The Most Useful OpenSSL Commands to Work With SSL Certificates

OpenSSL is an open-source software library designed to secure digital communications and certificates. It is used by many websites and organizations worldwide to encrypt information in transit, such as emails, web traffic, and other data exchanged over the internet or computer networks. OpenSSL also provides a way for trusted entities to sign documents or digital certificates in order to verify the authenticity and integrity of the data. OpenSSL provides an invaluable security layer that helps to protect online transactions from malicious actors.

This article provides an overview of commonly used OpenSSL commands to work with SSL certificates. It covers various operations such as generating a new certificate, checking the details of an existing certificate, converting the certificate into a different format, debugging when there is an error occurs, and pretty much everything that you need to know about OpenSSL.

The commands we have provided here can be more useful for creating, managing, and troubleshooting SSL certificates on various platforms. All this content made this article a valuable resource for system administrators and security professionals. The article also provides examples of how to use these commands in real-world scenarios with screenshots to give you a practical solution, helping readers to quickly and efficiently work with SSL certificates using OpenSSL.

What is OpenSSL?

OpenSSL is an open-source software library that provides cryptographic protocols and security algorithms for implementing secure communications over computer networks. It can be used to protect data from eavesdropping, and encryption of email messages, payment transactions other sensitive information. OpenSSL supports a wide range of cryptographic functions, including digital signature, key exchange, and public-key encryption schemes. It is widely used for web-based applications and can be integrated into a variety of software programs.

The OpenSSL library is available on Linux, macOS, and Windows, making it a popular choice amongst developers who need secure communication protocols. By leveraging the functions of OpenSSL, developers can create highly secure applications that protect user data from malicious actors.

What is OpenSSL Used For?

OpenSSL is a powerful and versatile tool that can be used for a wide range of tasks. Some of the things that can be done using OpenSSL include the following:

Please read these posts to learn more about OpenSSL and Digital Certificate:

How Do You Check That OpenSSL is Installed on Your Machine?

This verification procedure depends on the type of operating system platform. The different operating systems will have different procedures.

Generally, you can use the Linux method on Windows and mac. It works on all the operating systems. Check the OpenSSL documentation: If you are not sure where OpenSSL is installed, you can check the OpenSSL documentation. This usually contains information on how to install OpenSSL on various platforms.

Commands to Check the Version of OpenSSL

Run this command on the terminal to check the version of OpenSSL.

$ openssl version

Important Abbreviations Related to the Digital Certificates:

Here are some important abbreviations related to certificates:

How to Generate A Self-Signed Certificate Using OpenSSL?

Generating a self-signed certificate using OpenSSL is a relatively simple process. The first step is to generate the key pair, which has a private key as well as a public key. This will be used to sign the certificate in Step 4. The second step is to extract the public key from the key pair. The third step is to generate a Certificate Signing Request (CSR). This will be used by the certificate authority (CA) to create the self-signed certificate. You will be prompted to enter a variety of information, such as the common name, organization name, organization unit, country code, email address, and many more. Finally, generate the self-signed certificate using the private key and CSR. Simple, Isn’t it?

Step 1. Generate Key pair using OpenSSL

To create the key pair, run this command in your terminal:

$ openssl genrsa -out private.key 2048

This command will generate an RSA key pair with a length of 2048.

Step 2. Extract the public key from the key pair

Run this command to extract the public key from the key pair generated in step 1.

$ openssl rsa -in private.key -pubout -out public.key

Step 3. Generate a Certificate Signing Request (CSR)

The next step is to generate a Certificate Signing Request (CSR). This will be used by the certificate authority (CA) to create the self-signed certificate. To generate the CSR, run this command in your terminal:
You will be prompted to enter a variety of information, such as the common name, organization name, organization unit, country code, email address, optional password, and many more. Enter the valid input it asks to generate the CSR. For example, the country name should be two char country codes. The common name should be the FQDN or IP to which you are going to get the certificate. The CSR is now ready for the CA to generate a self-signed certificate.

