Last active August 21, 2023 14:08
Gist: marceloalmeida/52431501185f23f07edd3c1b15b9ac2e
Certificates cheat sheet

Generate Certificate and sign

Generate private key

openssl genrsa -out server.key 4096

(server.key, server.csr and server.crt below are placeholder file names; the original used angle-bracket placeholders that did not survive extraction.)

Create ssl.conf

cat > ssl.conf <<-EOF
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = PT
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Porto
localityName                   = Locality Name (eg, city)
localityName_default           = Porto
organizationName               = Organization Name (eg, company)
organizationName_default       = Marcelo Almeida
organizationalUnitName         = Organizational Unit Name
organizationalUnitName_default = Marcelo Almeida CA
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_max                 = 64
commonName_default             =

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   =
DNS.2   =
EOF

Fill in commonName_default and the DNS.n entries before use. The [ alt_names ] section header is required: subjectAltName = @alt_names refers to it and openssl fails without it. Modern TLS clients ignore the CN, so every hostname the certificate must serve belongs in the DNS.n list.

Generate CSR

openssl req -new -key server.key -config ssl.conf -out server.csr

Read CSR

openssl req -text -noout -in server.csr

Sign the CSR with our intermediate key

openssl x509 -req -in server.csr -CA bundle.crt -CAkey ca-sre-key.pem -CAcreateserial -out server.crt -days 500 -sha256 -extensions req_ext -extfile ssl.conf

openssl x509 -req uses the first certificate in bundle.crt as the issuer, so the intermediate that ca-sre-key.pem belongs to must be first in that file. The extensions, SAN included, are read from ssl.conf through -extensions/-extfile; any SAN inside the CSR is ignored unless you add -copy_extensions copy (OpenSSL 3). 500 days is acceptable for a private CA only; publicly trusted TLS certificates are capped at 398 days.

Generate certificate bundle

cat bundle.crt >> server.crt

Order matters: the leaf certificate comes first, followed by the intermediate(s), each one certifying the certificate before it. Do not put the root in the bundle unless the client needs it.

View certificate

openssl x509 -in server.crt -text -noout
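The whole procedure above (key, CSR with SAN, signing with the config's extensions, bundling, verifying) as one runnable script. This is an added example, not part of the gist: it stands up a throwaway CA in place of bundle.crt / ca-sre-key.pem so it runs offline, uses 2048-bit keys instead of 4096 to keep it fast, and the hostnames example.test / www.example.test and all file names are placeholders. It assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not part of the gist): generate key, CSR, sign, bundle, verify
# against a throwaway CA. Assumptions: openssl 1.1.1+; 2048-bit keys; the
# hostnames example.test/www.example.test and all file names are placeholders.
set -eu

# ssl.conf in the style of the gist, plus a v3_ca section for the throwaway
# CA and the [ alt_names ] section that "@alt_names" refers to.
write_conf() {
  cat > "$1/ssl.conf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = req_ext
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
}

# Produces ca.key/ca.crt, server.key/server.csr/server.crt and fullchain.crt in $1
build_chain() {
  write_conf "$1"
  ( cd "$1"
    # 1. throwaway CA, standing in for the gist's bundle.crt / ca-sre-key.pem
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -config ssl.conf -extensions v3_ca \
      -subj "/CN=Example Test CA" -days 30 -sha256 -out ca.crt
    # 2. server key and CSR; req_extensions = req_ext puts the SAN into the CSR
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -config ssl.conf -subj "/CN=example.test" -out server.csr
    # 3. sign: -extensions/-extfile take the SAN from ssl.conf, not from the CSR
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -sha256 -extensions req_ext -extfile ssl.conf -out server.crt 2>/dev/null
    # 4. bundle for the server: leaf first, then the issuing chain
    cat server.crt ca.crt > fullchain.crt )
}

# Returns 0 when server.crt chains to ca.crt and is valid for hostname $2
verify_leaf() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null
}

# Prints the SAN of server.crt, e.g. "DNS:example.test, DNS:www.example.test"
leaf_san() {
  openssl x509 -in "$1/server.crt" -noout -ext subjectAltName | tail -n1 | sed 's/^ *//'
}

work=$(mktemp -d)
build_chain "$work"
verify_leaf "$work" www.example.test && echo "chain OK; SAN: $(leaf_san "$work")"
```

-verify_hostname makes openssl verify check the SAN the way a TLS client would, which catches the common mistake of a certificate that chains correctly but was issued for the wrong name.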

Add root CA to jks

curl -s -L "$ROOT_CA_URL" | keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias GeoTrust_Primary_CA -file /dev/stdin

$ROOT_CA_URL is the PEM download location. Check the certificate's fingerprint against a value obtained out of band before importing it: -noprompt skips keytool's confirmation, and whatever arrives over that connection becomes a trust anchor for the JVM. changeit is the JDK's default cacerts password.

Verify Certificate against CA

openssl verify -verbose -CAfile cacert.pem server.crt

If the leaf is issued by an intermediate that is not in cacert.pem, pass that intermediate with -untrusted; openssl verify only reads the first certificate of a bundled server.crt.

Verify server certificate

echo | openssl s_client -showcerts -servername example.com -connect example.com:443 | openssl x509 -text

The trailing openssl x509 parses only the first certificate (the leaf). Drop it to see the whole chain as sent by the server together with s_client's "Verify return code", which tells you whether the chain validates against the local trust store.

Check If Certificate, Private Key and CSR Match

openssl x509 -in server.crt -noout -modulus | openssl sha1
openssl rsa -in server.key -noout -modulus | openssl sha1
openssl req -in server.csr -noout -modulus | openssl sha1

All three hashes must be identical. This relies on the RSA modulus and so only works for RSA keys; for EC keys compare the public keys instead (openssl x509 -pubkey -noout, openssl pkey -pubout, openssl req -pubkey -noout). The sha1 is only a convenience for comparing long numbers by eye.
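The general form of the check, as an added example that is not part of the gist: it hashes the DER-encoded SubjectPublicKeyInfo taken from the key, the certificate and the CSR, which works for EC keys as well as RSA, and shows the -modulus shortcut failing on an EC key. It assumes openssl 1.1.1 or newer; every file is generated here in a temp dir and the subject CN example.test is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the gist): match key, cert and CSR by public-key
# hash, algorithm-independent. Assumes openssl 1.1.1+; all material is
# generated here, example.test is a placeholder.
set -eu

# DER public key from a private key, certificate or CSR
pubkey_der() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    *)    echo "pubkey_der: kind must be key|cert|csr" >&2; return 2 ;;
  esac
}

# Hex SHA-256 of that public key; identical values mean the same key pair.
# Written to a temp file first so a failed extraction cannot hash empty input.
pubkey_hash() {
  tmp=$(mktemp)
  pubkey_der "$1" "$2" > "$tmp"
  openssl dgst -sha256 "$tmp" | sed 's/^.*= //'
  rm -f "$tmp"
}

# Returns 0 when key $1, cert $2 and CSR $3 all carry the same public key
all_match() {
  k=$(pubkey_hash key "$1"); c=$(pubkey_hash cert "$2"); r=$(pubkey_hash csr "$3")
  [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$r" ]
}

# Constructed material: key.pem, req.csr and a self-signed cert.pem for
# algorithm $1 (rsa or ec); prints the directory they live in
make_set() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/min.cnf"
  case "$1" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key.pem" 2>/dev/null ;;
    ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key.pem" ;;
    *)   echo "make_set: rsa or ec" >&2; return 2 ;;
  esac
  openssl req -new -key "$d/key.pem" -config "$d/min.cnf" -subj "/CN=example.test" -out "$d/req.csr"
  openssl req -x509 -new -key "$d/key.pem" -config "$d/min.cnf" -subj "/CN=example.test" -days 1 -out "$d/cert.pem"
  echo "$d"
}

for alg in rsa ec; do
  d=$(make_set "$alg")
  if all_match "$d/key.pem" "$d/cert.pem" "$d/req.csr"; then
    echo "$alg: key, cert and CSR match, SPKI sha256 $(pubkey_hash key "$d/key.pem")"
  else
    echo "$alg: MISMATCH" >&2
  fi
done
```

Hashing the SubjectPublicKeyInfo is the same identity that HPKP and certificate pinning use, so the value printed here is also what you would pin.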

Check certificate fingerprint

openssl x509 -noout -fingerprint -sha256 -inform pem -in test_com.crt

Print full chain

openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout # -text

Convert PEM to PFX (PKCS#12) without private key

openssl pkcs12 -export -nokeys -in certificate.cer -out pkcs12.pfx

Display information of PFX / P12 file

openssl pkcs12 -in pkcs12.pfx -info

-info prints the PKCS#12 MAC and encryption algorithms and iteration counts; without -noout the command also dumps the certificates and the decrypted private key to stdout, so add -noout when you only want the metadata.
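The two PKCS#12 operations above (export with and without the key, inspect) as a round trip that checks what actually ended up in the file. This is an added example, not part of the gist: the certificate and key are generated here, the password changeit and the friendly name example.test are placeholders, and it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not part of the gist): PKCS#12 export with/without the key,
# inspection without echoing the key, and extraction back to PEM. Assumes
# openssl 1.1.1+; material, password and names are placeholders made here.
set -eu

PASS=changeit

# Constructed material: self-signed cert.pem + key.pem in a temp dir
make_material() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/min.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
    -config "$d/min.cnf" -subj "/CN=example.test" -days 1 -out "$d/cert.pem" 2>/dev/null
  echo "$d"
}

# Export with the private key (what a server or a JKS import needs)
pfx_with_key() {
  openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
    -name example.test -passout "pass:$PASS" -out "$1/with-key.pfx"
}

# Export the certificate only (-nokeys), e.g. to distribute a trust anchor
pfx_cert_only() {
  openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
    -passout "pass:$PASS" -out "$1/cert-only.pfx"
}

# Number of private keys inside a PFX, counted from the PEM headers openssl
# prints with -nocerts -nodes; nothing is written to disk
key_count() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# SHA-256 fingerprint of the first certificate in a PFX ...
pfx_cert_fingerprint() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# ... and of a PEM certificate, so the two can be compared
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

m=$(make_material)
pfx_with_key "$m"
pfx_cert_only "$m"
echo "with-key.pfx keys: $(key_count "$m/with-key.pfx"); cert-only.pfx keys: $(key_count "$m/cert-only.pfx")"
echo "cert round-trips intact: $(pfx_cert_fingerprint "$m/with-key.pfx") == $(pem_fingerprint "$m/cert.pem")"
# Metadata only (MAC, PBE algorithms, iteration counts) goes to stderr
openssl pkcs12 -in "$m/with-key.pfx" -info -noout -passin "pass:$PASS"
```

OpenSSL 3 exports with AES-256-CBC and PBKDF2 by default, which older consumers (Java before 8u301 / 11.0.12, some appliances) cannot open; for those use -legacy on OpenSSL 3, or -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 on either version. Treat a PFX that contains a key as a secret: the password is the only thing protecting it.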