# openssl — cert, key, and crypto operations

## Generate keys + CSR
`openssl genrsa -out key.pem 4096` — 4096-bit RSA private key
`openssl req -new -key key.pem -out req.csr` — generate CSR (interactive)
`openssl req -new -key key.pem -out req.csr -subj "/CN=example.com"` — non-interactive

## Self-signed cert
`openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"`

## Inspect
`openssl x509 -in cert.pem -text -noout` — read a cert
`openssl x509 -in cert.pem -enddate -noout` — expiry only
`openssl req -in req.csr -text -noout` — read a CSR
`openssl rsa -in key.pem -check -noout` — verify a key's consistency (`-noout` keeps the private key off the terminal)

## Convert formats
`openssl x509 -in cert.pem -outform DER -out cert.der` — PEM → DER
`openssl pkcs12 -in cert.pfx -nokeys -out cert.pem` — PFX → PEM (certificates only; `-nokeys` omits the private key)

## TLS test
`openssl s_client -connect host:443 -servername host` — handshake debug
`echo | openssl s_client -connect host:443 2>/dev/null | openssl x509 -enddate -noout` — get expiry of a live cert

## Hash + base64
`openssl dgst -sha256 file` — SHA-256 of a file
`openssl base64 -in file -out file.b64` — encode
`openssl rand -hex 32` — 32 random bytes, hex-encoded