{"id":19227717,"url":"https://github.com/girish1729/openssl-cheatsheet","last_synced_at":"2026-03-19T08:48:52.356Z","repository":{"id":84927401,"uuid":"551734352","full_name":"girish1729/openssl-cheatsheet","owner":"girish1729","description":"OpenSSL command line toolkit cheatsheet","archived":false,"fork":false,"pushed_at":"2022-10-16T04:12:51.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-23T10:29:19.416Z","etag":null,"topics":["command-line","cryptography","openssl"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/girish1729.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-15T01:42:12.000Z","updated_at":"2022-10-18T00:23:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"d7138b53-9a72-414c-851f-0a87dad48a8a","html_url":"https://github.com/girish1729/openssl-cheatsheet","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/girish1729/openssl-cheatsheet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/girish1729%2Fopenssl-cheatsheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/girish1729%2Fopenssl-cheatsheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/girish1729%2Fopenssl-cheatsheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/girish1729%2Fopenssl-cheatsheet/manifests","owner_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/girish1729","download_url":"https://codeload.github.com/girish1729/openssl-cheatsheet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/girish1729%2Fopenssl-cheatsheet/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29981425,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T16:35:47.903Z","status":"ssl_error","status_checked_at":"2026-03-01T16:35:44.899Z","response_time":124,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-line","cryptography","openssl"],"created_at":"2024-11-09T15:24:43.857Z","updated_at":"2026-03-01T19:32:51.736Z","avatar_url":"https://github.com/girish1729.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenSSL cheatsheet\n\n## Working with RSA and ECDSA keys\n\nIn the commands below, replace [bits] with the RSA key size in bits (for example 2048, 4096 or 8192).\n\n- Generate an RSA key:\n\n```shell\n$ openssl genrsa -out priv.key [bits]\n```\n\n- Print the public key or the modulus only:\n\n```shell\n$ openssl rsa -in priv.key -pubout\n$ openssl rsa -in priv.key -noout -modulus\n```\n\n- Print a textual representation of an RSA key:\n\n```shell\n$ openssl rsa -in priv.key -text -noout\n```\n\n- Generate a new RSA key and encrypt it with a pass phrase using AES-256-CBC:\n\n```shell\n$ openssl genrsa -aes256 -out priv.key [bits]\n```\n\n- Check your private key. If the key has a pass phrase, you’ll be prompted for it:\n\n```shell\n$ openssl rsa -check -in priv.key\n```\n\n- Remove the pass phrase from a key:\n\n```shell\n$ openssl rsa -in priv.key -out sample.key\n```\n\n- Encrypt an existing private key with a pass phrase (-des3 is the legacy cipher shown here; prefer -aes256 for new keys):\n\n```shell\n$ openssl rsa -des3 -in priv.key -out encrypted.key\n```\n\n- Generate an ECDSA key. Replace [curve] with one of:\n\n  - prime256v1\n  - secp384r1\n  - secp521r1\n\n```shell\n$ openssl ecparam -genkey -name [curve] | openssl ec -out sample.ec.key\n```\n\n- Print a textual representation of an ECDSA key:\n\n```shell\n$ openssl ec -in sample.ec.key -text -noout\n```\n\n- List the EC curves that the OpenSSL library supports:\n\n```shell\n$ openssl ecparam -list_curves\n```\n\n- Generate DH params with a given length:\n\n```shell\n$ openssl dhparam -out dhparams.pem [bits]\n```\n\n
