
SSL: useful commands

A collection of openssl commands I find useful when working with certificates. By no means a comprehensive list.

Basic understanding of openssl outputs is required. Might add someday.

Replace the placeholder parts (host, IP address, file name, etc.) as relevant.


Show certificates of remote server

Both commands produce more or less the same output. Not yet sure what the difference is.

$ openssl s_client -host 192.168.1.100 -port 8080 -prexit -showcerts
$ openssl s_client -showcerts -connect www.example.com:443

Connect behind proxy

If connecting from behind a proxy to a remote server, add -proxy and the proxy host and port.

Requires openssl 1.1.0+, as per https://michlstechblog.info/blog/openssl-establish-a-http-connect-behind-a-proxy/

$ openssl s_client -proxy myProxy.myDomain.org:8080 ...

Show certificate expiry of remote server

$ openssl s_client -showcerts -connect HOSTNAME:PORT </dev/null 2>/dev/null |
openssl x509 -enddate -noout -subject -issuer

Bash sidenote: Line continuation \ not required if newline comes after pipe |.

Download certificate from server

$ openssl s_client -showcerts -connect 192.168.1.100:8081 </dev/null 2>/dev/null |
openssl x509 -outform PEM > /tmp/remote-cert.pem

Show expiration, subject and issuer of PEM certificate

$ openssl x509 -in cert.crt -enddate -noout -subject -issuer
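The two expiry checks above (remote server and PEM file) combined into a small script, as an added example that is not part of the original notes. It assumes the openssl CLI is installed; the host name, port and file names are placeholders. Instead of parsing the notAfter date with date(1), which behaves differently on GNU and BSD systems, it uses -checkend, which answers "does this certificate expire within N seconds" with its exit status. The remote form also sends SNI with -servername, since without it a server hosting several names may present a default certificate rather than the one for the host being checked.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes the openssl CLI.

# Return 0 if the PEM certificate in $1 is still valid $2 days from now,
# 1 if it expires (or has already expired) within that window.
pem_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print notAfter, subject and issuer of the PEM certificate in $1.
pem_summary() {
    openssl x509 -in "$1" -noout -enddate -subject -issuer
}

# Same validity check against a remote server: $1 host, $2 port, $3 days.
# -servername sends SNI so the server presents the certificate for $1.
# The leaf certificate is fetched once and checked offline by x509.
remote_valid_for_days() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# Constructed test material: a self-signed certificate valid for 10 days,
# written to directory $1 as key.pem and cert.pem.
make_test_cert() {
    openssl req -x509 -nodes -days 10 -newkey rsa:2048 -subj "/CN=test.lan" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh expiry.sh www.example.com 443 30
# (exit status 0 = still valid in 30 days, 1 = expires within 30 days)
if [ $# -eq 3 ]; then
    if remote_valid_for_days "$1" "$2" "$3"; then
        echo "$1:$2 still valid in $3 days"
    else
        echo "$1:$2 expires within $3 days (or is already expired)"
        exit 1
    fi
fi
```

The same -checkend test works for a monitoring cron job: a non-zero exit status is the alert condition, with no output parsing needed.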

Show full details of x509 certificate

$ openssl x509 -in cert.crt -text

Show full details of pkcs12 certificate

$ openssl pkcs12 -nodes -in cert.p12 | openssl x509 -text

Verify certificate file chain

-CAfile must come before the certificate file to verify.

$ openssl verify -verbose -CAfile CA.crt fullchain.crt

Verify pkcs12 chain

$ openssl pkcs12 -nodes -in cert.p12 | openssl verify -verbose -CAfile CA.crt

Check CSR content

$ openssl req -in request.csr -noout -text

Convert PEM to DER

$ openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to PFX/P12

$ openssl pkcs12 -export -out certificate.pfx \
-inkey privateKey.key \
-in certificate.crt \
-certfile CAcert.crt

Convert DER to PEM

$ openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert PFX to PEM

$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

NOTE: When converting PFX to PEM this way, openssl writes all certificates and the private key into a single file. Open the file in a text editor and copy each certificate and the private key (including the BEGIN/END lines) into its own file, saved as certificate.cer, CAcert.cer and privateKey.key respectively.
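The PEM to PFX and PFX to PEM conversions above as a round trip, added here as an example that is not part of the original notes. It assumes the openssl CLI; file names and the password are constructed placeholders. The unpacking step uses the -nocerts, -nokeys, -clcerts and -cacerts selectors so the key, the leaf certificate and the CA certificates land in separate files directly, which removes the manual copy-and-paste step the note describes. Passwords are passed with -passin/-passout so the commands run non-interactively.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes the openssl CLI.

# Bundle private key, leaf certificate and CA certificate into a PFX.
# $1 key, $2 leaf cert, $3 CA cert, $4 output .pfx, $5 export password
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Unpack a PFX into three PEM files in directory $2 (password $3):
#   -nocerts          -> only the private key (unencrypted because of -nodes)
#   -nokeys -clcerts  -> only the certificate that matches the private key
#   -nokeys -cacerts  -> only the remaining (CA) certificates
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -nocerts -out "$2/privateKey.key"
    openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -clcerts -out "$2/certificate.cer"
    openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -cacerts -out "$2/CAcert.cer"
}

# Count PEM blocks of a given type in file $1, e.g. "CERTIFICATE" or "PRIVATE KEY".
pem_count() {
    grep -c -- "-----BEGIN.*$2-----" "$1"
}

# Constructed test material in directory $1: a self-signed "leaf" certificate
# with its key and a separate self-signed certificate standing in for a CA.
make_test_material() {
    openssl req -x509 -nodes -days 10 -newkey rsa:2048 -subj "/CN=host.lan" \
        -keyout "$1/leaf.key" -out "$1/leaf.crt" 2>/dev/null
    openssl req -x509 -nodes -days 10 -newkey rsa:2048 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
```

If a PFX produced by an older tool fails to open under OpenSSL 3 with an "unsupported" algorithm error, add -legacy to the openssl pkcs12 command to load the legacy provider for the old RC2/3DES encryption.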

Check if private key matches the certificate

Run both commands. The output hashes must be identical.

https://www.ibm.com/support/pages/how-verify-if-private-key-matches-certificate

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl rsa -noout -modulus -in priv.key | openssl md5

Generate new private key

-nodes means that the key will not be encrypted (no DES), i.e. openssl does not ask for a password.

$ openssl req -x509 -nodes -days <number_of_days> -newkey rsa:2048 -keyout private.key -out public.crt

Verify integrity of private key

$ openssl rsa -in private.key -check -noout

Generate CSR

Asks for the subject again. Add -subj to skip the prompt.

$ openssl req -new -sha256 -key private.key -out request.csr
$ openssl req -new -sha256 -key private.key -out request.csr \
-subj "/CN=host.lan/C=SI/ST=state/L=city/O=org/OU=orgUnit"

Generate key with extensions, such as subjectAltNames

-newkey creates a new key and request; it takes the algorithm as a parameter.

Using -new instead would also create a new cert request, but with the default algorithm.

https://stackoverflow.com/a/53826340/1945146 has a handy script

$ openssl req -x509 -newkey rsa:2048 \
-subj "/CN=host.lan/C=SI/ST=state/L=city/O=org/OU=orgUnit" \
-addext "subjectAltName = DNS:host.si,IP:10.10.131.196" \
-nodes -keyout key.pem -out cert.pem
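The subjectAltName, chain verification and key/certificate match sections above put together, as an added example that is not part of the original notes. It assumes the openssl CLI (1.1.1 or newer for -addext); the CA name, host name, IP and file names are constructed placeholders. It builds a throwaway CA, issues a leaf certificate with a SAN, verifies the chain with -CAfile, checks the host name against the SAN with -verify_hostname, and compares the public key in the certificate with the one derived from the private key. That last comparison goes beyond the notes' RSA modulus check: openssl pkey handles RSA, EC and Ed25519 keys alike, whereas openssl rsa -modulus applies to RSA only, and it avoids md5 entirely.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes openssl 1.1.1+.

# Self-signed CA certificate and key in directory $1.
make_ca() {
    openssl req -x509 -nodes -days 30 -newkey rsa:2048 \
        -subj "/CN=Test CA/O=org" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Leaf key + CSR carrying a subjectAltName, signed by the CA in $1.
# -addext puts the SAN into the CSR, but x509 -req does not copy CSR
# extensions by default, so the same extension is passed again via -extfile.
make_leaf() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=host.lan/O=org" \
        -addext "subjectAltName = DNS:host.lan,IP:10.0.0.1" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    printf 'subjectAltName = DNS:host.lan,IP:10.0.0.1\n' > "$1/leaf.ext"
    openssl x509 -req -days 10 -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/leaf.ext" -out "$1/leaf.crt" 2>/dev/null
}

# Chain verification as in the notes: CA file first, then the certificate.
# $1 CA file, $2 certificate
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same, but also require the certificate to be valid for host name $3,
# which is matched against the SAN (DNS entries).
verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Same for an IP address $3, matched against SAN IP entries.
verify_ip() {
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Key/cert match without md5 and without assuming RSA: the SubjectPublicKeyInfo
# in the certificate must equal the public key derived from the private key.
# $1 private key, $2 certificate
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the SAN of certificate $1 for a quick visual check.
show_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}
```

A leaf whose CN matches the host but whose SAN does not will fail verify_host: modern clients ignore the CN and only consult the SAN, which is exactly what -verify_hostname models.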

Fields of Subject
C = country, ST = state, L = city, O = org, OU = orgUnit, CN = commonName