$ openssl req -new -key private.key -out certificate.csr

We suggest verifying the CSR generated before you submit it to the Certificate Authority. Run this command to verify the details of your CSR.

$ openssl req -text -in certificate.csr -noout -verify

Step 4. Generate the self-signed certificate

Finally, generate the self-signed certificate using the private key and CSR. Run this command to generate the self-signed certificate on the terminal:

$ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365

Most Useful OpenSSL Commands to Work With SSL Certificates

Before we head toward the most useful OpenSSL commands to work with SSL certificates, let’s see the structure of OpenSSL commands.

Structure of a typical OpenSSL command:

The structure of a simple OpenSSL command typically looks like this:

openssl <command> <options>

The main command is ‘openssl’ which is followed by a subcommand <command> and <options>. It is allowed to use multiple subcommands and options in a single line so that multiple things can be performed in a single command.

The subcommand can be any of the cryptographic functions supported by the OpenSSL library. Some examples of subcommands include genpkey, req, x509, pkcs12, rsa, verify, etc. These subcommands are used to perform specific cryptographic operations.

Options <options> are any additional arguments required to work the command. Typically options are used to give input or get the output of the comment. Examples: -req, -days, -in, -out, etc.

If you struggle to identify the ‘subcommands’ over ‘options’ in lengthy OpenSSL commands, here is the tip. The key identifier that differentiates ‘subcommands’ from ‘options’ is the ‘-‘ symbol.

Example for a simple OpenSSL command:

$ openssl genrsa -out private.key 2048

In the above command, ‘genrsa’ is the subcommand, ‘-out’ is an option, ‘private.key’ specifies the output file name, and ‘2048’ is the key pair length.

Example of an OpenSSL with multiple subcommands and options:

$ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365

OpenSSL Commands to Generate SSL Certificates and Keys

In this section, we are going to see the Most Useful OpenSSL Commands to Work With SSL Certificates.

#1. OpenSSL Command to Generate a Private Key or Key Pair

$ openssl genrsa -out private.key 2048

This command generates a new RSA key pair and saves it in a file named “private.key” in the current directory.

#2. OpenSSL Command to Extract the Pubic Key from the Key pair

$ openssl rsa -in private.key -pubout -out public.key

This command extracts the public key from the ‘private.key’ key pair and saves it in ‘public.key’ file.

#3. OpenSSL Commands to a Generate CSR

$ openssl req -new -key private.key -out certificate.csr 

This command will prompt you to enter a variety of information, such as the common name, organization name, organization unit, country code, email address, optional password, and many more. Enter the valid input it asks to generate the CSR. This command generates a CSR and saves it in a file named ‘certificate.csr.’

#4. OpenSSL Command to Generate a self-signed Certificate

$ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365

This command generates a self-signed certificate and saves it in a file named ‘certificate.crt.’

#5. OpenSSL Command to Generate a new Private Key and Certificate Signing Request in a Single Command

openssl req -out certificate.csr -new -newkey rsa:2048 -nodes -keyout private.key

This command generates a new private key and CSR and saves them in a file named ‘certificate.csr’ and ‘private.key.’

#6. OpenSSL Command to Generate a Certificate Signing Request (CSR) for an existing Private Key

openssl req -out newcsr.csr -key private.key -new

This command generates a new CSR and saves it in a file named ‘newcsr.csr’ for  the existing private key.

#7. OpenSSL Command to Generate a Certificate Signing Request (CSR) based on an existing Certificate

openssl x509 -x509toreq -in certificate.crt -out newcsr2.csr -signkey private.key

This command generates a new Certificate Signing Request (CSR) and save it in a file named ‘newcsr2.csr.’

#8. OpenSSL Command to Encrypt or add Passphrase to a Private Key

openssl rsa -aes256 -in private.key -out private_secure.pem

OR

openssl rsa -aes256 -in private.key -out private_secure.key

You can keep the encrypted key pair in .key or .pem format. Both are valid.

