Essential OpenSSL Commands for SSL Certificates

The most useful OpenSSL commands for generating certificates, inspecting certs, converting formats, and debugging SSL connections. Copy-paste ready examples.


Generate Certificates

Self-signed certificate (one command)

openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout server.key -out server.pem \
    -days 365 -subj "/CN=example.com"

Or skip the command line and generate one instantly with a web form.

Self-signed with Subject Alternative Names

openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout server.key -out server.pem \
    -days 365 -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1"

Generate a private key

# RSA 2048-bit
openssl genrsa -out private.key 2048

# RSA 4096-bit
openssl genrsa -out private.key 4096

# ECDSA P-256
openssl ecparam -genkey -name prime256v1 -noout -out private.key

# ECDSA P-384
openssl ecparam -genkey -name secp384r1 -noout -out private.key

Generate a CSR (Certificate Signing Request)

openssl req -new -key private.key -out request.csr \
    -subj "/CN=example.com/O=My Company/C=US"

Or generate one and have it signed immediately at getaCert.com/signcsr.

Sign a CSR with your own CA

openssl ca -in request.csr -out signed.pem \
    -config ca.cnf -days 365

Inspect Certificates

View certificate details

openssl x509 -in cert.pem -text -noout

Key fields to look for:

- Issuer -- who signed it
- Subject -- who it's for
- Validity -- Not Before / Not After dates
- Subject Alternative Name -- all valid hostnames
- Basic Constraints -- CA:TRUE means it's a CA certificate

Or paste it into our certificate decoder for a formatted view.

View a CSR

openssl req -in request.csr -text -noout

View a private key

openssl rsa -in private.key -text -noout

Check if a key matches a certificate

# RSA keys only: both commands should print the same hash of the modulus
openssl x509 -in cert.pem -noout -modulus | md5sum
openssl rsa -in private.key -noout -modulus | md5sum
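
The modulus comparison above applies only to RSA keys. The following is an added example, not part of the original page, that compares the public keys themselves, so it also covers the ECDSA keys generated earlier; the function name key_matches_cert and its return codes are this example's own choices.

```shell
#!/bin/sh
# Added example: check that a private key belongs to a certificate by
# comparing public keys, which works for RSA and EC keys alike.
# key_matches_cert and its return codes are names chosen for this example.
#
# Returns 0 = match, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    kmc_cert=$1
    kmc_key=$2
    kmc_tmp=$(mktemp -d) || return 2

    # Certificate side: extract the public key and re-encode it with "pkey"
    # so both sides go through the same encoder. If x509 fails, pkey gets
    # empty input and fails too, so the pipeline status is non-zero.
    # Key side: derive the public key from the private key.
    if openssl x509 -in "$kmc_cert" -noout -pubkey 2>/dev/null |
           openssl pkey -pubin -pubout -out "$kmc_tmp/cert.pub" 2>/dev/null &&
       openssl pkey -in "$kmc_key" -pubout -out "$kmc_tmp/key.pub" 2>/dev/null &&
       [ -s "$kmc_tmp/cert.pub" ] && [ -s "$kmc_tmp/key.pub" ]
    then
        # Fail closed: only byte-identical public keys count as a match.
        if cmp -s "$kmc_tmp/cert.pub" "$kmc_tmp/key.pub"; then
            kmc_rc=0
        else
            kmc_rc=1
        fi
    else
        # Never compare two empty outputs: that would look like a match.
        kmc_rc=2
    fi
    rm -rf "$kmc_tmp"
    return "$kmc_rc"
}

# Stand-alone use: sh key_matches_cert.sh cert.pem private.key
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: $2 belongs to $1"
    else
        echo "NO MATCH or unreadable input (status $?)"
    fi
fi
```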

View a remote server's certificate

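# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect example.com:443 -servername example.com \
    </dev/null 2>/dev/null | openssl x509 -text -noout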

View the full certificate chain

# </dev/null closes stdin so s_client exits after printing the chain
openssl s_client -connect example.com:443 -servername example.com \
    -showcerts </dev/null 2>/dev/null

Convert Formats

PEM to DER

openssl x509 -in cert.pem -outform DER -out cert.der

DER to PEM

openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem

PEM to PKCS#12 (.p12)

openssl pkcs12 -export -out cert.p12 \
    -inkey private.key -in cert.pem -certfile chain.pem

PKCS#12 to PEM

# Everything in one file
openssl pkcs12 -in cert.p12 -out all.pem -nodes

# Certificate only
openssl pkcs12 -in cert.p12 -clcerts -nokeys -out cert.pem

# Private key only
openssl pkcs12 -in cert.p12 -nocerts -nodes -out key.pem

PEM to PKCS#7

openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

See our certificate formats guide for more details on each format.

Debug SSL Connections

Test a connection

openssl s_client -connect example.com:443 -servername example.com

Test with a specific TLS version

# TLS 1.2 only
openssl s_client -connect example.com:443 -tls1_2

# TLS 1.3 only
openssl s_client -connect example.com:443 -tls1_3

Test with a specific CA certificate

openssl s_client -connect example.com:443 \
    -CAfile /path/to/ca-cert.pem

Check certificate expiration

# Local file
openssl x509 -in cert.pem -noout -enddate

# Remote server
echo | openssl s_client -connect example.com:443 -servername example.com \
    2>/dev/null | openssl x509 -noout -enddate

Check all certificates expiring within 30 days

# Requires GNU date (date -d); on other systems the comparison fails and nothing is reported
find /etc/ssl/certs -name "*.pem" -exec sh -c '
    exp=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    if [ -n "$exp" ] && [ "$(date -d "$exp" +%s)" -lt "$(date -d "+30 days" +%s)" ]; then
        echo "EXPIRING: $1 ($exp)"
    fi
' _ {} \;

Verify a certificate chain

openssl verify -CAfile ca-chain.pem cert.pem

Generate Test Data

Generate a random password

openssl rand -base64 32

Generate a hash

echo -n "data" | openssl dgst -sha256

Encrypt a file

# -pbkdf2 (OpenSSL 1.1.1+) replaces the weak legacy password-to-key derivation
openssl enc -aes-256-cbc -salt -pbkdf2 -in plaintext.txt -out encrypted.bin

Quick Reference Table

Task                       Command
Generate self-signed cert  openssl req -x509 -newkey rsa:2048 -nodes -keyout k.key -out c.pem -days 365
View cert details          openssl x509 -in c.pem -text -noout
Check remote cert          openssl s_client -connect host:443
Check expiry date          openssl x509 -in c.pem -noout -enddate
Convert PEM→PKCS#12        openssl pkcs12 -export -out c.p12 -inkey k.key -in c.pem
Convert PKCS#12→PEM        openssl pkcs12 -in c.p12 -out c.pem -nodes
Verify key matches cert    Compare: openssl x509 -modulus vs openssl rsa -modulus
Generate CSR               openssl req -new -key k.key -out r.csr
