How to use OpenSSL Commands – Top 40 OpenSSL commands with examples
OpenSSL is a powerful and widely used open-source toolkit that provides cryptographic functions and tools for managing SSL/TLS certificates, encryption, and related security operations. Whether you are a website owner, system administrator, or security professional, understanding and using OpenSSL commands can greatly improve your ability to secure and manage your WordPress website. In this post, we explore the top 40 OpenSSL commands for tasks such as generating certificates, encrypting and decrypting files, verifying certificate integrity, testing server configurations, and much more. By familiarizing yourself with these commands, you will gain the knowledge and tools needed to protect the security and integrity of your site.
- Generate a new private key:
openssl genrsa -out private.key 2048
- Generate a certificate signing request (CSR):
openssl req -new -key private.key -out csr.csr
- Generate a self-signed certificate:
openssl req -new -x509 -key private.key -out certificate.crt -days 365
- Verify the certificate:
openssl x509 -in certificate.crt -text -noout
- Convert a certificate from PEM to DER format:
openssl x509 -in certificate.pem -outform der -out certificate.der
- Convert a private key from PEM to DER format:
openssl rsa -in private.pem -outform der -out private.der
- Extract the public key from a certificate:
openssl x509 -in certificate.crt -pubkey -noout > public.key
- Encrypt a file using a public key:
openssl rsautl -encrypt -in plaintext.txt -pubin -inkey public.key -out encrypted.txt
- Decrypt a file using a private key:
openssl rsautl -decrypt -in encrypted.txt -inkey private.key -out decrypted.txt
- Encrypt a file using a symmetric key (AES-256):
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.txt -pass file:password.txt
- Decrypt a file using a symmetric key (AES-256):
openssl enc -aes-256-cbc -d -in encrypted.txt -out decrypted.txt -pass file:password.txt
- Generate a new Diffie-Hellman parameters file:
openssl dhparam -out dhparam.pem 2048
- Convert a certificate from DER to PEM format:
openssl x509 -inform der -in certificate.der -out certificate.pem
- Check the validity period of a certificate:
openssl x509 -in certificate.crt -noout -dates
- Extract the subject name from a certificate:
openssl x509 -in certificate.crt -noout -subject
- Extract the issuer name from a certificate:
openssl x509 -in certificate.crt -noout -issuer
- Convert a PKCS#12 file (.pfx) to PEM format:
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
- Convert a PEM certificate and private key to PKCS#12 format:
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt
- Verify the integrity of a PKCS#12 file:
openssl pkcs12 -info -in certificate.pfx
- Generate a strong random password:
openssl rand -base64 32
- Generate a new 2048-bit RSA private key and certificate in a single command:
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt
- Generate a Certificate Signing Request (CSR) with a Subject Alternative Name (SAN):
openssl req -new -key private.key -out csr.csr -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))
- Generate a CSR with a specific key size (e.g., 4096 bits):
openssl req -new -newkey rsa:4096 -nodes -keyout private.key -out csr.csr
- Convert a PKCS#7 file (.p7b) to PEM format:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
- Verify a certificate chain:
openssl verify -CAfile ca.crt -untrusted intermediate.crt certificate.crt
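The CA, CSR, SAN and chain-verification commands above fit together into one workflow. The script below is an added example, not from the original post: it builds a throwaway root and intermediate CA, issues a leaf certificate whose SAN comes from a small config file (a portable alternative to the `<(...)` process substitution used above), then verifies the chain and checks the SAN and remaining validity. It assumes only that the `openssl` binary is on PATH; every file name and subject is constructed here.

```shell
# Added example, not from the original post. Builds a root + intermediate CA, issues a
# leaf certificate with a SAN from an inline config, then verifies the resulting chain.
# Assumes only that "openssl" is on PATH; all file names and names below are constructed.
set -e
# make_chain DIR: writes ca.crt, intermediate.crt and leaf.crt (plus keys) into DIR
make_chain() {
  d=$1; mkdir -p "$d"
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com,DNS:www.example.com
EOF
  # Root: self-signed, CA extensions taken from [ca_ext]; -subj overrides the config DN
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -days 3650 -subj "/CN=Example Root CA" -config "$d/ext.cnf" -extensions ca_ext
  # Intermediate: CSR signed by the root, itself marked as a CA
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Intermediate CA" -config "$d/ext.cnf"
  openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1825 -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/intermediate.crt"
  # Leaf: CSR signed by the intermediate; SAN and EKU come from [leaf_ext]
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=example.com" -config "$d/ext.cnf"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 365 -extfile "$d/ext.cnf" -extensions leaf_ext -out "$d/leaf.crt"
}
# verify_chain DIR: succeeds only if leaf -> intermediate -> root validates. The
# intermediate is passed with -untrusted: it is a link in the chain, not a trust anchor.
verify_chain() { openssl verify -CAfile "$1/ca.crt" -untrusted "$1/intermediate.crt" "$1/leaf.crt" >/dev/null; }
# leaf_sans DIR: prints the leaf's SAN entries, e.g. "DNS:example.com, DNS:www.example.com"
leaf_sans() { openssl x509 -in "$1/leaf.crt" -noout -ext subjectAltName | grep 'DNS:' | sed 's/^[[:space:]]*//'; }
# leaf_valid_for_days DIR N: succeeds if the leaf will still be valid N days from now
leaf_valid_for_days() { openssl x509 -in "$1/leaf.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null; }
demo=$(mktemp -d)
make_chain "$demo" 2>/dev/null
verify_chain "$demo" && echo "chain OK, SAN: $(leaf_sans "$demo")"
```

Running `openssl verify -CAfile ca.crt leaf.crt` without `-untrusted intermediate.crt` fails, which is the usual cause of "unable to get local issuer certificate" on servers that forget to send their intermediate.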
- Check the SSL/TLS handshake of a remote server:
openssl s_client -connect example.com:443
- Test an SSL/TLS server for known vulnerabilities (Heartbleed, etc.), here by offering only export-grade cipher suites:
openssl s_client -connect example.com:443 -cipher 'EXP:!aNULL'
- Retrieve the SSL/TLS certificate of a remote server:
openssl s_client -showcerts -connect example.com:443 </dev/null
- Generate a 2048-bit RSA private key and a CSR with SAN in a single command:
openssl req -newkey rsa:2048 -nodes -keyout private.key -out csr.csr -subj "/CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))
- Create a PKCS#12 file from a private key and certificate:
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt
- Extract the public key from a private key:
openssl rsa -in private.key -pubout -out public.key
- Generate a new 256-bit AES encryption key:
openssl rand -hex 32 > aes.key
- Encrypt a file using AES-256 in CBC mode:
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.txt -pass file:aes.key
- Decrypt a file encrypted with AES-256 in CBC mode:
openssl enc -aes-256-cbc -d -in encrypted.txt -out decrypted.txt -pass file:aes.key
- Encrypt a file using AES-256 in GCM mode:
openssl enc -aes-256-gcm -salt -in plaintext.txt -out encrypted.txt -pass file:aes.key
- Decrypt a file encrypted with AES-256 in GCM mode:
openssl enc -aes-256-gcm -d -in encrypted.txt -out decrypted.txt -pass file:aes.key
- Encrypt a file using 3DES (Triple DES):
openssl enc -des3 -salt -in plaintext.txt -out encrypted.txt -pass file:password.txt
- Decrypt a file encrypted with 3DES (Triple DES):
openssl enc -des3 -d -in encrypted.txt -out decrypted.txt -pass file:password.txt
- Generate a new random initialization vector (IV):
openssl rand -hex 16 > iv.txt
- Encrypt a file using AES-256 in CBC mode with a specific initialization vector (IV):
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.txt -pass file:aes.key -iv $(cat iv.txt)
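The `enc` commands above pass the contents of `aes.key` with `-pass file:`, which makes OpenSSL treat that hex string as a passphrase and derive the real key and IV from it (with a random salt, written as a `Salted__` header). To use the generated hex values directly as the raw 256-bit key and 128-bit IV, `-K` and `-iv` are the options to use, and no salt header is written. The script below is an added example, not from the original post; it shows both modes side by side on constructed sample text, with `-pbkdf2` for the passphrase path. It assumes only that `openssl` is on PATH.

```shell
# Added example, not from the original post: the two ways "openssl enc" accepts key material.
# -pass file:X  : X holds a passphrase; key and IV are derived from it plus a random salt.
# -K HEX -iv HEX: the hex values are used directly as key and IV; no salt header is written.
set -e
# enc_raw KEYHEX IVHEX IN OUT: AES-256-CBC with an explicit 256-bit key and 128-bit IV
enc_raw() { openssl enc -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }
dec_raw() { openssl enc -aes-256-cbc -d -K "$1" -iv "$2" -in "$3" -out "$4"; }
# enc_pass PASSFILE IN OUT: passphrase-based, salted, PBKDF2 key derivation (use -pbkdf2 on both sides)
enc_pass() { openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$1" -in "$2" -out "$3"; }
dec_pass() { openssl enc -aes-256-cbc -d -pbkdf2 -pass "file:$1" -in "$2" -out "$3"; }
# header FILE: prints the first 8 bytes, "Salted__" for passphrase-mode output
header() { head -c 8 "$1"; }
# size FILE: file length in bytes
size() { wc -c < "$1" | tr -d ' '; }
# roundtrip DIR: encrypts constructed sample text both ways and prints "ok" if both decrypt correctly
roundtrip() {
  d=$1; mkdir -p "$d"
  printf 'constructed sample plaintext\n' > "$d/plain.txt"   # 29 bytes, padded to 32 by CBC
  openssl rand -hex 32 > "$d/aes.key"     # 64 hex chars = 256-bit key
  openssl rand -hex 16 > "$d/iv.txt"      # 32 hex chars = 128-bit IV
  enc_raw "$(cat "$d/aes.key")" "$(cat "$d/iv.txt")" "$d/plain.txt" "$d/raw.bin"
  dec_raw "$(cat "$d/aes.key")" "$(cat "$d/iv.txt")" "$d/raw.bin" "$d/raw.dec"
  openssl rand -base64 32 > "$d/password.txt"   # a passphrase, not a key
  enc_pass "$d/password.txt" "$d/plain.txt" "$d/pass.bin"
  dec_pass "$d/password.txt" "$d/pass.bin" "$d/pass.dec"
  cmp -s "$d/plain.txt" "$d/raw.dec" && cmp -s "$d/plain.txt" "$d/pass.dec" && echo ok
}
demo=$(mktemp -d)
roundtrip "$demo"
echo "raw: $(size "$demo/raw.bin") bytes, passphrase: $(size "$demo/pass.bin") bytes ($(header "$demo/pass.bin"))"
```

With a fixed `-K`/`-iv` pair the ciphertext is deterministic, so never reuse the same IV for a second message under the same key; the passphrase path avoids this by salting every run.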
You can refer to the official OpenSSL website for the up-to-date list of all available commands.