#9. OpenSSL Command to Decrypt or Remove a Passphrase from a Private Key

openssl rsa -in private_secure.pem -out newprivate.pem

OR

openssl rsa -in private_secure.key -out newprivate.key

This command removes the passphrase and decrypts the private key, and saves it in a file named newprivate.key.

OpenSSL Commands to Convert SSL Certificates

There could be several reasons why you may need to convert SSL certificates from one format to another. The main reason would be compatibility. Different systems and applications may require certificates to be in a specific format. Some systems or applications may not be able to handle certain file formats. In such cases, it is necessary to convert the certificate to a different format that the system or application can understand. For example, some web servers may require certificates to be in PEM format, while others may require them to be in PKCS#12 format.

OpenSSL can be used to convert SSL certificates between different formats. Let’s see how to convert from one file format to another.

#1. OpenSSL Commands to Convert a Certificate from CRT to PEM

openssl x509 -inform der -in certificate.crt -out certificate.pem

This command will convert the certificate in CRT format named “certificate.crt” to PEM format and save it in a file named “certificate.pem” in the current directory. Note: this command can be used to convert .cer certificates.

PEM Certificate vs PEM Key file

Both the PEM Certificate and PEM Key file are different entities and made for different purposes. They can’t be interchangeable. Don’t be confused between them.

PEM stands for Privacy Enhanced Mail. A PEM Certificate is a file that is used to store X.509 certificates. Where a PEM Key file is a file used to store private and public key pairs.

A PEM certificate typically contains the public key of a certificate and not the private key.

A PEM certificate file typically contains the following information:

Use ‘cat’ command to differentiate the PEM Key file from the PEM Certificate. A PEM Key file contains a private key would typically have a header that says “BEGIN RSA PRIVATE KEY” or “BEGIN PRIVATE KEY”.

#2. OpenSSL Commands to Convert a Certificate from CRT to PKCS7

openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b

This command will convert the certificate in CRT format named “certificate.crt” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory.

#3. OpenSSL Commands to Convert a Certificate from CRT to PKCS#12

PKCS#12 and PFX are both file formats that are used to store X.509 certificates and private keys. The main difference between them is the file extension, PKCS#12 uses the file extension .p12 or .pfx, and PFX uses the file extension .pfx. Both formats are used for the same purpose, which is to provide a secure way to store and transport digital certificates and private keys. PKCS#12 is the standard for storing the certificate and private key developed by RSA Laboratories, while PFX is Microsoft’s variant of the PKCS#12 standard.

openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12

OR

openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.pfx

This command will convert the certificate in CRT format named “certificate.crt” and private key named “private.key” to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.

It’s important to note that PKCS#12 format is also known as P12 format, and it is used to store one or more certificates and private key. It’s encrypted by default and can’t be decoded in base64, and It will prompt you to enter a password to protect the certificate and key.

It’s important to note that PKCS#12 format is also known as P12 format, and it is used to store one or more certificates and private key. It’s encrypted by default and can’t be decoded in base64, and It will prompt you to enter a password to protect the certificate and key.

#4. OpenSSL Commands to Convert a Certificate from CRT to DER

openssl x509 -in certificate.crt -outform DER -out certificate.der

This command will convert the certificate in CRT format named “certificate.crt” to DER format and save it in a file named “certificate.der” in the current directory.

It’s important to note that DER is a binary format and can’t be decoded in base64, and it is typically used to store X.509 certificates and CRLs (Certificate Revocation Lists) in a compact and efficient way.

#5. OpenSSL Commands to Convert a Certificate from DER to PEM

openssl x509 -inform DER -in certificate.der -out certificate.pem

This command will convert the certificate in DER format named “certificate.der” to PEM format and save it in a file named “certificate.pem” in the current directory.

#6. OpenSSL Commands to Convert a Certificate from DER to CRT

openssl x509 -inform DER -in certificate.der -out certificate.crt

This command will convert the certificate in DER format named “certificate.der” to CRT format and save it in a file named “certificate.crt” in the current directory.

