openssl Command
OpenSSL command line tool for cryptography and SSL/TLS
📅 Updated: Mar 15, 2026
SYNTAX
openssl COMMAND [OPTION]...
What Does openssl Do?
openssl is a cryptographic toolkit for SSL/TLS operations, certificate management, encryption, hashing, and key generation. It is the Swiss Army knife of cryptography on Linux.
openssl is used for generating SSL certificates, creating certificate signing requests (CSRs), testing SSL connections, encrypting/decrypting files, and generating random data.
For web servers, openssl is essential for generating private keys, creating CSRs for certificate authorities, and converting between certificate formats (PEM, DER, PFX).
Options & Flags
| Option | Description | Example |
|---|---|---|
| genrsa | Generate RSA private key | openssl genrsa -out key.pem 4096 |
| req | Create certificate signing request | openssl req -new -key key.pem -out csr.pem |
| x509 | Create/examine X.509 certificates | openssl x509 -in cert.pem -text -noout |
| s_client | Test SSL/TLS connection | openssl s_client -connect example.com:443 |
| enc | Encrypt/decrypt files | openssl enc -aes-256-cbc -pbkdf2 -in plain.txt -out encrypted.enc |
| rand | Generate random data | openssl rand -hex 32 |
| dgst | Calculate hash/digest | openssl dgst -sha256 file.txt |
Practical Examples
#1 Generate private key
Creates a 4096-bit RSA private key.
$ openssl genrsa -out server.key 4096
Output:
Generating RSA private key, 4096 bit long modulus
#2 Generate CSR
Creates a Certificate Signing Request for a CA.
$ openssl req -new -key server.key -out server.csr
#3 Self-signed certificate
Creates a self-signed certificate valid for 1 year. The -nodes option writes the private key unencrypted.
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
#4 Test SSL connection
Tests an SSL/TLS connection and shows certificate details.
$ openssl s_client -connect example.com:443 -servername example.com
#5 View certificate
Displays certificate details: issuer, validity, subject, etc.
$ openssl x509 -in cert.pem -text -noout
#6 Check certificate expiry
Shows certificate validity dates for a remote server.
$ echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Output:
notBefore=Jan 1 00:00:00 2024 GMT
notAfter=Jan 1 00:00:00 2025 GMT
#7 Generate random password
Generates a 32-byte random string encoded in base64.
$ openssl rand -base64 32
Output:
aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2u=
#8 Encrypt a file
Encrypts a file with AES-256-CBC using a password.
$ openssl enc -aes-256-cbc -salt -in secret.txt -out secret.enc -pbkdf2
Tips & Best Practices
Check remote certificates: echo | openssl s_client -connect host:443 2>/dev/null | openssl x509 -text quickly shows any server certificate.
Protect private keys: Private key files must have 600 permissions and must never be shared. Run chmod 600 server.key immediately after generation.
Let's Encrypt: For production SSL certificates, use certbot (Let's Encrypt) instead of a self-signed certificate. openssl is for testing and CSR generation.
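The tips above can be scripted as a check to run before a key/certificate pair is deployed. This is an added example, not part of the original page: it goes slightly beyond the page by also confirming that the key matches the certificate, and it checks expiry on a local file with x509 -checkend. The function and file names are assumptions, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a key/certificate pair.
# Function and file names are assumptions; stat -c is GNU coreutils (Linux).

# Succeeds when the key file grants nothing to group or other (600 or 400).
key_private() {
  case "$(stat -c '%a' "$1")" in
    [0-7]00) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds when the certificate carries the public key derived from the private key.
# Compares the PEM text itself, so a failed read can never "match" by accident.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Succeeds when the certificate is still valid MIN_DAYS from now.
# -checkend N exits non-zero if the certificate expires within N seconds.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# usage: check_pair KEY CERT MIN_DAYS ; prints findings, returns the number of failures
check_pair() {
  fails=0
  key_private "$1" || { echo "FAIL: $1 is accessible to group/other; chmod 600"; fails=$((fails + 1)); }
  key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; fails=$((fails + 1)); }
  cert_valid_for "$2" "$3" || { echo "FAIL: $2 expires within $3 days"; fails=$((fails + 1)); }
  return "$fails"
}

# Constructed sample: a throwaway self-signed pair (2048-bit to keep the demo fast).
make_pair() {  # usage: make_pair DIR DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" -days "$2" 2>/dev/null
  chmod 600 "$1/key.pem"
}

demo=$(mktemp -d)
make_pair "$demo" 30
check_pair "$demo/key.pem" "$demo/cert.pem" 7 && echo "OK: pair passes all checks"
check_pair "$demo/key.pem" "$demo/cert.pem" 60 || echo "($? check failed, as expected for a 30-day cert)"
rm -rf "$demo"
```

The return value of check_pair is the number of failed checks, so it can gate a deployment step directly.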
Frequently Asked Questions
How do I check SSL certificate expiration?
echo | openssl s_client -connect domain:443 2>/dev/null | openssl x509 -noout -dates shows certificate validity dates.
How do I create a self-signed certificate?
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes. For production, use Let's Encrypt instead.
How do I generate a random password?
openssl rand -base64 32 generates a cryptographically secure random string.