
OpenSSL Cheatsheet



OpenSSL is a widely-used open-source implementation of the SSL and TLS protocols. It is used to secure data transmission over the internet. OpenSSL is available on multiple platforms, including Linux, Windows and macOS. It provides a command-line interface that allows users to perform various cryptographic operations. In this blog post, we provide an OpenSSL cheatsheet that summarizes the most commonly used commands.

Basic OpenSSL Commands

The following OpenSSL commands are the most commonly used and essential commands that you should know:


  • Create a CSR with an existing private key
openssl req -out CSR.csr -key privateKey.key -new
  • Create a CSR with a brand new private key
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Create a CSR from an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Check a CSR
openssl req -text -noout -verify -in CSR.csr


  • Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Check a certificate
openssl x509 -in certificate.crt -text -noout
  • Convert to PEM (from .der, .cer or .crt)
openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Get server certificate and chain
openssl s_client -connect <host>:<port> -showcerts

Private Keys

  • Remove a passphrase from a private key (the output key is written unencrypted)
openssl rsa -in privateKey.pem -out newPrivateKey.pem
  • Check a private key
openssl rsa -in privateKey.key -check


  • Check a PKCS#12 file
openssl pkcs12 -info -in keyStore.p12
  • Convert to PEM (-nodes writes the private key unencrypted)
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes


  • Convert to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert to PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Checking Certificate vs Private Key

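Each command below prints an MD5 digest of the RSA modulus. The certificate, CSR and private key belong to the same key pair only if all three digests are identical.

  • Modulus digest of the certificate
openssl x509 -noout -modulus -in certificate.crt | openssl md5
  • Modulus digest of the CSR
openssl req -noout -modulus -in CSR.csr | openssl md5
  • Modulus digest of the private key
openssl rsa -noout -modulus -in privateKey.key | openssl md5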
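
The comparison in this section as a script (an added example, not part of the original cheatsheet). It applies to RSA keys only, hashes the modulus with SHA-256 instead of MD5, and uses constructed file names and a constructed demo.example subject.

```shell
#!/bin/sh
# Added example: RSA-only check that a certificate, CSR and key share one key pair.
# File names and the demo.example subject are constructed for this example.

# Print the SHA-256 digest of the RSA modulus. $1 = x509|req|rsa, $2 = file.
# Fails (non-zero) when the file cannot be parsed, so an unreadable input
# can never compare equal to another unreadable input.
modulus_digest() (
  m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
  case "$m" in Modulus=?*) ;; *) return 1 ;; esac
  printf '%s' "$m" | openssl dgst -sha256 | awk '{print $NF}'
)

# Succeed only when certificate ($1), CSR ($2) and private key ($3) match.
same_keypair() (
  c=$(modulus_digest x509 "$1") || return 1
  r=$(modulus_digest req "$2") || return 1
  k=$(modulus_digest rsa "$3") || return 1
  [ "$c" = "$r" ] && [ "$c" = "$k" ]
)

# Create constructed test material in a temp dir and print its path:
# a.key/a.crt/a.csr belong together, b.key is an unrelated key.
make_demo() (
  d=$(mktemp -d) || return 1
  openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
    -subj "/CN=demo.example" -keyout "$d/a.key" -out "$d/a.crt" 2>/dev/null &&
  openssl req -new -key "$d/a.key" -subj "/CN=demo.example" \
    -out "$d/a.csr" 2>/dev/null &&
  openssl genrsa -out "$d/b.key" 2048 2>/dev/null &&
  printf '%s\n' "$d"
)

# Demo run: the matching set passes, the unrelated key is rejected.
dir=$(make_demo) || exit 1
if same_keypair "$dir/a.crt" "$dir/a.csr" "$dir/a.key"; then echo "a.*: match"; fi
if ! same_keypair "$dir/a.crt" "$dir/a.csr" "$dir/b.key"; then echo "b.key: MISMATCH"; fi
rm -rf "$dir"
```

Running the check before installing a certificate catches the common mistake of pairing a renewed certificate with the previous private key.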

Encode or Decode

  • Encode to base64
openssl enc -base64 <<< "Hello, World!"
openssl base64 -in <infile> -out <outfile>
  • Decode from base64
openssl enc -base64 -d <<< SGVsbG8sIFdvcmxkIQo=
openssl base64 -d -in <infile> -out <outfile>


  • Generate random
openssl rand -base64 10
openssl rand -hex 10
  • Get a list of available ciphers (OpenSSL 1.1.0 and later; older releases use openssl list-cipher-algorithms)
openssl list -cipher-algorithms


OpenSSL is a powerful and versatile tool that can be used to generate private keys, CSRs, and certificates. The commands listed in this cheatsheet provide a quick reference guide for OpenSSL users. If you are new to OpenSSL, we recommend that you read the documentation to understand the command-line options and parameters in more detail.


  • License under CC BY-NC 4.0