It’s important to note that the CRT file format is just a container format, and the data inside it can be encoded in various ways, and it is commonly used to store X.509 certificates.

#7. OpenSSL Commands to Convert a Certificate from DER to PKCS7

openssl crl2pkcs7 -nocrl -certfile certificate.der -out certificate.p7b

This command will convert the certificate in DER format named “certificate.der” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory.

It’s important to note that PKCS7 format is also known as P7B format, and it is used to store one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key.

#8. OpenSSL Commands to Convert a Certificate from DER to PKCS#12

Practically, it is not possible to convert DER to PKCS#12, since DER is an unreadable binary file. The Certificate should be in either CRT or CER to convert to PKCS#12 or P12. Please refer to the #3 command for more information.

#9. OpenSSL Commands to Convert a Certificate from PKCS7 to CRT

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

This command will convert the certificate in PKCS7 format named “certificate.p7b” to CRT format and save it in a file named “certificate.crt” in the current directory.

#10. OpenSSL Commands to Convert a Certificate from PKCS7 to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format and save it in a file named “certificate.pem” in the current directory.

#11. OpenSSL Commands to Convert a Certificate from PKCS7 to PKCS#12

It is not possible to directly convert a certificate from PKCS7 format to PKCS#12 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. At the same time, PKCS#12 format is used to store one or more certificates and a private key.

In order to convert a certificate from PKCS7 format to PKCS#12 format, you will need to first extract the private key and the certificate in PEM format and then use the OpenSSL command to create a PKCS#12 file which includes both the certificate and the private key.

Here is an example command:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12

This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format using the first command and then using the second command. It will convert the PEM format certificate and private key to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.

#12. OpenSSL Commands to Convert a Certificate from PKCS7 to DER

It is not possible to directly convert a certificate from PKCS7 format to DER format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. While DER format is a binary format, and it is typically used to store X.509 certificates and CRLs (Certificate Revocation Lists) in a compact and efficient way.

In order to convert a certificate from PKCS7 format to DER format, you will need to first extract the certificate in PEM format and then use the OpenSSL command to convert PEM to DER format.

Here is an example command:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
openssl x509 -in certificate.pem -outform DER -out certificate.der

This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format using the first command, and then using the second command, it will convert the PEM format certificate to DER format and save it in a file named “certificate.der” in the current directory.

#13. OpenSSL Commands to Convert a Certificate from PEM to CRT

The PEM format and CRT format are both base64 container formats that are used to store X.509 certificates. PEM is used to store public certificates or the entire certificate chain (private key, public key, root certificates). So, a certificate in the PEM format can be used as it is in a CRT format because it’s the same format, and it just depends on the file extension. PEM can be used where ever CRT is being used. No conversion is required.

#14. OpenSSL Commands to Convert a Certificate from PEM to PKCS#12

openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12

This command will convert the certificate in PEM format named “certificate.pem” and the private key named “private.key” to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.

#15. OpenSSL Commands to Convert a Certificate from PEM to PKCS7

It is not possible to directly convert a certificate from PEM format to PKCS7 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. While PEM format can include just the public certificate or the entire certificate chain (private key, public key, root certificates), and it is base64 encoded.

In order to convert a certificate from PEM format to PKCS7 format, you will need to first extract the public certificate and any intermediate CA certificates from the PEM file, then use the OpenSSL command to create a PKCS7 file.

#16. OpenSSL Commands to Convert a Certificate from PEM to DER

openssl x509 -in certificate.pem -outform DER -out certificate.der

This command will convert the certificate in PEM format named “certificate.pem” to DER format and save it in a file named “certificate.der” in the current directory.

#17. OpenSSL Commands to Convert a Certificate from PKCS#12 to PEM

openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes

This command will convert the certificate in PKCS#12 format named “certificate.p12” to PEM format and save it in a file named “certificate.pem” in the current directory. It will prompt you to enter the password that was used to encrypt the certificate in PKCS#12 format. If the certificate was not encrypted, you don’t have to use the -nocerts option.