## Certificate operations\n\nIn the commands below, replace [digest] with the name of a supported hash function:\n\n- md5\n- sha1\n- sha224\n- sha256\n- sha384\n- sha512\n\nAvoid the weak functions md5 and sha1 for signatures, as they are insecure; stick to sha256 and above.\n\n- Create a CSR from an existing private key:\n\n```shell\n$ openssl req -new -key priv.key -out sample.csr -[digest]\n```\n\n- Create a CSR and a private key without a pass phrase in a single command:\n\n```shell\n$ openssl req -nodes -newkey rsa:[bits] -keyout priv.key -out cert.csr\n```\n\n- Provide the CSR subject on the command line rather than through the interactive prompt:\n\n```shell\n$ openssl req -nodes -newkey rsa:[bits] -keyout priv.key -out cert.csr -subj \"/C=UA/ST=TN/L=TN/O=My Company/OU=IT Department/CN=myname.com\"\n```\n\n- Create a CSR from an existing certificate and private key:\n\n```shell\n$ openssl x509 -x509toreq -in cert.pem -out cert.csr -signkey priv.key\n```\n\n- Create a self-signed certificate and a new private key from scratch:\n\n```shell\n$ openssl req -nodes -newkey rsa:2048 -keyout priv.key -out cert.crt -x509 -days 3650\n```\n\n- Create a self-signed certificate from an existing CSR and private key:\n\n```shell\n$ openssl x509 -req -in cert.csr -signkey priv.key -out cert.crt -days 3650\n```\n\n- Sign a child certificate using your own *CA certificate* and its private key. If you were a CA company, this is a very naive example of how you could issue new certificates:\n\n```shell\n$ openssl x509 -req -in child.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out child.crt\n```\n\n- Print a textual representation of a certificate:\n\n```shell\n$ openssl x509 -in cert.crt -text -noout\n```\n\n- Print a certificate’s fingerprint as one of:\n\n  * md5\n  * sha1\n  * sha256\n\n```shell\n$ openssl x509 -in cert.pem -fingerprint -sha256 -noout\n```\n\n- Verify a CSR signature:\n\n```shell\n$ openssl req -in cert.csr -verify\n```\n\n- Verify that a private key matches a certificate and CSR (the three digests must be identical):\n\n```shell\n$ openssl rsa -noout -modulus -in priv.key | openssl sha256\n$ openssl x509 -noout -modulus -in cert.crt | openssl sha256\n$ openssl req -noout -modulus -in cert.csr | openssl sha256\n```\n\n- Verify a certificate, provided that the root and any intermediate certificates are configured as trusted on your machine:\n\n```shell\n$ openssl verify cert.crt\n```\n\n- Verify a certificate when you have the intermediate certificate chain. The root certificate is not part of the bundle and must be configured as trusted on your machine:\n\n```shell\n$ openssl verify -untrusted intermediate-ca-chain.pem cert.crt\n```\n\n- Verify a certificate when you have the intermediate certificate chain and a root certificate that is not configured as trusted:\n\n```shell\n$ openssl verify -CAfile root.crt -untrusted intermediate-ca-chain.pem child.crt\n```\n\n- Verify that the certificate served by a remote server covers a given host name. Useful to check that your multi-domain certificate properly covers all of its host names:\n\n```shell\n$ openssl s_client -verify_hostname www.google.com -connect www.google.com:443\n```\n\n
## Digests and Base64\n\n- Calculate message digests. Replace [hash_function] with one of:\n\n  - md5\n  - sha1\n  - sha256\n  - sha384\n  - sha512\n\n```shell\n$ openssl dgst -[hash_function] \u003cinput.file\n$ cat input.file | openssl [hash_function]\n```\n\n- Base64 encoding and decoding:\n\n```shell\n$ cat /dev/urandom | head -c 80 | openssl base64 | openssl base64 -d\n```\n\n
## s_client operations\n\n- Connect to a server supporting TLS:\n\n```shell\n$ openssl s_client -connect google.com:443\n$ openssl s_client -host google.com -port 443\n```\n\n- Connect to a server and show the full certificate chain:\n\n```shell\n$ openssl s_client -showcerts -host google.com -port 443 \u003c/dev/null\n```\n\n- Extract the certificate:\n\n```shell\n$ openssl s_client -connect google.com:443 2\u003e\u00261 \u003c /dev/null | sed -n '/-----BEGIN/,/-----END/p' \u003e certificate.pem\n```\n\n- Override the SNI (Server Name Indication) extension with another server name. Useful for testing when multiple secure sites are hosted on the same IP address:\n\n```shell\n$ openssl s_client -servername www.google.com -host example.com -port 443\n```\n\n- Test a TLS connection by forcing a specific cipher suite, e.g. ECDHE-RSA-AES128-GCM-SHA256. Useful to check that a server can properly talk via each of its configured cipher suites, not only the one it prefers:\n\n```shell\n$ openssl s_client -host google.com -port 443 -cipher ECDHE-RSA-AES128-GCM-SHA256 2\u003e\u00261 \u003c/dev/null\n```\n\n- Measure