Guide

Using OpenSSL from PowerShell on Windows

OpenSSL works from PowerShell on Windows just like from cmd.exe — with a few syntax differences. This guide covers the key differences, PowerShell-native alternatives, and how to use OpenSSL in scripts.

OpenSSL must be installed and on your PATH before using it from PowerShell. If openssl is not recognized, see Add to PATH and then open a new PowerShell window.
Key differences

cmd.exe vs PowerShell syntax

Most OpenSSL commands work identically in both shells. The main differences:

cmd.exe
  • Line continuation: ^
  • Redirect stderr: 2>nul
  • Pipe stderr: works natively
  • Env variable: %PATH%
  • Quotes: single or double
PowerShell
  • Line continuation: backtick `
  • Redirect stderr: 2>$null
  • Pipe stderr separately: 2>&1
  • Env variable: $env:PATH
  • Use double quotes for paths with spaces
Common commands

OpenSSL commands in PowerShell

Version check

PowerShell
PS C:\> openssl version
OpenSSL 4.0.0 6 Jun 2025

Generate RSA key

PowerShell
PS C:\certs> openssl genrsa -out key.pem 2048

Non-interactive CSR (multi-line with backtick)

PowerShell
PS C:\certs> openssl req -newkey rsa:2048 -nodes `
-keyout key.pem -out req.csr `
-subj "/C=US/ST=CA/O=Corp/CN=example.com"

Check certificate expiry on remote server

PowerShell
PS C:\> openssl s_client -connect example.com:443 2>$null | openssl x509 -noout -dates
notBefore=Apr 1 00:00:00 2026 GMT
notAfter=Jun 30 23:59:59 2026 GMT

Extract certificate from PFX

PowerShell
PS C:\certs> openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
PowerShell-native alternatives

Built-in PowerShell for common tasks

Some tasks have native PowerShell cmdlets that are easier than OpenSSL for Windows-specific workflows:

Verify file hash (no OpenSSL needed)

PowerShell
PS> Get-FileHash -Algorithm SHA256 .\installer.exe
SHA256 A3F8C2D19B74... .\installer.exe

Trust a self-signed certificate

PowerShell — admin
PS> Import-Certificate -FilePath .\cert.pem -CertStoreLocation Cert:\LocalMachine\Root

Check authenticode signature

PowerShell
PS> Get-AuthenticodeSignature .\installer.exe | Select-Object Status
Status
------
Valid
Automation

Using OpenSSL in PowerShell scripts

Example: check certificate expiry and alert if it expires within 30 days:

check-cert.ps1
$output = openssl s_client -connect example.com:443 2>&1 | openssl x509 -noout -dates 2>&1
$expiry = ($output | Select-String "notAfter").Line -replace "notAfter=",""
$expiryDate = [DateTime]::ParseExact($expiry.Trim(), "MMM d HH:mm:ss yyyy GMT", $null)
$daysLeft = ($expiryDate - (Get-Date)).Days
if ($daysLeft -lt 30) {
Write-Warning "Certificate expires in $daysLeft days!"
} else {
Write-Host "Certificate OK: $daysLeft days remaining"
}
FAQ

PowerShell questions

openssl is not recognized in PowerShell
PowerShell uses the same PATH as cmd.exe. If OpenSSL is on PATH in cmd.exe but not PowerShell, close and reopen both. Also note that PowerShell 5 and PowerShell 7 (pwsh) may have different PATH environments if one was opened before the PATH change.
My openssl command works in cmd.exe but not PowerShell
PowerShell has a built-in Invoke-WebRequest alias as iwr, but it does not intercept openssl. The most common cause is quoting — PowerShell is stricter about quotes. Try wrapping the subj string in double quotes and escaping slashes if needed.
How do I suppress the s_client connection noise in PowerShell?
Use 2>$null to discard stderr: openssl s_client -connect host:443 2>$null | openssl x509 -noout -dates. In cmd.exe use 2>nul.

New to OpenSSL on Windows?

Start with the Win64 installer and PATH setup guide.

Add to PATH guide →

Related guides

Commands cheat sheet →
all commands
Not recognized fix →
PATH issues
Verify Hashes →
Get-FileHash guide