
This guide provides a compact overview of important OpenSSL commands for creating, managing and using RSA keys, certificates and signatures. It is aimed at users who want to perform cryptographic tasks such as creating key pairs, generating certificate requests or signing and verifying files.

OpenSSL commands

  • Create an RSA key (with passphrase):
    openssl genrsa -des3 -out key_private.pem -rand [files] 2048
  • Create an RSA key (without passphrase):
    openssl genrsa -out key_private.pem -rand [files] 2048
  • Remove passphrase:
    openssl rsa -in key_private.pem -out key_private_ohne.pem
  • Add passphrase:
    openssl rsa -des3 -in key_private_ohne.pem -out key_private.pem
  • Create a request:
    openssl req -new -key key.pem -out req.pem
  • Create a pkcs12 file (ending .pfx is important):
    openssl pkcs12 -export -in cert -inkey private.key -out test.pfx
  • Sign a text file:
    openssl dgst -sha1 -sign private.key -out file.signed.sha1 file.txt
    (It is better to use sha256 instead of sha1 if available.)
  • Verify signature:
    openssl dgst -sha1 -verify public.key -signature file.signed.sha1 file.txt
    (If sha256 was used for signing, sha256 must also be used for verification. The public.key is contained in the certificate; see the next command.)
  • Export public key from the certificate:
    openssl x509 -in users.crt -pubkey -noout > public.key
  • Export private key from a pfx file:
    openssl pkcs12 -in server.pfx -nocerts -nodes -out server.key
  • Export certificate from a pfx file:
    openssl pkcs12 -in server.pfx -clcerts -nokeys -out server.crt
  • Extract certificate chain (if available):
    openssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > inter.pem
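
The sign, verify and public-key export commands above, combined into one round trip with SHA-256. This is an added example, not part of the original guide; the temporary directory, the throwaway self-signed certificate and its subject are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. File names, the temp directory and the certificate subject
# "/CN=example-signer" are constructed for this demonstration.

# Create a throwaway RSA key and self-signed certificate in directory $1.
make_signer() {
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/private.key" -subj "/CN=example-signer" \
        -days 1 -out "$1/users.crt" 2>/dev/null
}

# Sign file $2 with the private key in directory $1, using SHA-256.
sign_file() {
    openssl dgst -sha256 -sign "$1/private.key" -out "$2.signed.sha256" "$2"
}

# Verify file $2 with digest $3, using only the public key taken from the
# certificate. -noout keeps the certificate itself out of public.key.
verify_file() {
    openssl x509 -in "$1/users.crt" -pubkey -noout > "$1/public.key" &&
    openssl dgst "-$3" -verify "$1/public.key" \
        -signature "$2.signed.sha256" "$2" >/dev/null 2>&1
}

# Prints "ok" only if the genuine file verifies and both the mismatched
# digest and the modified file are rejected.
roundtrip() {
    dir=$(mktemp -d) || return 1
    f="$dir/file.txt"
    printf 'constructed sample content\n' > "$f"
    if ! { make_signer "$dir" && sign_file "$dir" "$f"; }; then
        rm -rf "$dir"; echo "setup failed"; return 1
    fi
    result=ok
    verify_file "$dir" "$f" sha256 || result="genuine file rejected"
    verify_file "$dir" "$f" sha1 && result="digest mismatch accepted"
    printf 'modified after signing\n' >> "$f"
    verify_file "$dir" "$f" sha256 && result="modified file accepted"
    rm -rf "$dir"
    echo "$result"
}

roundtrip
```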
IT Service Desk
University Computer Centre, Bernhard-von-Cotta-Str. 1, 09599 Freiberg
servicedesk [at] tu-freiberg.de +49 3731 39-1818