You won't remember the options for OpenSSL, so here's bash shortcuts for everything.

Save a bunch of time by pasting this into your .bash_profile

July 12, 2021
We're Expedited Security. We help SAAS applications prevent and recover from attack, overcome regulatory or integration security requirements or just stop "weird" traffic before it becomes a problem.

OpenSSL's various command line modes - officially called 'commands' - are named after a mix of:

  • crypto & PKI standards (x509, pkcs12)
  • actual tasks (req, verify)
  • encryption and hashing algorithms (aes-256-cbc, sha256)

Doing any crypto related task nearly always involves also both standards and algorithms, so, for most web developers, it's not entirely obvious which 'command' corresponds to a particular action.

Here's our list of the most common ones - add them to your .bash_profile and let tab completion sort you out!

Add this to your .bash_profile

function openssl-view-certificate () {
    openssl x509 -text -noout -in "${1}"
function openssl-view-csr () {
    openssl req -text -noout -verify -in "${1}"
function openssl-view-key () {
    openssl rsa -check -in "${1}"
function openssl-view-pkcs12 () {
    openssl pkcs12 -info -in "${1}"
# Connecting to a server (Ctrl C exits)
function openssl-client () {
    openssl s_client -status -connect "${1}":443
# Convert PEM private key, PEM certificate and PEM CA certificate (used by nginx, Apache, and other openssl apps) to a PKCS12 file (typically for use with Windows or Tomcat)
function openssl-convert-pem-to-p12 () {
    openssl pkcs12 -export -inkey "${1}" -in "${2}" -certfile ${3} -out ${4}
# Convert a PKCS12 file to PEM
function openssl-convert-p12-to-pem () {
    openssl pkcs12 -nodes -in "${1}" -out "${2}"
# Convert a crt to a pem file
function openssl-crt-to-pem() {
    openssl x509 -in "${1}" -out "${1:0:-4}".pem -outform PEM
# Check the modulus of a certificate (to see if it matches a key)
function openssl-check-certificate-modulus {
    openssl x509 -noout -modulus -in "${1}" | shasum -a 256
# Check the modulus of a key (to see if it matches a certificate)
function openssl-check-key-modulus {
    openssl rsa -noout -modulus -in "${1}" | shasum -a 256
# Check the modulus of a certificate request
function openssl-check-key-modulus {
    openssl req -noout -modulus -in "${1}" | shasum -a 256
# Encrypt a file (because zip crypto isn't secure)
function openssl-encrypt () {
    openssl aes-256-cbc -in "${1}" -out "${2}"
# Decrypt a file
function openssl-decrypt () {
    openssl aes-256-cbc -d -in "${1}" -out "${2}"
# For setting up public key pinning
function openssl-key-to-hpkp-pin() {
    openssl rsa -in "${1}" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
# For setting up public key pinning (directly from the site)
function openssl-website-to-hpkp-pin() {
    openssl s_client -connect "${1}":443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# Combines the key and the intermediate in a unified PEM file
# (eg, for nginx)
function openssl-key-and-intermediate-to-unified-pem() {
    echo -e "$(cat "${1}")\n$(cat "${2}")" > "${1:0:-4}"_unified.pem

Got anything to add? Post it on the Hacker News thread and we'll give you a shout out!

  • Thanks to @emazzotta for his many suggestions and improvements!