# Generate a new 2048-bit RSA key (fqdn.key) and a CSR for it (fqdn.csr).
# -nodes writes the private key without passphrase protection, so restrict
# who can read fqdn.key.
# No subjectAltName is requested here (unless your openssl.cnf adds one);
# on OpenSSL 1.1.1+ one can be requested with -addext 'subjectAltName=DNS:fqdn'.
openssl req -new \
  -newkey rsa:2048 -nodes -keyout fqdn.key \
  -subj '/C=US/ST=State/L=City/O=Company/CN=fqdn' \
  -out fqdn.csr
Create a self-signed cert and key
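# Generate a new 2048-bit RSA key (fqdn.key) and a self-signed certificate
# (fqdn.crt) valid for 365 days.
# -nodes writes the private key without passphrase protection, so restrict
# who can read fqdn.key.
# The subjectAltName is added because current TLS clients match host names
# against SAN entries and ignore the CN; -addext needs OpenSSL 1.1.1 or later.
# A self-signed cert is trusted only where it is installed or pinned
# explicitly, e.g. by comparing its fingerprint out of band.
openssl req -x509 -days 365 -out fqdn.crt -newkey rsa:2048 -nodes -keyout fqdn.key \
  -subj /C=US/ST=State/L=City/O=Company/CN=fqdn \
  -addext 'subjectAltName=DNS:fqdn'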
Create a CSR using an existing key
# Build a CSR (fqdn.csr) for the private key already stored in fqdn.key.
# The key file is only read; no new key is generated.
openssl req -new \
  -key fqdn.key \
  -subj '/C=US/ST=State/L=City/O=Company/CN=fqdn' \
  -out fqdn.csr
# Create a new 2048-bit RSA private key in fqdn.key.
# No cipher option is given, so the key is written without passphrase
# protection; restrict who can read the file.
# An existing fqdn.key is overwritten.
openssl genrsa -out fqdn.key 2048
Show a cert's fingerprint
# SHA-256 fingerprint of the certificate. It is only useful as a check when
# compared with a value obtained through a separate, trusted channel.
openssl x509 -in fqdn.crt -noout -fingerprint -sha256
# Expiry date (notAfter) of the certificate.
openssl x509 -in fqdn.crt -noout -enddate
# Human-readable dump of the whole certificate; -noout suppresses the PEM copy.
openssl x509 -in fqdn.crt -text -noout
# Human-readable dump of the CSR. Adding -verify also checks the CSR's
# self-signature.
openssl req -in fqdn.csr -noout -text
Show a key's contents (not much to see)
# Reads fqdn.key and writes the RSA private key to stdout in PEM form.
# The output is the secret key itself. No cipher option is given, so it is
# printed unencrypted even when the input file is passphrase-protected.
# Keep it out of shared terminals, logs and tickets.
# To inspect the key without emitting private material, print only the
# public half:  openssl rsa -in fqdn.key -pubout
openssl rsa -in fqdn.key
Show your openssl version
# Print the OpenSSL version string. Option syntax and defaults differ
# between releases, so check this before relying on a recipe.
# `openssl version -a` additionally shows build details, including
# OPENSSLDIR, where the default configuration and trust store live.
openssl version
Verify a cert matches a key
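# Hash the RSA modulus of the certificate ...
openssl x509 -noout -modulus -in fqdn.crt | openssl sha256
# ... and of the private key. The cert and key belong together only if the
# two digests are identical. This comparison applies to RSA keys only.
openssl rsa -noout -modulus -in fqdn.key | openssl sha256
# Check the private key's internal consistency; a matching modulus alone does
# not show that the rest of the key file is sound.
# -noout keeps the command from also writing the private key to stdout after
# the check result.
openssl rsa -in fqdn.key -check -noout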
Verify a cert against the system trust store
# Validate cert.crt's chain against OpenSSL's default trust store.
# This checks the chain only. The certificate is not compared with a host
# name, and revocation is not consulted, unless requested (for example with
# -verify_hostname NAME or -crl_check).
# Intermediate CA certificates are supplied with -untrusted FILE.
openssl verify cert.crt
Verify a cert against a specific trust store
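# Validate cert.crt against the CA bundle in /path/to/ca/file.
# Options must come before the certificate operand: openssl stops parsing
# options at the first non-option argument, so a trailing -CAfile is treated
# as another file to verify and the chosen bundle is not applied.
# On OpenSSL 1.1.0+ the default CA directory is still consulted as well;
# add -no-CApath to trust only the given file.
openssl verify -CAfile /path/to/ca/file cert.crt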
# Convert a DER-encoded certificate (fqdn.der) to fqdn.crt.
# -inform der sets the input encoding; the output encoding is left at its
# default (PEM).
openssl x509 -in fqdn.der -inform der -out fqdn.crt
Show a remote cert's details
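# Fetch the leaf certificate a server presents and print its details.
# - </dev/null gives s_client an immediate EOF, so the pipeline returns
#   instead of holding the connection open waiting for input.
# - -servername sends SNI explicitly; OpenSSL releases before 1.1.1 do not
#   send it by default, and the server may then return a different cert.
# - 2>/dev/null hides s_client's diagnostics, including verification errors.
# The certificate is printed as presented by the server; being displayed here
# does not mean its chain or host name was validated.
openssl s_client -connect google.com:443 -servername google.com </dev/null 2>/dev/null \
  | sed -n '/-BEGIN/,/-END/p' \
  | openssl x509 -noout -text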
Only show certificate trust info
# -quiet suppresses the session and certificate dump, leaving the chain
# verification lines. s_client continues the handshake even when
# verification fails; add -verify_return_error to make a bad chain abort.
# The host name is not checked unless -verify_hostname NAME is given.
openssl s_client -connect google.com:443 -quiet
# -showcerts prints every certificate the server sends, not only the leaf.
# They are shown as presented; being listed does not mean they validated.
openssl s_client -connect google.com:443 -showcerts
Make s_client exit immediately
# Piping echo into s_client gives it one empty line followed by EOF, so it
# closes the connection instead of waiting for interactive input.
# `...` stands for whatever s_client options you are using.
echo | openssl s_client ...