Skip to main content

OpenSSL Command Cheatsheet

OpenSSL is a robust open-source cryptography toolkit widely used for SSL/TLS certificate management, key generation, encryption/decryption, and SSL testing. This cheatsheet summarizes the most commonly used OpenSSL commands for daily operations.

Updated: 2026-07-17·33 commands

Overview

OpenSSL is a robust, full-featured open-source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. This cheatsheet covers key generation, certificates, and SSL testing.

Quick Start

``bash openssl version # Check OpenSSL version openssl help # List available commands ``

Refer to the command table below for detailed usage.

Key Mgmt(10)

CommandLevel
openssl genrsa [numbits]
Generate an RSA private key file, defaults to 2048 bits
Basic
openssl ecparam -genkey -name [curve]
Generate an elliptic curve (EC) private key, common curves: prime256v1, secp384r1
Intermediate
openssl genpkey -algorithm [algo]
Generic private key generation tool supporting RSA, EC, ED25519, and more
Intermediate
openssl pkey [options]
General-purpose private key processing tool for format conversion, inspection, etc.
Intermediate
openssl pkeyutl [options]
Perform low-level sign, verify, encrypt, and decrypt operations using private/public keys
Expert
openssl ec [options]
EC key processing tool for inspection and format conversion
Intermediate
openssl rsa [options]
RSA key processing tool for inspection, format conversion, and public key extraction
Intermediate
openssl pkcs8 [options]
PKCS#8 private key format converter supporting encrypted and unencrypted formats
Intermediate
openssl dsaparam [numbits]
Generate DSA parameter files for DSA key generation
Intermediate
openssl dhparam [numbits]
Generate Diffie-Hellman parameters for perfect forward secrecy key exchange
Intermediate

CSR(3)

CommandLevel
openssl req -new -key [keyfile] -out [csr]
Generate a new Certificate Signing Request (CSR) from an existing private key
Basic
openssl req -x509 -newkey [type] -days [n]
Generate a self-signed certificate (with private key), ideal for dev and testing
Intermediate
openssl req -text -noout -in [csr]
View the detailed content of a CSR file
Basic

Certificates(8)

CommandLevel
openssl x509 -in [cert] -text -noout
View detailed X.509 certificate information, including issuer, validity, SAN, etc.
Intermediate
openssl x509 -req -in [csr] -CA [ca] -CAkey [key]
Sign a CSR using a CA certificate to generate a server certificate
Intermediate
openssl verify [options] [cert]
Verify that a certificate chain is valid and trusted
Intermediate
openssl ca [options]
Minimal Certificate Authority command for issuing and managing certificates
Expert
openssl crl [options]
Process Certificate Revocation Lists (CRL), supports inspection and format conversion
Expert
openssl ocsp [options]
Online Certificate Status Protocol (OCSP) client for querying real-time revocation status
Expert
openssl ts [options]
Time Stamp Protocol (TSP) tool for generating or verifying digital timestamps
Expert
openssl pkcs12 -export [options]
Package PEM certificate and private key into PKCS#12 / PFX file
Intermediate

SSL Testing(7)

CommandLevel
openssl s_client [options]
Test SSL/TLS client connections, display certificate chain and handshake details
Intermediate
openssl s_server [options]
Start a test SSL/TLS server for debugging clients
Intermediate
openssl speed [algorithm]
Benchmark encryption algorithm performance, supports various algorithms
Basic
openssl version [options]
Display OpenSSL version and build information
Basic
openssl ciphers [options]
List supported cipher suites for SSLv3, TLSv1.2, TLSv1.3, etc.
Intermediate
openssl asn1parse [options]
Parse ASN.1 structured files for deep inspection of certificate and key encodings
Expert
openssl prime [options]
Test whether a number is prime, or generate prime numbers
Basic

Encryption(5)

CommandLevel
openssl enc -cipher [options]
Symmetric encryption/decryption tool supporting AES, DES, ChaCha20, and more
Intermediate
openssl dgst [algorithm] [file]
Compute hash digests of files, supports MD5, SHA256, SHA512, etc.
Intermediate
openssl passwd [options]
Generate password hashes in crypt, MD5, SHA256, SHA512, and other formats
Intermediate
openssl rand [nbytes]
Generate cryptographically secure random bytes of specified length, output to file or base64
Basic
openssl smime [options]
S/MIME email encryption and signing tool for encrypting/decrypting and signing/verifying emails
Expert

FAQ

This cheatsheet is compiled from official tool documentation. Last updated: 2026-07-17.