You won't remember the options for OpenSSL, so here's bash shortcuts for everything.

January 25, 2020

Save a bunch of time by pasting this into your .bash_profile

an image

By Mike on 4th Jan 2016

OpenSSL's various command line modes - officially called 'commands' - are named after a mix of:

  • crypto & PKI standards (x509, pkcs12)
  • actual tasks (req, verify)
  • encryption and hashing algorithms (aes-256-cbc, sha256)

Doing any crypto related task nearly always involves also both standards and algorithms, so, for most web developers, it's not entirely obvious which 'command' corresponds to a particular action.

Here's our list of the most common ones - add them to your .bash_profile and let tab completion sort you out!

Add this to your .bash_profile

function openssl-view-certificate () {
    openssl x509 -text -noout -in "${1}"

function openssl-view-csr () {
    openssl req -text -noout -verify -in "${1}"

function openssl-view-key () {
    openssl rsa -check -in "${1}"

function openssl-view-pkcs12 () {
    openssl pkcs12 -info -in "${1}"

# Connecting to a server (Ctrl C exits)
function openssl-client () {
    openssl s_client -status -connect "${1}":443

# Convert PEM private key, PEM certificate and PEM CA certificate (used by nginx, Apache, and other openssl apps) to a PKCS12 file (typically for use with Windows or Tomcat)
function openssl-convert-pem-to-p12 () {
    openssl pkcs12 -export -inkey "${1}" -in "${2}" -certfile ${3} -out ${4}

# Convert a PKCS12 file to PEM
function openssl-convert-p12-to-pem () {
    openssl pkcs12 -nodes -in "${1}" -out "${2}"

# Convert a crt to a pem file
function openssl-crt-to-pem() {
    openssl x509 -in "${1}" -out "${1:0:-4}".pem -outform PEM

# Check the modulus of a certificate (to see if it matches a key)
function openssl-check-certificate-modulus {
    openssl x509 -noout -modulus -in "${1}" | shasum -a 256

# Check the modulus of a key (to see if it matches a certificate)
function openssl-check-key-modulus {
    openssl rsa -noout -modulus -in "${1}" | shasum -a 256

# Check the modulus of a certificate request
function openssl-check-key-modulus {
    openssl req -noout -modulus -in "${1}" | shasum -a 256

# Encrypt a file (because zip crypto isn't secure)
function openssl-encrypt () {
    openssl aes-256-cbc -in "${1}" -out "${2}"

# Decrypt a file
function openssl-decrypt () {
    openssl aes-256-cbc -d -in "${1}" -out "${2}"

# For setting up public key pinning
function openssl-key-to-hpkp-pin() {
    openssl rsa -in "${1}" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

# For setting up public key pinning (directly from the site)
function openssl-website-to-hpkp-pin() {
    openssl s_client -connect "${1}":443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

# Combines the key and the intermediate in a unified PEM file
# (eg, for nginx)
function openssl-key-and-intermediate-to-unified-pem() {
    echo -e "$(cat "${1}")\n$(cat "${2}")" > "${1:0:-4}"_unified.pem

Got anything to add? Post it on the Hacker News thread and we'll give you a shout out!

  • Thanks to @emazzotta for his many suggestions and improvements!