Skip to content

Instantly share code, notes, and snippets.

@egberts
Forked from Hakky54/openssl_commands.md
Last active March 19, 2022 23:15
Show Gist options
  • Save egberts/773a13b56b0eaa1b0108730347f39d79 to your computer and use it in GitHub Desktop.
Save egberts/773a13b56b0eaa1b0108730347f39d79 to your computer and use it in GitHub Desktop.
Some list of openssl commands for check and verify your keys

openssl 🔐

Install

Install the OpenSSL on Debian based systems

sudo apt-get install openssl

Commands

Create a private key

openssl genrsa -out server.key 4096

Generate a new private key and certificate signing request

openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out server.csr -key server.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Remove a passphrase from a private key

openssl rsa -in server.pem -out newserver.pem

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl

Check a certificate signing request (CSR)

openssl req -text -noout -verify -in server.csr

Check a private key

openssl rsa -in server.key -check

Check a public key

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Check a certificate

openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in server.p12

Verify a request certificate (.csr)

openssl req -verify -inform PEM -noout -in intCA.csr.pem
openssl req -verify -inform PEM -noout -in server.csr.pem

Verify a signed certificate (.crt)

openssl req -verify -inform PEM -noout -in server.crt.pem 

Verify a signed certificate against the CAs

openssl verify -verbose -no-CApath -CAfile rootCA.crt.pem server.crt.pem
openssl verify -verbose -no-CApath -CAfile intCA.crt.pem server.crt.pem 

Verify a private key matches an certificate

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Verify a certificate against the CA chain

openssl verify -show_chain -untrusted intermediate-cert.pem  leaf-cert.pem

Display all certificates including all parent CAs (offline, fullchain file)

openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout

Display all certificates including intermediates (online)

openssl s_client -connect www.paypal.com:443

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in server.cer -out server.pem

Convert a PEM file to DER

openssl x509 -outform der -in server.pem -out server.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in server.pfx -out server.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

Generate a Diffie Hellman key

openssl dhparam -out dhparam.pem 2048

Encrypt files with rsautl

openssl rsautl -encrypt -in plaintext.txt -out encrypted.txt -pubin -inkey pubkey.pem

Decrypt files with rsautl

openssl rsautl -decrypt -in encrypted.txt -out plaintext.txt -inkey privkey.pem

View when the CRL will next be updated

openssl crl -in intCA.crl.pem -nextupdate -noout

Expert OpenSSL Stuff

Insert selected attributes into a specific section of openssl.cnf (only with 'openssl ca', or 'openssl x509 -req'; sorry, nothing for 'openssl req')

openssl ... -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") ...

as in:

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

Be not influenced by default settings provided by /usr/lib/ssl/openssl.cnf

env OPENSSL_CONF=/dev/null openssl -config your-config ...

Strip "/-BEGIN CERTIFICATE-/" (caused by -text) from PEM file using sed before using as pure PEM

  openssl s_client -connect ${CERT} 2>/dev/null |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
  openssl x509 -noout -subject -dates
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment