Useful openssl commands
# openssl.cnf: [ req ] section, read by `openssl req` for CSRs and self-signed
# certs. It is only consulted if this file is the default config or is passed
# explicitly with `-config <file>`.
[ req ]
# Subject prompts and optional CSR attributes live in the sections below.
distinguished_name = req_distinguished_name
attributes = req_attributes
# Key size / output file for a key that `req` generates itself; both are
# ignored when an existing key is supplied with -key.
default_bits = 4096
default_keyfile = private.key
# Signature digest for CSRs and self-signed certs (SHA-1 is no longer accepted).
default_md = sha256
# Extension profile embedded in a CSR (-new) and in a self-signed cert (-x509).
# Both point at the end-entity profile; select the CA profile with
# `openssl req -x509 -extensions v3_ca ...`.
req_extensions = v3_user_req
x509_extensions = v3_user_req
# Subject DN prompts: `field = prompt text`, with optional _default/_min/_max.
# The order of the prompt keys is the order of the RDNs in the subject.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Baden-Wuerttemberg
localityName = Locality Name (eg, city)
localityName_default = Stuttgart
# Indexed (0.) so a second organizationName could be added as 1.organizationName.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Klingele
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
# RFC 5280 limits commonName to 64 characters. Browsers no longer match host
# names against the CN; the hosts must also appear in subjectAltName.
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
# An email address in the subject DN is a legacy practice; if needed it belongs
# in subjectAltName (email:...) as well.
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = security@leonklingele.de
# Optional CSR attributes. challengePassword is stored in the CSR in clear
# text; it is an enrollment secret for protocols such as SCEP, not a key
# passphrase. Leave the prompt empty unless the receiving CA requires it.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_max = 20
challengePassword_min = 4
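# Extension profile for a CA certificate. Not referenced from [ req ]; select
# it with `openssl req -x509 -extensions v3_ca ...`.
[ v3_ca ]
basicConstraints = critical,CA:TRUE
# Restrict the CA key to signing certificates and CRLs (RFC 5280 4.2.1.3).
# Without a keyUsage extension nothing limits what the key may be used for.
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always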
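# Extension profile for an end-entity (leaf) certificate or CSR.
[ v3_user_req ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
# Marked critical as RFC 5280 recommends. keyEncipherment only makes sense for
# RSA key transport; RFC 5480 disallows asserting it on EC keys, so for the
# secp384r1 key variant use a profile with digitalSignature only.
keyUsage = critical,digitalSignature,keyEncipherment
# Browsers match host names against subjectAltName, not the CN. Add every host
# the certificate is for, e.g.:
# subjectAltName = DNS:host.example.com,DNS:www.host.example.com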
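# CSR, RSA 4096 bit
# Key generation runs in a subshell: umask 0177 gives the key file mode 0600,
# and the caller's own umask is left untouched afterwards (the original
# `umask 0022` reset would loosen a stricter session umask).
(umask 0177 && openssl genrsa -out private.key 4096)
# -nodes only controls encryption of a key that `req` generates itself and is
# a no-op with -key, so it is dropped. Pass `-config <file>` if the [ req ]
# config above is not the default openssl.cnf; otherwise req_extensions and
# default_md are not applied.
openssl req -new -key private.key -sha256 -out request.csr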
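# CSR, Curve secp384r1
# genpkey writes only the PRIVATE KEY block; `ecparam -genkey` without -noout
# additionally prepends an EC PARAMETERS block that some consumers do not
# expect. named_curve encoding is required by TLS peers (explicit parameters
# are widely rejected). Subshell keeps the 0600 file mode local.
(umask 0177 && openssl genpkey -algorithm EC \
  -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve \
  -out private.key)
# NOTE: [ v3_user_req ] above asserts keyEncipherment, which RFC 5480 disallows
# for EC keys; use an extension section with digitalSignature only for this CSR.
# -nodes is a no-op with -key and is dropped.
openssl req -new -key private.key -sha256 -out request.csr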
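# Self-signed certificate, RSA 4096, validity: 1 year
# Subshell: key file gets mode 0600 without changing the session umask.
(umask 0177 && openssl genrsa -out private.key 4096)
# -x509 applies x509_extensions = v3_user_req (CA:FALSE), so this is a leaf
# certificate, not a CA; add `-extensions v3_ca` to build a CA. -nodes is a
# no-op with -key and is dropped. Pass `-config <file>` if the config above is
# not the default one.
openssl req -new -x509 -key private.key -sha256 -days 365 -out public.crt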
# Show certificate fingerprint
# SHA-1 is printed for comparison with legacy tooling only; base identity
# decisions (pinning, out-of-band verification) on the SHA-256 value.
openssl x509 -in public.crt -noout -fingerprint -sha1
openssl x509 -in public.crt -noout -fingerprint -sha256
# View certificate
openssl x509 -in public.crt -noout -text
# View CSR
# -verify checks the CSR's self-signature, i.e. proof that the requester holds
# the private key belonging to the embedded public key.
openssl req -in request.csr -noout -text -verify
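# HPKP (SPKI SHA-256 pin, base64)
# `openssl pkey -pubin` replaces `openssl rsa -pubin` so the pipeline also
# works for the EC keys generated above (the rsa form fails on them).
# The Public-Key-Pins header has been removed from major browsers; the same
# SPKI digest is still the input for other pinning mechanisms
# (e.g. curl --pinnedpubkey).
openssl x509 -in public.crt -noout -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl req -in request.csr -noout -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64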
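# TLSA (DANE, RFC 6698) certificate association data, hex
# Selector 0 (full certificate), matching type 1 (SHA-256):
openssl x509 -in public.crt -outform der | openssl dgst -sha256
# Selector 1 (SubjectPublicKeyInfo), matching type 1. Uses `pkey -pubin` so EC
# keys work too. Pinning the SPKI rather than the whole certificate keeps the
# record valid across renewals that reuse the key.
openssl x509 -in public.crt -noout -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256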
# Generate Diffie-Hellman parameters
# Only used by DHE suites in TLS <= 1.2 (TLS 1.3 negotiates named groups);
# 4096-bit generation can take many minutes.
openssl dhparam -out dhparam4096.pem 4096
# Supported TLS1.0+ ciphers
# Lists what the local libssl supports, not what a remote server offers.
openssl ciphers -tls1 -v
# Benchmark
openssl speed
openssl speed aes
openssl speed rsa
openssl speed ecdsa
# Show curves
openssl ecparam -list_curves
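# Test TLS
# -servername sends SNI (needed by name-based virtual hosts; older OpenSSL
# releases did not send it by default). s_client exits 0 even when chain
# validation fails, so read the "Verify return code" line in the output.
# `< /dev/null` closes stdin so s_client disconnects instead of waiting for
# input.
openssl s_client -connect leonklingele.de:443 -servername leonklingele.de -tlsextdebug -showcerts -status < /dev/null
# Check certificate validity date (notBefore / notAfter)
openssl s_client -connect leonklingele.de:443 -servername leonklingele.de < /dev/null 2> /dev/null | openssl x509 -noout -dates
# Scriptable variant: exits non-zero if the certificate expires within 30 days.
openssl s_client -connect leonklingele.de:443 -servername leonklingele.de < /dev/null 2> /dev/null | openssl x509 -noout -checkend 2592000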
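# Check if private key and certificate match, both need to have same pubkey checksum
## 1. Validate private key (`pkey -check`, OpenSSL >= 1.1.1, handles RSA and
##    EC keys alike; `openssl rsa -check` only accepts RSA keys)
openssl pkey -noout -check -in private.key
## 2. Verify that private key and certificate use the same public key
openssl pkey -pubout -in private.key | openssl dgst -sha256
openssl x509 -noout -pubkey -in public.crt | openssl dgst -sha256
## 3. Equal hashes mean the certificate certifies this key's public key; a
##    mismatch means it was issued for a different key. A match says nothing
##    about who signed the certificate or whether it is trusted.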