SSL connection time without/with session reuse:\n\n```shell\n$ openssl s_time -connect google.com:443 -new\n$ openssl s_time -connect google.com:443 -reuse\n```\n\n- Roughly examine TCP and SSL handshake times using curl:\n\n```shell\ncurl -kso /dev/null -w \"tcp:%{time_connect}, ssldone:%{time_appconnect}\\n\" https://google.com\n```\n\n
## Speed tests\n\n- Measure the speed of various cryptographic algorithms:\n\n```shell\n$ openssl speed rsa2048\n$ openssl speed ecdsap256\n```\n\n
## Certificate conversions\n\n- Convert a certificate between DER and PEM formats:\n\n```shell\n$ openssl x509 -in google.pem -outform der -out example.der\n\n$ openssl x509 -in google.der -inform der -out example.pem\n```\n\n- Combine several certificates in a PKCS7 (P7B) file:\n\n```shell\n$ openssl crl2pkcs7 -nocrl -certfile child.crt -certfile ca.crt -out cert.p7b\n```\n\n- Convert from PKCS7 back to PEM. If the PKCS7 file has multiple certificates, the PEM file will contain all of them:\n\n```shell\n$ openssl pkcs7 -in cert.p7b -print_certs -out cert.crt\n```\n\n- Combine a PEM certificate file and a private key into a PKCS#12 (.pfx, .p12) file. You can also add a chain of certificates to the PKCS12 file:\n\n```shell\n$ openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in certificate.pem -certfile ca-chain.pem\n```\n\n- Convert a PKCS#12 file (.pfx, .p12) containing a private key and certificates back to PEM (-nodes leaves the private key unencrypted in the output):\n\n```shell\n$ openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes\n```\n\n
## Cipher suites\n\n- List the TLS cipher suites the openssl client is capable of:\n\n```shell\n$ openssl ciphers -v\n```\n\n- Enumerate all individual cipher suites described by a short-hand OpenSSL cipher list string. This is useful when you’re configuring a web server and need to test your ssl_ciphers string:\n\n```shell\n$ openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA:!aNULL:!eNULL:!LOW:!RC4'\n```\n\n
## OCSP (Online Certificate Status Protocol)\n\n- Manually check a certificate’s revocation status with an OCSP responder. This is a multi-step process:\n\n  * Retrieve the certificate from the remote server\n  * Obtain the intermediate CA certificate chain\n  * Read the OCSP endpoint URI from the certificate\n  * Ask the OCSP responder for the certificate’s revocation status\n\n- First, retrieve the certificate from the remote server:\n\n```shell\n$ openssl s_client -connect google.com:443 2\u003e\u00261 \u003c /dev/null | sed -n '/-----BEGIN/,/-----END/p' \u003e cert.pem\n```\n\nYou’d also need the intermediate CA certificate chain. Use the -showcerts flag to show the full certificate chain, and manually save all intermediate certificates to a chain.pem file:\n\n```shell\n$ openssl s_client -showcerts -host google.com -port 443 \u003c/dev/null\n```\n\n- Read the OCSP endpoint URI from the certificate:\n\n```shell\n$ openssl x509 -in cert.pem -noout -ocsp_uri\n```\n\n- Ask the OCSP responder for the certificate’s revocation status using the URI from the previous step (e.g. http://ocsp.stg-int-x1.letsencrypt.org):\n\n```shell\n$ openssl ocsp -header \"Host\" \"ocsp.stg-int-x1.letsencrypt.org\" -issuer chain.pem -VAfile chain.pem -cert cert.pem -text -url http://ocsp.stg-int-x1.letsencrypt.org\n```\n\n
## Download this cheatsheet PDF\n\n[Gumroad download](https://girish1729.gumroad.com/l/openssl-cheatsheet)\n\n## Tweet this to your followers\n\n\u003ca href=\"https://twitter.com/intent/tweet?text=Tweet+this\u0026url=https%3A%2F%2Fgithub.com%2Fgirish1729%2Fopenssl-cheatsheet\u0026hashtags=twitter\u0026original_referer=http%3A%2F%2Fgithub.com%2F\u0026tw_p=tweetbutton\" target=\"_blank\"\u003e\n  \u003cimg src=\"http://jpillora.com/github-twitter-button/img/tweet.png\"\n       alt=\"tweet button\" title=\"Tweet this\"\u003e\u003c/img\u003e\n\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgirish1729%2Fopenssl-cheatsheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgirish1729%2Fopenssl-cheatsheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgirish1729%2Fopenssl-cheatsheet/lists"}