🎯

openssl

🎯Skill

from oriolrius/pki-manager-web

What it does

Generates and manages SSL/TLS certificates, cryptographic keys, and performs PKI operations using OpenSSL commands.

📦

Part of

oriolrius/pki-manager-web(18 items)

openssl

Installation

pnpmRun with pnpm

pnpm install

pnpmRun with pnpm

pnpm dev

pnpmRun with pnpm

pnpm dev # Start both backend and frontend in dev mode

pnpmRun with pnpm

pnpm dev # Start dev server with hot reload

pnpmRun with pnpm

pnpm start # Start production server

+ 1 more commands

📖 Extracted from docs: oriolrius/pki-manager-web

Need more details? View full documentation on GitHub →

3Installs

AddedFeb 4, 2026

View on GitHub Back to Skills

Skill Details

SKILL.md

Expert guidance for OpenSSL operations including certificate generation, key management, CSR creation, certificate verification, encryption, and PKI operations. Use this when working with SSL/TLS certificates, cryptographic keys, or PKI infrastructure.

Overview

# OpenSSL

Expert assistance with OpenSSL cryptographic operations and PKI management.

Key Generation

RSA Keys

```bash

# Generate RSA private key (2048-bit)

openssl genrsa -out private.key 2048

# Generate RSA private key (4096-bit, more secure)

openssl genrsa -out private.key 4096

# Generate encrypted RSA private key

openssl genrsa -aes256 -out private.key 4096

# Extract public key from private key

openssl rsa -in private.key -pubout -out public.key

# Remove passphrase from encrypted key

openssl rsa -in encrypted.key -out decrypted.key

```

EC (Elliptic Curve) Keys

```bash

# List available curves

openssl ecparam -list_curves

# Generate EC private key (P-256)

openssl ecparam -name prime256v1 -genkey -noout -out ec-private.key

# Generate EC private key (P-384, more secure)

openssl ecparam -name secp384r1 -genkey -noout -out ec-private.key

# Extract public key

openssl ec -in ec-private.key -pubout -out ec-public.key

```

Certificate Signing Requests (CSR)

Create CSR

```bash

# Create CSR from existing private key

openssl req -new -key private.key -out request.csr

# Create CSR with inline subject

openssl req -new -key private.key -out request.csr \

-subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

# Generate private key and CSR in one command

openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr

# Create CSR with SAN (Subject Alternative Names)

openssl req -new -key private.key -out request.csr -config san.cnf

```

SAN Configuration File (san.cnf)

```ini

[req]

distinguished_name = req_distinguished_name

req_extensions = v3_req

[req_distinguished_name]

CN = example.com

[v3_req]

subjectAltName = @alt_names

[alt_names]

DNS.1 = example.com

DNS.2 = www.example.com

DNS.3 = api.example.com

IP.1 = 192.168.1.1

```

View CSR

```bash

# Display CSR details

openssl req -in request.csr -noout -text

# Verify CSR signature

openssl req -in request.csr -noout -verify

```

Self-Signed Certificates

Create Self-Signed Certificate

```bash

# Generate self-signed certificate (1 year validity)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

# Generate self-signed certificate without passphrase

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

# From existing key

openssl req -x509 -key private.key -out cert.pem -days 365

# With specific subject

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 \

-subj "/C=US/ST=State/L=City/O=Org/CN=example.com"

```

Certificate Authority (CA) Operations

Create Root CA

```bash

# Generate CA private key

openssl genrsa -aes256 -out ca-key.pem 4096

# Create CA certificate

openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 \

-out ca-cert.pem -subj "/C=US/O=MyOrg/CN=MyOrg Root CA"

```

Sign Certificate with CA

```bash

# Sign CSR with CA

openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \

-CAcreateserial -out cert.pem -days 365 -sha256

# Sign with extensions (SAN)

openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \

-CAcreateserial -out cert.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf

```

Create Intermediate CA

```bash

# Generate intermediate CA key

openssl genrsa -aes256 -out intermediate-key.pem 4096

# Create intermediate CSR

openssl req -new -key intermediate-key.pem -out intermediate.csr

# Sign intermediate certificate with root CA

openssl x509 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem \

-CAcreateserial -out intermediate-cert.pem -days 1825 -sha256

# Create certificate chain

cat intermediate-cert.pem ca-cert.pem > chain.pem

```

Certificate Inspection & Verification

View Certificate Details

```bash

# Display certificate details

openssl x509 -in cert.pem -noout -text

# Show specific fields

openssl x509 -in cert.pem -noout -subject

openssl x509 -in cert.pem -noout -issuer

openssl x509 -in cert.pem -noout -dates

openssl x509 -in cert.pem -noout -serial

openssl x509 -in cert.pem -noout -fingerprint

# Check expiration

openssl x509 -in cert.pem -noout -enddate

# Show in human-readable format

openssl x509 -in cert.pem -text -noout

```

Verify Certificates

```bash

# Verify certificate against CA

openssl verify -CAfile ca-cert.pem cert.pem

# Verify certificate chain

openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem cert.pem

# Check if certificate and key match

openssl x509 -noout -modulus -in cert.pem | openssl md5

openssl rsa -noout -modulus -in private.key | openssl md5

