All commands assume OpenSSL is on your PATH. If
openssl is not recognized, see Add to PATH. On Windows use ^ for line continuation in cmd.exe and ` in PowerShell.
Basic
Version and info
# Version:
C:\> openssl version
OpenSSL 4.0.0 6 Jun 2025
# Full build details:
C:\> openssl version -a
# List all available commands:
C:\> openssl help
# List all loaded providers:
C:\> openssl list -providers
# List all supported ciphers:
C:\> openssl list -cipher-algorithms
Keys
Key generation and management
# Generate 2048-bit RSA key:
C:\> openssl genrsa -out key.pem 2048
# Generate 4096-bit RSA key:
C:\> openssl genrsa -out key.pem 4096
# Generate RSA key with AES-256 passphrase:
C:\> openssl genrsa -aes256 -out key.pem 2048
# Generate ECDSA key (P-256):
C:\> openssl ecparam -genkey -name prime256v1 -out ec.key
# Extract public key from private key:
C:\> openssl rsa -in key.pem -pubout -out public.key
# Remove passphrase from encrypted key:
C:\> openssl rsa -in encrypted.key -out decrypted.key
# Inspect key details:
C:\> openssl rsa -in key.pem -text -noout
Full guide: Generate RSA key
CSR
Certificate Signing Requests
# Generate new key + CSR (interactive):
C:\> openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.csr
# CSR from existing key:
C:\> openssl req -new -key key.pem -out req.csr
# Non-interactive CSR:
C:\> openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.csr ^
-subj "/C=US/ST=CA/O=Corp/CN=example.com"
# Inspect CSR:
C:\> openssl req -in req.csr -noout -text
Full guide: Generate CSR
Certificates
Certificate inspection and creation
# Self-signed cert (key + cert in one):
C:\> openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
# Inspect certificate:
C:\> openssl x509 -in cert.pem -noout -text
# Check expiry dates:
C:\> openssl x509 -in cert.pem -noout -dates
# Check expiry (0=not expired, 1=expired):
C:\> openssl x509 -in cert.pem -noout -checkend 0
# Subject and issuer:
C:\> openssl x509 -in cert.pem -noout -subject -issuer
# Verify cert key matches private key (hashes must match):
C:\> openssl x509 -in cert.pem -noout -modulus | openssl md5
C:\> openssl rsa -in key.pem -noout -modulus | openssl md5
Full guides: Check certificate · Self-signed cert
PFX / PKCS#12
PFX and format conversion
# Extract private key from PFX:
C:\> openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem
# Extract certificate from PFX:
C:\> openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
# Create PFX from PEM key + cert:
C:\> openssl pkcs12 -export -inkey key.pem -in cert.pem -out output.pfx
# PEM to DER:
C:\> openssl x509 -in cert.pem -outform DER -out cert.der
# DER to PEM:
C:\> openssl x509 -in cert.der -inform DER -out cert.pem
Full guide: Convert PFX to PEM
TLS testing
Test TLS connections
# Connect to HTTPS server:
C:\> openssl s_client -connect example.com:443
# Show server certificate details:
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -text
# Check certificate expiry on remote server:
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -dates
# Test specific TLS version:
C:\> openssl s_client -connect example.com:443 -tls1_3
# SNI for virtual hosts:
C:\> openssl s_client -connect example.com:443 -servername example.com
Full guide: Test SSL connection
Hashing
File hashing and verification
# SHA256 hash of a file:
C:\> openssl dgst -sha256 file.exe
SHA2-256(file.exe)= a3f8c2d19b74...
# SHA512:
C:\> openssl dgst -sha512 file.exe
# MD5 (legacy only, not for security):
C:\> openssl dgst -md5 file.exe
For installer verification, certutil is usually faster on Windows. See Verify Hashes.
Looking for the download?
Get the Win64 prebuilt installer and add it to PATH.
Related guides