#18. OpenSSL Commands to Convert a Certificate from PKCS#12 to CRT

The CRT format and PKCS#12 format are both container formats that are used to store X.509 certificates. The CRT file format is used to store X.509 certificates, While PKCS#12 format is used to store one or more certificates and private key. It’s also encrypted by default.

It’s important to note that a certificate in the PKCS#12 format can be used as it is in a CRT format because it’s the same format, and it just depends on the file extension.

#19. OpenSSL Commands to Convert a Certificate from PKCS#12 to DER

openssl pkcs12 -in certificate.p12 -out certificate.der -nodes -nokeys

This command will convert the certificate in PKCS#12 format named “certificate.p12” to DER format and save it in a file named “certificate.der” in the current directory. It will prompt you to enter the password that was used to encrypt the certificate in PKCS#12 format.

#20. OpenSSL Commands to Convert a Certificate from PKCS#12 to PKCS7

It is not possible to directly convert a certificate from PKCS#12 format to PKCS7 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. At the same time, PKCS#12 format is used to store one or more certificates and private key. It’s also encrypted by default.

In order to convert a certificate from PKCS#12 format to PKCS7 format, you will need to first extract the public certificate and any intermediate CA certificates from the PKCS#12 file using OpenSSL, then use the OpenSSL command to create a PKCS7 file.

Here is an example command:

openssl pkcs12 -in certificate.p12 -out certificate.p7b -nokeys -nodes

This command will convert the certificate in PKCS#12 format named “certificate.p12” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory. It will prompt you to enter the password that was used to encrypt the certificate in PKCS#12 format.

OpenSSL Commands to Debug SSL Certificates and Keys

OpenSSL is a powerful tool that can be used to debug SSL certificates and keys. In this section, we tried showing a few important commands that you can try when you are ended up in some trouble.

#1. OpenSSL Command to Verify the Certificate

openssl x509 -in certificate.crt -text -noout

This command will display the details of the certificate, including the subject, issuer, and the public key.

#2. OpenSSL Commands to Check the Expiration date of a Certificate

openssl x509 -in certificate.crt -enddate -noout

This command will display the expiration date of the certificate.

#3. OpenSSL Command to Check a Private key

openssl rsa -in private.key -check

This command will check the private key and display any errors or warnings.

#4. OpenSSL Command to Verify the Certificate Signing Request (CSR)

openssl req -text -in certificate.csr -noout -verify

This command will display the details of the certificate signing request (CSR), including the subject, issuer, and public key.

#5. OpenSSL Commands to Check the Hash Value of A Certificate

OpenSSL can be used to calculate the hash value of an X.509 certificate. A hash value is a unique value that is calculated based on the content of the certificate. It can be used to check the integrity of the certificate and to verify that it has not been tampered with. Here are some common OpenSSL commands that can be used to check the hash value of a certificate:

openssl x509 -noout -fingerprint -md5 -inform pem -in certificate.crt

openssl x509 -noout -fingerprint -sha1 -inform pem -in certificate.crt

openssl x509 -noout -fingerprint -sha256 -inform pem -in certificate.crt

openssl x509 -noout -fingerprint -sha512 -inform pem -in certificate.crt

Note: It’s important to note that the above command will work only if the certificate is in PEM format. If you have a certificate in DER format, you need to use the -inform DER option.

openssl x509 -noout -fingerprint -sha1 -inform der -in certificate.crt

#6. OpenSSL Command to Verify the SSL/TLS version Accepted by a Site

openssl s_client -connect host:port

This command will initiate an SSL connection to the specified host and port and display the details of the SSL connection, including the certificate chain and the cipher suite.

openssl s_client -connect host:port -ssl2

This command will initiate an SSL connection to the specified host and port using SSL2 and display the details of the SSL connection.

openssl s_client -connect host:port -ssl2

This command will initiate an SSL connection to the specified host and port using SSL3 and display the details of the SSL connection.

openssl s_client -connect host:port -tls1_1

This command will initiate an SSL connection to the specified host and port using TLS 1.1 and display the details of the SSL connection.

openssl s_client -connect host:port -tls1_2

This command will initiate an SSL connection to the specified host and port using TLS 1.2 and display the details of the SSL connection.

openssl s_client -connect host:port -tls1_3

This command will initiate an SSL connection to the specified host and port using TLS 1.3 and display the details of the SSL connection.

