Enjoy this cheat sheet at its fullest within Dash, the macOS documentation browser.


Create a CSR with an existing private key

openssl req -out CSR.csr -key privateKey.key -new

Create a CSR with a brand new private key

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Create a CSR from an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Check a CSR

openssl req -text -noout -verify -in CSR.csr


Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Check a certificate

openssl x509 -in certificate.crt -text -noout

Convert to PEM (from .der, .cer or .crt)

openssl x509 -inform der -in certificate.cer -out certificate.pem

Get server certificate and chain

openssl s_client -connect

Private Keys

Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

Check a private key

openssl rsa -in privateKey.key -check

PKCS#12 (.p12 or .pfx)

Check a PKCS#12 file

openssl pkcs12 -info -in keyStore.p12

Convert to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes


Convert to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert to PKCS#12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Checking Certificate vs Private Key

Certificate signature

openssl x509 -noout -modulus -in certificate.crt | openssl md5

CSR signature

openssl req -noout -modulus -in CSR.csr | openssl md5

Private key signature

openssl rsa -noout -modulus -in privateKey.key | openssl md5