SkillHub
SkillHubagent skills marketplace
Menu
All SkillsStacksKOLHotRankings
Sign inGet Pro
Back to skills
SkillHub ClubShip Full StackFull StackTesting

OpenSSL

Expert guidance for OpenSSL operations including certificate generation, key management, CSR creation, certificate verification, encryption, and PKI operations. Use this when working with SSL/TLS certificates, cryptographic keys, or PKI infrastructure.

Packaged view

This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.

Stars
764
Hot score
99
Updated
March 20, 2026
Overall rating
C5.2
Composite score
5.2
Best-practice grade
C68.4

Install command

npx @skill-hub/cli install benchflow-ai-skillsbench-openssl

Repository

benchflow-ai/SkillsBench

Skill path: registry/terminal_bench_2.0/full_batch_reviewed/terminal_bench_2_0_openssl-selfsigned-cert/environment/skills/openssl

Expert guidance for OpenSSL operations including certificate generation, key management, CSR creation, certificate verification, encryption, and PKI operations. Use this when working with SSL/TLS certificates, cryptographic keys, or PKI infrastructure.

Open repository

Best for

Primary workflow: Ship Full Stack.

Technical facets: Full Stack, Testing.

Target audience: everyone.

License: Unknown.

Original source

Catalog source: SkillHub Club.

Repository owner: benchflow-ai.

This is still a mirrored public skill entry. Review the repository before installing into production workflows.

What it helps with

  • Install OpenSSL into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
  • Review https://github.com/benchflow-ai/SkillsBench before adding OpenSSL to shared team environments
  • Use OpenSSL for development workflows

Works across

Claude CodeCodex CLIGemini CLIOpenCode

Favorites: 0.

Sub-skills: 0.

Aggregator: No.

Original source / Raw SKILL.md

---
name: OpenSSL
description: Expert guidance for OpenSSL operations including certificate generation, key management, CSR creation, certificate verification, encryption, and PKI operations. Use this when working with SSL/TLS certificates, cryptographic keys, or PKI infrastructure.
---

# OpenSSL

Expert assistance with OpenSSL cryptographic operations and PKI management.

## Key Generation

### RSA Keys
```bash
# Generate RSA private key (2048-bit)
openssl genrsa -out private.key 2048

# Generate RSA private key (4096-bit, more secure)
openssl genrsa -out private.key 4096

# Generate encrypted RSA private key
openssl genrsa -aes256 -out private.key 4096

# Extract public key from private key
openssl rsa -in private.key -pubout -out public.key

# Remove passphrase from encrypted key
openssl rsa -in encrypted.key -out decrypted.key
```

### EC (Elliptic Curve) Keys
```bash
# List available curves
openssl ecparam -list_curves

# Generate EC private key (P-256)
openssl ecparam -name prime256v1 -genkey -noout -out ec-private.key

# Generate EC private key (P-384, more secure)
openssl ecparam -name secp384r1 -genkey -noout -out ec-private.key

# Extract public key
openssl ec -in ec-private.key -pubout -out ec-public.key
```

## Certificate Signing Requests (CSR)

### Create CSR
```bash
# Create CSR from existing private key
openssl req -new -key private.key -out request.csr

# Create CSR with inline subject
openssl req -new -key private.key -out request.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

# Generate private key and CSR in one command
openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr

# Create CSR with SAN (Subject Alternative Names)
openssl req -new -key private.key -out request.csr -config san.cnf
```

### SAN Configuration File (san.cnf)
```ini
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
CN = example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
IP.1 = 192.168.1.1
```

### View CSR
```bash
# Display CSR details
openssl req -in request.csr -noout -text

# Verify CSR signature
openssl req -in request.csr -noout -verify
```

## Self-Signed Certificates

### Create Self-Signed Certificate
```bash
# Generate self-signed certificate (1 year validity)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

# Generate self-signed certificate without passphrase
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

# From existing key
openssl req -x509 -key private.key -out cert.pem -days 365

# With specific subject
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 \
  -subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
```

## Certificate Authority (CA) Operations

### Create Root CA
```bash
# Generate CA private key
openssl genrsa -aes256 -out ca-key.pem 4096

# Create CA certificate
openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 \
  -out ca-cert.pem -subj "/C=US/O=MyOrg/CN=MyOrg Root CA"
```

### Sign Certificate with CA
```bash
# Sign CSR with CA
openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 365 -sha256

# Sign with extensions (SAN)
openssl x509 -req -in request.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf
```

### Create Intermediate CA
```bash
# Generate intermediate CA key
openssl genrsa -aes256 -out intermediate-key.pem 4096

# Create intermediate CSR
openssl req -new -key intermediate-key.pem -out intermediate.csr

# Sign intermediate certificate with root CA
openssl x509 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out intermediate-cert.pem -days 1825 -sha256

# Create certificate chain
cat intermediate-cert.pem ca-cert.pem > chain.pem
```

