Cheatsheets - openssl

Last Updated: 2024-01-31

Steps to generate a cert

# generate a private key foo.key
openssl genrsa -out foo.key 2048

# show content of the private key
openssl rsa -text -in foo.key -noout

# extract public key (the private key file contains both the private key and the public key).
openssl rsa -in foo.key -pubout -out foo_public.key

# create csr; public key will be included in.
openssl req -new -key foo.key -out foo.csr

# verify csr
openssl req -text -in foo.csr -noout -verify

# (send csr to CA and get the cert)

# view cert
openssl x509 -text -in foo.crt -noout

Generate a hash of each file's public key, they should match:

openssl pkey -pubout -in foo.key | openssl sha256
openssl req -pubkey -in foo.csr -noout | openssl sha256
openssl x509 -pubkey -in foo.crt -noout | openssl sha256

Check Kubernetes Certs

Kubernetes stores config files in /etc/kubernetes, to check the cert content (e.g. of the kube-scheduler):

$ cat /etc/kubernetes/scheduler.conf | yq .users[].user.client-certificate-data | base64 -d | openssl x509 -text

# Result:
Issuer: CN = kubernetes
Subject: CN = system:kube-scheduler


By default, OpenSSL generates keys and CSRs using the PEM format.

Between PEM and PKCS#12:

# PEM to PKCS#12
openssl pkcs12 -export -name "foo-digicert-(expiration date)" \
-out foo.pfx -inkey foo.key -in foo.crt

# PKCS#12 to PEM; PKCS#12 format contains both the certificate and private key
# extract private key
openssl pkcs12 -in foo.pfx -nocerts -out foo.key -nodes

# extract cert
openssl pkcs12 -in foo.pfx -nokeys -clcerts -out foo.crt

Between PEM and DER: The DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files. The file extension .der was used in the below examples for clarity.

# convert a PEM encoded certificate into a DER encoded certificate:
openssl x509 -inform PEM -in foo.crt -outform DER -out foo.der

# convert a PEM encoded private key into a DER encoded private key:
openssl rsa -inform PEM -in foo.key -outform DER -out foo_key.der

# convert a DER encoded certificate into a PEM encoded certificate:
openssl x509 -inform DER -in foo.der -outform PEM -out foo.crt

# convert a DER encoded private key into a PEM encoded private key:
openssl rsa -inform DER -in foo_key.der -outform PEM -out foo.key
# Check a PEM certificate (`.crt` or `.pem`)
openssl x509 -text -noout -in cert.pem

# Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr

# Check a private key
openssl rsa -check -in cert.key

cat << EOF > csr.cnf
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

CN = example.com

keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

DNS.1 = example.com
DNS.2 = www.example.com
openssl req -newkey rsa:2048 -out csr.pem -keyout key.pem -config csr.cnf

Key Verification

To verify that a private key corresponds to the public key from a certificate or a CSR, print out their modulus and compare the resulting hash-values.

For an ECDSA key pair/certificate:

openssl req -in ${CSR_FILE} -noout -pubkey | openssl dgst -sha256
openssl ec -in ${KEY_FILE} -pubout | openssl dgst -sha256
openssl x509 -in ${CERT_FILE} -noout -pubkey | openssl dgst -sha256

For a RSA key pair/certificate:

openssl req -noout -modulus -in ${CSR_FILE} | openssl sha256
openssl rsa -noout -modulus -in ${KEY_FILE} | openssl sha256
openssl x509 -noout -modulus -in ${CERT_FILE} | openssl sha256
openssl x509 -in /path/to/cert -text -noout
  • -in filename
  • -text print out full detailed
  • -issuer print the issuer name
  • -noout do not print anything NOT specified

Generate random strings:

$ openssl rand -base64 10

Find openssl config dir

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

Check if TLS is used

check if an endpoint you are connecting to or listening at uses TLS by running the following command:

$ openssl s_client -connect HOST:PORT

It shows Certificate chain, server certificate, etc

The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.

Verify if a certificate is self-signed

Check if the subject and the issuer are the same entity.

$ openssl x509 -in <file> -noout -subject -issuer

Verify if is CA

Check if CA:TRUE is included in the X509v3 Basic Constraints.

# A CA certificate can be identified by running:
$ openssl x509 -in <file> -noout -text

Or verif by cert-manager. If you are issuing a certificate using cert-manager, and the issuer only has the SelfSigned stanza in the spec (selfSigned: {}), then you are using an arbitrary CA.

OpenSSL vs BoringSSL

BoringSSL is a much lighter-weight version of OpenSSL with no guarantees of API or ABI stability since Google requires far less legacy application support.


Private key

openssl genrsa -out foo.key 4096

Private key => Certificate

openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
 -key foo.key \
 -out foo.crt

Generated cert:


A certificate verifies that an entity is the owner of a particular public key.

A certificate is a trusted document that contains a public key and other data of the respective private key owner.

certificate = public key + extra info (cert issuer, owner of the key, valid time period)

self-signed certificate = the owner and the issuer are the same.

CA signs the certificate with its private key.

The root CA has a self-signed certificate. Each subordinate CA has a certificate that is signed by the next highest CA in the hierarchy. A certificate chain is the certificate of a particular CA, plus the certificates of any higher CAs up through the root CA.

openssl configurations

  • /etc/ssl/openssl.cnf