Essential commands for working with certificates, keys, and CSRs
OpenSSL is a powerful command-line tool for creating and managing certificates, keys, and certificate signing requests (CSRs). This reference guide provides the most commonly used commands for SSL/TLS certificate operations.
For automated certificate discovery and management, consider using our CertAlert tool to find and monitor all certificates on your network.
To generate an RSA key, use the genrsa option. The command below generates a 2048 bit RSA key and saves it to a file called key.pem
openssl genrsa -out key.pem 2048
If you require that your private key file is protected with a passphrase, use the command below.
openssl genrsa -des3 -out key.pem 2048
The file, key.pem, generated in the examples above actually contains both a private and public key. To view the public key you can use the following command:
openssl rsa -in key.pem -pubout
If you already have a key, the command below can be used to generates a CSR and save it to a file called req.pem
This is an interactive command that will prompt you for fields that make up the subject distinguished name of the CSR.
openssl req -new -key key.pem -out req.pem
If you do not have a key, the command below will generate a new private key and an associated CSR. If you wish to protect the private key with a passphrase, remove the -nodes option.
openssl req -new -newkey rsa:2048 -keyout key.pem -out req.pem -nodes
To view a CSR you can use our online CSR Decoder. However, if you prefer to decode your CSR locally use the command below.
openssl req -in req.pem -noout -text
To verify the signature on a CSR you can use our online CSR Decoder, or you can use the command below.
openssl req -in req.pem -noout -verify
To create a self-signed certificate, sign the CSR with its associated private key
openssl x509 -req -days 365 -in req.pem -signkey key.pem -out cert.pem
To create a self-signed certificate with just one command use the command below. This generates a 2048 bit key and associated self-signed certificate with a one year validity period.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
If you don't want your private key encrypting with a password, add the -nodes option.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
If you do not wish to be prompted for anything, you can supply all the information on the command line.
openssl req \
    -x509 \
    -newkey rsa:2048 \
    -keyout key.pem \
    -out cert.pem \
    -days 365 \
    -subj "/C=GB/ST=Staffs/L=Stoke/O=RKC/CN=www.domain1.com" \
    -nodes
            To view a certificate you can use our online Certificate Decoder. However, if you prefer to decode your certificate locally use the command below.
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
openssl req -in csr.pem -out csr.der -outform DER
openssl req -in csr.der -inform DER -out csr.pem -outform PEM
You can use our CSR and Certificate Decoder to get the SHA1 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.
To get the SHA1 fingerprint of a certificate using OpenSSL, use the command shown below.
openssl dgst -sha1 certificate.der
To get the SHA1 fingerprint of a CSR using OpenSSL, use the command shown below.
openssl dgst -sha1 csr.der
You can use our CSR and Certificate Decoder to get the MD5 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.
To get the MD5 fingerprint of a certificate using OpenSSL, use the command shown below.
openssl dgst -md5 certificate.der
To get the MD5 fingerprint of a CSR using OpenSSL, use the command shown below.
openssl dgst -md5 csr.der
openssl s_client -connect www.somesite.com:443 > cert.pem
Now edit the cert.pem file and delete everything except the PEM certificate.
The command below makes life even easier as it will automatically delete everything except the PEM certificate.
echo -n | openssl s_client -connect mysite.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.cert
If the webserver has several certificates on one IP address, then you will need to tell OpenSSL which certificate to request using Server Name Indication (SNI). This can be done by adding the -servername argument, which tells OpenSSL to negotiate SNI. The command below shows the previous command modified to use SNI.
echo -n | openssl s_client -connect mysite.com:443 -servername mysite.com | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.cert
The OpenSSL s_server command below implements a generic SSL/TLS server. It should be used for test purposes only. The example below listens for connections on port 8080 and returns an HTML formatted status page that includes lots of information about ciphers.
openssl s_server -key key.pem -cert cert.pem -accept 8080 -www
The OpenSSL s_server command below implements an SSL/TLS server that supports SNI. It should be used for test purposes only. The command below will listen for connections on port 443 and requires 2 valid certs and private keys. When a client connects without indicating a hostname, the domain1 cert is returned, otherwise the cert requested (either domain1.com or domain2.com) is returned.
sudo openssl s_server -accept 443 -www -servername www.domain1.com -cert domain1.cert.pem -key domain1.key.pem -servername www.domain2.com -cert2 domain2.cert.pem -key2 domain2.key.pem
Use the version command:
openssl version
Discover how CertAlert can help you monitor and manage certificates across your network.