A list of my commonly used openssl commands.
View the SSL Certificate of a Remote Server
View the SSL certificate for any protocol using SSL/TLS with the following command:
openssl s_client -showcerts -connect FQDN:PORT
To see more documentation on s_client run the following command:
man s_client
View the Contents of an SSL Certificate
openssl x509 -text -noout -in cert.pem
Verify SSL Certificate Chain
bundle.pem could contain Intermediate Certificate(s) and/or a Root Certificate provided by your Certificate Authority.
openssl verify -CAfile bundle.pem cert.pem
Verify a Private Key is Valid
Output will be RSA key ok if the Private Key is valid.
openssl rsa -check -noout -in key.pem
Verify a Private Key Matches the Signed SSL Certificate
If the hashes output by the following two commands match, the Private Key matches the SSL certificate. Both commands hash the RSA modulus, so this check applies to RSA keys only.
openssl x509 -modulus -noout -in cert.pem | openssl sha256
openssl rsa -modulus -noout -in key.pem | openssl sha256
Same commands but in a single line with string matching:
[[ "$(openssl x509 -modulus -noout -in cert.pem | openssl sha256)" == "$(openssl rsa -modulus -noout -in key.pem | openssl sha256)" ]] && echo "MATCH" || echo "NO MATCH"
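An added example, not part of the original list: a function that compares public keys instead of RSA moduli, so it also works for EC and Ed25519 keys, and returns a separate error code when a file cannot be read. The one-liner above prints MATCH when both files are unreadable, because both hashes are then computed over empty input. The names key_matches_cert and key-match.sh are assumptions made for this example.

```bash
#!/bin/bash
# Added example: check that a private key belongs to a certificate by
# comparing public keys. Works for any key type openssl pkey can read.

# key_matches_cert CERT KEY
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    local cert="$1" key="$2" cert_pub key_pub

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub="$(openssl x509 -pubkey -noout -in "$cert" 2>/dev/null)" || return 2

    # Public key derived from the private key, in the same PEM format.
    key_pub="$(openssl pkey -pubout -in "$key" 2>/dev/null)" || return 2

    # Two empty results would compare equal, so treat them as an error.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    # Exit status of the comparison is the function's result (0 or 1).
    [ "$cert_pub" = "$key_pub" ]
}

# Command-line use: ./key-match.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "MATCH" ;;
        1) echo "NO MATCH" ;;
        *) echo "ERROR: could not read certificate or key" >&2 ;;
    esac
    exit "$rc"
fi
```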
Shell Script to Quickly Check SSL Certificate Serial Number, Issuer, Issue and Expiry Dates, Subject, and Subject Alternate Names
Create file cert-check.sh with the following content:
#!/bin/bash
hostname="$1"
echo | openssl s_client -showcerts -servername "$hostname" -connect "$hostname":443 2>/dev/null | openssl x509 -serial -issuer -dates -subject -ext subjectAltName -noout
Set the executable permission:
chmod +x cert-check.sh
Run the script with the following command:
./cert-check.sh thornelabs.net
Extract the Private Key from a PFX File
openssl pkcs12 -in file.pfx -nocerts -out key.pem
If the Private Key is password protected, remove the password with the following command:
openssl rsa -in key.pem -out key-nopass.pem
Extract the Public Certificate Chain from a PFX File
openssl pkcs12 -in file.pfx -nokeys -out certs.pem
Create a Self-Signed SSL Certificate
Create the Private Key and the Certificate Signing Request:
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out server.csr
Create the SSL Certificate from the Certificate Signing Request and sign it with the Private Key:
openssl x509 -req -days 365 -in server.csr -signkey key.pem -out cert.pem