Openssl cheatsheet

OpenSSL is a great command line tool that can be used for a large variety of tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS). 

Openssl utility helps in following:

  • Create Keys and key parameters
  • Create X.509 certificates, CSRs and CRLs
  • Calculate message digests
  • Encryption and decryption
  • SSL/TLS client and server tests
  • Handling of S/MIME signed or encrypted mail


Install openssl client on you machine to perform the operations.


How to connect to secure server

-- https: HTTP over SSL
openssl s_client -connect

-- ldaps: LDAP over SSL
openssl s_client -connect

-- imaps: IMAP over SSL
openssl s_client -connect

-- pop3s: POP-3 over SSL
openssl s_client -connect

Connect to server having SNI

Server Name Indication (SNI) is a TLS extension, defined in RFC 6066. It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address.

openssl s_client -servername -connect

Store the public cert for any website locally


openssl s_client -connect < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt


openssl s_client -connect < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
(info) The command above will only be executed if you have Sed for Windowsas well as OpenSSL installed on your environment. 

Base64 encode using openssl

-- base64 encode a string
echo "value" | openssl enc -base64

-- base64 encode file content
openssl enc -base64 -in file.txt

Encrypt a file and base64 code it

-- Encrypt file.txt to file.enc using 256-bit AES in CBC mode
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

-- Encrypt file.txt to file.enc using 256-bit AES in CBC mode with base64 encoded output, e.g., e-mail
openssl enc -aes-256-cbc -a -salt -in file.txt -out file.enc

How to secure web server via https

Use following commands to generate private key and CSR.

-- Generate a Private Key and a CSR (Certificate Signing Request)
openssl req -new -newkey rsa:2048 -nodes -out $APPLICATIONNAME_DOMAIN_com.csr -keyout REPLACE_APPLICATIONNAME_DOMAIN_com.key -subj "/C=US/ST=REPLACE_STATE/L=$CITY/O=REPLACE_COMPANYNAME/OU=Network and Security/CN=REPLACE_IN_app.domain.com_FORMAT"

-- Generate a CSR from an existing Private Key
openssl req -key domain.key -new -out  REPLACE_YOUR_DOMAIN.csr

-- Generate a CSR from an Existing Certificate and Private Key to renew a certificate
openssl x509 -in domain.crt -signkey domain.key -x509toreq -out  REPLACE_YOUR_DOMAIN.csr

In order to enable SSL/TLS protocol on the server, it needs a private key and a certificate. The certificate contains the public key that matches the server’s private key.

Following Steps needs to be taken to set up your web server as https.

  1. The CSR is shared with CA (certificate authority) to request the issuance of a CA-signed SSL certificate.
  2. Combine your private key and CA signed SSL certificate
  3. Modify your web server to point you private keys / csr.

Generate a Self-Signed Certificate (Usually for internal apps)

openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out  REPLACE_YOUR_DOMAIN.crt

View CSR (Certificate Signing Request)

openssl req -text -noout -verify -in REPLACE_YOUR_DOMAIN.csr

View Certificates

openssl x509 -text -noout -in domain.crt

Verify a Certificate was Signed by a CA

openssl verify -verbose -CAFile REPLACE_ca.crt REPLACE_YOUR_DOMAIN.crt

Verify a Private Key Matches a Certificate and CSR

openssl rsa -noout -modulus -in REPLACE_domain.key | openssl md5
openssl x509 -noout -modulus -in REPLACE_domain.crt | openssl md5
openssl req -noout -modulus -in REPLACE_domain.csr | openssl md5

Convert certificates

-- Convert certificates format from PEM to DER 
openssl x509 -in domain.crt -outform der -out domain.der

-- Convert certificate format DER to PEM
openssl x509 -inform der -in domain.der -out domain.crt

-- Convert certificate format PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

How to generate an RSA key?

-- Default 1024-bit key, sent to standard output
openssl genrsa

-- 2048-bit key, saved to file key.pem
openssl genrsa -out key.pem 2048

-- 2048-bit key, saved to file key.pem and encrypted with a passphrase
openssl genrsa -des3 -out mykey.pem 2048

-- Generate public RSA key
openssl rsa -in mykey.pem -pubout


The SSL protocol relies heavily on a variety of different cryptographic algorithms, including message digest algorithms, symmetric ciphers, and public key cryptography.

Computes an SHA1 hash for the file named *.zip and write it to stdout in hexadecimal form.

openssl dgst -sha1

Computes an SHA1 hash for the file named *.zip and write it in hexadecimal form to the file named digest.txt.

openssl sha1 -out digest.txt

Signs the SHA1 (DSS1) hash of the file named file.txt using the DSA private key in the file dsakey.pem and write the signature out to the file dsasign.bin

Symmetric Encryption

Encrypts the contents of the file plaintext.doc using DES3 in CBC mode and places the resulting ciphertext into ciphertext.bin.

openssl enc -des3 -salt -in sample.txt -out sampledes3.bin

Since no password is mentioned, command line will prompt for password.

Encrypts the contents of the file plaintext.doc using Blowfish cipher in CFB mode and places the resulting ciphertext into ciphertext.bin.

openssl bf-cfb -salt -in sample.txt -out samplebf-cfb.bin

Encodes the contents of the file ciphertext.bin in base64 and writes the result to the file base64.txt.

openssl base64 -in samplebf-cfb.bin -out samplebf-cfb-base64.txt

Asymmetric Encryption

Diffie-Hellman is used for key agreement. In simple terms, key agreement is the exchange of information over an insecure medium that allows each of the two parties in a conversation to compute a value that is typically used as the key for a symmetric cipher

Digital Signature Algorithm (DSA) is used for creating and verifying digital signatures.

Generates a new set of DSA parameters

openssl dsaparam -out dsaparam.pem 1024

Generates a new DSA private key using the parameters from the file dsaparam.pem

openssl gendsa -out dsaprivatekey.pem -des3 dsaparam.pem

Computes the public key that corresponds to the private key contained in the file dsaprivatekey.pem and writes the public key out to the file dsapublickey.pem.


Version History

|Date | Description
:——————-| :—————————– 2015-12-20    | Initial Version
—————————————————— ————