OpenSSL cheat sheet

This is a collection of useful OpenSSL commands I don’t use frequently enough to remember.

Generate and read CSRs

To generate a certificate signing request, first create a configuration file, e.g. csr.conf (Source):

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
utf8 = yes
[req_distinguished_name]
C = DE
ST = Nordrhein-Westfalen
L = Bochum
O = Ruhr-Universität Bochum
# CN is the main domain
CN = einrichtung.ruhr-uni-bochum.de
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = einrichtung.ruhr-uni-bochum.de
DNS.2 = www.einrichtung.ruhr-uni-bochum.de

And create a private key: openssl genrsa -out einrichtung.rub.de.key 4096. Afterwards, generate the CSR from the private key and the configuration file: openssl req -new -out einrichtung.rub.de.csr -key einrichtung.rub.de.key -config csr.conf. View the contents of the CSR using openssl req -in einrichtung.rub.de.csr -noout -text.

Manually view an S/MIME signature

To manually view an S/MIME signature using openssl, first extract the signature attachment from the e-mail (e.g. using More > View Source in Thunderbird):

--------------ms090207000304020906070306
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC
[...]
iHhl+Dund/bPkO4nUalDLG9COKjSWLAAAAAAAAA=

--------------ms090207000304020906070306--

Save the attachment content block (following the Content- headers, ending before the ----- closing line) to a file and decode it using base64 -d smime.p7s.b64 > smime.p7s. View the signature contents using openssl cms -cmsout -in smime.p7s -inform DER -noout -print.
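The copy-and-decode step above can also be scripted. The following is an added example, not part of the original cheat sheet: it pulls the signature part out of a saved raw message with Python's standard email parser and checks that the decoded bytes start like a CMS SignedData structure before they are handed to openssl. The function names and the sample message are assumptions made for this example; the sample's CMS body is a constructed stub.

```python
import base64
from email import message_from_bytes, policy

# DER bytes (tag, length, value) of OID 1.2.840.113549.1.7.2, id-signedData
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def extract_smime_signature(raw_message: bytes) -> bytes:
    """Return the decoded bytes of the first S/MIME signature part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in SIG_TYPES:
            # decode=True undoes the Content-Transfer-Encoding (base64 here)
            return part.get_payload(decode=True)
    raise ValueError("no S/MIME signature part found")


def looks_like_signed_data(blob: bytes) -> bool:
    """Structural check only: outer SEQUENCE, then the id-signedData OID."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    # length field: one byte (short form, or 0x80 = indefinite), else 1 + n bytes
    skip = 1 if first <= 0x80 else 1 + (first & 0x7F)
    return blob[1 + skip:].startswith(SIGNED_DATA_OID)


def build_sample_message() -> bytes:
    """Constructed sample mail; the CMS body is a stub, not a real signature."""
    stub = bytes.fromhex("3080") + SIGNED_DATA_OID + bytes.fromhex("a080") + bytes(8)
    lines = [
        "MIME-Version: 1.0",
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";',
        ' boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "hello",
        "--b1",
        'Content-Type: application/pkcs7-signature; name="smime.p7s"',
        "Content-Transfer-Encoding: base64",
        "",
        base64.encodebytes(stub).decode("ascii").strip(),
        "--b1--",
        "",
    ]
    return "\n".join(lines).encode("ascii")
```

Write the returned bytes to smime.p7s and inspect them with the openssl cms command above. The first base64 line of the attachment shown earlier decodes to the same prefix this check looks for: 30 80 (a SEQUENCE with indefinite length) followed by the id-signedData OID.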

View certificate chain of a website

openssl allows you to view the certificate chain presented by a website:

lukas@framework-rose:~$ openssl s_client -connect archlinux.org:443
Connecting to 95.217.163.246
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E8
verify return:1
depth=0 CN=archlinux.org
verify return:1
---
Certificate chain
 0 s:CN=archlinux.org
   i:C=US, O=Let's Encrypt, CN=E8
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
   v:NotBefore: Sep 10 20:56:01 2025 GMT; NotAfter: Dec  9 20:56:00 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=E8
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID4jCCA2mgAwIBAgISBTYAANCToGlCsm2dHbYESwXqMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
[...]