OpenSSL: common commands (and some others)
Thu, Feb 12, 2026
I’m writing this post for completely selfish reasons. I’ve caught myself looking up openssl commands from my previous SecureBoot-related posts, probably more than 10 times now. OpenSSL is rather amazing, but I have so little working memory of the command-line arguments, that I need to look up virtually every command. Now I’m writing down a bunch that I’ve needed recently.
This isn’t going to look pretty or have much in terms of clarification. I will likely update it in time, as I need other commands.
Generating certificates for server and clients
Generating certificates for a CA, a server and some clients, for any purpose that supports IEEE-802.1x.
# List available curves.
openssl ecparam -list_curves
# Generate a self-signed CA key and certificate.
openssl ecparam -name secp384r1 -genkey -noout -out CA.key
openssl req -new -x509 -subj "/CN=CA/" -key CA.key -out CA.crt -days 3650 -sha256
# Generate a (server/client) key.
openssl ecparam -name secp224r1 -genkey -out server.key
# Generate a certificate (signing request).
openssl req -new -sha256 -key server.key -out server.csr -subj '/CN=server/' -noenc
openssl req -in server.csr -noout -text
# Sign a certificate signing request (for server-role, according to IEEE-802.1x) on the machine maintaining the CA key.
# The role is constrained with an extendedKeyUsage extension in the certificate itself. `-addtrust`/`-addreject` would
# only record local trust settings in the PEM file (a "TRUSTED CERTIFICATE"), which a TLS peer never sees.
# (`<(...)` is bash process substitution; any file containing `extendedKeyUsage=serverAuth` works with `-extfile`.)
openssl x509 -req -CA CA.crt -CAkey CA.key -CAcreateserial -subj '/CN=server/' -extfile <(printf 'extendedKeyUsage=serverAuth\n') -days 3650 -sha256 -in server.csr -out server.crt
openssl x509 -in server.crt -noout -text
# Sign a certificate signing request (for client-role, according to IEEE-802.1x) on the machine maintaining the CA key.
openssl x509 -req -CA CA.crt -CAkey CA.key -CAcreateserial -subj '/CN=client/' -extfile <(printf 'extendedKeyUsage=clientAuth\n') -days 3650 -sha256 -in client.csr -out client.crt
openssl x509 -in client.crt -noout -text
Note that this uses the x509 subcommand, thus avoiding the need for an openssl.cnf configuration-file with a set of prescribed CA-related fields and values. For regular or long-term use, the ca subcommand and an openssl.cnf file are probably better. In these one-off cases, I like to be able to generate certificates using only the info I provide in command-line arguments.
Combine private key, certificate, and CA-certificate in PKCS12
Generate a PKCS12 (.pfx) for easy transport and import. This is accepted, for example, by Android-devices.
# Generate a PKCS12 (`.pfx`) file composed of private key and certificates.
# `-certfile <cert-file>` may be repeated to include other (intermediate) certificates.
openssl pkcs12 -in client.crt -inkey client.key -certfile CA.crt -export -out client.pfx
Generate an RSA key-pair
# Generate a 2048-bit RSA key-pair for use in SecureBoot.
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
Check your UEFI-firmware or TPM for supported algorithms. These often support only a select few algorithms and key-sizes, usually 2048-bit RSA.
Convert certificate-formats
# Convert a PEM-formatted certificate into a DER-formatted certificate.
# (You can include `-inform PEM` to be explicit.)
openssl x509 -in test.crt -out test.der -outform DER
Generate a safe DH parameter for use in cryptographic applications.
Some security applications, such as OpenVPN, allow providing a (custom) DH-parameter for use in establishing ephemeral session-keys. (Usually, without such a DH-parameter, and unless standardized DH-parameters are used, no ephemeral session-keys are established.)
# Generate a DH parameter, with `3072` the parameter size.
openssl dhparam -out dh.pem 3072
IIUC, this is used mainly in combination with RSA and necessarily with DSA algorithms.
Other tools
Some notes for other tooling.
tpm2-tools
# List the capability names that can be queried.
tpm2_getcap -l
# Check TPM2 supported algorithms.
tpm2_getcap algorithms
# Check TPM2 supported ECC curves.
tpm2_getcap ecc-curves
These are low-level fundamental tools for interacting with TPM2. These are not recommended for any practical use. There are high-level tools available for that, as well as integration in security tooling such as GnuPG.
efitools
- cert-to-efi-sig-list: create a bundle for use in EFI-firmware.
- sign-efi-sig-list: sign a bundle for use in SecureBoot.
# Read an EFI-firmware SecureBoot variable.
efi-readvar -v db
# Unlock and update an EFI-firmware SecureBoot variable.
chattr -i /sys/firmware/efi/efivars/db-...
# Key needs only be specified if SecureBoot is in setup-mode (keys cleared).
efi-updatevar -a -k KEK.key -c db.crt db
# Update/Write PK certificate, usually must be a signed auth-file.
# (sign-efi-sig-list needs both the signing key and its certificate.)
cert-to-efi-sig-list PK.crt PK.esl
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
efi-updatevar -f PK.auth PK
# An empty, i.e. 0-byte, PK.esl that is signed into a PK.auth can be used to clear the SecureBoot PK variable from a running system in (SecureBoot-enabled) user-mode. This file can be generated for later use.
touch empty.esl
sign-efi-sig-list -k PK.key -c PK.crt PK empty.esl clear-PK.auth
sbsigntools
Tools for handling signatures and EFI-programs.
- sbverify --list program.efi: list signatures in the EFI-program.
- sbverify --cert <cert> program.efi: check whether program.efi can be validated using <cert>.
- sbsign --key myboot.key --cert myboot.crt program.efi: sign an EFI-program-binary with the specified myboot key-pair for use in a SecureBoot-enabled environment.
mokutil
mokutil --sb-state: check SecureBoot state of the running system.
bootctl (systemd)
bootctl status: check boot-state of the system, though this command is most thorough if systemd-boot is in use.
efibootmgr
# List EFI boot-entries, which are enabled, currently booted, and the boot order.
efibootmgr
# Delete entry `0001`.
efibootmgr -b 0001 -B
# Configure boot-order.
efibootmgr -o 0001,0002,0003
Notes
- `cryptsetup` allows dumping (displaying) the LUKS-header. The header includes an offset where the header ends and the encrypted content begins. This information can be used if you want to erase the LUKS-header on the encrypted partition, after having backed it up using `cryptsetup luksHeaderBackup`, and use the backup as a detached header. This is more complicated to set up, but makes it possible to have the encrypted content exist without the corresponding symmetric key, which must then be provided through the detached header explicitly specified when unlocking the LUKS volume.
- `dmcrypt` uses internal workqueues. These are known to cause delays when fast and slow block-devices are mixed. LUKS2-encrypted partitions can be preconfigured to disable the workqueues. This makes `dmcrypt` devices pass through to the underlying block-device; consequently, file-systems can work their caches and scheduling-mechanisms more reliably. With the LUKS-partition unlocked:
  `cryptsetup refresh --persistent --perf-no_read_workqueue --perf-no_write_workqueue device_crypt`
Changelog
This article will receive updates, if necessary.
- 2026-02-12 Initial version.