openssl Cheatsheet
Top commands.
Overview
openssl is the standard TLS, certificate, and crypto toolbox for command-line work. Five primitives carry most operational use during cert and TLS investigation: certificate inspection, handshake debugging via s_client, CSR generation, PEM/DER/PKCS12 format conversion, and ad-hoc crypto operations. Fluency turns "the cert is broken" into a specific finding within seconds.
- Certificate inspection. View fields, expiration, SANs, chain. First move on any cert-related ticket.
- TLS handshake debugging. s_client connects and shows the full handshake including cipher, protocol, peer cert. Standard TLS troubleshooting tool.
- CSR generation. Generate keys and signing requests for issuing new certs. Supports the cert-issuance workflow end-to-end.
- Format conversion plus crypto primitives. PEM, DER, PKCS12 conversions match the tooling differences across vendors; hashing, signing, encryption primitives cover ad-hoc crypto tasks.
The approach
Inspect first, debug the handshake with s_client, convert formats when tooling demands it, verify chains explicitly. Five idioms cover most operational openssl use; memorising them moves the team from "ask the security team" to confident self-service.
- openssl x509 -in cert.pem -text -noout. Print the full cert. First move on any cert investigation.
- openssl s_client -connect host:443. Live TLS handshake debug. Shows protocol, cipher, peer cert, chain.
- openssl req -new -key key.pem -out csr.pem. Generate a CSR for cert issuance. Pair with -config for SAN handling.
- Format conversion plus chain verify. openssl pkcs12 -in cert.p12 -out cert.pem bridges tooling differences; openssl verify -CAfile chain.pem cert.pem catches chain-of-trust issues.
Why this compounds
Each TLS investigation that the operator can run themselves shortens the next one. The team's TLS muscle grows from "open a ticket with security" to confident self-service. Scripted openssl checks become certificate health monitors that surface expirations a month before alerts fire.
- Faster cert debugging. Fluent openssl produces fast root cause. MTTR on TLS-adjacent incidents drops.
- Better TLS understanding. Each session reinforces protocol knowledge. Institutional knowledge grows.
- Automation support. openssl in scripts produces certificate health checks. Operations scale.
- Year-one investment, year-two habit. First year builds fluency; by year two, openssl is the first tool reached for any TLS question.
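A scripted expiry check of the kind described under "Why this compounds", as an added example that is not part of the original cheatsheet. The function names, file names and the 30-day warning window are assumptions, and the sample certificates are constructed, throwaway self-signed certs so the script runs offline.

```shell
#!/bin/sh
# Added example: expiry health check built on `openssl x509 -checkend`.
# Function names, file names and the 30-day window are assumptions.
WARN_DAYS=30

# cert_status FILE [DAYS]: prints OK, EXPIRING or UNREADABLE; returns 0, 1 or 2.
cert_status() {
    cert=$1; days=${2:-$WARN_DAYS}
    # A file that does not parse as a certificate must not be reported as healthy.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 2; }
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo OK; return 0
    fi
    echo EXPIRING; return 1
}

# check_certs FILE...: one report line per file; returns 1 if any file is not OK.
check_certs() {
    rc=0
    for f in "$@"; do
        if s=$(cert_status "$f"); then :; else rc=1; fi
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %s notAfter=%s\n' "$s" "$f" "${end:-n/a}"
    done
    return $rc
}

# Constructed sample input: throwaway self-signed cert valid for DAYS days.
make_test_cert() {   # make_test_cert OUT.pem DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=constructed.example.test" >/dev/null 2>&1
}

# Demo: a 10-day cert, a 365-day cert and a non-certificate file.
DEMO_DIR=$(mktemp -d)
make_test_cert "$DEMO_DIR/short.pem" 10
make_test_cert "$DEMO_DIR/long.pem" 365
echo "not a certificate" > "$DEMO_DIR/junk.pem"
check_certs "$DEMO_DIR"/*.pem || echo "action needed: renew or replace the flagged files"
```

The non-zero return from check_certs is what a scheduler or monitoring wrapper would alert on; an unreadable file counts as a failure so a corrupted deployment is not silently reported as healthy.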