Useful OpenSSL Commands

Generate a Key

To generate an RSA key, use the genrsa command. The command below generates a 2048-bit RSA key and saves it to a file called key.pem.

openssl genrsa -out key.pem 2048 

If you require that your private key file is protected with a passphrase, use the command below.

openssl genrsa -des3 -out key.pem 2048 

Generate a CSR

If you already have a key, the command below can be used to generate a CSR and save it to a file called req.pem.

This is an interactive command that will prompt you for fields that make up the subject distinguished name of the CSR.

openssl req -new -key key.pem -out req.pem

If you do not have a key, the command below will generate a new key and an associated CSR. The private key will not be protected by a passphrase.

openssl req \
     -new -newkey rsa:2048 -nodes \
     -keyout key.pem -out req.pem

View the contents of a CSR

To decode a CSR you can use our online CSR Decoder. However, if you prefer to decode your CSR locally use the command below.

openssl req -in req.pem -noout -text

View the contents of a certificate

To decode a certificate you can use our online Certificate Decoder. However, if you prefer to decode your certificate locally use the command below.

openssl x509 -text -in cert.pem

Convert a certificate from PEM to DER format

openssl x509 -in cert.pem -out cert.der -outform DER 

Convert a CSR from PEM to DER format

openssl req -in csr.pem -out csr.der -outform DER

Get SHA-1 fingerprint of a certificate or CSR

You can use our CSR and Cert Decoder to get the SHA1 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.

To get the SHA1 fingerprint using OpenSSL, use the command shown below.

openssl dgst -sha1 certificate.der
openssl dgst -sha1 csr.der
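
The dgst commands above hash the file's bytes as stored, so they give the fingerprint only when the input is already DER. The script below is an added example, not part of the original article: it shows that the raw digest of a PEM file changes with its text layout while the digest of the DER encoding does not. The temporary file names, the example.test subject passed with -subj, and the throwaway self-signed certificate made with req -x509 are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. File names, the subject and the temp directory are constructed.
set -eu

# Strip the "SHA1(...)= " label that openssl dgst prints, leaving the hex digest.
hex_only() { sed 's/^.*= *//'; }

# SHA-1 of a file's bytes exactly as stored on disk.
sha1_raw() { openssl dgst -sha1 "$1" | hex_only; }

# SHA-1 fingerprint of a certificate: digest of its DER encoding.
cert_fp() { openssl x509 -in "$1" -outform DER | openssl dgst -sha1 | hex_only; }

# SHA-1 fingerprint of a CSR, computed the same way.
csr_fp() { openssl req -in "$1" -outform DER | openssl dgst -sha1 | hex_only; }

# The fingerprint openssl x509 reports itself, as lowercase hex without colons.
cert_fp_builtin() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Build constructed sample inputs in directory $1: a key, a CSR, a throwaway
# self-signed certificate, and a second copy of that certificate with the
# human-readable dump in front of the PEM block.
make_samples() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -new -key "$1/key.pem" -subj "/CN=example.test" -out "$1/req.pem"
    openssl req -x509 -new -key "$1/key.pem" -subj "/CN=example.test" \
        -days 1 -out "$1/cert.pem"
    openssl x509 -text -in "$1/cert.pem" -out "$1/cert_text.pem"
}

main() {
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    make_samples "$dir"
    echo "cert.pem      raw file digest: $(sha1_raw "$dir/cert.pem")"
    echo "cert_text.pem raw file digest: $(sha1_raw "$dir/cert_text.pem")"
    echo "cert.pem      DER fingerprint: $(cert_fp "$dir/cert.pem")"
    echo "cert_text.pem DER fingerprint: $(cert_fp "$dir/cert_text.pem")"
    echo "x509 -fingerprint -sha1      : $(cert_fp_builtin "$dir/cert.pem")"
    echo "req.pem       DER fingerprint: $(csr_fp "$dir/req.pem")"
}

main
```

When comparing a fingerprint against one published by a CA or shown by a browser, compare the DER-based value; the raw digest of a PEM file is not comparable.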



---
Last modified: 16th March 2012