10 Essential OpenSSL Commands for 2025: A Pro Guide

Master the command line in 2025 with our pro guide to 10 essential OpenSSL commands. Generate keys, CSRs, inspect certs, and more. A must-read for devs & sysadmins.

Alex Volkov

Senior DevOps Engineer specializing in cloud security and infrastructure automation.

If you work in DevOps, system administration, or web development, you've undoubtedly crossed paths with OpenSSL. It’s the Swiss Army knife for anything related to SSL/TLS certificates and general cryptography. But with hundreds of functions, knowing which ones to keep in your back pocket can be a challenge.

Forget sifting through dense man pages. Here’s a straightforward, practical guide to the 10 OpenSSL commands you'll actually use in 2025. Let's cut through the noise and get straight to what matters.

1. Generate a New Private Key and Certificate Signing Request (CSR)

This is the quintessential starting point for getting a new SSL certificate. This single command creates both your private key (the secret part you must protect) and the CSR (the file you send to a Certificate Authority like Let's Encrypt or DigiCert).

openssl req -new -newkey rsa:4096 -nodes -keyout yourdomain.key -out yourdomain.csr

Breaking it down:

  • req: The command for handling certificate requests.
  • -new -newkey rsa:4096: Creates a new request and a new 4096-bit RSA private key. For 2025, 4096-bit is the recommended standard for strong security.
  • -nodes: Stands for "No DES." It skips encrypting the private key with a passphrase. While less secure if the key file is stolen, it's essential for web servers that need to restart automatically without manual intervention.
  • -keyout yourdomain.key: The name of your new private key file.
  • -out yourdomain.csr: The name of your new CSR file.

You'll be prompted to enter information for your CSR, like your country, organization, and—most importantly—the Common Name, which must be your fully qualified domain name (e.g., www.yourdomain.com).

2. Create a Self-Signed Certificate

Perfect for local development or internal services where you need encryption but don't need public trust. This command generates a key and a certificate in one go, signed by itself.

openssl req -x509 -newkey rsa:4096 -nodes -keyout yourdomain.key -out yourdomain.crt -days 365

The new flags here are:

  • -x509: This tells OpenSSL to create a self-signed certificate instead of a CSR.
  • -days 365: Sets the certificate's validity period. One year is common for these types of certs.

3. Verify a Certificate Signing Request (CSR)

Before you send your CSR to a Certificate Authority, it's wise to double-check its contents to ensure you entered everything correctly. This command lets you inspect it in a human-readable format.

openssl req -in yourdomain.csr -noout -text

The output will show you the Common Name, organization, and other details you entered, so you can catch a typo before you pay for a certificate.

4. Check a Private Key

Is your key file valid? Is it corrupted? This quick command will confirm its integrity.

openssl pkey -in yourdomain.key -check

If the key is valid, it will print it out. If there's a problem, it will throw an error. Simple and effective.

5. Inspect a Certificate's Details

Once you get your certificate back from the CA (or if you just want to inspect an existing one), this command is your best friend. It reveals the issuer, subject (your domain), validity dates, and more.

openssl x509 -in yourdomain.crt -noout -text

Look for the "Not Before" and "Not After" lines to quickly check the expiration date—a common source of website outages!
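Sections 1 through 5 run as one script, added here as an example and not taken from the article: the key and CSR are generated without prompts via -subj, the CSR and certificate carry a subjectAltName (browsers match the SAN list rather than the Common Name, so a certificate with only a CN is rejected), and the checks from sections 3 to 5 become functions with an exit status. It assumes OpenSSL 1.1.1 or newer for -addext; the domain example.test and the organization name are made up.

```shell
#!/bin/sh
# Added example (not from the original post): sections 1-5 as one
# non-interactive script. Assumes OpenSSL 1.1.1+ (-addext); names made up.
set -eu

# make_csr DOMAIN KEYFILE CSRFILE BITS [EXTRA_NAME...]
# Unencrypted private key (the page's -nodes) plus a CSR whose subject CN
# is DOMAIN and whose subjectAltName lists DOMAIN and every extra name.
# Browsers match the SAN list, not the CN, so never leave it out.
make_csr() {
    domain=$1 keyfile=$2 csrfile=$3 bits=$4; shift 4
    san="DNS:$domain"
    for n in "$@"; do san="$san,DNS:$n"; done
    openssl req -new -newkey "rsa:$bits" -nodes -keyout "$keyfile" \
        -out "$csrfile" -subj "/C=US/O=Example Org/CN=$domain" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# csr_san CSRFILE: the SAN line from -text output (section 3), so a typo
# is caught before the CSR goes to a CA.
csr_san() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# self_sign DOMAIN KEYFILE CRTFILE DAYS [EXTRA_NAME...]
# Section 2, but signing with an existing key so key and cert match.
self_sign() {
    domain=$1 keyfile=$2 crtfile=$3 days=$4; shift 4
    san="DNS:$domain"
    for n in "$@"; do san="$san,DNS:$n"; done
    openssl req -x509 -new -key "$keyfile" -out "$crtfile" -days "$days" \
        -subj "/CN=$domain" -addext "subjectAltName=$san" 2>/dev/null
}

# key_ok KEYFILE: section 4 as a yes/no check (exit status only).
key_ok() { openssl pkey -in "$1" -check -noout >/dev/null 2>&1; }

# cert_valid_for CRTFILE DAYS: section 5 as a monitoring check; succeeds
# only if the certificate is still valid DAYS days from now.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"; }

# Demo run in a scratch directory.
work=$(mktemp -d); cd "$work"
make_csr example.test site.key site.csr 4096 www.example.test
csr_san site.csr        # prints: DNS:example.test, DNS:www.example.test
self_sign example.test site.key site.crt 365 www.example.test
openssl x509 -in site.crt -noout -subject -enddate
key_ok site.key && cert_valid_for site.crt 30 && echo "key and cert OK"
```

The -checkend check exits non-zero when the certificate expires inside the given window, which makes cert_valid_for easy to wire into a cron job or monitor.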

6. Inspect a Remote Server's SSL Certificate

This is a sysadmin's secret weapon for debugging. It connects to any server and displays the certificate it's presenting, allowing you to verify installation, check expiration dates, and troubleshoot chain issues directly from your terminal.

openssl s_client -connect www.example.com:443

For a cleaner view that only shows the certificate details, pipe it into the `x509` command:

openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -noout -text

7. Convert Certificate Formats (e.g., PEM to DER)

Different systems require different certificate encodings. The most common are PEM (Base64 ASCII) and DER (binary). For example, Java keystores often prefer DER. OpenSSL makes conversion trivial.

PEM to DER:

openssl x509 -in cert.pem -outform der -out cert.der

PEM to PFX/P12 (for Windows/IIS):

openssl pkcs12 -export -out certificate.pfx -inkey yourdomain.key -in yourdomain.crt

8. Verify a Certificate Matches a Private Key

Ever wonder if `cert.crt` and `private.key` actually belong together? This is how you confirm it. You check whether the "modulus"—the public RSA component shared between the key and the certificate—is identical in both.

Run these three commands. If the output hashes are the same, they match!

# Check the certificate
openssl x509 -noout -modulus -in yourdomain.crt | openssl md5

# Check the private key
openssl pkey -noout -modulus -in yourdomain.key | openssl md5

# Bonus: Check the CSR
openssl req -noout -modulus -in yourdomain.csr | openssl md5

This is a lifesaver when you're managing dozens of certificate files and need to avoid a mismatch.
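The same check rewritten to compare the public key itself rather than the RSA modulus, as an added example that is not from the article: the -modulus commands above only apply to RSA keys, while hashing the public key works for EC and Ed25519 keys as well. It assumes OpenSSL 1.1.1 or newer; the file names a.key, b.key and the CN a.example.test are made up.

```shell
#!/bin/sh
# Added example (not from the original post): section 8 done with the whole
# public key instead of the RSA modulus, so it also covers EC and Ed25519
# keys, which have no modulus. Assumes OpenSSL 1.1.1+; file names made up.
set -eu

# pubkey_fp KIND FILE   (KIND = key | csr | crt)
# SHA-256 over the PEM SubjectPublicKeyInfo. A private key, a CSR and a
# certificate all carry that structure, so matching files give the same
# digest and any other result means they do not belong together.
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *) echo "pubkey_fp: kind must be key, csr or crt" >&2; return 2 ;;
    esac
    [ -n "$pem" ] || return 1        # unreadable file must never "match"
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{ print $NF }'
}

# keys_match KEYFILE CRTFILE [CSRFILE]
# Succeeds only if every file carries the same public key.
keys_match() {
    want=$(pubkey_fp key "$1") || return 1
    [ "$(pubkey_fp crt "$2")" = "$want" ] || return 1
    [ $# -lt 3 ] || [ "$(pubkey_fp csr "$3")" = "$want" ]
}

# Demo: an EC key (nothing for -modulus to print), its CSR and a
# self-signed cert, plus an unrelated key to show a mismatch being caught.
work=$(mktemp -d); cd "$work"
openssl ecparam -name prime256v1 -genkey -noout -out a.key
openssl req -new -key a.key -subj /CN=a.example.test -out a.csr
openssl req -x509 -new -key a.key -subj /CN=a.example.test -days 1 -out a.crt
openssl ecparam -name prime256v1 -genkey -noout -out b.key
keys_match a.key a.crt a.csr && echo "a.key / a.crt / a.csr: same public key"
keys_match b.key a.crt || echo "b.key / a.crt: MISMATCH"
```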

9. Encrypt and Decrypt a File

OpenSSL is more than just a certificate tool; it's a full-fledged crypto toolkit. You can easily perform symmetric encryption on a file using a strong cipher like AES-256.

To encrypt a file:

openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.enc

It will prompt you for a password.

To decrypt it:

openssl enc -d -aes-256-cbc -in encrypted.enc -out decrypted.txt

You'll need the same password to unlock the file. This is great for securing backups or sensitive configuration files.
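The same encrypt and decrypt pair with the key derivation made explicit, as an added example that is not from the article: without -pbkdf2, openssl enc derives the key from the password with a single hash iteration and (since OpenSSL 1.1.1) warns that this derivation is deprecated, so the script uses PBKDF2 with a high iteration count, reads the password from a file instead of the command line, and verifies the round trip. It assumes OpenSSL 1.1.1 or newer; the file names and the contents of app.conf are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): section 9 with the key
# derivation the page's command leaves at its weak default. Without
# -pbkdf2, openssl enc derives the key with a single hash pass and prints
# "deprecated key derivation used". Assumes OpenSSL 1.1.1+; names and
# file contents are constructed.
set -eu

# Password comes from a file (created with mode 600 below) rather than
# the command line, so it never shows up in the process list.
KDF_ITER=600000

# encrypt_file PASSFILE IN OUT
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$KDF_ITER" \
        -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_file PASSFILE IN OUT
# A wrong password fails with "bad decrypt" in almost every case, but
# AES-CBC carries no integrity tag: a modified ciphertext can still
# decrypt "successfully" to garbage, so keep a separate checksum or
# signature for anything that matters.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
        -pass "file:$1" -in "$2" -out "$3"
}

# roundtrip PASSFILE FILE: encrypt, decrypt, and confirm the bytes match.
roundtrip() {
    encrypt_file "$1" "$2" "$2.enc"
    decrypt_file "$1" "$2.enc" "$2.dec"
    cmp -s "$2" "$2.dec"
}

# Demo with constructed data in a scratch directory.
work=$(mktemp -d); cd "$work"
umask 077
openssl rand -base64 32 > pass.txt          # section 10, as the passphrase
printf 'db_password=constructed-secret\n' > app.conf
roundtrip pass.txt app.conf && echo "round trip OK"
openssl rand -base64 32 > wrong.txt
decrypt_file wrong.txt app.conf.enc out.bin 2>/dev/null || echo "wrong password: bad decrypt"
```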

10. Generate a Strong Random String

Need a quick, cryptographically secure password or API key? OpenSSL can generate one instantly.

openssl rand -base64 32

This command generates 32 bytes of random data and encodes it in Base64, resulting in a 44-character string that's perfect for passwords, salts, or secrets.

Conclusion

Mastering these 10 commands will equip you to handle the vast majority of day-to-day SSL/TLS and cryptographic tasks. OpenSSL is a deep and powerful tool, but you don't need to know everything to be effective. Keep this list handy, and you'll be managing certificates and keys like a pro.

What are your favorite OpenSSL commands? Share them in the comments below!
