OpenSSL Commands and Certificate Management Cheatsheet
This comprehensive guide covers essential OpenSSL commands for certificate creation, verification, and SSL/TLS management. Whether you’re setting up development environments, managing production certificates, or troubleshooting SSL issues, these commands provide the foundation for secure certificate operations.
Certificate Creation Commands
Self-Signed CA Certificate
Creates a self-signed certificate authority (CA) certificate pair that can be used to sign other certificates. This is particularly useful for development environments and internal infrastructure, such as when setting up TLS termination in nginx configurations.
openssl req -x509 -nodes -days <expiry-days> -newkey rsa:4096 -keyout cert.key -out cert.crt -subj "/CN=<domain>" -addext "subjectAltName=DNS:<domain>"
Parameters explained:
- -x509: Create a self-signed certificate instead of a certificate request
- -nodes: Don’t encrypt the private key (no passphrase required)
- -days <expiry-days>: Certificate validity period (e.g., 365 for one year)
- -newkey rsa:4096: Generate a new RSA private key with 4096 bits
- -keyout cert.key: Output filename for the private key
- -out cert.crt: Output filename for the certificate
- -subj "/CN=<domain>": Certificate subject with Common Name
- -addext "subjectAltName=DNS:<domain>": Add Subject Alternative Name extension
Self-Signed Non-CA Certificate
Creates a self-signed certificate without Certificate Authority permissions. This certificate cannot be used to sign other certificates and is suitable for end-entity certificates.
openssl req -x509 -nodes -days <expiry-days> -newkey rsa:4096 -keyout cert.key -out cert.crt -subj "/CN=<domain>" -addext "subjectAltName=DNS:<domain>" -addext "basicConstraints=CA:FALSE"
The key difference is the addition of -addext "basicConstraints=CA:FALSE", which explicitly marks this certificate as not being a CA certificate.
Certificate Verification and Inspection
Check Certificate Information
Display detailed information about a certificate including validity dates, subject, issuer, and extensions.
openssl x509 -in <cert-file> -noout -text
Check Certificate Validity Dates
Quickly check when a certificate expires:
openssl x509 -in <cert-file> -noout -dates
Verify Certificate Against CA
Verify a certificate against a Certificate Authority:
openssl verify -CAfile <ca-cert.pem> <cert-file>
Check Certificate and Key Match
Verify that a certificate and private key belong together:
openssl x509 -noout -modulus -in <cert-file> | openssl md5
openssl rsa -noout -modulus -in <key-file> | openssl md5
Both commands should produce identical MD5 hashes.
Advanced Certificate Operations
Generate Certificate Signing Request (CSR)
Create a certificate signing request for submission to a Certificate Authority:
openssl req -new -newkey rsa:4096 -nodes -keyout <domain>.key -out <domain>.csr -subj "/CN=<domain>" -addext "subjectAltName=DNS:<domain>"
Sign CSR with CA Certificate
Sign a certificate request using your CA certificate. Note that openssl x509 -req does not copy extensions (such as the SAN) from the CSR by default: the extensions to add are read from a configuration file passed with -extfile, and -extensions names the section in that file:
openssl x509 -req -in <domain>.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out <domain>.crt -days <expiry-days> -extfile <ext-file> -extensions v3_req
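The CA, CSR, signing and verification commands above chained into one runnable script. This is an added example, not code from the original page; the CA name, the domain app.example.test and all file names are constructed, and the extensions for the signed certificate are supplied through -extfile so the SAN and CA:FALSE actually end up in the issued certificate.

```shell
#!/bin/sh
# Added example, not from the page: local CA -> SAN CSR -> signed leaf -> checks.
# All names (Example Dev CA, app.example.test, file names) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {   # make_ca <dir>: self-signed CA (req -x509 defaults give CA:TRUE)
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$1/ca.key" \
    -out "$1/ca.crt" -subj "/CN=Example Dev CA" 2>/dev/null
}

make_csr() {  # make_csr <dir> <domain>: end-entity key + CSR carrying a SAN
  openssl req -new -nodes -newkey rsa:2048 -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# 'openssl x509 -req' does not carry extensions over from the CSR unless told
# to, so the SAN and CA:FALSE are written to an -extfile and named explicitly.
sign_csr() {  # sign_csr <dir> <domain>
  cat > "$1/$2.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$2
EOF
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

chain_ok() {  # chain_ok <dir> <domain>: leaf validates against the CA
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
san_ok() {    # san_ok <dir> <domain>: the SAN survived signing
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}
key_matches() {  # key_matches <cert> <key>: compare public keys (RSA or EC)
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ "$c" = "$k" ]
}

make_ca "$WORK"
make_csr "$WORK" app.example.test
sign_csr "$WORK" app.example.test
chain_ok "$WORK" app.example.test
san_ok "$WORK" app.example.test
key_matches "$WORK/app.example.test.crt" "$WORK/app.example.test.key"
echo "chain, SAN and key/cert checks passed for app.example.test"
```

The key_matches check compares the public keys rather than the RSA modulus, so the same function also works for EC keys.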
Convert Certificate Formats
Convert PEM to DER format:
openssl x509 -in cert.pem -outform DER -out cert.der
Convert DER to PEM format:
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem
SSL/TLS Connection Testing
Test SSL Connection
Test SSL/TLS connection to a server:
openssl s_client -connect <hostname>:<port> -servername <hostname>
Check SSL Certificate Chain
Verify the complete certificate chain:
openssl s_client -connect <hostname>:443 -showcerts
Test Specific SSL/TLS Version
Test connection with specific protocol version:
openssl s_client -connect <hostname>:443 -tls1_2
Key Management
Generate Private Key
Generate a new RSA private key:
openssl genrsa -out private.key 4096
Generate Private Key with Passphrase
Generate an encrypted private key:
openssl genrsa -aes256 -out private.key 4096
Remove Passphrase from Private Key
Remove encryption from a private key:
openssl rsa -in encrypted.key -out decrypted.key
Extract Public Key
Extract public key from private key:
openssl rsa -in private.key -pubout -out public.key
Common Use Cases and Examples
Development Environment Setup
For local development with HTTPS, especially when configuring nginx reverse proxy setups:
# Create self-signed certificate for localhost
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout localhost.key -out localhost.crt -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,DNS:*.localhost,IP:127.0.0.1"
Multi-Domain Certificate
Create a certificate valid for multiple domains:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout multi.key -out multi.crt -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:api.example.com"
Production Certificate Renewal
Steps for certificate renewal in production:
- Generate new CSR:
openssl req -new -key existing.key -out renewal.csr -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
- Submit CSR to CA and receive new certificate
- Verify new certificate:
openssl x509 -in new-cert.crt -noout -text
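The renewal steps above as a runnable script with the checks a practitioner wants before and after the CA round trip. This is an added example, not code from the original page; the domain example.test and the file names are constructed, and because no real CA is involved the certificate returned by the CA is stood in for by a self-signed certificate made from the same key.

```shell
#!/bin/sh
# Added example, not from the page: the renewal steps above run offline. The
# certificate the CA returns is stood in for by a self-signed one made from the
# same key; every name (example.test, file names) is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

renewal_csr() {   # renewal_csr <existing.key> <domain> <out.csr>  (step 1)
  openssl req -new -key "$1" -out "$3" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,DNS:www.$2" 2>/dev/null
}
csr_has_san() {   # csr_has_san <csr> <dns-name>: check before submitting
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}
issue_stand_in() {   # issue_stand_in <key> <domain> <out.crt>  (stands in for step 2)
  openssl req -new -x509 -key "$1" -days 30 -out "$3" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,DNS:www.$2" 2>/dev/null
}
modulus_matches() {   # modulus_matches <cert> <key>: RSA modulus comparison (step 3)
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}
expires_within_days() {   # expires_within_days <cert> <days>: succeeds if it does
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

openssl genrsa -out "$WORK/existing.key" 2048 2>/dev/null
renewal_csr "$WORK/existing.key" example.test "$WORK/renewal.csr"
csr_has_san "$WORK/renewal.csr" www.example.test
issue_stand_in "$WORK/existing.key" example.test "$WORK/new-cert.crt"
modulus_matches "$WORK/new-cert.crt" "$WORK/existing.key"
if expires_within_days "$WORK/new-cert.crt" 14; then
  echo "new-cert.crt expires within 14 days: renew again"
else
  echo "new-cert.crt is valid for more than 14 days and matches existing.key"
fi
```

The -checkend test is what an auto-renewal cron job can key on: it exits non-zero as soon as the certificate will expire within the given number of seconds.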
Security Best Practices
Key Size Recommendations
- RSA: Minimum 2048 bits, recommended 4096 bits
- EC: Minimum 256 bits (P-256), recommended 384 bits (P-384)
Certificate Validity
- Development: 90-365 days
- Production: Follow CA guidelines, typically 90 days with auto-renewal
Storage Security
- Store private keys with restricted permissions (600 or 640)
- Use hardware security modules (HSMs) for production CAs
- Regular key rotation for long-lived certificates
Troubleshooting Common Issues
Certificate Validation Errors
Problem: Certificate not trusted. Solution: Verify the certificate chain and ensure the CA certificate is in the trust store.
Problem: Hostname mismatch. Solution: Check that the Subject Alternative Names match the hostname.
Problem: Certificate expired. Solution: Check the validity dates and renew if necessary.
Connection Issues
Problem: SSL handshake failures. Solution: Check the supported cipher suites and protocol versions.
Problem: Certificate chain incomplete. Solution: Ensure the intermediate certificates are included.
Questions Answered in This Document
Q: How do I create a self-signed certificate with Subject Alternative Names?
A: Use openssl req -x509 -nodes -days <days> -newkey rsa:4096 -keyout cert.key -out cert.crt -subj "/CN=<domain>" -addext "subjectAltName=DNS:<domain>" to create a certificate with a SAN extension.
Q: What’s the difference between a CA certificate and a non-CA certificate?
A: A CA certificate can sign other certificates, while a non-CA certificate cannot. Add -addext "basicConstraints=CA:FALSE" to create a non-CA certificate.
Q: How can I verify that a certificate and private key match?
A: Generate MD5 hashes of both the certificate and key modulus using openssl x509 -noout -modulus -in cert.crt | openssl md5 and openssl rsa -noout -modulus -in key.key | openssl md5. The hashes should match.
Q: How do I check when an SSL certificate expires?
A: Use openssl x509 -in certificate.crt -noout -dates to display the certificate validity period, or openssl s_client -connect hostname:443 -servername hostname to check a remote server’s certificate.
Q: What’s the recommended RSA key size for SSL certificates?
A: Use a minimum of 2048 bits, but 4096 bits is recommended for better security. Generate with openssl genrsa -out private.key 4096.
Q: How do I test SSL connectivity to a server?
A: Use openssl s_client -connect hostname:443 -servername hostname to test the connection and view certificate details.
Q: How can I create a certificate valid for multiple domains?
A: Include multiple DNS entries in the Subject Alternative Names extension: -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:api.example.com"
Q: How do I convert between PEM and DER certificate formats?
A: Use openssl x509 -in cert.pem -outform DER -out cert.der for PEM to DER, or openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem for DER to PEM conversion.