OpenSSL Quick Reference
Overview
OpenSSL is an open-source cryptographic library and toolkit providing SSL/TLS protocol implementations, certificate management, encryption/decryption, and hash functions.
Main Use Cases: - SSL/TLS certificate generation and management - Private/public key creation - File encryption/decryption - Hashing and digital signatures - Testing network connections with SSL/TLS
1. Certificate and Key Generation
Generate Private Key (RSA)
# RSA 2048 bit key (standard)
openssl genrsa -out private.key 2048
# RSA 4096 bit key (stronger)
openssl genrsa -out private.key 4096
# RSA key protected with password (AES-256)
openssl genrsa -aes256 -out private.key 2048
Extract Public Key from Private Key
Generate Self-Signed Certificate
# One step: private key + self-signed cert (1 year validity)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
# Interactive (prompts for data: Country, State, Organization, etc.)
# -nodes: saves private key without password
Generate Certificate Signing Request (CSR)
# Generate CSR from existing private key
openssl req -new -key private.key -out request.csr
# Generate CSR and new private key simultaneously
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
CSR Required Fields: - Country Name (C): US - State (ST): California - Organization (O): Example Inc - Common Name (CN): .example.com or example.com (domain name!) - Email Address:* admin@example.com
2. Viewing and Validating Certificates
View Certificate Contents
# X.509 cert details
openssl x509 -in cert.pem -text -noout
# Check expiration date
openssl x509 -in cert.pem -noout -dates
# View Subject and Issuer
openssl x509 -in cert.pem -noout -subject -issuer
# Certificate fingerprint (SHA256)
openssl x509 -in cert.pem -noout -fingerprint -sha256
Check CSR Contents
Compare Private Key and Certificate
# Private key modulus
openssl rsa -in private.key -noout -modulus | openssl md5
# Certificate modulus
openssl x509 -in cert.pem -noout -modulus | openssl md5
# If MD5 hashes match -> key and cert belong together
Fetch Remote SSL Certificate
# Retrieve HTTPS server certificate
openssl s_client -connect example.com:443 -showcerts < /dev/null
# Only the certificate chain
openssl s_client -connect example.com:443 -showcerts 2>/dev/null | openssl x509 -text
# StartTLS for SMTP
openssl s_client -connect smtp.example.com:587 -starttls smtp
3. File Encryption and Decryption
Symmetric Encryption (AES-256-CBC)
# Encrypt file (prompts for password)
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc
# Decrypt
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt
# Encrypt with base64 output (email-friendly)
openssl enc -aes-256-cbc -salt -a -in file.txt -out file.txt.enc
# Decrypt from base64
openssl enc -aes-256-cbc -d -a -in file.txt.enc -out file.txt
Asymmetric Encryption (RSA Keys)
# Encrypt with public key
openssl rsautl -encrypt -pubin -inkey public.key -in file.txt -out file.enc
# Decrypt with private key
openssl rsautl -decrypt -inkey private.key -in file.enc -out file.txt
Limitation: RSA can only encrypt small files (max key size - 11 bytes). For larger files, use hybrid approach (AES + RSA).
4. Hash Functions and Digital Signatures
Calculate Hash
# MD5 (weak, don't use in production!)
openssl md5 file.txt
# SHA-256 (recommended)
openssl sha256 file.txt
# SHA-512 (stronger)
openssl sha512 file.txt
# Hash in base64 format
openssl dgst -sha256 -binary file.txt | openssl base64
Digital Signatures
# Sign file with private key
openssl dgst -sha256 -sign private.key -out file.sig file.txt
# Verify signature with public key
openssl dgst -sha256 -verify public.key -signature file.sig file.txt
5. Format Conversions
PEM ↔ DER Conversion
# PEM -> DER (binary format)
openssl x509 -in cert.pem -outform DER -out cert.der
# DER -> PEM (text format)
openssl x509 -in cert.der -inform DER -out cert.pem
PEM ↔ PKCS#12 (.pfx, .p12) Conversion
# PEM -> PKCS#12 (key + cert in one file, Windows-friendly)
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile ca-cert.pem
# PKCS#12 -> PEM (extract)
openssl pkcs12 -in cert.pfx -out cert.pem -nodes
PKCS#7 Handling
# PEM -> PKCS#7
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
# PKCS#7 -> PEM
openssl pkcs7 -print_certs -in cert.p7b -out cert.pem
6. SSL/TLS Testing and Debugging
Test HTTPS Connection
# Basic SSL handshake test
openssl s_client -connect example.com:443
# Force TLS 1.2
openssl s_client -connect example.com:443 -tls1_2
# Specify SNI (Server Name Indication)
openssl s_client -connect 192.168.1.10:443 -servername example.com
# Test cipher suite
openssl s_client -connect example.com:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384'
Validate Certificate Chain
# Verify cert chain against CA
openssl verify -CAfile ca-cert.pem cert.pem
# Validate full chain
openssl verify -CAfile ca-bundle.pem -untrusted intermediate.pem cert.pem
OCSP (Online Certificate Status Protocol) Test
# Fetch OCSP response
openssl ocsp -issuer ca-cert.pem -cert cert.pem -url http://ocsp.example.com -resp_text
7. Common Errors and Solutions
"unable to load Private Key" Error
Cause: Wrong format or password-protected key.