#7. OpenSSL Commands to Check the Certificate Expiry of a Site

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate

Where “example.com” is the URL you want to check the SSL certificate for and “443” is the port number for HTTPS connections.

This command uses the openssl s_client command to initiate an SSL connection to the specified URL and port and the openssl x509 command to extract the expiration date of the certificate.

#8. OpenSSL Commands to Check A Particular Cipher is Accepted by a Site

openssl s_client -connect example.com:443 -cipher ECDHE-RSA-AES256-GCM-SHA384

Where “example.com” is the URL you want to check the SSL certificate for, “443” is the port number for HTTPS connections, and “ECDHE-RSA-AES256-GCM-SHA384” is the cipher you want to check for.

#9. OpenSSL Commands to List all the Cipher Supported by a Server

openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep -i -o -w -E 'TLS_.*'

It’s important to note that this command will only check the ciphers that are supported by the server and not the client.

#10. OpenSSL Command to Verify the Certificate Chain

openssl verify -verbose -CAfile ca-bundle.crt certificate.crt

Where “ca-bundle.crt” is the file that contains the root and intermediate CA certificates, and “certificate.crt” is the end-entity certificate file. This command uses the openssl verify command to verify the certificate chain, using the CA certificates from the file “ca-bundle.crt”. It will display the result of the verification process and indicate whether the certificate chain is valid or not.

#11. OpenSSL Commands to Retrieve or Download the Certificate of a Site

openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > certificate.pem

This command uses the openssl s_client command to initiate an SSL connection to the specified URL and port and the -showcerts option to display the entire certificate chain. The openssl x509 command is used to convert the certificate from DER format to PEM format and the > symbol is used to redirect the output to a file named “certificate.pem”

#12. OpenSSL Commands to Verify the Same Public Key File in Key Pair, CSR, and Certificate

It is important to verify that the public key and the certificate match to ensure the security of the SSL/TLS connection. OpenSSL can be used to verify that the public key and the certificate match.

openssl pkey -pubout -in private.key | openssl sha256

This command extracts the public key from the ‘private.key’ key pair and generates the sha256 hash of the public key.

openssl req -pubkey -in certificate.csr -noout | openssl sha256

This command extracts the public key from the ‘certificate.csr’ CSR and generates the sha256 hash of the public key.

openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

This command extracts the public key from the ‘certificate.crt’ certificate and generates the sha256 hash of the public key.

#13. OpenSSL Commands to Verify the Same Private Key File in Key Pair, CSR, and Certificate

It is important to verify that the private key and the certificate match to ensure the security of the SSL/TLS connection. OpenSSL can be used to verify that the private key and the certificate match.

openssl rsa -noout -modulus -in private.key | openssl sha256

This command extracts the private key from the ‘private.key’ key pair and generates the sha256 hash of the private key.

openssl req -noout -modulus -in certificate.csr | openssl sha256

This command extracts the private key from the ‘certificate.csr’ CSR and generates the sha256 hash of the private key.

openssl x509 -noout -modulus -in certificate.crt | openssl sha256

This command extracts the private key from the ‘certificate.crt’ certificate and generates the sha256 hash of the private key.

That’s it.

We hope this post will help you know what is OpenSSL, what OpenSSL is used for, how to generate a sell-signed certificate, how to convert an SSL certificate from one to another format, troubleshooting, debugging, and other most useful OpenSSL commands to work with SSL certificates. Please share this post if you find this interesting. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.