OpenSSL Command Cheatsheet
OpenSSL is a robust open-source cryptography toolkit widely used for SSL/TLS certificate management, key generation, encryption/decryption, and SSL testing. This cheatsheet summarizes the most commonly used OpenSSL commands for daily operations.
Updated: 2026-07-17·33 commands
Overview
OpenSSL is a robust, full-featured open-source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. This cheatsheet covers key generation, certificates, and SSL testing.
Quick Start
``bash
openssl version # Check OpenSSL version
openssl help # List available commands
``
Refer to the command table below for detailed usage.
Key Mgmt(10)
| Command | Level | ||
|---|---|---|---|
openssl genrsa [numbits]Generate an RSA private key file, defaults to 2048 bits | Basic | openssl genrsa -out key.pem 4096 | |
openssl ecparam -genkey -name [curve]Generate an elliptic curve (EC) private key, common curves: prime256v1, secp384r1 | Intermediate | openssl ecparam -genkey -name prime256v1 -out ec-key.pem | |
openssl genpkey -algorithm [algo]Generic private key generation tool supporting RSA, EC, ED25519, and more | Intermediate | openssl genpkey -algorithm ED25519 -out ed-key.pem | |
openssl pkey [options]General-purpose private key processing tool for format conversion, inspection, etc. | Intermediate | openssl pkey -in key.pem -pubout -out pub.pem | |
openssl pkeyutl [options]Perform low-level sign, verify, encrypt, and decrypt operations using private/public keys | Expert | openssl pkeyutl -sign -in data.bin -inkey key.pem -out sig.bin | |
openssl ec [options]EC key processing tool for inspection and format conversion | Intermediate | openssl ec -in ec-key.pem -text -noout | |
openssl rsa [options]RSA key processing tool for inspection, format conversion, and public key extraction | Intermediate | openssl rsa -in key.pem -pubout -out public.pem | |
openssl pkcs8 [options]PKCS#8 private key format converter supporting encrypted and unencrypted formats | Intermediate | openssl pkcs8 -topk8 -in key.pem -out pk8.pem -nocrypt | |
openssl dsaparam [numbits]Generate DSA parameter files for DSA key generation | Intermediate | openssl dsaparam -out dsa-params.pem 2048 | |
openssl dhparam [numbits]Generate Diffie-Hellman parameters for perfect forward secrecy key exchange | Intermediate | openssl dhparam -out dhparams.pem 2048 |
CSR(3)
| Command | Level | ||
|---|---|---|---|
openssl req -new -key [keyfile] -out [csr]Generate a new Certificate Signing Request (CSR) from an existing private key | Basic | openssl req -new -key key.pem -out request.csr -subj "/CN=example.com/O=MyOrg" | |
openssl req -x509 -newkey [type] -days [n]Generate a self-signed certificate (with private key), ideal for dev and testing | Intermediate | openssl req -x509 -newkey rsa:4096 -days 365 -keyout key.pem -out cert.pem | |
openssl req -text -noout -in [csr]View the detailed content of a CSR file | Basic | openssl req -text -noout -in request.csr |
Certificates(8)
| Command | Level | ||
|---|---|---|---|
openssl x509 -in [cert] -text -nooutView detailed X.509 certificate information, including issuer, validity, SAN, etc. | Intermediate | openssl x509 -in cert.pem -text -noout | |
openssl x509 -req -in [csr] -CA [ca] -CAkey [key]Sign a CSR using a CA certificate to generate a server certificate | Intermediate | openssl x509 -req -in request.csr -CA ca.pem -CAkey ca.key -out cert.pem -days 365 | |
openssl verify [options] [cert]Verify that a certificate chain is valid and trusted | Intermediate | openssl verify -CAfile ca-chain.pem server.crt | |
openssl ca [options]Minimal Certificate Authority command for issuing and managing certificates | Expert | openssl ca -in request.csr -out signed.pem -config openssl.cnf | |
openssl crl [options]Process Certificate Revocation Lists (CRL), supports inspection and format conversion | Expert | openssl crl -in crl.pem -text -noout | |
openssl ocsp [options]Online Certificate Status Protocol (OCSP) client for querying real-time revocation status | Expert | openssl ocsp -issuer ca.pem -cert server.crt -url http://ocsp.example.com | |
openssl ts [options]Time Stamp Protocol (TSP) tool for generating or verifying digital timestamps | Expert | openssl ts -query -data doc.txt -cert -out ts-query.tsq | |
openssl pkcs12 -export [options]Package PEM certificate and private key into PKCS#12 / PFX file | Intermediate | openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx |
SSL Testing(7)
| Command | Level | ||
|---|---|---|---|
openssl s_client [options]Test SSL/TLS client connections, display certificate chain and handshake details | Intermediate | openssl s_client -connect example.com:443 -servername example.com | |
openssl s_server [options]Start a test SSL/TLS server for debugging clients | Intermediate | openssl s_server -accept 4433 -cert cert.pem -key key.pem | |
openssl speed [algorithm]Benchmark encryption algorithm performance, supports various algorithms | Basic | openssl speed aes-256-cbc | |
openssl version [options]Display OpenSSL version and build information | Basic | openssl version -a | |
openssl ciphers [options]List supported cipher suites for SSLv3, TLSv1.2, TLSv1.3, etc. | Intermediate | openssl ciphers -v 'TLSv1.3' | |
openssl asn1parse [options]Parse ASN.1 structured files for deep inspection of certificate and key encodings | Expert | openssl asn1parse -in cert.pem -inform PEM | |
openssl prime [options]Test whether a number is prime, or generate prime numbers | Basic | openssl prime -generate -bits 128 |
Encryption(5)
| Command | Level | ||
|---|---|---|---|
openssl enc -cipher [options]Symmetric encryption/decryption tool supporting AES, DES, ChaCha20, and more | Intermediate | openssl enc -aes-256-cbc -salt -in plain.txt -out encrypted.enc | |
openssl dgst [algorithm] [file]Compute hash digests of files, supports MD5, SHA256, SHA512, etc. | Intermediate | openssl dgst -sha256 -hex file.txt | |
openssl passwd [options]Generate password hashes in crypt, MD5, SHA256, SHA512, and other formats | Intermediate | openssl passwd -6 -salt xyz123 mypassword | |
openssl rand [nbytes]Generate cryptographically secure random bytes of specified length, output to file or base64 | Basic | openssl rand -hex 32 | |
openssl smime [options]S/MIME email encryption and signing tool for encrypting/decrypting and signing/verifying emails | Expert | openssl smime -encrypt -aes256 -in email.txt -out encrypted.msg cert.pem |
FAQ
This cheatsheet is compiled from official tool documentation. Last updated: 2026-07-17.