Frequently used OpenSSL Commands

General OpenSSL Commands

The following commands show how to create CSRs, certificates and private keys, in addition to a few other tasks using OpenSSL.

  • Generate a new private key and CSR (Unix) openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout server.key -out server.csropenssl req -out CSR.csr -pubkey -new -keyout privateKey.key
  • Generate a new private key and CSR (Windows) openssl req -out CSR.csr -pubkey -new -keyout privateKey.key -config .shareopenssl.cmf
  • Generate a CSR for an existing private key openssl req -out CSR.csr -key privateKey.key -new
  • Generate a CSR based on an existing certificate openssl x509 -x509toreq -in MYCRT.crt -out CSR.csr -signkey privateKey.key
  • Generate a self-signed certificate openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Remove a password from a private key openssl rsa -in privateKey.pem -out newPrivateKey.pem

Check the CSR, Private Key or Certificate using OpenSSL

Use the following commands to check the information of a certificate, CSR or private key. Our online Tools LINK can also be used for this purpose.

  • Check a CSR openssl req -text -noout -verify -in CSR.csr
  • Check a private key openssl rsa -in privateKey.key -check
  • Check a certificate openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12) openssl pkcs12 -info -in keyStore.p12

Debugging with OpenSSL

With error messages like 'the Private Key does not match the Certificate' or 'the Certificate is not Trusted' you can use one of the following commands. Please also use our online SSL Check LINK tool to check the certificate.

  • Check the MD5 hash of the public key to check if it is equal to what is in the CSR or private key. openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All certificates (also intermediate certificates) should be displayed. openssl s_client -connect

Convert certificates using OpenSSL

With the commands below files can be converted to another format. This is sometimes necessary to make certificates or private keys suitable for different types of servers or software. A PEM file for Apache can, for example, be converted to a PFX (PCKS#12) file for use with Tomcat or IIS.

  • Convert a DER file (.crt .cer .der) to PEM openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) including the private key and certificate(s) to PEM openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Note: Add -nocerts to only convert the private key, or add -nokeys to convert only the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12) openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt


Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up