openssl: Usage, Options & Common CI Errors
openssl is the multi-tool for certificates, keys, hashing, and TLS debugging.
openssl shows up in CI for inspecting certs, generating keys, encrypting secrets, and probing TLS endpoints. Its subcommand-per-task design and PEM-vs-DER formats cause most confusion.
What it does
openssl exposes the OpenSSL library through dozens of subcommands: x509 for certificates, s_client for TLS connections, genrsa/genpkey for keys, dgst for hashing, enc for symmetric encryption, and rand for randomness.
Common usage
openssl x509 -in cert.pem -noout -dates -subject # inspect cert
echo | openssl s_client -connect host:443 -servername host
openssl genrsa -out key.pem 4096
openssl rand -hex 32 # random token
openssl dgst -sha256 file.bin
openssl enc -aes-256-cbc -pbkdf2 -in f -out f.encOptions
| Subcommand | What it does |
|---|---|
| x509 | Inspect/convert X.509 certificates |
| s_client | Open a TLS connection (debug certs/chains) |
| genrsa / genpkey | Generate a private key |
| dgst -sha256 | Compute a digest |
| enc | Symmetric encrypt/decrypt |
| rand | Generate random bytes |
Common errors in CI
"unable to load certificate" / "PEM routines: no start line" usually means the file is DER not PEM, or has wrong/missing headers - convert with openssl x509 -inform der. "verify error:num=20:unable to get local issuer certificate" in s_client means the chain is incomplete or CA bundle is missing. OpenSSL 3.x dropped some legacy ciphers (you may need -provider legacy), and enc now expects -pbkdf2 - omitting it warns and weakens key derivation.