Openssl – Usefull commands

Published on Author gryzli

Usefull commands for generating SSL Keys, CSR’s and certificates using Openssl tool.


Working with SSL Private Keys


Generate unencrypted private key without password

# Key size: 2048
# Key file: self-ssl.ket
openssl genrsa  -out self-ssl.key  2048


Generate(BATCH) encrypted private key with password  from password file

# Key encryption: AES256
# Key file      : self-ssl.key
# Password file : pass.txt
# Key size      : 2048 bits
openssl genrsa -aes256 -out self-ssl.key -passout file:pass.txt 2048


Working with SSL CSR’s [.csr]  (Certificate Signing Requests)

Creating CSR.conf for CSR generation automation

Creating your own CSR config, allows you to predefine default values, field constraints and hints, which will be used later for CSR generation.

Also by having predefined default values, you can batch create your CSR with appropriate values

# vim csr.conf

[ req ]
default_bits = 4096
default_keyfile = self-ssl.key
distinguished_name = req_distinguished_name

dirstring_type = nobmp
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BG
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Sofia

localityName = Locality Name (eg, city)
localityName_default = Sofia

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =

organizationName = Organization Name (eg, company)
organizationName_default = SuperHosting.BG

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default =

emailAddress = Email Address
emailAddress_max = 64
emailAddress_default =


Generate new CSR by using already existing key

# -nodes says there's no password on key
# existing.key - The already existing key file
# new.csr      - The name of the newly created CSR file
openssl req -nodes -new -key existing.key -out new.csr


Read existing CSR file

# existing.csr is the name of the CSR file you want to read
openssl req -text -noout -in existing.csr


Working with SSL Certificates [.crt]

Generate SSL Certificate from existing CSR and Key

# Existing csr: server.csr
# Existing key; server.key
# Newly generated certificate: server.crt
# Validity period: 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

 Check if existing SSL certificate matches existing Key file


# Get SSL cert modulus
openssl x509 -noout -modulus -in existing.crt

# Get Key modulus
openssl rsa -noout -modulus -in existing.key


Automation of different SSL related tasks

Batch creation of SSL Key and Certificate

This is a one-liner for creation of self-signed SSL key and SSL Certificate:

# Runs in unattended batch mode
# Key length is                 : 2048 bits
# Certificate validity period   : 365 days
# [-nodes]                      : No password protection for the key
# New key file                  : self-ssl.key
# New certificate file          : self-ssl.crt

openssl req -batch  -nodes -newkey rsa:2048 -x509 -days 365 -keyout self-ssl.key -out self-ssl.crt


“The worst page in the universe”