## Certificate Inspection & Verification

### View Certificate Details
```bash
# Display certificate details
openssl x509 -in cert.pem -noout -text

# Show specific fields
openssl x509 -in cert.pem -noout -subject
openssl x509 -in cert.pem -noout -issuer
openssl x509 -in cert.pem -noout -dates
openssl x509 -in cert.pem -noout -serial
openssl x509 -in cert.pem -noout -fingerprint

# Check expiration
openssl x509 -in cert.pem -noout -enddate

# Show in human-readable format
openssl x509 -in cert.pem -text -noout
```

### Verify Certificates
```bash
# Verify certificate against CA
openssl verify -CAfile ca-cert.pem cert.pem

# Verify certificate chain
openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem cert.pem

# Check if certificate and key match
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
```

### Test SSL/TLS Connection
```bash
# Connect to server and show certificate
openssl s_client -connect example.com:443 -showcerts

# Test specific protocol
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

# Test with SNI
openssl s_client -connect example.com:443 -servername example.com

# Check certificate expiration remotely
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates
```

## Format Conversion

### PEM ↔ DER
```bash
# PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der

# DER to PEM
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
```

### PKCS#12 (PFX)
```bash
# Create PKCS#12 bundle (certificate + private key)
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem

# Include certificate chain
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile chain.pem

# Extract from PKCS#12
openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes

# Extract only certificate
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

# Extract only private key
openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.key
```

### PKCS#7
```bash
# Convert PEM to PKCS#7
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

# Convert PKCS#7 to PEM
openssl pkcs7 -print_certs -in cert.p7b -out cert.pem
```

## Encryption & Decryption

### Symmetric Encryption
```bash
# Encrypt file with AES-256
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

# Decrypt file
openssl enc -aes-256-cbc -d -in file.enc -out file.txt

# Encrypt with password from file
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass file:password.txt

# Base64 encode encrypted output
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -a
```

### Asymmetric Encryption
```bash
# Encrypt with public key
openssl rsautl -encrypt -pubin -inkey public.key -in file.txt -out file.enc

# Decrypt with private key
openssl rsautl -decrypt -inkey private.key -in file.enc -out file.txt
```

## Hashing & Digests

```bash
# Generate hash
openssl dgst -sha256 file.txt
openssl dgst -sha512 file.txt
openssl dgst -md5 file.txt

# Create signature
openssl dgst -sha256 -sign private.key -out signature.bin file.txt

# Verify signature
openssl dgst -sha256 -verify public.key -signature signature.bin file.txt

# HMAC
openssl dgst -sha256 -hmac "secret-key" file.txt
```

## Certificate Revocation

### Create Certificate Revocation List (CRL)
```bash
# Create CRL configuration (crl.cnf)
# [ca section with database and crl settings needed]

# Generate CRL
openssl ca -gencrl -config crl.cnf -out crl.pem

# View CRL
openssl crl -in crl.pem -text -noout

# Verify certificate against CRL
openssl verify -crl_check -CRLfile crl.pem -CAfile ca-cert.pem cert.pem
```

### OCSP (Online Certificate Status Protocol)
```bash
# Start OCSP responder
openssl ocsp -port 8080 -index index.txt -CA ca-cert.pem -rkey ca-key.pem -rsigner ca-cert.pem

# Query OCSP responder
openssl ocsp -issuer ca-cert.pem -cert cert.pem -url http://ocsp.example.com:8080
```

## Common PKI Workflows

### Complete Certificate Workflow
```bash
# 1. Generate private key
openssl genrsa -out server.key 4096

# 2. Create CSR
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=CA/L=SF/O=MyOrg/CN=example.com"

# 3. Sign with CA
openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out server.crt -days 365 -sha256

# 4. Verify
openssl verify -CAfile ca-cert.pem server.crt

# 5. Test locally
openssl s_server -cert server.crt -key server.key -accept 8443
```

## Best Practices

1. **Key Size**: Use at least 2048-bit RSA or 256-bit EC keys
2. **Hash Algorithm**: Use SHA-256 or stronger (avoid MD5, SHA-1)
3. **Validity Period**: Certificates should be valid for ≤ 398 days (current CA/Browser Forum baseline)
4. **Private Key Protection**: Always encrypt private keys with strong passphrases
5. **SAN**: Always include Subject Alternative Names, even for single domain
6. **Key Backup**: Securely backup private keys and CA certificates
7. **Certificate Chain**: Always provide complete certificate chain
8. **Regular Rotation**: Rotate certificates before expiration

## Security Notes

- **Never share private keys** - They should remain on the server
- **Use strong passphrases** for encrypted keys (16+ characters)
- **Protect CA keys** with HSM or secure key storage
- **Monitor expiration** - Set up alerts 30 days before expiry
- **Revoke compromised certificates** immediately
- **Use Certificate Transparency** for public certificates
OpenSSL | SkillHub