
OpenSSL

Expert assistance with OpenSSL cryptographic operations and PKI management.

Key Generation

RSA Keys

Generate RSA private key (2048-bit)

openssl genrsa -out private.key 2048

Generate RSA private key (4096-bit, more secure)

openssl genrsa -out private.key 4096

Generate encrypted RSA private key

openssl genrsa -aes256 -out private.key 4096

Extract public key from private key

openssl rsa -in private.key -pubout -out public.key

Remove passphrase from encrypted key

openssl rsa -in encrypted.key -out decrypted.key

EC (Elliptic Curve) Keys

List available curves

openssl ecparam -list_curves

Generate EC private key (P-256)

openssl ecparam -name prime256v1 -genkey -noout -out ec-private.key

Generate EC private key (P-384, more secure)

openssl ecparam -name secp384r1 -genkey -noout -out ec-private.key

Extract public key

openssl ec -in ec-private.key -pubout -out ec-public.key

Certificate Signing Requests (CSR)

Create CSR

Create CSR from existing private key

openssl req -new -key private.key -out request.csr

Create CSR with inline subject

openssl req -new -key private.key -out request.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

Generate private key and CSR in one command

openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr

Create CSR with SAN (Subject Alternative Names)

openssl req -new -key private.key -out request.csr -config san.cnf

SAN Configuration File (san.cnf)

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
IP.1 = 192.168.1.1

(prompt = no makes openssl req take CN = example.com as the field value; without it the entry is treated as an interactive prompt label.)

View CSR

Display CSR details

openssl req -in request.csr -noout -text

Verify CSR signature

openssl req -in request.csr -noout -verify

Self-Signed Certificates

Create Self-Signed Certificate

Generate self-signed certificate (1 year validity)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Generate self-signed certificate without passphrase

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

From existing key

openssl req -x509 -key private.key -out cert.pem -days 365

With specific subject

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 \
  -subj "/C=US/ST=State/L=City/O=Org/CN=example.com"

Certificate Authority (CA) Operations

Create Root CA

Generate CA private key

openssl genrsa -aes256 -out ca-key.pem 4096

Create CA certificate

openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 \
  -out ca-cert.pem -subj "/C=US/O=MyOrg/CN=MyOrg Root CA"

Sign Certificate with CA

Sign CSR with CA

openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 365 -sha256

Sign with extensions (SAN)

openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf

Create Intermediate CA

Generate intermediate CA key

openssl genrsa -aes256 -out intermediate-key.pem 4096

Create intermediate CSR

openssl req -new -key intermediate-key.pem -out intermediate.csr

Sign intermediate certificate with root CA

openssl x509 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out intermediate-cert.pem -days 1825 -sha256

Create certificate chain

cat intermediate-cert.pem ca-cert.pem > chain.pem

Certificate Inspection & Verification

View Certificate Details

Display certificate details

openssl x509 -in cert.pem -noout -text

Show specific fields

openssl x509 -in cert.pem -noout -subject
openssl x509 -in cert.pem -noout -issuer
openssl x509 -in cert.pem -noout -dates
openssl x509 -in cert.pem -noout -serial
openssl x509 -in cert.pem -noout -fingerprint

Check expiration

openssl x509 -in cert.pem -noout -enddate

Show in human-readable format

openssl x509 -in cert.pem -text -noout

Verify Certificates

Verify certificate against CA

openssl verify -CAfile ca-cert.pem cert.pem

Verify certificate chain

openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem cert.pem

Check if certificate and key match

openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Test SSL/TLS Connection

Connect to server and show certificate

openssl s_client -connect example.com:443 -showcerts

Test specific protocol

openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

Test with SNI

openssl s_client -connect example.com:443 -servername example.com

Check certificate expiration remotely

echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates
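Scripted versions of the key-match and expiry checks above, as an added example that is not part of the skill page; the make_fixtures helper and its subject names are constructed so the checks can be tried offline. Unlike the RSA-only modulus comparison, the key-match check hashes the public key itself, so it also covers EC keys.

```shell
# Added example, not the skill page's code. Function names are assumptions.

# Returns 0 when the certificate's public key matches the private key.
# Both sides are reduced to the DER SubjectPublicKeyInfo and hashed, which
# works for RSA and EC keys alike (the modulus trick is RSA-only).
cert_matches_key() {            # usage: cert_matches_key cert.pem private.key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the certificate expires within N days. "x509 -checkend"
# exits 1 in that case, so its status is inverted here; pair it with the
# 30-day alert threshold from the Security Notes.
expires_within_days() {         # usage: expires_within_days cert.pem 30
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed fixtures: a 10-day RSA certificate and a 400-day EC certificate
# in a temp dir; prints the directory path.
make_fixtures() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rsa.key" -out "$d/rsa.pem" \
    -days 10 -subj "/CN=short-lived.example" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key"
  openssl req -x509 -key "$d/ec.key" -out "$d/ec.pem" -days 400 \
    -subj "/CN=long-lived.example" 2>/dev/null
  echo "$d"
}
```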

Format Conversion

PEM ↔ DER

PEM to DER

openssl x509 -in cert.pem -outform DER -out cert.der

DER to PEM

openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

PKCS#12 (PFX)

Create PKCS#12 bundle (certificate + private key)

openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem

Include certificate chain

openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile chain.pem

Extract from PKCS#12

openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes

Extract only certificate

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

Extract only private key

openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.key

PKCS#7

Convert PEM to PKCS#7

openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

Convert PKCS#7 to PEM

openssl pkcs7 -print_certs -in cert.p7b -out cert.pem

Encryption & Decryption

Symmetric Encryption

Encrypt file with AES-256 (-pbkdf2 selects PBKDF2 key derivation; without it OpenSSL falls back to its legacy single-iteration KDF and warns)

openssl enc -aes-256-cbc -salt -pbkdf2 -in file.txt -out file.enc

Decrypt file (the same -pbkdf2 flag must be given)

openssl enc -aes-256-cbc -d -pbkdf2 -in file.enc -out file.txt

Encrypt with password from file

openssl enc -aes-256-cbc -salt -pbkdf2 -in file.txt -out file.enc -pass file:password.txt

Base64 encode encrypted output

openssl enc -aes-256-cbc -salt -pbkdf2 -in file.txt -out file.enc -a

Asymmetric Encryption

Encrypt with public key (pkeyutl replaces rsautl, which OpenSSL 3 deprecates)

openssl pkeyutl -encrypt -pubin -inkey public.key -in file.txt -out file.enc

Decrypt with private key

openssl pkeyutl -decrypt -inkey private.key -in file.enc -out file.txt

Hashing & Digests

Generate hash

openssl dgst -sha256 file.txt
openssl dgst -sha512 file.txt
openssl dgst -md5 file.txt

Create signature

openssl dgst -sha256 -sign private.key -out signature.bin file.txt

Verify signature

openssl dgst -sha256 -verify public.key -signature signature.bin file.txt

HMAC

openssl dgst -sha256 -hmac "secret-key" file.txt

Certificate Revocation

Create Certificate Revocation List (CRL)

Create CRL configuration (crl.cnf)

[ca section with database and crl settings needed]

Generate CRL

openssl ca -gencrl -config crl.cnf -out crl.pem

View CRL

openssl crl -in crl.pem -text -noout

Verify certificate against CRL

openssl verify -crl_check -CRLfile crl.pem -CAfile ca-cert.pem cert.pem

OCSP (Online Certificate Status Protocol)

Start OCSP responder

openssl ocsp -port 8080 -index index.txt -CA ca-cert.pem -rkey ca-key.pem -rsigner ca-cert.pem

Query OCSP responder

openssl ocsp -issuer ca-cert.pem -cert cert.pem -url http://ocsp.example.com:8080

Common PKI Workflows

Complete Certificate Workflow

1. Generate private key

openssl genrsa -out server.key 4096

2. Create CSR

openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=CA/L=SF/O=MyOrg/CN=example.com"

3. Sign with CA

openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out server.crt -days 365 -sha256

4. Verify

openssl verify -CAfile ca-cert.pem server.crt

5. Test locally

openssl s_server -cert server.crt -key server.key -accept 8443
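The workflow above run end to end, together with the SAN signing step from the CA section and the revoke/CRL steps from the Certificate Revocation section, as an added example that is not the skill page's code. It builds a throwaway root CA in a temp dir; the file names, the "Example Lab" subject and the single pki.cnf that serves both openssl req and openssl ca are assumptions.

```shell
# Added example (not the skill page's code); file names and subjects are assumptions.
pki_lifecycle() {
  set -e                                  # abort on the first failing command
  work=$(mktemp -d) && cd "$work"
  # One config serves req (CA and CSR extensions) and ca (the minimum -revoke/-gencrl need).
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
[ca]
default_ca = CA_default
[CA_default]
database = index.txt
certificate = ca-cert.pem
private_key = ca-key.pem
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
  # 1. Root CA (key left unencrypted so the run is non-interactive; real CA keys get -aes256).
  openssl genrsa -out ca-key.pem 2048 2>/dev/null
  openssl req -x509 -new -key ca-key.pem -sha256 -days 3650 -config pki.cnf \
    -extensions v3_ca -out ca-cert.pem -subj "/O=Example Lab/CN=Example Lab Root CA"
  # 2. Server key and a CSR carrying the SAN entries from [v3_req].
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config pki.cnf -subj "/CN=example.com"
  # 3. Sign. -extfile/-extensions puts the SAN into the cert; plain x509 -req drops CSR extensions.
  openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
    -out server.crt -days 365 -sha256 -extfile pki.cnf -extensions v3_req 2>/dev/null
  openssl x509 -in server.crt -noout -text | grep -q 'DNS:www.example.com'
  openssl verify -CAfile ca-cert.pem server.crt >/dev/null
  # 4. Revoke and publish a CRL (openssl ca adds the cert to index.txt on -revoke).
  touch index.txt && echo 1000 > crlnumber
  openssl ca -config pki.cnf -revoke server.crt -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config pki.cnf -gencrl -out crl.pem >/dev/null 2>&1
  # 5. Plain verify still passes; only a CRL-aware verify rejects the revoked cert.
  openssl verify -CAfile ca-cert.pem server.crt >/dev/null
  openssl verify -crl_check -CRLfile crl.pem -CAfile ca-cert.pem server.crt >/dev/null 2>&1 \
    && { echo "revoked certificate was accepted" >&2; return 1; }
  echo "$work"
}
```

Run `pki_lifecycle`; it prints the working directory, whose index.txt now carries an R (revoked) entry and whose crl.pem lists the certificate with reason keyCompromise.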

Best Practices

  • Key Size: Use at least 2048-bit RSA or 256-bit EC keys

  • Hash Algorithm: Use SHA-256 or stronger (avoid MD5, SHA-1)

  • Validity Period: Certificates should be valid for ≤ 398 days (current CA/Browser Forum baseline)

  • Private Key Protection: Always encrypt private keys with strong passphrases

  • SAN: Always include Subject Alternative Names, even for single domain

  • Key Backup: Securely backup private keys and CA certificates

  • Certificate Chain: Always provide complete certificate chain

  • Regular Rotation: Rotate certificates before expiration

Security Notes

  • Never share private keys - They should remain on the server

  • Use strong passphrases for encrypted keys (16+ characters)

  • Protect CA keys with HSM or secure key storage

  • Monitor expiration - Set up alerts 30 days before expiry

  • Revoke compromised certificates immediately

  • Use Certificate Transparency for public certificates
