The openssl command has a vast array of uses and functions.
This post will be an ever-growing list of various useful OpenSSL commands.
View an SSL Certificate
View the SSL Certificate for any protocol using SSL with the following command:
openssl s_client -showcerts -connect FQDN:PORT
To see more documentation on s_client run the following command:
man s_client
View the Contents of an SSL Certificate
openssl x509 -text -noout -in server.crt
View the Contents of a Certificate Signing Request
openssl req -text -noout -in server.csr
Verify SSL Certificate Chain
openssl verify -CAfile <(cat ca.crt intermediate.crt) signed.crt
Verify an SSL Certificate was Generated from a Certificate Authority
openssl verify -verbose -CAfile ca.crt server.crt
Verify a Private Key Matches an SSL Certificate
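If the MD5 hashes printed by the two commands match, there is a very high probability that the Private Key matches the SSL Certificate: both commands hash the RSA modulus, which the certificate's public key and the Private Key share.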
openssl x509 -modulus -noout -in server.crt | openssl md5
openssl rsa -modulus -noout -in server.key | openssl md5
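The same check as an added example (not part of the original post), generalized to compare the whole public key instead of an MD5 of the RSA modulus, so it also works for EC keys. The function names, file names and the throwaway keys created by make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a private key belong to a certificate?
# Compares the whole public key, so it works for RSA and EC alike.

# Public key embedded in a certificate, as PEM (SubjectPublicKeyInfo).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, in the same PEM format.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# key_matches_cert KEY CERT
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
# The "( )" body is a subshell, so k and c stay local to the function.
key_matches_cert() (
    k=$(key_pubkey "$1") || exit 2
    c=$(cert_pubkey "$2") || exit 2
    [ -n "$k" ] && [ -n "$c" ] || exit 2
    [ "$k" = "$c" ]
)

# make_sample DIR: constructed throwaway material (hypothetical names):
# an RSA key/cert pair and an EC key/cert pair, each cert valid for 1 day.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=rsa.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" -days 1 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ec.key" -subj "/CN=ec.example.test" \
        -out "$1/ec.crt" -days 1 2>/dev/null
}

report() {
    if key_matches_cert "$1" "$2"; then
        echo "match:    $1 <-> $2"
    else
        echo "no match: $1 <-> $2 (exit status $?)"
    fi
}

# Demo, run in a subshell so the temporary directory is always cleaned up.
(
    d=$(mktemp -d) || exit 0
    trap 'rm -rf "$d"' EXIT
    make_sample "$d" || { echo "could not create sample keys" >&2; exit 0; }
    report "$d/server.key" "$d/server.crt"   # RSA key with its own cert
    report "$d/ec.key"     "$d/ec.crt"       # EC key with its own cert
    report "$d/ec.key"     "$d/server.crt"   # wrong key for this cert
)
```

An exit status of 2 means one of the files could not be read as a key or certificate, which keeps a parse failure from being mistaken for a plain mismatch.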
Convert Java Keystore Public and Private Keys to X509
The input file may have either a .p12 or a .pfx extension:
openssl pkcs12 -in keystore.p12 -out private.key -nodes
Convert PKCS7 to X509
openssl pkcs7 -in cert.pkcs7 -print_certs -out cert.crt
Create a Private Key
The following command will create a 2048-bit Private Key:
openssl genrsa -out server.key 2048
Create a Certificate Authority
The following command will create a Certificate Authority that will expire in 5 years:
openssl req -new -x509 -extensions v3_ca -keyout myca.key -out myca.crt -days 1825
Create an Apache Formatted Certificate Signing Request
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Create a Self-Signed SSL Certificate
Create the Private Key and the Certificate Signing Request:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Create the SSL Certificate from the Certificate Signing Request and sign it with the Private Key:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Generate Diffie-Hellman Keys
The following command may take a few minutes to complete.
Change 2048 to 4096 if you want a stronger key size.
openssl dhparam -out dhparam.pem 2048