OpenSSL Cheat Sheet

The popular OpenSSL toolkit is the Swiss Army Knife of cryptography tools. Whenever you're dealing with certificates, hashes, keys and that sort of thing, OpenSSL is probably what you need.

This page is just a collection of some commands that I've found useful over time, so it will probably grow.

Doing

Create and transform keys, CSRs and certificates:

New 2048 (or 4096) bit RSA private key

openssl genrsa 2048 > mysite.rsa2048.key
openssl genrsa 4096 > mysite.rsa4096.key

New ECDSA private key (prime256v1 is OpenSSL's name for the P-256 / secp256r1 curve; openssl ecparam -list_curves shows the names it accepts)

openssl ecparam -genkey -name prime256v1 > mysite.ecdsa.key

Remove a passphrase from a private key

openssl rsa -in private.key -out privateNew.key

Generate a new RSA private key and CSR

openssl req -out mycsr.csr -new -newkey rsa:2048 -nodes -keyout private.key

Generate a CSR using an existing private key

openssl req -out mycsr.csr -new -key private.key

Create PKCS#12 (.pfx .p12) from PEM (.pem .cer .crt)

openssl pkcs12 -export -out mypfx.p12 -inkey private.key -in cert.crt

Extract encrypted private key from PKCS#12 file

openssl pkcs12 -in mypfx.p12 -out private.key -nocerts

Extract plaintext private key from PKCS#12 file

openssl pkcs12 -in mypfx.p12 -out private.key -nodes -nocerts

Extract certificate file from PKCS#12 file

openssl pkcs12 -in mypfx.p12 -out mycert.crt -nokeys

Checking

Use these commands to check the contents of CSRs, certificates and keys:

Check Certificate Signing Request (CSR)

openssl req -text -noout -verify -in mycsr.csr

Check a certificate

openssl x509 -text -noout -in mycert.crt

Check a PKCS#12 file

openssl pkcs12 -info -in mypfx.p12

Get expiry date (and start date) for a website's certificate

echo | openssl s_client -servername bytes.fyi -connect bytes.fyi:443 2>/dev/null | openssl x509 -noout -dates

Expiry (and start) date for a local certificate file

openssl x509 -noout -dates -in bytes_fyi.crt

subjectAltName (SAN) certificates

Using SAN entries, a certificate can cover multiple separate domains, or multiple subdomains of the same domain, or a mixture of both.

To create a CSR for a SAN certificate, you need to pass a config file to openssl.

Create a config file (e.g. mysanconfig.cnf) with the list of domains at the bottom, like this:

[ req ]
default_bits             = 2048
distinguished_name       = req_distinguished_name
req_extensions           = req_ext
prompt                   = no

[ req_distinguished_name ]
countryName              = GB
stateOrProvinceName      = Nottinghamshire
localityName             = Nottingham
organizationName         = Chicken McChicken Face
organizationalUnitName   = IT
commonName               = www.mysite.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.mysite.com
DNS.2 = mysite.com
DNS.3 = email.mysite.com
DNS.4 = otherplace.net
DNS.5 = ftp.otherplace.net

Then create the CSR using the config:

Generate a new RSA private key and SAN CSR

openssl req -out mycsr.csr -new -newkey rsa:2048 -nodes -keyout private.key -config mysanconfig.cnf

Generate a SAN CSR using an existing private key

openssl req -out mycsr.csr -new -key private.key -config mysanconfig.cnf

Please let me know via the comments if you have any other suggestions for this list.
