OpenSSL shell scripting
OpenSSL shell scripting is the fastest way to integrate encryption, decryption, and certificate management into automated workflows. It removes manual repetition, making secure operations reliable and reproducible. Whether you need to generate keys, sign files, or test TLS connections, it can all be done inside a bash script with a single command chain.
Why Use OpenSSL in Shell Scripts
OpenSSL is installed on most systems by default. Combining it with shell scripting lets you:
- Generate RSA and EC keys.
- Create CSRs (Certificate Signing Requests).
- Sign and verify data.
- Automate certificate renewal.
- Test secure endpoints via openssl s_client.
These tasks can be scripted to run unattended, triggered by cron jobs, CI pipelines, or deployment hooks.
Core Commands for OpenSSL Shell Scripting
Generate a 2048-bit RSA key:
openssl genrsa -out private.pem 2048
Create a public key from a private key:
openssl rsa -in private.pem -pubout -out public.pem
Generate a CSR:
openssl req -new -key private.pem -out request.csr
Self-sign a certificate:
openssl req -x509 -key private.pem -in request.csr -out cert.pem -days 365
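Encrypt a file (-pbkdf2 derives the key from the passphrase with PBKDF2 instead of the legacy default; available in OpenSSL 1.1.1 and later):
openssl enc -aes-256-cbc -pbkdf2 -salt -in secrets.txt -out secrets.enc
Decrypt a file (with the same key-derivation options used to encrypt):
openssl enc -d -aes-256-cbc -pbkdf2 -in secrets.enc -out secrets.txt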
Secure Automation Patterns
When embedding these commands inside shell scripts:
- Check for OpenSSL availability before running tasks:
command -v openssl >/dev/null 2>&1 || { echo "OpenSSL not found"; exit 1; }
- Use absolute paths for keys and certificates in scripts to avoid failures from unexpected working directories.
- Store secrets outside the repo and pass file paths via environment variables.
- Log operations and error codes for debugging.
- Clean up temporary files in a trap to prevent data leakage.
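The patterns above combined into one renewal script, as an added example that is not part of the original article: it checks for OpenSSL, insists on an absolute directory, takes its paths from environment variables, logs exit codes, and removes its temporary directory with a trap. CERT_DIR, RENEW_DAYS, CERT_CN, the function names and the 90-day lifetime are assumptions for illustration.

```shell
#!/bin/bash
# Added example. CERT_DIR, RENEW_DAYS, CERT_CN and all function names are assumptions.
set -u
umask 077   # key material is created readable by the owner only

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# Status 0 means "renew": cert missing, unreadable, or expiring within $2 days.
needs_renewal() {
    [ -r "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

renew_cert() {
    dir=$1 days=$2 cn=$3
    command -v openssl >/dev/null 2>&1 || { log "OpenSSL not found"; return 1; }
    case $dir in
        /*) ;;
        *) log "refusing relative path: $dir"; return 1 ;;
    esac
    if ! needs_renewal "$dir/cert.pem" "$days"; then
        log "cert.pem is valid for more than $days days, nothing to do"
        return 0
    fi
    # Work in a private directory next to the target so the final mv is a rename;
    # the trap removes it if the script exits before the explicit cleanup below.
    tmp=$(mktemp -d "$dir/.renew.XXXXXX") || { log "mktemp failed"; return 1; }
    trap 'rm -rf "$tmp"' EXIT
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$cn" -days 90 \
        -keyout "$tmp/private.pem" -out "$tmp/cert.pem" 2>"$tmp/err.log" || rc=$?
    if [ "$rc" -ne 0 ]; then
        log "openssl req failed (exit $rc): $(cat "$tmp/err.log")"
        rm -rf "$tmp"
        return "$rc"
    fi
    mv "$tmp/private.pem" "$dir/private.pem" && mv "$tmp/cert.pem" "$dir/cert.pem" \
        || { log "could not install new files"; rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    log "renewed $dir/cert.pem (CN=$cn, 90 days)"
}

# Paths come from the environment; the "run" argument keeps the file safe to source.
if [ "${1:-}" = "run" ]; then
    renew_cert "${CERT_DIR:?set CERT_DIR}" "${RENEW_DAYS:-30}" "${CERT_CN:-staging.example.test}"
fi
```

Invoked from cron or a pipeline step as `CERT_DIR=/absolute/path ./renew.sh run` (the file name is arbitrary), it is a no-op until the certificate is within RENEW_DAYS of expiry.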
Advanced Example: Automated TLS Endpoint Check
#!/bin/bash
HOST="example.com"
PORT=443
# Reading stdin from /dev/null makes s_client exit after the handshake; -servername sets SNI.
if openssl s_client -connect "${HOST}:${PORT}" -servername "${HOST}" < /dev/null 2>/dev/null | grep -q "Verify return code: 0"; then
  echo "Certificate is valid."
else
  echo "Certificate check failed."
fi
This script can run daily to detect expired or broken certificates before users see errors.
OpenSSL and CI/CD
Integrating OpenSSL into deployment pipelines allows automated creation of ephemeral keys or test certificates. This is critical for staging environments, penetration testing, or load testing encrypted endpoints.
Strong security starts with consistent automation. OpenSSL shell scripting delivers both.