OpenSSL Command Builder

How to use

1. 1Choose what you want to do from the command picker: private key, CSR, self-signed cert, format conversion, inspection, key + cert verification, hash / digest, Base64, encrypt file, or random bytes.
2. 2Fill in the form for the selected command. Subjects, SANs, file names, days, sizes, and curves all update the command preview immediately.
3. 3Read the safety note under each command. It calls out gotchas like the trailing-newline difference between echo and printf for hashing strings, or that PKCS#12 always encrypts the key block.
4. 4Click Copy command on the card, paste into your terminal, and run. OpenSSL will prompt for any passphrases at the keyboard instead of reading them from the command line.
5. 5For CSRs on older OpenSSL versions, also copy the generated openssl.cnf snippet and invoke openssl req with -config openssl.cnf, which attaches the SAN extension the legacy way.

About this tool

OpenSSL Command Builder writes the exact openssl shell commands developers reach for when they need to generate a private key, create a Certificate Signing Request, mint a self-signed X.509 certificate for local development, convert between PEM, DER, and PKCS#12 (.pfx / .p12) bundles, inspect a certificate or CSR or key file, verify that a private key matches a certificate, hash a file or string with SHA-256, SHA-512, SHA-384, SHA-1, or MD5, encode or decode Base64, encrypt a file with AES-256-CBC under a passphrase that is properly stretched through PBKDF2, or pull cryptographically random bytes from the operating system RNG. Every command is built locally from the form inputs in your browser. Nothing is executed and nothing is uploaded. Subject Distinguished Names are assembled in the order C, ST, L, O, OU, CN, emailAddress with slashes and equal signs stripped so the subject syntax stays valid. Subject Alternative Names are classified automatically: hostnames become DNS:, dotted-quad and colon-form addresses become IP:, addresses with an @ become email:, and scheme-prefixed values become URI: entries, but you can also type the prefix yourself. Modern OpenSSL 1.1.1 or 3.x commands use -addext to attach SANs without an openssl.cnf file; a fallback openssl.cnf snippet is generated in parallel for older releases. The self-signed flow ships in both one-shot and three-step forms so the CSR can be reused later with an internal CA. The format conversion tab covers the eight pairs most people search for, including the often-painful PEM key + cert to PKCS#12 bundle for IIS, Java keystores, and Windows, and PKCS#12 back to a PEM key + cert. The verify pair tab generates the modulus-hash check for RSA pairs and the SPKI-hash check for EC pairs that the OpenSSL FAQ recommends. The encrypt tab uses -pbkdf2 with a high iteration count rather than the legacy EVP_BytesToKey default. All passphrases are prompted for at runtime rather than passed on the command line, so they never enter shell history or process listings. Every command card has a copy button and a plain-English note explaining the flags. Useful when you are setting up TLS for a local service, requesting a public CA certificate, signing internal services with a private CA, exporting a key to a Windows server or a Java keystore, verifying a key + cert match before a deploy, hashing release artifacts for a checksum file, or simply trying to remember the exact -outform DER vs -inform DER pair you need this minute.

Free to use. Works in your browser. No signup, no login.