ThorneLabs

OpenSSL Commands Cheat Sheet

• Updated January 16, 2024


A list of my commonly used openssl commands.

View the Contents of an SSL Certificate

openssl x509 -text -noout -in cert.pem

View the SSL Certificate of a Remote Server

View the SSL certificate for any protocol using SSL/TLS with the following command:

openssl s_client -showcerts -connect FQDN:PORT

To see more documentation on s_client run the following command:

man s_client

Verify SSL Certificate Chain

bundle.pem could contain Intermediate Certificate(s) and/or a Root Certificate provided by your Certificate Authority.

openssl verify -CAfile bundle.pem cert.pem

Verify a Private Key is Valid

Output will be RSA key ok if the Private Key is valid.

openssl rsa -check -noout -in key.pem

Verify a Private Key Matches the Signed SSL Certificate

If the hashes output by the following two commands match, the Private Key is the one that belongs to the public key in the SSL certificate.

openssl x509 -modulus -noout -in cert.pem | openssl sha256

openssl rsa -modulus -noout -in key.pem | openssl sha256

Same commands but in a single line with string matching:

[[ "$(openssl x509 -modulus -noout -in cert.pem | openssl sha256)" == "$(openssl rsa -modulus -noout -in key.pem | openssl sha256)" ]] && echo "MATCH" || echo "NO MATCH"

Create a Self-Signed Certificate Authority and Server Certificate

Generate a Private Key for the Root Certificate (you will be prompted to input a passphrase):

openssl genrsa -des3 -out myCA.key 2048

Generate a Root Certificate (you will be prompted for the passphrase of the previously created Private Key):

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Generate a Private Key for the Server CSR:

openssl genrsa -out server.key 2048

Create the Server CSR:

openssl req -new -key server.key -out server.csr

Create the Certificate Extension Config by creating file server.ext with the following contents:

subjectAltName = @alt_names

[alt_names]
DNS.1 = self-signed.example.com

Finally, create the Server Certificate with Extensions:

openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext

Read the Server Certificate to verify it was created as desired:

openssl x509 -text -noout -in server.crt
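The steps above, collected into one script that can be run without prompts and that finishes with the chain, key-match and SAN checks from the earlier sections. This is an added example, not part of the original post: it uses -subj, -passout and -passin in place of the interactive prompts, the passphrase and CA name are constructed throwaway values, and it assumes OpenSSL 1.1.1 or newer (for x509 -ext).

```shell
#!/bin/bash
# Added example (not from the original post): the CA and server steps above,
# run end to end without prompts. -subj, -passout and -passin supply what the
# interactive prompts would ask for; the passphrase is a constructed
# throwaway value. Assumes OpenSSL 1.1.1 or newer (for x509 -ext).
set -e

# build_test_pki DIR HOSTNAME: creates myCA.pem, server.key and server.crt in DIR
build_test_pki() (
    dir="$1" host="$2" pass="pass:test-only-passphrase"
    mkdir -p "$dir" && cd "$dir"

    # Root CA: passphrase-protected key plus a self-signed certificate (5 years)
    openssl genrsa -des3 -passout "$pass" -out myCA.key 2048 2>/dev/null
    openssl req -x509 -new -key myCA.key -passin "$pass" -sha256 -days 1825 \
        -subj "/CN=Example Test Root CA" -out myCA.pem

    # Server key and CSR
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=$host" -out server.csr

    # Extension file: clients match the hostname against the SAN, not the CN
    printf 'subjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = %s\n' "$host" > server.ext

    # Sign the CSR with the CA, attaching the extensions
    openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -passin "$pass" \
        -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext 2>/dev/null
)

# check_test_pki DIR HOSTNAME: succeeds only if chain, key match and SAN all verify
check_test_pki() (
    dir="$1" host="$2"
    cd "$dir"
    # 1. the certificate chains to the CA
    openssl verify -CAfile myCA.pem server.crt >/dev/null || exit 1
    # 2. the private key belongs to the certificate (same RSA modulus)
    [ "$(openssl x509 -modulus -noout -in server.crt | openssl sha256)" = \
      "$(openssl rsa -modulus -noout -in server.key | openssl sha256)" ] || exit 2
    # 3. the requested SAN actually made it into the certificate
    openssl x509 -noout -ext subjectAltName -in server.crt | grep -q "DNS:$host" || exit 3
)

# Usage: ./make-test-pki.sh DIR HOSTNAME
if [ "$#" -eq 2 ]; then
    build_test_pki "$1" "$2"
    check_test_pki "$1" "$2" && echo "PKI OK in $1"
fi
```

The exit code of check_test_pki tells you which of the three checks failed, which is handy when a browser rejects a freshly minted test certificate.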

Shell Script to Quickly Check SSL Certificate Serial Number, Issuer, Issue and Expiry Dates, Subject, and Subject Alternative Names

Create file cert-check.sh with the following content:

#!/bin/bash

hostname="$1"

echo | openssl s_client -showcerts -servername "$hostname" -connect "$hostname":443 2>/dev/null | openssl x509 -serial -issuer -dates -subject -ext subjectAltName -noout

Set the executable permission:

chmod +x cert-check.sh

Run the script with the following command:

./cert-check.sh thornelabs.net

Extract the Private Key from a PFX File

openssl pkcs12 -in file.pfx -nocerts -out key.pem

If the Private Key is password protected, remove the password with the following command:

openssl rsa -in key.pem -out key-nopass.pem

Extract the Public Certificate Chain from a PFX File

openssl pkcs12 -in file.pfx -nokeys -out certs.pem

Thanks for reading and take care.