A comprehensive guide for generating various types of cryptographic keys and certificates using OpenSSL.
- RSA Key Generation
- Elliptic Curve Keys
- SSL Certificates
- Certificate Signing Requests
- Random Keys and Secrets
- Key Format Conversion
- Key Information and Verification
- File Extensions Reference
- Security Best Practices
## RSA Key Generation

Generate 2048-bit RSA private key:

```bash
openssl genrsa -out private_key.pem 2048
```

Generate 4096-bit RSA private key (more secure):

```bash
openssl genrsa -out private_key.pem 4096
```

Generate password-protected RSA private key (you will be prompted for a passphrase):

```bash
openssl genrsa -aes256 -out private_key_encrypted.pem 2048
```

Extract public key from RSA private key:

```bash
openssl rsa -in private_key.pem -pubout -out public_key.pem
```

Extract public key from encrypted private key (you will be prompted for the passphrase):

```bash
openssl rsa -in private_key_encrypted.pem -pubout -out public_key.pem
```

## Elliptic Curve Keys

Show all available elliptic curves:

```bash
openssl ecparam -list_curves
```

Generate EC private key (P-256 curve):

```bash
openssl ecparam -genkey -name prime256v1 -noout -out ec_private_key.pem
```

Generate EC private key (P-384 curve, more secure):

```bash
openssl ecparam -genkey -name secp384r1 -noout -out ec_private_key.pem
```

Generate EC private key (P-521 curve, highest security):

```bash
openssl ecparam -genkey -name secp521r1 -noout -out ec_private_key.pem
```

Extract EC public key:

```bash
openssl ec -in ec_private_key.pem -pubout -out ec_public_key.pem
```

## SSL Certificates

Generate private key and self-signed certificate (no password):

```bash
openssl req -x509 -newkey rsa:2048 -keyout server_key.pem -out server_cert.pem -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=example.com"
```

Generate with password protection (same command without `-nodes`; you will be prompted for a passphrase for the key):

```bash
openssl req -x509 -newkey rsa:2048 -keyout server_key.pem -out server_cert.pem -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=example.com"
```

Generate wildcard certificate:

```bash
openssl req -x509 -newkey rsa:4096 -keyout wildcard_key.pem -out wildcard_cert.pem -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=*.example.com"
```

Create a config file for SAN certificate:
```bash
cat > san.conf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C=US
ST=State
L=City
O=Organization
CN=example.com
[v3_req]
# A TLS server certificate needs digitalSignature (ECDHE and TLS 1.3 handshakes
# are signed by the server); dataEncipherment is not used by TLS
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
DNS.4 = admin.example.com
EOF
```

Generate certificate with multiple domains (`-extensions v3_req` selects the config section whose extensions, including the SANs, are written into the certificate):

```bash
openssl req -x509 -newkey rsa:2048 -keyout multi_domain_key.pem -out multi_domain_cert.pem -days 365 -nodes -config san.conf -extensions v3_req
```
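As an added example (not part of the original guide), the script below builds a self-signed SAN certificate from an inline config with the same layout as `san.conf` and then checks that the SAN entries actually ended up in the certificate; the file names, the `make_san_cert`, `cert_dns_sans` and `cert_has_san` helpers, and the three hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): build a self-signed SAN certificate
# from an inline config, then confirm the SAN extension actually made it into the
# certificate. Assumes a POSIX sh with openssl on PATH; all names are constructed.
set -u
WORK=$(mktemp -d)
# Constructed config, same layout as san.conf above, with a leaf-appropriate keyUsage.
cat > "$WORK/san.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
O = Organization
CN = example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
EOF

# EC key plus self-signed certificate. -extensions v3_req selects the section
# that req -x509 writes into the certificate; without it the SANs can be missing.
make_san_cert() {  # $1 = key path, $2 = cert path, $3 = config path
    openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null &&
    openssl req -x509 -new -key "$1" -out "$2" -days 365 \
        -config "$3" -extensions v3_req 2>/dev/null
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_sans() {  # $1 = cert path
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Exit 0 when the certificate lists the given DNS name in its SAN extension.
cert_has_san() {  # $1 = cert path, $2 = DNS name
    cert_dns_sans "$1" | grep -qx "$2"
}

make_san_cert "$WORK/key.pem" "$WORK/cert.pem" "$WORK/san.conf"
cert_dns_sans "$WORK/cert.pem"   # prints the three DNS names from the config
```

Run the same `cert_has_san` check against a certificate issued by your CA before deploying it, so a missing `-extensions` flag is caught before clients fail hostname validation.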
## Certificate Signing Requests

Generate private key and CSR:

```bash
openssl req -new -newkey rsa:2048 -nodes -keyout server_key.pem -out server_csr.pem -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=example.com"
```

Generate CSR from existing private key:

```bash
openssl req -new -key private_key.pem -out server_csr.pem -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=example.com"
```

Generate CSR with SAN (Subject Alternative Names) using the `san.conf` file above (its `req_extensions = v3_req` line puts the SAN entries into the request):

```bash
openssl req -new -key private_key.pem -out server_csr.pem -config san.conf
```

## Random Keys and Secrets

Generate 32-byte random key (base64 encoded):
```bash
openssl rand -base64 32
```

Generate 64-byte random key (base64 encoded):

```bash
openssl rand -base64 64
```

Generate 256-bit random key (hex encoded):

```bash
openssl rand -hex 32
```

Generate 512-bit random key (hex encoded):

```bash
openssl rand -hex 64
```

Generate random password (16 random bytes, printed as 24 base64 characters):

```bash
openssl rand -base64 16
```

Generate URL-safe random string (base64 with `=`, `+` and `/` removed, truncated to 25 characters):

```bash
openssl rand -base64 32 | tr -d "=+/" | cut -c1-25
```

Generate JWT private key (RSA key for signing tokens):

```bash
openssl genrsa -out jwt_private_key.pem 2048
```

Generate JWT public key (for verifying tokens):

```bash
openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem
```

Generate session secret key:

```bash
openssl rand -base64 32
```

Generate API key:

```bash
openssl rand -hex 20
```

Generate database encryption key:

```bash
openssl rand -base64 44
```

## Key Format Conversion

Convert PEM to DER format:
```bash
openssl rsa -in private_key.pem -outform DER -out private_key.der
```

Convert DER to PEM format (the `openssl rsa` conversions are for RSA keys; use `openssl ec` for EC keys):

```bash
openssl rsa -in private_key.der -inform DER -out private_key.pem
```

Convert to PKCS#8 format (unencrypted):

```bash
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_key.pem -out private_key_pkcs8.pem
```

Convert to PKCS#8 format (encrypted; you will be prompted for a passphrase):

```bash
openssl pkcs8 -topk8 -inform PEM -outform PEM -in private_key.pem -out private_key_pkcs8_encrypted.pem
```

Convert certificate PEM to DER:

```bash
openssl x509 -in certificate.pem -outform DER -out certificate.der
```

Create PKCS#12 bundle (certificate + private key; you will be prompted for an export password):

```bash
openssl pkcs12 -export -out certificate.p12 -inkey private_key.pem -in certificate.pem
```

## Key Information and Verification

View private key details:
```bash
openssl rsa -in private_key.pem -text -noout
```

View public key details:

```bash
openssl rsa -in public_key.pem -pubin -text -noout
```

View certificate details:

```bash
openssl x509 -in certificate.pem -text -noout
```

View CSR details:

```bash
openssl req -in certificate.csr -text -noout
```

View PKCS#12 bundle contents:

```bash
openssl pkcs12 -in certificate.p12 -info -noout
```

Verify private key (consistency check of the key components):

```bash
openssl rsa -in private_key.pem -check
```

Verify certificate (dump it in text form and inspect subject, issuer, validity and extensions):

```bash
openssl x509 -in certificate.pem -noout -text
```

Check certificate expiration:

```bash
openssl x509 -in certificate.pem -noout -dates
```

Verify certificate chain:

```bash
openssl verify -CAfile ca_certificate.pem certificate.pem
```

Check if private key matches certificate (RSA keys only: the modulus digest of the private key and that of the certificate must be identical). Private key hash:

```bash
openssl rsa -noout -modulus -in private_key.pem | openssl md5
```

Certificate hash:

```bash
openssl x509 -noout -modulus -in certificate.pem | openssl md5
```
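The modulus comparison above only works for RSA keys. As an added example (not from the original guide), the script below compares SHA-256 fingerprints of the DER-encoded public key instead, which works for RSA and EC keys alike, and uses the same check to confirm that the PKCS#8 conversion from the Key Format Conversion section leaves the key unchanged; the helper names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): check that a private key belongs to
# a certificate by comparing SHA-256 fingerprints of the DER-encoded public key.
# Unlike the RSA-only modulus check above, this works for RSA and EC keys alike,
# and it also confirms that a format conversion left the key unchanged.
# Assumes openssl on PATH; the key and certificate files are constructed here.
set -u
WORK=$(mktemp -d)

# SHA-256 of the DER SubjectPublicKeyInfo inside a PEM private key (PKCS#1, SEC1 or PKCS#8).
# Fails (non-zero, no output) instead of hashing empty input when the key cannot be read.
key_pub_fp() {  # $1 = private key path
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] &&
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER SubjectPublicKeyInfo inside a PEM certificate.
cert_pub_fp() {  # $1 = certificate path
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] &&
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 only when both fingerprints could be computed and are identical.
key_matches_cert() {  # $1 = private key path, $2 = certificate path
    k=$(key_pub_fp "$1") && c=$(cert_pub_fp "$2") &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed material: an RSA key with its self-signed cert, plus an unrelated EC key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rsa_key.pem" \
    -out "$WORK/rsa_cert.pem" -days 365 -subj "/CN=example.com" 2>/dev/null
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ec_key.pem" 2>/dev/null
# The same RSA key converted to PKCS#8: its public-key fingerprint must not change.
openssl pkcs8 -topk8 -nocrypt -in "$WORK/rsa_key.pem" -out "$WORK/rsa_key_pkcs8.pem"

for k in rsa_key rsa_key_pkcs8 ec_key; do
    if key_matches_cert "$WORK/$k.pem" "$WORK/rsa_cert.pem"; then
        echo "$k.pem: matches rsa_cert.pem"
    else
        echo "$k.pem: does NOT match rsa_cert.pem"
    fi
done
```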
Test SSL connection to server:

```bash
openssl s_client -connect example.com:443 -servername example.com
```

Test with a specific CA certificate for verification:

```bash
openssl s_client -connect example.com:443 -CAfile ca_certificate.pem
```

Show certificate chain:

```bash
openssl s_client -connect example.com:443 -showcerts
```

## File Extensions Reference

| Extension | Description |
|---|---|
| .pem | Privacy Enhanced Mail (Base64 encoded) |
| .der | Distinguished Encoding Rules (binary) |
| .crt, .cer | Certificate files |
| .key | Private key files |
| .csr | Certificate Signing Request |
| .p12, .pfx | PKCS#12 (contains both certificate and private key) |
| .p7b, .p7c | PKCS#7 certificate chain |
| .jks | Java KeyStore |
## Security Best Practices

- Always use at least 2048-bit RSA keys (4096-bit preferred for long-term use)
- Consider Elliptic Curve keys (P-256, P-384) for better performance and security
- Use strong passphrases for encrypted keys
- Generate keys in a secure environment
- Set proper file permissions (600 for private keys, 644 for public keys/certificates)
- Keep private keys secure and never share them
- Store keys in secure locations (hardware security modules for production)
- Regularly rotate keys and certificates
- Use certificate pinning in production applications
Set proper permissions for private keys (owner read/write only):

```bash
chmod 600 private_key.pem
```

Set proper permissions for public keys and certificates (owner read/write, others read):

```bash
chmod 644 public_key.pem certificate.pem
```

Set proper permissions for CSRs:

```bash
chmod 644 certificate.csr
```

When validating certificates:

- Always validate certificate chains
- Check certificate expiration dates
- Verify certificate subjects and SANs
- Use OCSP or CRL for revocation checking
- Implement certificate transparency monitoring
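As an added example (not from the original guide) of the expiration check in the list above, the script below wraps `openssl x509 -checkend` in functions that a cron job or monitoring probe can call; the helper names, file names and the 30-day warning threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): expiry check suitable for a cron job
# or a monitoring probe. It relies on openssl's -checkend, which exits non-zero when
# the certificate expires within the given number of seconds. Assumes openssl on
# PATH; the two certificates are constructed test material.
set -u
WORK=$(mktemp -d)

# Exit 0 if the certificate stays valid for at least $2 more days, 1 otherwise.
cert_valid_for_days() {  # $1 = certificate path, $2 = minimum number of days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print "OK", "WARN" or "EXPIRED" followed by the notAfter date, for log output.
cert_expiry_status() {  # $1 = certificate path, $2 = warning threshold in days
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    if ! cert_valid_for_days "$1" 0; then
        echo "EXPIRED $not_after"
    elif ! cert_valid_for_days "$1" "$2"; then
        echo "WARN $not_after"
    else
        echo "OK $not_after"
    fi
}

# Constructed certificates: one valid for a year, one that expires in 3 days.
for d in 365 3; do
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/key_$d.pem" -out "$WORK/cert_$d.pem" -days "$d" \
        -subj "/CN=example.com" 2>/dev/null
done

# With a 30-day warning threshold the 3-day certificate is reported as WARN.
for d in 365 3; do
    echo "cert_$d.pem: $(cert_expiry_status "$WORK/cert_$d.pem" 30)"
done
```

Point the same functions at the certificate files your servers actually load (or at the output of `openssl s_client -showcerts`) and alert on anything other than `OK`.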
## Quick Reference

Generate new RSA key pair:

```bash
openssl genrsa -out key.pem 2048
openssl rsa -in key.pem -pubout -out pub.pem
```

Generate self-signed certificate:

```bash
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
```

Generate CSR:

```bash
openssl req -new -key key.pem -out csr.pem
```

Convert formats:

```bash
openssl x509 -in cert.pem -outform DER -out cert.der
```

View certificate info:

```bash
openssl x509 -in cert.pem -text -noout
```

Test SSL connection:

```bash
openssl s_client -connect domain.com:443
```

Note: Always ensure you're using the latest version of OpenSSL and follow current security recommendations for your specific use case.