How do I generate a private key and CSR with openssl?

Generate a key with openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem, then create a CSR with openssl req -new -key key.pem -out req.csr and answer the prompts (or pass -subj to fill them inline). Send the CSR to your certificate authority; keep key.pem secret.

How do I inspect a certificate with openssl?

Use openssl x509 -in cert.pem -noout -text to print the full human-readable certificate including subject, issuer, validity dates and SAN entries. Add -fingerprint -sha256 for the fingerprint, or -dates to see only notBefore and notAfter.

How do I test a TLS server from the command line?

openssl s_client -connect example.com:443 -servername example.com opens a TLS connection and prints the certificate chain, negotiated protocol and cipher. The -servername (SNI) flag is important on shared hosts. Pipe in echo or add -quiet to avoid hanging on input.

What is the difference between genrsa and genpkey?

genrsa is the older, RSA-specific key generator. genpkey is the modern, algorithm-agnostic command that can produce RSA, EC (elliptic curve), Ed25519 and other keys with consistent options. Prefer genpkey for new work; genrsa still appears widely in older guides.

How do I convert a certificate to PKCS#12?

Bundle a certificate and its private key into a .p12/.pfx file (used by Windows, Java and many servers) with openssl pkcs12 -export -in cert.pem -inkey key.pem -out bundle.p12. You will be asked to set an export password. Use openssl pkcs12 -in bundle.p12 to read it back.

OpenSSL Commands Cheatsheet

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

OpenSSL is the Swiss-army knife for TLS and cryptography on the command line: generating keys, creating certificate signing requests, inspecting and converting certificates, computing digests, encrypting files and probing live TLS servers. This cheatsheet collects the subcommands you reach for most, each with a runnable example.

How it works

The CLI is structured as openssl <subcommand> [options]. Each subcommand is a small tool: genpkey/genrsa create keys, req builds CSRs and self-signed certs, x509 reads and transforms certificates, s_client connects to a TLS endpoint, dgst hashes and signs, enc does symmetric encryption, and pkcs12 bundles keys and certs. Options control input/output files, algorithms and formats (PEM vs DER).

Common recipes

# Key + self-signed cert in one step (10 years)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
  -days 3650 -nodes -subj "/CN=example.com"

# Show certificate details and SAN
openssl x509 -in cert.pem -noout -text

# Test a live TLS endpoint
openssl s_client -connect example.com:443 -servername example.com

Notes and tips

-nodes (no DES) leaves the private key unencrypted — convenient for servers but keep the file permissions tight. Use -subj "/CN=…" to fill CSR fields non-interactively in scripts. PEM is the Base64 -----BEGIN----- format; add -inform DER/-outform DER to work with binary. When testing TLS, always pass -servername so SNI selects the right certificate on shared hosting.