Solution:
# Remove password from private key
openssl rsa -in encrypted-private.key -out private.key
# Check format
openssl rsa -in private.key -text -noout
"certificate verify failed" Errors
Cause: Missing CA certificate or certificate chain issue.
Solution:
# Use CA bundle
openssl s_client -connect example.com:443 -CAfile /etc/ssl/certs/ca-bundle.crt
# Use system CAs (Red Hat/Fedora)
openssl s_client -connect example.com:443 -CApath /etc/pki/tls/certs/
Accept Self-Signed Certificate for Testing
# Skip validation (TESTING ONLY!)
curl -k https://example.com
# or
openssl s_client -connect example.com:443 -verify_return_error
8. Useful One-Liners
# Certificate expiration date in human-readable format
openssl x509 -in cert.pem -noout -enddate | cut -d= -f2
# Generate random password (32 characters, base64)
openssl rand -base64 32
# Generate random hex string (16 bytes)
openssl rand -hex 16
# File SHA-256 checksum (compatible with sha256sum)
openssl dgst -sha256 file.txt | awk '{print $2}'
# List certificate Subject Alternative Names (SAN)
openssl x509 -in cert.pem -noout -ext subjectAltName
# Check private key bit length
openssl rsa -in private.key -text -noout | grep "Private-Key"
# List all available cipher suites
openssl ciphers -v
# TLS 1.3 ciphers
openssl ciphers -v -tls1_3
9. Automation and Scripting
Non-Interactive CSR Generation
# Specify subject from command line
openssl req -new -key private.key -out request.csr -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/OU=IT/CN=example.com"
# Use config file
openssl req -new -key private.key -out request.csr -config openssl.cnf
openssl.cnf Example:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = California
commonName = Common Name (FQDN)
commonName_default = example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.example.com
Batch Encryption/Decryption
# Encrypt all .txt files in a directory
for file in *.txt; do
openssl enc -aes-256-cbc -salt -in "$file" -out "$file.enc" -pass pass:MySecretPassword
done
# Decrypt
for file in *.txt.enc; do
openssl enc -aes-256-cbc -d -in "$file" -out "${file%.enc}" -pass pass:MySecretPassword
done
10. Kubernetes/OpenShift Context
Create TLS Secret
# 1. Generate certificate and key
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout tls.key -out tls.crt \
-subj "/CN=myapp.example.com/O=myapp"
# 2. Create Kubernetes TLS secret
kubectl create secret tls myapp-tls --cert=tls.crt --key=tls.key
# 3. Use in Ingress/Route
# OpenShift Route YAML:
# spec:
# tls:
# termination: edge
# key: <tls.key content>
# certificate: <tls.crt content>
Verify Service Mesh (Istio) Certificates
# Retrieve Istio sidecar certificate
kubectl exec -it <pod-name> -c istio-proxy -- openssl s_client -connect myservice:8080 -showcerts
# Test HTTPS connection from pod
kubectl exec -it <pod-name> -- openssl s_client -connect external-service.com:443
References
Official Documentation:
- https://www.openssl.org/docs/
- man openssl - OpenSSL man pages
Useful Links: - OpenSSL Cookbook (SSL/TLS): https://www.feistyduck.com/library/openssl-cookbook/ - Mozilla SSL Configuration Generator: https://ssl-config.mozilla.org/
Red Hat Specific:
- RHEL Crypto Policy: /etc/crypto-policies/
- System-wide CA certificates: /etc/pki/tls/certs/
Updated: 2026-05-23 Author: Documentation Team Use Case: SRE, DevOps, Security Engineering