. -text shows human-readable details, and -noout prevents printing the encoded certificate itself.

  • Inspect a Certificate Signing Request (CSR):

    openssl req -in server.csr -text -noout

    Similar to inspecting a certificate, this reveals the information provided when the CSR was generated.

  • Convert PEM to DER format:

    openssl x509 -in server.crt -outform DER -out server.der

    Converts the Base64 encoded PEM format to the binary DER format, often required by specific applications.

  • Convert DER to PEM format:

    openssl x509 -in server.der -inform DER -outform PEM -out server.pem

    The reverse operation, converting DER back to PEM.

Debugging and Verification:

  • Verify a Certificate Chain:

    openssl verify -CAfile intermediate.crt -untrusted root.crt server.crt

    Checks if a certificate is trusted by a given set of CA certificates. This is crucial for understanding why a connection might be failing due to an untrusted certificate.

  • View SSL/TLS Connection Details:

    openssl s_client -connect example.com:443 -servername example.com

    This command establishes a TLS connection to a server and dumps all the SSL/TLS handshake information, including the certificate presented by the server and the cipher suite negotiated. It’s invaluable for diagnosing TLS handshake failures.

  • Convert PKCS#12 (.p12/.pfx) to PEM:

    openssl pkcs12 -in client.p12 -out client.pem -nodes

    PKCS#12 files often bundle a private key and certificate. This command extracts them into separate PEM files. The -nodes flag skips password protection on the output private key.

When you’re dealing with certificate chains, especially in complex environments, it’s easy to get confused about which file is the actual certificate you’re trying to verify and which files constitute the intermediate and root CAs. The openssl verify command, when used with -CAfile and -untrusted flags, allows you to explicitly define the trust anchor and any intermediate certificates that should be used to build the chain of trust back to that anchor. This granular control is what makes it so powerful for debugging.

The next hurdle you’ll likely face is understanding and configuring TLS cipher suites for optimal security and compatibility.

More Deep Dives in Tls Ssl

Want structured learning?

Take the full Tls-ssl course →