SSL/TLS & OpenSSL Cheatsheet
Essential OpenSSL commands for SSL/TLS certificates
A comprehensive reference for SSL/TLS and OpenSSL commands.
Generate Private Keys
RSA Keys
openssl genrsa -out private.key 2048
openssl genrsa -out private.key 4096
openssl genrsa -aes256 -out private.key 2048 # Encrypted
EC Keys (Recommended)
openssl ecparam -genkey -name prime256v1 -out private.key
openssl ecparam -genkey -name secp384r1 -out private.key
Generate CSR (Certificate Signing Request)
From Private Key
openssl req -new -key private.key -out request.csr
openssl req -new -key private.key -out request.csr -subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
With SAN (Subject Alternative Names)
openssl req -new -key private.key -out request.csr -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[dn]
C=US
ST=State
L=City
O=Organization
CN=example.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.example.com
EOF
)
Self-Signed Certificates
Generate Self-Signed Certificate
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes # New key and certificate in one step (-nodes: unencrypted key)
openssl req -x509 -key private.key -in request.csr -out certificate.crt -days 365 # Self-sign an existing CSR with its own key
View Certificates
View Certificate
openssl x509 -in certificate.crt -text -noout
openssl x509 -in certificate.crt -noout -subject
openssl x509 -in certificate.crt -noout -issuer
openssl x509 -in certificate.crt -noout -dates
openssl x509 -in certificate.crt -noout -fingerprint
View CSR
openssl req -in request.csr -text -noout
openssl req -in request.csr -noout -subject
View Private Key
openssl rsa -in private.key -text -noout
openssl rsa -in private.key -check
# openssl rsa only reads RSA keys; for EC keys use openssl ec (or the key-type-neutral openssl pkey) with the same options
Verify Certificates
Verify Certificate
openssl verify certificate.crt
openssl verify -CAfile ca.crt certificate.crt
Check if Private Key Matches Certificate
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
# If the MD5 hashes match, they're a pair (RSA only: EC keys have no modulus, compare the public keys instead)
Check if CSR Matches Private Key
openssl req -noout -modulus -in request.csr | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
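The modulus comparison above only works for RSA. This added example (not part of the original cheatsheet) checks whether a private key belongs to a certificate or CSR by hashing the public key itself, which works for RSA and EC alike; file names are assumptions and the test material is generated on the fly.

```shell
#!/bin/sh
# Added example: does this private key belong to this certificate or CSR?
# The modulus trick works for RSA only; comparing the DER-encoded public key
# (SubjectPublicKeyInfo) works for RSA and EC keys alike. File names are assumptions.
set -e
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 1; }
cd "$(mktemp -d)"

pubkey_fpr() {              # $1 = key|cert|csr, $2 = file; prints SHA-256 of the public key
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Returns 0 when the key's public half equals the one in the cert or CSR.
key_matches() {             # $1 = private key, $2 = cert|csr, $3 = file
    [ "$(pubkey_fpr key "$1")" = "$(pubkey_fpr "$2" "$3")" ]
}

# Constructed test material: an EC key with its own self-signed cert and CSR,
# plus an unrelated RSA key that must not match.
openssl ecparam -genkey -name prime256v1 -noout -out ec.key
openssl req -x509 -new -key ec.key -out ec.crt -days 1 -subj "/CN=ec-test" 2>/dev/null
openssl req -new -key ec.key -out ec.csr -subj "/CN=ec-test" 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null

key_matches ec.key cert ec.crt     && echo "ec.key    <-> ec.crt: match"
key_matches ec.key csr  ec.csr     && echo "ec.key    <-> ec.csr: match"
key_matches other.key cert ec.crt  || echo "other.key <-> ec.crt: mismatch"
```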
Convert Formats
PEM to DER
openssl x509 -in cert.pem -outform der -out cert.der
DER to PEM
openssl x509 -in cert.der -inform der -out cert.pem
PEM to PKCS12
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca.crt
PKCS12 to PEM
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
Test SSL/TLS Connections
Test HTTPS Connection
openssl s_client -connect example.com:443
openssl s_client -connect example.com:443 -servername example.com # SNI
openssl s_client -connect example.com:443 -showcerts
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
Test SMTP with STARTTLS
openssl s_client -connect smtp.example.com:587 -starttls smtp
Test IMAP with STARTTLS
openssl s_client -connect imap.example.com:143 -starttls imap
Certificate Authority (CA)
Create CA
# Generate CA private key
openssl genrsa -aes256 -out ca.key 4096
# Generate CA certificate
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Sign Certificate with CA
# Note: x509 -req does not copy the CSR's extensions; add -extfile <cnf> -extensions v3_req (or -copy_extensions copy on OpenSSL 3.x) or the issued cert has no SAN
openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out certificate.crt -days 365
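A complete run of the SAN CSR and CA-signing steps above, as an added example that is not from the original cheatsheet: it builds a throwaway CA, issues an EC server certificate from an inline SAN config, and checks that the SAN actually survived signing. File names, hostnames and the lab CA name are assumptions.

```shell
#!/bin/sh
# Added example: throwaway CA issuing an EC server cert with SANs.
# File names are assumptions; everything is written to a scratch directory.
set -e
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 1; }
cd "$(mktemp -d)"

# CSR with SANs from an inline config (same [v3_req] layout as the page).
make_san_csr() {            # $1 = key out, $2 = csr out, $3 = hostname
    openssl ecparam -genkey -name prime256v1 -noout -out "$1"
    cat > san.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $3
[v3_req]
subjectAltName = DNS:$3, DNS:www.$3
EOF
    openssl req -new -key "$1" -out "$2" -config san.cnf
}

# Lab CA. A real CA key should be encrypted (-aes256); -nodes keeps this
# example non-interactive.
make_ca() {                 # $1 = CA key out, $2 = CA cert out
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 3650 -subj "/CN=Example Lab CA" 2>/dev/null
}

# "openssl x509 -req" discards the CSR's extensions, so the SAN section is
# passed again with -extfile; without it the issued cert has no SAN.
sign_csr() {                # $1 = csr, $2 = CA cert, $3 = CA key, $4 = cert out
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -extfile san.cnf -extensions v3_req -out "$4" 2>/dev/null
}

cert_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
cert_has_san()  { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

make_ca ca.key ca.crt
make_san_csr server.key server.csr example.com
sign_csr server.csr ca.crt ca.key server.crt
cert_verifies ca.crt server.crt && cert_has_san server.crt www.example.com && echo "issued OK"
```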
Let's Encrypt (Certbot)
Install Certbot
sudo apt install certbot python3-certbot-nginx # Nginx
sudo apt install certbot python3-certbot-apache # Apache
Obtain Certificate
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot --apache -d example.com
sudo certbot certonly --standalone -d example.com
sudo certbot certonly --webroot -w /var/www/html -d example.com
Renew Certificates
sudo certbot renew
sudo certbot renew --dry-run # Test renewal
List Certificates
sudo certbot certificates
Delete Certificate
sudo certbot delete --cert-name example.com
Common Tasks
Create Certificate Bundle
cat certificate.crt intermediate.crt root.crt > bundle.crt
Extract Certificate from Server
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -out certificate.crt
Check Certificate Expiry
openssl x509 -in certificate.crt -noout -enddate
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate
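The two expiry commands above print a date but leave the comparison to you. This added example (not from the original cheatsheet) turns the check into an exit status suitable for cron or a monitoring probe using `openssl x509 -checkend`; file names, thresholds and the host argument are assumptions.

```shell
#!/bin/sh
# Added example: expiry check with a threshold. "openssl x509 -checkend N"
# exits 0 only if the certificate is still valid N seconds from now, so no
# date parsing is needed. File names and thresholds are assumptions.
set -e
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 1; }
cd "$(mktemp -d)"

# Returns 0 if certificate file $1 stays valid for more than $2 days, 1 otherwise.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Same check against a live server ($1 = host:port); SNI is set so a virtual
# host returns the right certificate. Not exercised here (no network).
server_ok_for_days() {
    echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
        | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

report() {                  # $1 = cert file, $2 = warning threshold in days
    if cert_ok_for_days "$1" "$2"; then
        echo "OK: $1 valid beyond $2 days ($(openssl x509 -in "$1" -noout -enddate))"
    else
        echo "WARNING: $1 expires within $2 days ($(openssl x509 -in "$1" -noout -enddate))"
    fi
}

# Constructed test certificate that expires in 10 days.
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout short.key -out short.crt -days 10 -subj "/CN=short-lived" 2>/dev/null
report short.crt 7      # OK
report short.crt 30     # WARNING
```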
Generate Diffie-Hellman Parameters
openssl dhparam -out dhparam.pem 2048
openssl dhparam -out dhparam.pem 4096
Quick Reference
| Command | Description |
|---|---|
| openssl genrsa -out key.pem 2048 | Generate RSA key |
| openssl req -new -key key.pem -out csr.pem | Generate CSR |
| openssl req -x509 -newkey rsa:2048 -out cert.pem | Self-signed cert |
| openssl x509 -in cert.pem -text -noout | View certificate |
| openssl verify cert.pem | Verify certificate |
| openssl s_client -connect host:443 | Test connection |
| certbot --nginx -d example.com | Let's Encrypt |
Best Practices
- Use strong keys (2048-bit RSA minimum, EC preferred)
- Use Let's Encrypt for free certificates
- Enable HSTS for security
- Use TLS 1.2+ only
- Disable weak ciphers
- Monitor expiry dates
- Automate renewal
- Use certificate pinning when appropriate
- Keep private keys secure
- Test with SSL Labs
Resources
- OpenSSL Documentation: https://www.openssl.org/docs/
- Let's Encrypt: https://letsencrypt.org/
- SSL Labs Test: https://www.ssllabs.com/ssltest/
- Mozilla SSL Config: https://ssl-config.mozilla.org/
