Skip to content
Latchkey

openssl: Usage, Options & Common CI Errors

openssl is the multi-tool for certificates, keys, hashing, and TLS debugging.

openssl shows up in CI for inspecting certs, generating keys, encrypting secrets, and probing TLS endpoints. Its subcommand-per-task design and PEM-vs-DER formats cause most confusion.

What it does

openssl exposes the OpenSSL library through dozens of subcommands: x509 for certificates, s_client for TLS connections, genrsa/genpkey for keys, dgst for hashing, enc for symmetric encryption, and rand for randomness.

Common usage

Terminal
openssl x509 -in cert.pem -noout -dates -subject     # inspect cert
echo | openssl s_client -connect host:443 -servername host
openssl genrsa -out key.pem 4096
openssl rand -hex 32                                  # random token
openssl dgst -sha256 file.bin
openssl enc -aes-256-cbc -pbkdf2 -in f -out f.enc

Options

SubcommandWhat it does
x509Inspect/convert X.509 certificates
s_clientOpen a TLS connection (debug certs/chains)
genrsa / genpkeyGenerate a private key
dgst -sha256Compute a digest
encSymmetric encrypt/decrypt
randGenerate random bytes

Common errors in CI

"unable to load certificate" / "PEM routines: no start line" usually means the file is DER not PEM, or has wrong/missing headers - convert with openssl x509 -inform der. "verify error:num=20:unable to get local issuer certificate" in s_client means the chain is incomplete or CA bundle is missing. OpenSSL 3.x dropped some legacy ciphers (you may need -provider legacy), and enc now expects -pbkdf2 - omitting it warns and weakens key derivation.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →