19 Practical Examples of Openssl Command in Linux and Unix

openssl req -out CertificateSigningRequest.csr -newkey rsa:2048 -nodes -keyout sysaix.key

We can generate a private key with a Certificate Signing Request. We can send generated CertificateSigningRequest.csr to the Certificate Authority for approvel and then we can use sysaix.key. Above command will generate CSR and 2048-bit RSA key file. If you intend to use this certificate in Apache or Nginx.

If we will use certificate in our development or test  environment and systems we do not need to sign it by Global Certificate Authority.Below command will generate a self-signed certificate and key file with 2048-bit RSA. I have also included sha256 as it’s considered most secure at the moment.By default, it will generate self-signed certificate valid for only one month but we create for 1 year.

# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout sysaixPrivateKey.key -out sysaixcert.crt

If we have a certificate but we need to approve it by Global Certificate Authorities we need to generate Certificate Signing Request with the following command.

$ openssl req -out sysaix.csr -key privateKey.key -new

Verification is essential to ensure you are sending CSR to issuer authority with required details.

$ openssl req -noout -text -in sysaix.csr

If you just need to generate RSA private key, you can use below command. I have included 1024 for stronger encryption.

$ openssl genrsa -out sysaix.key 2048

Private Keys generally stored as encrypted to make it more secure. But every time we want to use Private Key we have to decrypt it. To make it more practical we can extract Private Key and store as unencrypted.

$ openssl rsa -in sysaixprivate.pem -out newsysaixprivate.pem

We can print every information provided by a Certificate Signing Request on the shell. We will use following command for this.

$ openssl req -text -noout -verify -in CertificatesysaixSignReq.csr

If you doubt on your key file, you can use below command to check.

$ openssl rsa -in sysaix.key –check

If you would like to validate certificate data like CN, OU, etc. then you can use below command which will give you certificate details.

$ openssl x509 -in certfile.pem -text –noout

Certificate issuer authority signs every certificate and in case you need to check them, you can use below command.

$ openssl x509 -in certfile.pem -noout -issuer -issuer_hash

We can convert PEM format to the PKCS#12 format with the following command.

$ openssl pkcs12 -export -out sysaix.pfx -inkey sysaixpri.key -in sysaixcert.crt -certfile sysaixCAcert.crt

The reverse conversation from PEM to DER can be done with the following.

$ openssl x509 -outform der -in sysaix.pem -out sysaixcert.der

$ openssl x509 –inform der –in sysaixsslcert.der –out sysaixsslcert.pem

Usually, certificate authority will give you SSL cert in .der format, and if you need to use them in apache or .pem format, you can use above command to convert them.

We can convert PKCS#12 format files to the PEM files with the following command.

$ openssl pkcs12 -in sysaixkeyStore.pfx -out sysaixkeyStore.pem -nodes

openssl pkcs12 –info –nodes –in sysaixcert.p12

PKCS12 is binary format so you won’t be able to view the content in notepad or another editor. So you got to use above command to see the contents of PKCS12 format file.

$ openssl x509 -noout -hash -in sysaix.pem

$ openssl version

$ openssl s_client -connect sysaix.com:443 –showcerts

$ openssl x509 -noout -in sysaixcert.pem -dates