OpenSSL is the most widely used open-source toolkit for TLS/SSL and general-purpose cryptography. It handles everything from generating private keys to inspecting TLS connections.
The basic structure is: openssl <subcommand> [options]. Each subcommand (genrsa, req, x509, enc, dgst, s_client, pkcs12β¦) is essentially a separate tool.
key generation
genrsa
Generate an RSA private key. openssl genrsa -out key.pem 4096
genpkey
Generate any key type: RSA, EC, Ed25519. Modern replacement for genrsa/ecparam.
ecparam -genkey
Generate an EC private key for a named curve.
certificates
req -new
Generate a Certificate Signing Request (CSR). Submit to a CA to get a signed cert.
req -x509
Generate a self-signed certificate (no CA needed). Good for internal/dev use.
x509 -in cert -text
Inspect a certificate β view subject, issuer, dates, SANs, fingerprint.
x509 -signreq
Sign a CSR with a CA key to produce a signed certificate.
verify
Verify a certificate against a CA bundle.
encryption
enc -e
Encrypt a file symmetrically with AES or other cipher.
enc -d
Decrypt a symmetrically-encrypted file.
rsautl / pkeyutl
Encrypt/decrypt/sign with RSA or EC keys directly.
hashing & digests
dgst -sha256
Compute SHA-256 (or other) hash of a file.
dgst -hmac
Compute HMAC with a secret key.
dgst -sign / -verify
Sign or verify a file with an RSA/EC key.
TLS inspection
s_client
Connect to a TLS server and inspect its certificate chain, cipher, protocol version.
s_server
Run a simple TLS test server.
format conversion
pkcs12 -export
Bundle a cert + private key into a .p12/.pfx file (for browsers, Java, Windows).
pkcs12 -in
Extract cert and key from a .p12/.pfx file.
x509 -outform DER
Convert PEM certificate to DER (binary) format.
rsa -pubout
Extract the public key from a private key file.
tips
β’ PEM format (-----BEGINβ¦-----) is human-readable Base64. DER is binary. Most tools prefer PEM.
β’ Always protect private keys: chmod 600 private.key and encrypt with a passphrase for storage.
β’ Use openssl x509 -text -noout -in cert.pem to inspect any certificate without writing output.
β’ openssl s_client -connect host:443 is the fastest way to diagnose TLS issues.
β’ For new key generation, prefer genpkey over the older genrsa / ecparam commands.
safety & disclaimer
This is an educational tool. The commands it builds are real β they will do exactly what you tell them to. Some flags are destructive (deletion, overwriting, forced operations) and even non-destructive options can cause data loss or system trouble in the wrong circumstances.
β’ Always review the generated command before running it.
β’ Test on disposable files and directories first.
β’ If you do not understand what a flag does, look it up in the official manual page (man command).
The author of these pages is not responsible for any damage, data loss, or other consequences resulting from commands generated, copied, or run from this site. Use at your own risk.
// OpenSSL glossary β key concepts explained
Private key
A secret key used to sign data or decrypt things encrypted to you. Keep this safe and never share it. Usually stored as a .key or .pem file.
Public key
The non-secret part of a key pair. Can be shared freely. Used to verify signatures or encrypt data to the key owner.
Certificate (cert)
A public key plus identity information (domain, organisation, expiry), signed by a Certificate Authority. Proves "this public key belongs to this domain/person".
CSR (Certificate Signing Request)
A file you send to a Certificate Authority asking them to issue a certificate. Contains your public key and identity info, signed with your private key.
CA (Certificate Authority)
A trusted third party that signs certificates, vouching for the identity of the key owner. Your browser has a built-in list of trusted CAs.
Self-signed certificate
A certificate signed by its own private key (no CA). Free and instant, but browsers won't trust it by default. Fine for internal use and development.
PEM format
The most common certificate/key format. Plain text with Base64-encoded content between -----BEGINβ¦----- and -----ENDβ¦----- headers. Files usually end in .pem, .crt, .cer, or .key.
DER format
Binary (non-text) version of PEM. Same data, different encoding. Files usually end in .der or .cer. Required by some Java and Windows tools.
PKCS#12 / PFX
A bundle format that holds a certificate AND its private key together in one encrypted file. Used by browsers, Windows, and Java keystores. Files end in .p12 or .pfx.
RSA
The most widely used public-key algorithm. Key sizes of 2048+ bits. Slower than EC but universally supported.
EC (Elliptic Curve)
Modern public-key algorithm. Smaller keys with equivalent security to larger RSA keys. P-256, P-384, secp256k1 are common curves.
Ed25519
A modern elliptic curve signature algorithm. Very fast, small keys, strong security. Not yet supported everywhere but becoming the preferred choice.
SAN (Subject Alternative Name)
Extension in a certificate listing all the domain names (and IPs) the cert is valid for. Modern TLS requires SANs β the old Common Name field alone is no longer sufficient.
CN (Common Name)
The primary identity field in a certificate's Subject. For web certs, this was historically the domain name, but SANs now take precedence.
TLS / SSL
The protocol that encrypts web traffic (HTTPS). TLS is the modern name; SSL is the older (deprecated) predecessor. OpenSSL implements both.
Cipher suite
The specific combination of algorithms used for a TLS connection: key exchange, authentication, encryption, and hashing. E.g. TLS_AES_256_GCM_SHA384.
AES
The standard symmetric encryption algorithm. AES-256 with GCM mode is the current gold standard for symmetric encryption.
PBKDF2 / scrypt
Password-based key derivation functions. Used to stretch a passphrase into an encryption key. OpenSSL enc uses PBKDF2 with -pbkdf2 flag.
Fingerprint
A hash (SHA-256 or MD5) of a certificate. Used to verify you have the right cert without comparing the full content.
