OpenSSL is a general purpose cryptography library that provides an open source implementation of the SSL and TLS protocols.OpenSSL libraries are used by a lot of enterprises in their systems and products.Following are a few common tasks you might need to perform with OpenSSL.

Some of the abbreviations related to certificates.

  • SSL – Secure Socket Layer
  • CSR – Certificate Signing Request
  • TLS – Transport Layer Security
  • PEM – Privacy Enhanced Mail
  • DER – Distinguished Encoding Rules
  • SHA – Secure Hash Algorithm
  • PKCS – Public-Key Cryptography Standards.
Private Key

Private keys should kept secret. Private keys generally used to decrypt data.

Public Key

Public keys are provided every one and it not secret. Public keys generally used to encrypt data.


Certificates holds keys and related information. Certificates generally holds public keys.

1Generate Private Key and Certificate Signing Request

openssl req -out CertificateSigningRequest.csr -newkey rsa:2048 -nodes -keyout sysaix.key

We can generate a private key with a Certificate Signing Request. We can send generated CertificateSigningRequest.csr to the Certificate Authority for approvel and then we can use sysaix.key. Above command will generate CSR and 2048-bit RSA key file. If you intend to use this certificate in Apache or Nginx.

2Generate Self-Signed Certificate

If we will use certificate in our development or test  environment and systems we do not need to sign it by Global Certificate Authority.Below command will generate a self-signed certificate and key file with 2048-bit RSA. I have also included sha256 as it’s considered most secure at the moment.By default, it will generate self-signed certificate valid for only one month but we create for 1 year.

# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout sysaixPrivateKey.key -out sysaixcert.crt

3Generate Certificate Signing Request (CSR) with Existing Certificate

If we have a certificate but we need to approve it by Global Certificate Authorities we need to generate Certificate Signing Request with the following command.

$ openssl req -out sysaix.csr -key privateKey.key -new

4Verify CSR file

Verification is essential to ensure you are sending CSR to issuer authority with required details.

$ openssl req -noout -text -in sysaix.csr

5Create RSA Private Key

If you just need to generate RSA private key, you can use below command. I have included 1024 for stronger encryption.

$ openssl genrsa -out sysaix.key 2048

6Remove Passphrase From Private Key

Private Keys generally stored as encrypted to make it more secure. But every time we want to use Private Key we have to decrypt it. To make it more practical we can extract Private Key and store as unencrypted.

$ openssl rsa -in sysaixprivate.pem -out newsysaixprivate.pem

7Check and Print Certificate Signing Request (CSR)

We can print every information provided by a Certificate Signing Request on the shell. We will use following command for this.

$ openssl req -text -noout -verify -in CertificatesysaixSignReq.csr

8Verify Private Key

If you doubt on your key file, you can use below command to check.

$ openssl rsa -in sysaix.key –check

9Verify Certificate File

If you would like to validate certificate data like CN, OU, etc. then you can use below command which will give you certificate details.

$ openssl x509 -in certfile.pem -text –noout

10Verify the Certificate Signer Authority

Certificate issuer authority signs every certificate and in case you need to check them, you can use below command.

$ openssl x509 -in certfile.pem -noout -issuer -issuer_hash

11Convert PEM To PKCS#12 (.pfx .p12)

We can convert PEM format to the PKCS#12 format with the following command.

$ openssl pkcs12 -export -out sysaix.pfx -inkey sysaixpri.key -in sysaixcert.crt -certfile sysaixCAcert.crt

12Convert PEM To DER

The reverse conversation from PEM to DER can be done with the following.

$ openssl x509 -outform der -in sysaix.pem -out sysaixcert.der

13Convert DER to PEM format

$ openssl x509 –inform der –in sysaixsslcert.der –out sysaixsslcert.pem

Usually, certificate authority will give you SSL cert in .der format, and if you need to use them in apache or .pem format, you can use above command to convert them.

14Convert PKCS#12 (.pfx .p12) To PEM

We can convert PKCS#12 format files to the PEM files with the following command.

$ openssl pkcs12 -in sysaixkeyStore.pfx -out sysaixkeyStore.pem -nodes

15Check contents of PKCS12 format cert

openssl pkcs12 –info –nodes –in sysaixcert.p12

PKCS12 is binary format so you won’t be able to view the content in notepad or another editor. So you got to use above command to see the contents of PKCS12 format file.

16Check Hash Value of A Certificate

$ openssl x509 -noout -hash -in sysaix.pem

17Find out OpenSSL version

$ openssl version

18Test SSL certificate of particular URL

$ openssl s_client -connect –showcerts

19Check PEM File Certificate Expiration Date

$ openssl x509 -noout -in sysaixcert.pem -dates


Please enter your comment!
Please enter your name here