Skip to content
>_devvkit
$devvkit learn --librarie openssl-guide

OpenSSL Guide

[tls][ssl][crypto][certificates]
Security & Cryptography
Install
# Pre-installed on most Linux/macOS
sudo apt install openssl
# Windows: download from openssl.org or via WSL
brew install openssl

OpenSSL is the de facto standard for TLS in the open-source world. The CLI can generate CSRs, self-signed certs, check certificate expiry, test TLS connections, encrypt/decrypt files, and compute hashes — all without writing code.

The most useful subcommands: `req` (CSR/cert generation), `x509` (certificate inspection), `s_client` (test TLS connections — better than curl for TLS debugging), `s_server` (quick TLS test server), `speed` (benchmark crypto).

For everyday use: `openssl s_client -connect example.com:443` shows the full certificate chain, TLS version, and cipher negotiated. Add `-servername` for SNI and `-tlsextdebug` for ALPN debugging. GUI: Keychain Access (macOS), certlm.msc (Windows), or XCA for certificate management.

Certificate Management

Generate CSRCertificate Signing Request.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout mydomain.key -out mydomain.csr \
  -subj "/C=US/ST=State/L=City/O=Org/CN=mydomain.com"

# Check CSR content:
openssl req -text -noout -verify -in mydomain.csr
Self-signed certQuick dev certificate.
openssl req -x509 -newkey rsa:4096 -nodes \
  -days 365 -keyout key.pem -out cert.pem \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,DNS:*.local,IP:127.0.0.1"
Inspect certificateCheck cert details.
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.pem -dates -noout          # Validity dates
openssl x509 -in cert.pem -subject -issuer -noout # Subject + issuer
openssl x509 -in cert.pem -fingerprint -sha256 -noout  # SHA256 fingerprint
Check certificate expiryMonitor expiry dates.
# Check all certs in a directory:
for cert in *.pem; do
  expiry=$(openssl x509 -in "$cert" -enddate -noout | cut -d= -f2)
  days=$(( ( $(date -d "$expiry" +%s) - $(date +%s) ) / 86400 ))
  echo "$cert: expires $expiry ($days days)"
done

# Check remote cert expiry:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -enddate -noout

TLS Testing

Test TLS connectionDebug TLS handshake.
openssl s_client -connect example.com:443         # Basic TLS test
echo | openssl s_client -connect example.com:443 2>&1 | grep -E "SSL-Session|Protocol|Cipher"
# Check SNI:
echo | openssl s_client -connect 1.1.1.1:443 -servername cloudflare.com
# Show full certificate chain:
echo | openssl s_client -showcerts -connect example.com:443
Test TLS version supportWhich TLS versions.
# Test each TLS version:
echo | openssl s_client -tls1_2 -connect example.com:443 2>&1 | grep -q "Protocol.*TLSv1.2" && echo "TLS 1.2: OK"
echo | openssl s_client -tls1_3 -connect example.com:443 2>&1 | grep -q "Protocol.*TLSv1.3" && echo "TLS 1.3: OK"
# TLS 1.0/1.1 should fail — check with:
echo | openssl s_client -tls1 -connect example.com:443 2>&1 | grep "alert" || echo "TLS 1.0 rejected"

Encryption

Encrypt fileAES-256 encryption.
# Encrypt:
openssl enc -aes-256-cbc -salt -pbkdf2 -in secret.txt -out secret.enc
# Decrypt:
openssl enc -aes-256-cbc -d -pbkdf2 -in secret.enc -out secret.txt

# Encrypt with password file:
openssl enc -aes-256-cbc -salt -pbkdf2 -pass file:key.txt -in data.txt -out data.enc
Prime number generationGenerate cryptographically secure primes.
openssl prime -generate -bits 2048 -hex
openssl prime -generate -bits 4096 -safe  # Safe prime: (p-1)/2 is also prime

# DH parameters (for Diffie-Hellman):
openssl dhparam -out dhparam.pem 2048

Hashing

Hash a fileCompute checksums.
openssl dgst -sha256 file.txt
openssl dgst -sha512 file.txt > file.sha512
# Verify:
openssl dgst -sha512 -verify pubkey.pem -signature file.sig file.txt

# Quick MD5/SHA1 (but prefer SHA256):
openssl md5 file.txt
openssl sha1 file.txt

Benchmark

Speed benchmarkBenchmark crypto algorithms.
openssl speed sha256 aes-256-cbc rsa2048
openssl speed -multi 4            # Use 4 threads
openssl speed -evp aes-256-gcm    # OpenSSL 3.x EVP API
# Compare: hardware AES vs software AES