OpenSSL Command Generator
Pick a task, fill in the blanks, and get the exact openssl command to run in your terminal — no need to memorize the flags.
Command
openssl …
Why an OpenSSL Command Generator?
OpenSSL is the standard toolkit for almost everything involving SSL/TLS certificates — generating keys and CSRs, creating self-signed certificates, converting between formats, and inspecting what is inside a certificate. It is also notorious for its dense, hard-to-remember flag syntax. This generator builds the exact command from a simple form so you can copy it straight into your terminal.
Nothing runs here — the commands are meant to run on your own machine, where your private keys stay safely under your control.
What This Tool Covers
- Generate CSR — Create a new private key and a Certificate Signing Request to send to a CA.
- Self-Signed Certificate — Make a key + certificate in one step for local development or internal services.
- Private Key — Generate an RSA or EC private key on its own.
- Convert Format — Move between PEM, DER, PKCS#12 (PFX/P12), and PKCS#7 (P7B).
- Inspect / Verify — Read certificate or CSR details, check a private key, query a live server, or confirm a key matches a certificate.
Handy OpenSSL Reference
openssl req -new -newkey rsa:2048 -nodes -keyout site.key -out site.csr— new key + CSRopenssl x509 -in cert.crt -text -noout— read a certificateopenssl s_client -connect example.com:443 -servername example.com— inspect a live TLS endpointopenssl pkcs12 -in cert.pfx -out cert.pem -nodes— extract PFX to PEMopenssl rsa -in private.key -check— validate an RSA private key
Frequently Asked Questions
OpenSSL is a free, open-source command-line toolkit for working with SSL/TLS and general cryptography. It is the de facto standard tool for generating private keys and CSRs, creating self-signed certificates, converting between certificate formats, and inspecting certificate details. It ships with most Linux and macOS systems and is available for Windows.
No. This generator builds the correct command text from your inputs so you can copy it and run it in your own terminal. It does not execute anything and never sees your keys or files. Running the command locally keeps your private keys on your own machine, which is the safest approach.
Use openssl pkcs12 to extract the contents. To get the certificate and key in PEM form:
openssl pkcs12 -in input.pfx -out output.pem -nodes. The -nodes flag leaves the private key unencrypted; omit it to be prompted for a passphrase. This generator builds the exact command for both PFX-to-PEM and PEM-to-PFX directions.Run
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes. This generates a new private key and a self-signed certificate valid for the chosen number of days in one step. Self-signed certificates are useful for local development and internal services but are not trusted by browsers without manual installation.Use
openssl x509 -in certificate.crt -text -noout to print all the human-readable details, including subject, issuer, validity dates, and Subject Alternative Names. The -noout flag suppresses the re-encoded certificate so you see only the parsed information. To check a live server instead, use openssl s_client -connect host:443.