```

Test SSL/TLS Connection

```bash

# Connect to server and show certificate

openssl s_client -connect example.com:443 -showcerts

# Test specific protocol

openssl s_client -connect example.com:443 -tls1_2

openssl s_client -connect example.com:443 -tls1_3

# Test with SNI

openssl s_client -connect example.com:443 -servername example.com

# Check certificate expiration remotely

echo | openssl s_client -connect example.com:443 2>/dev/null | \

openssl x509 -noout -dates

```

Format Conversion

PEM ↔ DER

```bash

# PEM to DER

openssl x509 -in cert.pem -outform DER -out cert.der

# DER to PEM

openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

```

PKCS#12 (PFX)

```bash

# Create PKCS#12 bundle (certificate + private key)

openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem

# Include certificate chain

openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile chain.pem

# Extract from PKCS#12

openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes

# Extract only certificate

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

# Extract only private key

openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.key

```

PKCS#7

```bash

# Convert PEM to PKCS#7

openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

# Convert PKCS#7 to PEM

openssl pkcs7 -print_certs -in cert.p7b -out cert.pem

```

Encryption & Decryption

Symmetric Encryption

```bash

# Encrypt file with AES-256

openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

# Decrypt file

openssl enc -aes-256-cbc -d -in file.enc -out file.txt

# Encrypt with password from file

openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass file:password.txt

# Base64 encode encrypted output

openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -a

```

Asymmetric Encryption

```bash

# Encrypt with public key

openssl rsautl -encrypt -pubin -inkey public.key -in file.txt -out file.enc

# Decrypt with private key

openssl rsautl -decrypt -inkey private.key -in file.enc -out file.txt

```

Hashing & Digests

```bash

# Generate hash

openssl dgst -sha256 file.txt

openssl dgst -sha512 file.txt

openssl dgst -md5 file.txt

# Create signature

openssl dgst -sha256 -sign private.key -out signature.bin file.txt

# Verify signature

openssl dgst -sha256 -verify public.key -signature signature.bin file.txt

# HMAC

openssl dgst -sha256 -hmac "secret-key" file.txt

```

Certificate Revocation

Create Certificate Revocation List (CRL)

```bash

# Create CRL configuration (crl.cnf)

# [ca section with database and crl settings needed]

# Generate CRL

openssl ca -gencrl -config crl.cnf -out crl.pem

# View CRL

openssl crl -in crl.pem -text -noout

# Verify certificate against CRL

openssl verify -crl_check -CRLfile crl.pem -CAfile ca-cert.pem cert.pem

```

OCSP (Online Certificate Status Protocol)

```bash

# Start OCSP responder

openssl ocsp -port 8080 -index index.txt -CA ca-cert.pem -rkey ca-key.pem -rsigner ca-cert.pem

# Query OCSP responder

openssl ocsp -issuer ca-cert.pem -cert cert.pem -url http://ocsp.example.com:8080

```

Common PKI Workflows

Complete Certificate Workflow

```bash

# 1. Generate private key

openssl genrsa -out server.key 4096

# 2. Create CSR

openssl req -new -key server.key -out server.csr \

-subj "/C=US/ST=CA/L=SF/O=MyOrg/CN=example.com"

# 3. Sign with CA

openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \

-CAcreateserial -out server.crt -days 365 -sha256

# 4. Verify

openssl verify -CAfile ca-cert.pem server.crt

# 5. Test locally

openssl s_server -cert server.crt -key server.key -accept 8443

```

Best Practices

Key Size: Use at least 2048-bit RSA or 256-bit EC keys
Hash Algorithm: Use SHA-256 or stronger (avoid MD5, SHA-1)
Validity Period: Certificates should be valid for ≤ 398 days (current CA/Browser Forum baseline)
Private Key Protection: Always encrypt private keys with strong passphrases
SAN: Always include Subject Alternative Names, even for single domain
Key Backup: Securely backup private keys and CA certificates
Certificate Chain: Always provide complete certificate chain
Regular Rotation: Rotate certificates before expiration

Security Notes

Never share private keys - They should remain on the server
Use strong passphrases for encrypted keys (16+ characters)
Protect CA keys with HSM or secure key storage
Monitor expiration - Set up alerts 30 days before expiry
Revoke compromised certificates immediately
Use Certificate Transparency for public certificates

More from this repository10

🎯

trpc🎯Skill

trpc skill from oriolrius/pki-manager-web

🎯

keycloak🎯Skill

keycloak skill from oriolrius/pki-manager-web

🎯

sqlite🎯Skill

sqlite skill from oriolrius/pki-manager-web

🎯

backlog.md🎯Skill

backlog.md skill from oriolrius/pki-manager-web

🎯

next.js🎯Skill

next.js skill from oriolrius/pki-manager-web

🎯

zod🎯Skill

Validates and infers TypeScript schemas with zero dependencies, enabling robust type-safe data parsing and validation across various complex types.

Skill

oauth2 skill from oriolrius/pki-manager-web

🎯

tanstack router🎯Skill

Manages client-side routing and navigation for the PKI Manager web application using TanStack Router, enabling type-safe and declarative route configuration in the React frontend.

🎯

vitest🎯Skill

Provides expert testing support for Vite-based applications using Vitest's fast, TypeScript-friendly, and Jest-compatible testing framework.