Quick Reference

Cheatsheets

Practical command references for Linux, networking, servers, containers, databases, and more.

Cheatsheet#ssl-tls-cheatsheet

SSL / TLS (OpenSSL) Cheatsheet

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Certificate Generation Workflow

1. Generate a Private Key

# Generate a 2048-bit RSA private key
openssl genrsa -out domain.key 2048
 
# Generate a 4096-bit RSA private key
openssl genrsa -out domain.key 4096

2. Generate a Certificate Signing Request (CSR)

You will send this CSR to a Certificate Authority (CA) to get your signed certificate.

openssl req -new -key domain.key -out domain.csr

3. Generate a Self-Signed Certificate (For Testing)

Generate the key and a self-signed certificate valid for 365 days in one command.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.key -out domain.crt

Viewing and Verifying Certificates

# Check a CSR
openssl req -text -noout -verify -in domain.csr
 
# Check a Private Key
openssl rsa -in domain.key -check
 
# Check a Certificate
openssl x509 -in domain.crt -text -noout

Verifying Key/CSR/Cert Match

To ensure your private key, CSR, and certificate all belong together, their modulus hashes must match exactly.

openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl rsa -noout -modulus -in domain.key | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5

Format Conversions

# Convert PEM to DER
openssl x509 -outform der -in domain.pem -out domain.der
 
# Convert DER to PEM
openssl x509 -inform der -in domain.der -out domain.pem
 
# Convert PEM to PKCS12 (.pfx or .p12) (Often used by Windows/IIS)
openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt -certfile ca-bundle.crt

Testing Live Connections

You can use OpenSSL to debug HTTPS connections to a remote server.

# Connect to an HTTPS server and view certificate details
openssl s_client -connect example.com:443
 
# Check specific protocols (e.g., test if TLS 1.2 is supported)
openssl s_client -connect example.com:443 -tls1_2