OpenSSL Command
Exmples how to use OpenSSL
General OpenSSL Commands
-
Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
-
Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
-
Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
-
Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
-
Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
-
Generate a certifcate one liner
openssl req -x509 -sha512 -nodes -days 365 -newkey rsa:4096 -keyout fqdn.example.com.key -out fqdn.example.com.crt -subj "/C=Country/L=Locality/O=OrganistationName/CN=fqdn.example.com"
Checking Using OpenSSL
-
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
-
Check a private key
openssl rsa -in privateKey.key -check
-
Check a certificate
openssl x509 -in certificate.crt -text -noout
-
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
Debugging Using OpenSSL
-
Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
-
Check an SSL connection. All the certificates (including Intermediates) should be displayed
openssl s_client -connect www.paypal.com:443
-
Check an SSL certificate fingerprint
echo | openssl s_client -servername fqdn.example.com -connect fqdn.example.com:443 2>/dev/null | openssl x509 -noout -fingerprint | sed 's/Thumbprint=//'
-
Check an SSL certificate expire date
echo | openssl s_client -servername fqdn.example.com -connect fqdn.example.com:443 2>/dev/null | openssl x509 -noout -enddate | sed 's/notAfter=//'
Converting Using OpenSSL
-
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
-
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
-
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
-
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Create certificate from config file
-
Create config file
vi name.cnf
[ req ] default_bits = 4096 default_md = sha512 prompt = no encrypt_key = no distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Coutry stateOrProvinceName = Provice localityName = Locality organizationName = Name organizationalUnitName = OU commonName = fqdn.example.com [mysection] #keyUsage = digitalSignature extendedKeyUsage = serverAuth #extendedKeyUsage = serverAuth,clientAuth # extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = fqdn.example.com #Optional SAN Names #DNS.2 = fqdn.example.com #DNS.3 = fqdn.example.com #DNS.4 = fqdn.example.com #DNS.5 = fqdn.example.com
-
Create certifcate from config
openssl req -new -config name.cnf -nodes -keyout fqdn.example.com.key -out fqdn.example.com.csr