A list of my commonly used openssl commands.
View the Contents of an SSL Certificate
openssl x509 -text -noout -in cert.pem
View the SSL Certificate of a Remote Server
View the SSL certificate for any protocol using SSL/TLS with the following command:
openssl s_client -showcerts -connect FQDN:PORT
To see more documentation on s_client run the following command (on OpenSSL 3.x the manual page is named openssl-s_client):
man s_client
Verify SSL Certificate Chain
bundle.pem could contain Intermediate Certificate(s) and/or a Root Certificate provided by your Certificate Authority.
openssl verify -CAfile bundle.pem cert.pem
Verify a Private Key is Valid
The output will be "RSA key ok" if the Private Key is valid (the -check option confirms the RSA key components are mathematically consistent with each other).
openssl rsa -check -noout -in key.pem
Verify a Private Key Matches the Signed SSL Certificate
If the hashes output by the two following commands match, then the Private Key corresponds to the public key in the SSL certificate (this modulus comparison only applies to RSA keys).
openssl x509 -modulus -noout -in cert.pem | openssl sha256
openssl rsa -modulus -noout -in key.pem | openssl sha256
The same check as a single line, comparing the two hashes:
[[ "$(openssl x509 -modulus -noout -in cert.pem | openssl sha256)" == "$(openssl rsa -modulus -noout -in key.pem | openssl sha256)" ]] && echo "MATCH" || echo "NO MATCH"
Create a Self-Signed Certificate Authority and Server Certificate
Generate a Private Key for the Root Certificate (you will be prompted to input a passphrase):
openssl genrsa -des3 -out myCA.key 2048
Generate a Root Certificate (you will be prompted for the passphrase of the previously created Private Key):
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Generate a Private Key for the Server CSR:
openssl genrsa -out server.key 2048
Create the Server CSR:
openssl req -new -key server.key -out server.csr
Create the certificate extension config file server.ext with the following contents (the Subject Alternative Name is what clients actually match against the hostname):
subjectAltName = @alt_names
[alt_names]
DNS.1 = self-signed.example.com
Finally, create the Server Certificate with Extensions:
openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
Read the Server Certificate to verify it was created as desired:
openssl x509 -text -noout -in server.crt
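The whole procedure above, from CA key to verified server certificate, as an added example script (not from the original post). It runs without any interactive prompts by passing -subj and -passin/-passout, uses AES-256 instead of -des3 for the CA key, and finishes with the openssl verify -CAfile check from earlier in the list plus a check that the SAN landed in the certificate. It assumes OpenSSL 1.1.1 or newer on the PATH and a standard openssl.cnf; the passphrase "changeit" is a constructed placeholder.

```shell
set -eu

# Creates myCA.key/myCA.pem and server.key/server.csr/server.ext/server.crt in $1.
# $2 is the DNS name for the SAN (defaults to the post's self-signed.example.com).
make_ca_and_server_cert() {
    local dir="$1"
    local san="${2:-self-signed.example.com}"
    local capass="changeit"   # constructed passphrase; use a secret store in practice

    # 1. CA private key, encrypted with the passphrase (AES-256 instead of the post's -des3)
    openssl genrsa -aes256 -passout "pass:$capass" -out "$dir/myCA.key" 2048 2>/dev/null

    # 2. Self-signed root certificate valid 5 years; -subj replaces the interactive prompts
    openssl req -x509 -new -key "$dir/myCA.key" -passin "pass:$capass" -sha256 -days 1825 \
        -subj "/CN=Example Lab Root CA" -out "$dir/myCA.pem"

    # 3. Unencrypted server private key (as in the post) and the CSR
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$san" -out "$dir/server.csr"

    # 4. Extension file carrying the SAN
    cat > "$dir/server.ext" <<EOF
subjectAltName = @alt_names
[alt_names]
DNS.1 = $san
EOF

    # 5. Sign the CSR with the CA, adding the extensions, valid 1 year
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" \
        -passin "pass:$capass" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 when server.crt chains to myCA.pem and carries the expected DNS SAN.
verify_server_cert() {
    local dir="$1" san="$2"
    openssl verify -CAfile "$dir/myCA.pem" "$dir/server.crt" >/dev/null || return 1
    openssl x509 -noout -ext subjectAltName -in "$dir/server.crt" | grep -q "DNS:$san"
}

workdir="$(mktemp -d)"
make_ca_and_server_cert "$workdir"
if verify_server_cert "$workdir" self-signed.example.com; then
    echo "server.crt verified against myCA.pem with the expected SAN"
else
    echo "verification failed"
fi
```

Because the CA key is encrypted, every signing run needs the passphrase; keeping it out of shell history (-passin file:... or env:...) matters more than the cipher choice.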
Shell Script to Quickly Check SSL Certificate Serial Number, Issuer, Issue and Expiry Dates, Subject, and Subject Alternative Names
Create file cert-check.sh with the following content:
#!/bin/bash
# Usage: ./cert-check.sh <hostname>
# -servername sends SNI so the right certificate comes back; -ext needs OpenSSL 1.1.1+
hostname="$1"
[ -n "$hostname" ] || { echo "usage: $0 <hostname>" >&2; exit 1; }
echo | openssl s_client -showcerts -servername "$hostname" -connect "$hostname":443 2>/dev/null | openssl x509 -serial -issuer -dates -subject -ext subjectAltName -noout
Set the executable permission:
chmod +x cert-check.sh
Run the script with the following command:
./cert-check.sh thornelabs.net
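The script above prints the expiry date but leaves the arithmetic to you. As an added example (not from the original post), here is the same summary applied to a saved certificate file together with an expiry alert built on openssl x509 -checkend, which takes a number of seconds and is portable (no GNU date needed). It assumes OpenSSL 1.1.1 or newer; the certificates it checks are constructed inline so it runs offline.

```shell
set -eu

# Returns 0 if the certificate in $1 will still be valid $2 days from now, 1 otherwise.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# The same fields cert-check.sh prints, for a local certificate file instead of a live server.
cert_summary() {
    openssl x509 -noout -in "$1" -serial -issuer -dates -subject -ext subjectAltName
}

# Constructed test data: a self-signed certificate that expires in $2 days.
make_cert_expiring_in() {
    local out="$1" days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" -days "$days" \
        -subj "/CN=expiry-demo.example.com" \
        -addext "subjectAltName=DNS:expiry-demo.example.com" 2>/dev/null
}

workdir="$(mktemp -d)"
make_cert_expiring_in "$workdir/soon.crt" 5
cert_summary "$workdir/soon.crt"
if cert_valid_for_days "$workdir/soon.crt" 30; then
    echo "OK: more than 30 days of validity left"
else
    echo "WARNING: certificate expires within 30 days"
fi
```

For a live host, feed the leaf certificate from the s_client pipeline into a file first and run cert_valid_for_days on that; a non-zero exit from cron is enough to raise an alert.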
Extract the Private Key from a PFX File
openssl pkcs12 -in file.pfx -nocerts -out key.pem
You will be prompted for the PFX import password and then for a PEM passphrase that protects the extracted key. To remove that passphrase from the extracted Private Key, run the following command:
openssl rsa -in key.pem -out key-nopass.pem
Extract the Public Certificate Chain from a PFX File
openssl pkcs12 -in file.pfx -nokeys -out certs.pem
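As an added example (not from the original post) that ties the PFX extraction commands to the "Private Key Matches the Signed SSL Certificate" check earlier in the list: build a key and certificate, export them to a PFX, extract both halves with the commands above made non-interactive (-passin/-passout instead of prompts), and confirm the extracted key still matches the extracted certificate. The match is done by comparing SHA-256 hashes of the DER-encoded public key, which goes beyond the RSA-only modulus comparison in the post because it works for EC and Ed25519 keys as well. It assumes OpenSSL 1.1.1 or newer; file names and the "export-secret" passphrase are constructed.

```shell
set -eu

# Prints the SHA-256 of the DER public key taken from a certificate ("cert") or a private key ("key").
pubkey_fingerprint() {
    if [ "$1" = cert ]; then
        openssl x509 -in "$2" -noout -pubkey
    else
        openssl pkey -in "$2" -pubout
    fi | openssl pkey -pubin -outform DER | openssl sha256 | awk '{print $NF}'
}

# Returns 0 when private key $1 corresponds to the public key in certificate $2.
key_matches_cert() {
    [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# Creates orig.key/orig.crt in $1, exports them to file.pfx, then extracts
# key.pem, key-nopass.pem and certs.pem the way the post's commands do.
pfx_roundtrip() {
    local dir="$1" pfxpass="export-secret"   # constructed passphrase
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/orig.key" -out "$dir/orig.crt" \
        -days 30 -subj "/CN=pfx-demo.example.com" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/orig.crt" \
        -passout "pass:$pfxpass" -out "$dir/file.pfx"
    # Private key comes out wrapped with a PEM passphrase, then the passphrase is stripped
    openssl pkcs12 -in "$dir/file.pfx" -nocerts -passin "pass:$pfxpass" \
        -passout "pass:$pfxpass" -out "$dir/key.pem" 2>/dev/null
    openssl rsa -in "$dir/key.pem" -passin "pass:$pfxpass" -out "$dir/key-nopass.pem" 2>/dev/null
    # Certificate chain (here a single self-signed certificate)
    openssl pkcs12 -in "$dir/file.pfx" -nokeys -passin "pass:$pfxpass" -out "$dir/certs.pem" 2>/dev/null
}

workdir="$(mktemp -d)"
pfx_roundtrip "$workdir"
if key_matches_cert "$workdir/key-nopass.pem" "$workdir/certs.pem"; then
    echo "MATCH"
else
    echo "NO MATCH"
fi
```

key-nopass.pem is an unencrypted private key; restrict its permissions (chmod 600) and delete it once the service has loaded it, since anyone who can read it can impersonate the certificate's subject.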