CertSimple will be shutting down on January 30 2020. Read the announcement here.

You won't remember the options for OpenSSL, so here's bash shortcuts for everything.

Save a bunch of time by pasting this into your .bash_profile

By Mike on 4th Jan 2016

OpenSSL's various command line modes - officially called 'commands' - are named after a mix of:

Doing any crypto related task nearly always involves also both standards and algorithms, so, for most web developers, it's not entirely obvious which 'command' corresponds to a particular action.

Here's our list of the most common ones - add them to your .bash_profile and let tab completion sort you out!

Add this to your .bash_profile

function openssl-view-certificate () {
    openssl x509 -text -noout -in "${1}"

function openssl-view-csr () {
    openssl req -text -noout -verify -in "${1}"

function openssl-view-key () {
    openssl rsa -check -in "${1}"

function openssl-view-pkcs12 () {
    openssl pkcs12 -info -in "${1}"

# Connecting to a server (Ctrl C exits)
function openssl-client () {
    openssl s_client -status -connect "${1}":443

# Convert PEM private key, PEM certificate and PEM CA certificate (used by nginx, Apache, and other openssl apps) to a PKCS12 file (typically for use with Windows or Tomcat)
function openssl-convert-pem-to-p12 () {
    openssl pkcs12 -export -inkey "${1}" -in "${2}" -certfile ${3} -out ${4}

# Convert a PKCS12 file to PEM
function openssl-convert-p12-to-pem () {
    openssl pkcs12 -nodes -in "${1}" -out "${2}"

# Convert a crt to a pem file
function openssl-crt-to-pem() {
    openssl x509 -in "${1}" -out "${1:0:-4}".pem -outform PEM

# Check the modulus of a certificate (to see if it matches a key)
function openssl-check-certificate-modulus {
    openssl x509 -noout -modulus -in "${1}" | shasum -a 256

# Check the modulus of a key (to see if it matches a certificate)
function openssl-check-key-modulus {
    openssl rsa -noout -modulus -in "${1}" | shasum -a 256

# Check the modulus of a certificate request
function openssl-check-key-modulus {
    openssl req -noout -modulus -in "${1}" | shasum -a 256

# Encrypt a file (because zip crypto isn't secure)
function openssl-encrypt () {
    openssl aes-256-cbc -in "${1}" -out "${2}"

# Decrypt a file
function openssl-decrypt () {
    openssl aes-256-cbc -d -in "${1}" -out "${2}"

# For setting up public key pinning
function openssl-key-to-hpkp-pin() {
    openssl rsa -in "${1}" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

# For setting up public key pinning (directly from the site)
function openssl-website-to-hpkp-pin() {
    openssl s_client -connect "${1}":443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

# Combines the key and the intermediate in a unified PEM file
# (eg, for nginx)
function openssl-key-and-intermediate-to-unified-pem() {
    echo -e "$(cat "${1}")\n$(cat "${2}")" > "${1:0:-4}"_unified.pem

Got anything to add? Post it on the *Hacker News thread* and we'll give you a shout out!

Mike MacCana, founder at CertSimple.

CertSimple makes EV HTTPS fast and painless.

An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!