OpenSSL

Certificates

Generate and manage SSL/TLS certificates

Generate Self-Signed Certificate

Generate a self-signed certificate valid for 365 days:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

With subject info inline (non-interactive):

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

Generate Certificate Signing Request (CSR)

Create a CSR from an existing private key:

openssl req -new -key private.key -out request.csr

Generate new key and CSR together:

openssl req -new -newkey rsa:4096 -nodes -keyout private.key -out request.csr

Generate CSR and key with config file and subject (production use):

openssl req -new -newkey rsa:2048 \
  -out domain.csr \
  -keyout domain.key \
  -config domain.conf \
  -subj "/C=US/ST=California/L=San Francisco/O=Company Inc./CN=domain.example.com" \
  -nodes -sha256

View Certificate Details

View certificate information:

openssl x509 -in cert.pem -text -noout

View only specific fields:

# Subject and issuer
openssl x509 -in cert.pem -subject -issuer -noout

# Expiration dates
openssl x509 -in cert.pem -dates -noout

# Serial number
openssl x509 -in cert.pem -serial -noout

View CSR Details

openssl req -in request.csr -text -noout

Verify CSR, Key, and Certificate Match

After the CA has issued the certificate, confirm that the CSR, the private key and the certificate all belong together by comparing the MD5 hash of each file's RSA modulus (the hash is only a short comparison tag, and the modulus check applies to RSA keys):

# CSR modulus
openssl req -noout -modulus -in domain.csr | openssl md5

# Private key modulus
openssl rsa -noout -modulus -in domain.key | openssl md5

# Certificate modulus
openssl x509 -noout -modulus -in domain.crt | openssl md5

All three commands should output the same MD5 hash if the files match.

Convert Certificate Formats

PEM to DER:

openssl x509 -in cert.pem -outform DER -out cert.der

DER to PEM:

openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem

PEM to PKCS#12 (PFX):

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

When generating PFX for automated systems, you can skip the passphrase by pressing Enter when prompted.

PKCS#12 to PEM:

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

Convert PFX to Base64

Generate PFX then convert to base64 (useful for storing in environment variables or secrets):

# Generate PFX file
openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt

# Convert to base64
openssl base64 -in domain.pfx -out domain.base64

Convert the base64 text to a single hex string (this hex-encodes the base64 characters, not the raw PFX bytes):

od -A n -t x1 domain.base64 | tr -d ' \n'

Check Certificate Expiration

openssl x509 -in cert.pem -checkend 86400 -noout
# Exit status 0 if the certificate is still valid 86400 seconds (24 hours) from now,
# 1 if it will have expired by then; useful as a check in scripts and cron jobs

Get expiration date:

openssl x509 -in cert.pem -enddate -noout
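As an added example that is not part of the original cheat sheet, the following POSIX shell script turns the modulus comparison from the verification section and the -checkend expiry test above into reusable functions, plus a constructed fixture for trying them offline. It assumes only the openssl CLI on PATH; the file names and the example.test CN are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): check that a private key,
# certificate and optional CSR belong together, then check remaining validity.
set -u

# Print the MD5 fingerprint of the RSA modulus in a key, certificate or CSR.
# MD5 is only a short comparison tag here, not a security primitive.
modulus_md5() {
  case "$1" in
    key)  mod=$(openssl rsa  -noout -modulus -in "$2") ;;
    cert) mod=$(openssl x509 -noout -modulus -in "$2") ;;
    csr)  mod=$(openssl req  -noout -modulus -in "$2") ;;
    *)    echo "unknown type: $1" >&2; return 2 ;;
  esac
  [ -n "$mod" ] || return 1
  printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
}

# Return 0 when key and certificate (and CSR, if given) share one modulus.
files_match() {
  k=$(modulus_md5 key "$1") || return 1
  c=$(modulus_md5 cert "$2") || return 1
  [ "$k" = "$c" ] || { echo "key/cert mismatch: $k vs $c" >&2; return 1; }
  if [ -n "${3:-}" ]; then
    r=$(modulus_md5 csr "$3") || return 1
    [ "$k" = "$r" ] || { echo "key/csr mismatch: $k vs $r" >&2; return 1; }
  fi
  echo "match: $k"
}

# Return 0 if the certificate is still valid $2 seconds from now (default 24h),
# 1 if it will have expired by then; -checkend itself yields these exit codes.
valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null
}

# Constructed fixture: a throwaway 2-day self-signed cert with its CSR, plus an
# unrelated key, so the checks above can be exercised offline. Writes into $1.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=example.test" \
    -keyout "$1/good.key" -out "$1/good.crt" 2>/dev/null &&
  openssl req -new -key "$1/good.key" -subj "/CN=example.test" \
    -out "$1/good.csr" 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}
```

Run `files_match domain.key domain.crt domain.csr && valid_for domain.crt 604800` to confirm a real deployment's files match and stay valid for the next week.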