OpenSSL

Inspect certificates, test TLS connections, generate keys, and diagnose SSL errors with the OpenSSL command-line toolkit.

OpenSSL is a command-line toolkit for SSL/TLS encryption that inspects certificates, tests secure connections, generates keys, and converts certificate formats on Linux, macOS, and Windows.

What OpenSSL Does and When to Use It

OpenSSL provides command-line tools for working with SSL/TLS certificates, private keys, Certificate Signing Requests (CSRs), and encrypted connections. System administrators use OpenSSL to inspect a server's certificate chain, verify expiration dates, test TLS handshakes, and diagnose why HTTPS connections fail.

OpenSSL is the diagnostic companion to Certbot and web server SSL configuration. When Nginx or Apache returns a certificate error, or when cURL reports "SSL certificate problem," OpenSSL is the tool that reveals the specific certificate, chain link, or protocol version causing the failure.

OpenSSL is not a Certificate Authority: it does not issue publicly trusted certificates. Use Certbot with Let's Encrypt for free, automated, publicly trusted certificates. OpenSSL generates self-signed certificates for development and testing, but these trigger browser warnings in production.

How to Install OpenSSL

=== "Ubuntu / Debian"

OpenSSL is preinstalled on most Ubuntu and Debian systems. Verify with:

```bash
openssl version
```

If missing, install with:

```bash
sudo apt install openssl
```

=== "macOS"

macOS includes LibreSSL (an OpenSSL fork). For the latest OpenSSL version, install via Homebrew:

```bash
brew install openssl
```

=== "CentOS / RHEL"

```bash
sudo yum install openssl
```

Core Concepts of OpenSSL

Certificate Chains in OpenSSL

OpenSSL validates certificates by building a chain from the leaf (server) certificate through intermediate CA certificates to a trusted root CA. A missing intermediate certificate breaks the chain, causing "unable to get local issuer certificate" errors. The `openssl s_client -connect` command displays the full chain the server presents.
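The missing-intermediate failure can be reproduced offline. The script below is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf (all subject names, file names and the `mk_cert`, `build_demo_pki` and `verify_leaf` helpers are made up for illustration), then verifies the leaf against the root with and without the intermediate.

```bash
#!/usr/bin/env bash
# Added example: a constructed root -> intermediate -> leaf chain, built offline.
# All names (Demo Root CA, leaf.example.test, file names) are made up.

# mk_cert PREFIX SUBJECT EXTFILE [ISSUER_PREFIX]; no issuer means self-signed.
mk_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

# build_demo_pki DIR: writes root.pem, inter.pem and leaf.pem into DIR.
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test\n' > "$1/leaf.ext"
  mk_cert "$1/root"  "/CN=Demo Root CA"         "$1/ca.ext"
  mk_cert "$1/inter" "/CN=Demo Intermediate CA" "$1/ca.ext"   "$1/root"
  mk_cert "$1/leaf"  "/CN=leaf.example.test"    "$1/leaf.ext" "$1/inter"
}

# verify_leaf DIR [with-intermediate]
# Trusts only the root. Without the intermediate, the chain cannot be built.
verify_leaf() {
  if [ "${2:-}" = "with-intermediate" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
  fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
echo "== root only (what a client sees when the server omits the intermediate)"
verify_leaf "$demo_dir" || true
echo "== root plus intermediate (the chain a correctly configured server presents)"
verify_leaf "$demo_dir" with-intermediate
rm -rf "$demo_dir"
```

The first verification reports error 20, the same "unable to get local issuer certificate" text that clients show; the second prints `OK` because `-untrusted` supplies the intermediate the way a server's full-chain file would.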

PEM vs DER Certificate Formats in OpenSSL

OpenSSL reads and writes certificates in multiple formats. PEM (Privacy-Enhanced Mail) is Base64-encoded with `-----BEGIN CERTIFICATE-----` headers; it is the default format on Linux and in most web servers. DER (Distinguished Encoding Rules) is binary and is used by Java keystores and Windows certificate stores. OpenSSL converts between formats with the `x509`, `rsa`, and `pkcs12` subcommands.

OpenSSL s_client for TLS Connection Testing

The `openssl s_client` subcommand establishes a TLS connection to a server and displays the full handshake details: protocol version, cipher suite, certificate chain, and verification result. This is the primary diagnostic tool for SSL/TLS issues that affect cURL, web browsers, and application clients.

Common Tasks with OpenSSL

How to Check a Certificate's Expiration with OpenSSL

Display the expiration date of a remote server's SSL certificate:

```bash
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
```

How to View a Certificate's Full Details with OpenSSL

Display the complete certificate including subject, issuer, SANs, and signature algorithm:

```bash
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text
```

For detailed step-by-step instructions, see How to check a website's SSL certificate with OpenSSL.

OpenSSL Troubleshooting

| Error | Cause | Fix |
| --- | --- | --- |
| unable to get local issuer certificate | Incomplete certificate chain: server is missing intermediate CA | → Full article |
| certificate has expired | Server certificate or intermediate CA has passed its expiration date | → Full article |
| wrong version number | Connecting TLS to a non-TLS port, or proxy interfering with handshake | → Full article |
| self-signed certificate in certificate chain | Certificate chain contains a self-signed cert not in the trust store | → Full article |

The Certbot tool automates certificate issuance from Let's Encrypt; use it instead of OpenSSL for obtaining production certificates. The cURL command uses OpenSSL (or a compatible library) for its TLS implementation and surfaces OpenSSL errors as cURL error codes 35, 51, and 60.