openssl genrsa -aes256 -out service.key.pem 4096
... generates a 4096bit private RSA key and encrypts it with AES256 (prompting for password) -aes256 should be removed to avoid password protection
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -aes256 -out service.key.pem
... generates a prime256v1 private ECDSA key and encrypts it with AES256
openssl rsa -in service.key -out service_unencrypted.key.pem
... removes the pass phrase (encryption) from the RSA private key
openssl rsa -in service_unencrypted.key.pem -aes256 -out service.key.pem
... encrypts the RSA private key with AES256 and a pass phrase
openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 3650 -sha256 -key cakey.pem -out cacert.pem
... generates a selfsigned CA certificate from cakey.pem (generated as described in Private keys) valid for 10 years
openssl req -new -subj "/C=NO/O=Pichove Undernet/CN=myuser" -sha256 -key client.key.pem -out client.req.pem
... generates a client certificate request from client.key.pem (generated as described in Private keys)
openssl ca -config openssl.cnf -md sha256 -days 731 -rand_serial -policy client_signing_policy -extensions v3_client_signing -out client.cert.pem -infiles client.req.pem
... signs the client certificate using random serial and openssl.cnf (see the one defined bellow)
openssl pkcs12 -export -out client.pfx -inkey client.key.pem -in client.cert.pem -certfile cacert.pem
... produces a password protected (will prompt for password) bundle (client.pfx) ready to be imported in the browser
openssl req -config openssl.cnf -sha256 -newkey rsa:4096 -nodes -x509 -extensions v3_signing -subj "/C=NO/O=MyOrg/CN=hostname.org" -addext "subjectAltName = DNS:hostname.org" -days 365 -keyout service.key.pem -out service.cert.pem
... selfsigns with no password protection for the private key (-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 can be used for ECDSA)
openssl req -new -config service.cnf -reqexts SAN -keyout service.key.pem -out service.req.pem
... creates a certificate request in PEM format (using service.cnf as described bellow). -keyout will also generate key, while -key will use an existing key. -outform DER creates a certificate request in DER format to be used with Let's encrypt
openssl ca -config openssl.cnf -md sha256 -days 731 -rand_serial -policy signing_policy -extensions v3_signing -out service.cert.pem -infiles service.req.pem
... signs a request with the CA key using openssl.cnf (see the one defined bellow)
[ req ]
default_bits = 4096
prompt = no # remove in order to get prompt for DN
encrypt_key = no
default_md = sha256
distinguished_name = dn
# req_extensions = SAN
utf8 = yes
[ dn ]
C = NO
L = Oslo
O = Pichove Undernet
OU = My Department
CN = hostname.com
# ... or prompt for DN instead
# [ dn ]
# countryName = Country Name (2 letter code)
# stateOrProvinceName = State or Province Name (full name)
# localityName = Locality Name (eg, city)
# organizationalUnitName = Organizational Unit Name (eg, section)
# commonName = Common Name (eg, your name or your server\'s hostname)
# emailAddress = Email Address
[SAN]
subjectAltName = @alt_names
# subjectAltName=DNS:hostname.com # a single alt.name
[ alt_names ]
DNS.1 = hostname.com
DNS.2 = www.hostname.com
IP.1 = 192.168.1.6
... for certificate with aliases (service.cnf)
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
base_dir = .
certificate = $base_dir/certs/cacert.pem # The CA certifcate
certs = $base_dir/certs
crl_dir = $base_dir/crl
crl = $base_dir/crl/ca.crl.pem # Root CA CRL
crlnumber = $base_dir/crlnumber # Root CA CRL number
crl_extensions = v3_crl_ext
database = $base_dir/index.txt # Database index file
new_certs_dir = $base_dir/newcerts # Location for new certs after signing
private_key = $base_dir/private/cakey.pem # The CA private key
serial = $base_dir/serial # The current serial number
default_days = 731 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = v3_signing # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
name_opt = ca_default # Formatting options for names
cert_opt = ca_default # Certificate output options
policy = strict_policy # Certificate policy
unique_subject = no # Allow multiple certs with the same DN
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = dn
x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req # The extensions to add to a certificate request
string_mask = utf8only
[ dn ]
countryName = Country Name (2 letter code)
countryName_default = NO
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Oslo
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Pichove Undernet
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
[ v3_ca ]
# used for a typycal CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ v3_client_signing ]
# used then "CA" signs a request for client cert
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Openssl Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ v3_crl ]
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_req ]
# extensions to add to a certificate request
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ v3_signing ]
# used then "CA" signs a request
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# crlDistributionPoints = URI:https://simeon.simeonov.no/crl.pem
[ client_signing_policy ]
countryName = supplied # Must provide country
stateOrProvinceName = optional # Must match the issuer's state
organizationName = supplied # Must provide organization
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ strict_policy ]
countryName = match # Must match the issuer's country
stateOrProvinceName = match # Must match the issuer's state
organizationName = match # Must match the issuer's organization
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional
... a working openssl.cnf used in most of the examples above
openssl ciphers -tls1 -v 'HIGH:!ADH:!MD5:@STRENGTH'
... lists all available ciphers, skipping MD5 ADH and ordering by strength
openssl x509 -noout -issuer -subject -dates -fingerprint -in service.cert.pem
... get the issuer, subject, dates and fingerprint of the certificate
openssl s_client –showcerts –connect hostname:443
... try to connect and show cert. information
openssl s_client -connect hostname:25 -starttls smtp
... try to connect with STARTTLS and display certificate information
openssl x509 -subject -dates -fingerprint -in service.cert.pem
... displays certificate fingerprint
openssl x509 -noout -text -in service.cert.pem
... displays certificate information
openssl x509 -noout -hash -in service.cert.pem
... displays certificate hash (to use for symlinks)
openssl pkcs12 -nokeys -info -in client_cert.pfx
... displays client certificate bundle metadata and certs (no private key info)
openssl pkcs12 -nokeys -in test.pfx | openssl x509 -serial -noout
... displays client certificate serial (extraxted from the certificate part of the bundle)
cat file.js | openssl dgst -sha384 -binary | openssl base64 -A
... creates a SRI hash of file.js for the
openssl storeutl -noout -text -certs bundle.crt
... displays the entire bundle of certificates
openssl rand -base64 8
... generates 8 bytes of random data and encode it in base64
openssl passwd <password>
... generates a crypt() password from password
openssl passwd -1 <password>
... generates an MD5 ($1$) password from password
echo -n | openssl s_client -showcerts -connect example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > file.pem
... fetches the whole certificate chain as a bundle and stores it to file.pem
2026-03-24 13:12:11
minicms - © 2020-2026 Simeon Simeonov