OpenSSL command reference
Complete reference for OpenSSL command-line subcommands, including s_client, x509, req, verify, pkcs12, and rsa, covering certificate inspection, key generation, format conversion, and TLS connection testing, with flags and examples.
OpenSSL Certificate Inspection Subcommands
| Subcommand | OpenSSL operation | Common flags | Example |
|---|---|---|---|
| x509 | OpenSSL displays, converts, and signs X.509 certificates | `-in`, `-noout`, `-text`, `-dates`, `-subject`, `-issuer`, `-modulus`, `-outform` | `openssl x509 -in cert.pem -noout -dates` |
| s_client | OpenSSL establishes a TLS connection and displays handshake details, certificate chain, and verification result | `-connect host:port`, `-servername`, `-showcerts`, `-starttls`, `-CAfile` | `openssl s_client -connect example.com:443 -servername example.com` |
| verify | OpenSSL verifies a certificate against a CA bundle and intermediate chain | `-CAfile`, `-untrusted`, `-partial_chain` | `openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt` |
OpenSSL Key and CSR Generation Subcommands
| Subcommand | OpenSSL operation | Common flags | Example |
|---|---|---|---|
| req | OpenSSL generates Certificate Signing Requests (CSRs) and self-signed certificates | `-new`, `-x509`, `-newkey rsa:2048`, `-keyout`, `-out`, `-nodes`, `-subj`, `-days`, `-addext` | `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes` |
| genrsa | OpenSSL generates an RSA private key | `-out`, key size (2048, 4096) | `openssl genrsa -out server.key 2048` |
| rsa | OpenSSL processes RSA private keys: displays, converts, removes passphrase | `-in`, `-out`, `-noout`, `-modulus`, `-inform`, `-outform` | `openssl rsa -in server.key -noout -modulus` |
| ec | OpenSSL processes Elliptic Curve (EC) private keys | `-in`, `-out`, `-noout`, `-param_enc named_curve` | `openssl ec -in ec.key -noout -text` |
| ecparam | OpenSSL generates EC parameters and keys | `-genkey`, `-name prime256v1`, `-out` | `openssl ecparam -genkey -name prime256v1 -out ec.key` |
OpenSSL Format Conversion Subcommands
| Subcommand | OpenSSL operation | Common flags | Example |
|---|---|---|---|
| pkcs12 | OpenSSL creates or extracts PKCS12/PFX bundles containing certificate + key | `-export`, `-in`, `-inkey`, `-out`, `-certfile`, `-nodes`, `-clcerts` | `openssl pkcs12 -export -out bundle.pfx -inkey key.pem -in cert.pem` |
| x509 -outform | OpenSSL converts certificates between PEM and DER formats | `-inform PEM/DER`, `-outform PEM/DER` | `openssl x509 -in cert.pem -outform DER -out cert.der` |
OpenSSL Connection Testing Flags for s_client
| Flag | OpenSSL s_client behavior | Default | Example |
|---|---|---|---|
| `-connect host:port` | OpenSSL connects to the specified hostname and TCP port for TLS handshake | Required | `-connect example.com:443` |
| `-servername host` | OpenSSL sends the Server Name Indication (SNI) extension for virtual hosting | None | `-servername example.com` |
| `-showcerts` | OpenSSL displays all certificates in the chain, not just the leaf | Leaf only | `-showcerts` |
| `-starttls proto` | OpenSSL performs STARTTLS upgrade for plaintext protocols before TLS handshake | Direct TLS | `-starttls smtp` (also: `imap`, `pop3`, `ftp`) |
| `-CAfile path` | OpenSSL uses the specified CA bundle file for chain verification instead of system default | System bundle | `-CAfile /path/to/ca-bundle.crt` |
| `-verify_return_error` | OpenSSL exits with error on verification failure instead of continuing | Continue | `-verify_return_error` |