openssl Command: Certificates, Hashing, and Encryption

What You'll Learn

  • How to create self-signed certificates and CSRs with openssl
  • How to compute SHA-256 hashes and run AES encryption instantly
  • How to check a public server's certificate expiry in one line

Quick Summary (the 5 you'll actually use)

  • Version → openssl version
  • Hash → openssl dgst -sha256 file
  • Certificate → openssl req -x509 -newkey rsa:2048 ...
  • Inspect cert → openssl s_client -connect host:443
  • Encrypt → openssl enc -aes-256-cbc -pbkdf2 ...

Assumptions (target environment)

  • OS: Ubuntu / general Linux
  • OpenSSL 1.1.1 or later (check with openssl version)
  • On old 1.0.x, -pbkdf2 is unavailable

What is the openssl command?

Conclusion: openssl is a Swiss-army CLI for TLS/SSL and cryptography, handling certificates, hashes, encryption, and random generation through subcommands.

openssl is the front end for the OpenSSL library and works through subcommands: openssl <subcommand> <options>.

$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

The main subcommands:

Subcommand   Role
dgst         Compute hashes
enc          Symmetric encryption
genpkey      Generate private keys
req          CSR / self-signed cert
x509         Display/convert certs
s_client     TLS connection debug
rand         Random generation

How do you compute a hash?

Conclusion: openssl dgst -sha256 file computes a file's SHA-256, useful for tamper detection and integrity checks of downloads.

Hash a file

$ openssl dgst -sha256 ubuntu.iso
SHA256(ubuntu.iso)= 9bc6b8f6...(64 hex digits)

Swap sha256 for sha1 or sha512 to get other digests.

Hash a string

$ echo -n "hello" | openssl dgst -sha256

Without -n, echo appends a trailing newline that becomes part of the hashed data and changes the result. Always use -n for string hashing.
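
An added example (not from the original page) that turns the integrity check into a script: it compares a file's SHA-256 with a published digest and shows the trailing-newline effect on constructed sample files. The function names and sample files are assumptions of this example; printf is used instead of echo -n because it behaves the same in every shell.

```shell
#!/bin/sh
# Added example: compare a file's SHA-256 against a published digest.

# Print only the hex digest. -r selects the "digest *name" output format,
# which is the same across OpenSSL versions.
sha256_of() {
    openssl dgst -sha256 -r "$1" | awk '{print $1}'
}

# Return 0 if the file matches the expected digest (case-insensitive),
# 1 on mismatch, 2 if the file does not exist.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
    else
        echo "FAIL $file (got $actual)" >&2
        return 1
    fi
}

# Constructed sample input: "hello" with and without a trailing newline.
demo_dir=$(mktemp -d)
printf 'hello'   > "$demo_dir/no_newline.txt"
printf 'hello\n' > "$demo_dir/with_newline.txt"
# SHA-256 of the five bytes "hello"
HELLO_SHA256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

verify_sha256 "$demo_dir/no_newline.txt" "$HELLO_SHA256"
verify_sha256 "$demo_dir/with_newline.txt" "$HELLO_SHA256" \
    || echo "trailing newline changed the digest"
```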

How do you create a certificate?

Conclusion: For development, openssl req -x509 creates a private key and self-signed certificate at once; for production, create a CSR and have a CA sign it.

Self-signed certificate (development/testing)

$ openssl req -x509 -newkey rsa:2048 \
    -keyout key.pem -out cert.pem \
    -days 365 -nodes \
    -subj "/CN=localhost"

What the options mean:

  • -x509: output a self-signed certificate instead of a CSR
  • -newkey rsa:2048: generate a fresh 2048-bit RSA key
  • -keyout / -out: output paths for the key / certificate
  • -days 365: validity period
  • -nodes: store the private key without a passphrase ("no DES")
  • -subj: set the Subject non-interactively

-nodes removes passphrase protection. Always restrict the key file with chmod 600 key.pem so only the owner can read it.

For production: create a CSR

To have a CA sign your certificate, create a private key and a CSR (Certificate Signing Request).

$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem
$ openssl req -new -key key.pem -out request.csr -subj "/CN=example.com"

Inspect the generated CSR with:

$ openssl req -in request.csr -noout -text

How do you check a server certificate's expiry?

Conclusion: Connect with openssl s_client and pipe into x509 -noout -dates to get the validity period in a single line.

Inspect a local certificate

$ openssl x509 -in cert.pem -noout -text

For just the validity dates, use -dates:

$ openssl x509 -in cert.pem -noout -dates
notBefore=Jun  5 00:00:00 2026 GMT
notAfter=Jun  5 00:00:00 2027 GMT

Inspect a public server's certificate

$ echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
    | openssl x509 -noout -dates

-servername sets SNI (Server Name Indication). On hosts serving multiple domains from one IP, omitting it returns a different certificate.
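
An added example (not from the original page) that turns the date check into a pass/fail test suitable for cron or monitoring, using openssl x509 -checkend. The function names and the 20-day throwaway certificate are assumptions of this example; fetch_server_cert needs network access and is not run by the demo.

```shell
#!/bin/sh
# Added example: warn when a certificate is close to expiry.

# Return 0 if the PEM certificate stays valid for at least $2 more days,
# 1 if it expires before then. -checkend takes a number of seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the notAfter date without the "notAfter=" prefix.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Save a live server's leaf certificate as PEM (needs network access).
# usage: fetch_server_cert host [port] > cert.pem
fetch_server_cert() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM
}

# Report one certificate file against a warning threshold in days.
check_cert() {
    if cert_valid_for_days "$1" "$2"; then
        echo "OK: $1 valid until $(cert_not_after "$1")"
    else
        echo "WARN: $1 expires within $2 days ($(cert_not_after "$1"))"
        return 1
    fi
}

# Constructed sample: a throwaway self-signed certificate valid for 20 days.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 20 -subj "/CN=localhost" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null

check_cert "$demo_dir/cert.pem" 7  || true   # more than 7 days left
check_cert "$demo_dir/cert.pem" 30 || true   # fewer than 30 days left
```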

How do you encrypt a file?

Conclusion: openssl enc -aes-256-cbc -pbkdf2 does password-based symmetric encryption; decrypt by adding -d to the same options.

Encrypt

$ openssl enc -aes-256-cbc -pbkdf2 -salt -in secret.txt -out secret.enc

It prompts for a password. What the options mean:

  • -aes-256-cbc: AES-256 in CBC mode
  • -pbkdf2: use PBKDF2 key derivation (effectively mandatory)
  • -salt: add a salt (on by default; stated explicitly here)

Decrypt

$ openssl enc -aes-256-cbc -pbkdf2 -d -in secret.enc -out secret.txt
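
An added example (not from the original page) of the same encrypt/decrypt pair used non-interactively: the password is read with -pass file: so it never appears in the process list, and the demo shows that decrypting without -pbkdf2 does not recover the data. The function names, the -iter value and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: scripted openssl enc with the password kept off the command line.
ITER=600000   # assumption: PBKDF2 iteration count picked for this example

# Encrypt $1 to $2; the password is the first line of file $3.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass "file:$3" -in "$1" -out "$2"
}

# Decrypt $1 to $2 with password file $3. Any further arguments replace the
# default KDF options, which lets the demo show a KDF mismatch.
decrypt_file() {
    src=$1; dst=$2; pwfile=$3; shift 3
    [ $# -gt 0 ] || set -- -pbkdf2 -iter "$ITER"
    openssl enc -aes-256-cbc -d "$@" -pass "file:$pwfile" \
        -in "$src" -out "$dst" 2>/dev/null
}

# Return 0 only if decryption succeeds AND reproduces the original bytes.
# usage: roundtrip_ok original encrypted pwfile [kdf options...]
roundtrip_ok() {
    orig=$1; encfile=$2; pw=$3; shift 3
    tmp=$(mktemp)
    if decrypt_file "$encfile" "$tmp" "$pw" "$@" && cmp -s "$orig" "$tmp"
    then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample data and password file, readable by the owner only.
umask 077
demo_dir=$(mktemp -d)
printf 'db_password=constructed-sample\n' > "$demo_dir/secret.txt"
openssl rand -base64 24 > "$demo_dir/pw"

encrypt_file "$demo_dir/secret.txt" "$demo_dir/a.enc" "$demo_dir/pw"
encrypt_file "$demo_dir/secret.txt" "$demo_dir/b.enc" "$demo_dir/pw"

head -c 8 "$demo_dir/a.enc"; echo    # output starts with the "Salted__" header
cmp -s "$demo_dir/a.enc" "$demo_dir/b.enc" || echo "random salt: ciphertexts differ"
roundtrip_ok "$demo_dir/secret.txt" "$demo_dir/a.enc" "$demo_dir/pw" && echo "round trip OK"
# Same password but the legacy KDF (no -pbkdf2): the plaintext is not recovered.
roundtrip_ok "$demo_dir/secret.txt" "$demo_dir/a.enc" "$demo_dir/pw" -md sha256 \
    || echo "KDF mismatch: decryption failed"
```

The same -iter value must be given on decrypt, because openssl enc does not record it in the output file. CBC output from enc is not authenticated, so a modified ciphertext is not reliably detected on decrypt; keep a separate digest or signature of the encrypted file where tampering matters.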

How do you generate strong passwords or keys?

Conclusion: openssl rand generates cryptographically secure random data: -base64 for passwords, -hex for tokens.

$ openssl rand -base64 24
Xa9b2C... (~32-character random string)
$ openssl rand -hex 32

This yields a 64-digit hex token, useful for API keys and session secrets.

Summary: Copy-Paste Templates

Conclusion: Keep these task-based openssl one-liners handy to run certificate, hashing, and encryption work without hesitation.

Copy-paste openssl templates

# Show version
openssl version

# SHA-256 hash
openssl dgst -sha256 file

# Self-signed certificate (dev, 1 year)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"

# Public server certificate expiry
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

# AES-256 encrypt / decrypt
openssl enc -aes-256-cbc -pbkdf2 -salt -in in.txt -out out.enc
openssl enc -aes-256-cbc -pbkdf2 -d -in out.enc -out in.txt

# Generate a strong password
openssl rand -base64 24

What not to do

  • Use enc without -pbkdf2 (weak key derivation)
  • Leave a private key unprotected without chmod 600
  • Leave a -nodes key sitting on a production server
