Skip to content

Instantly share code, notes, and snippets.

@karakays

karakays/openssl.md

Last active April 8, 2019 12:23
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save karakays/365c32277697f91ce8d8b247d0e654c3 to your computer and use it in GitHub Desktop.
Save karakays/365c32277697f91ce8d8b247d0e654c3 to your computer and use it in GitHub Desktop.
Download ZIP
Common OpenSSL commands
Raw
openssl.md

Generate a new private key and Certificate Signing Request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)

openssl req -x509 -sha256 -nodes -days 365 \
-newkey rsa:2048 -keyout privateKey.key \
-out certificate.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privateKey.key -new

Generate a CSR with SANs

openssl req -new -sha256 -key domain.key \
-subj "/C=US/ST=CA/CN=example.com" \
-reqexts SAN -config \
<(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) \
-out domain.csr

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

Dump with OpenSSL

Check a Certificate Signing Request (CSR)

openssl req -in csr.csr -text -noout -verify

Check a private key

openssl rsa -in key.key -check

Check a certificate

openssl x509 -in cert.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -in keyStore.p12-info

Debugging with OpenSSL

Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key

openssl x509 -in certificate.crt -noout -modulus | openssl md5

openssl rsa -in key.key -noout -modulus | openssl md5

openssl req -in csr.csr -noout -modulus | openssl md5

Check an SSL connection. All the certificates (including Intermediates) should be displayed

openssl s_client -connect www.paypal.com:443

Converting with OpenSSL

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment