Skip to content

Instantly share code, notes, and snippets.



Last active Feb 25, 2021
What would you like to do?
Certificates cheat sheet

Certificates cheat sheet

Generate Certificate and sign

Generate private key

openssl genrsa -out 4096

Create ssl.conf

cat > ssl.conf <<-EOF
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = PT
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Porto
localityName                   = Locality Name (eg, city)
localityName_default           = Porto
organizationName               = Organization Name (eg, company)
organizationName_default       = Marcelo Almeida
organizationalUnitName         = Organizational Unit Name
organizationalUnitName_default = Marcelo Almeida CA
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_max                 = 64
commonName_default             =

[ req_ext ]
subjectAltName = @alt_names

DNS.1   =
DNS.2   =

Generate CSR

openssl req -new -key -config ssl.conf -out

Read CSR

openssl req -text -noout -in

Sign certificate with with our intermediate key

openssl x509 -req -in -CA bundle.crt -CAkey ca-sre-key.pem -CAcreateserial -out -days 500 -sha256 -extensions req_ext -extfile ssl.conf

Generate certificate bundle

cat bundle.crt >>

View certificate

openssl x509 -in -text -noout

Add root CA to jks

curl -s -L | keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias GeoTrust_Primary_CA -file /dev/stdin

Verify Certificate against CA

openssl verify -verbose -CAfile cacert.pem

Verify server certificate

echo |openssl s_client -showcerts -servername -connect | openssl x509 -text

Check If Certificate, Private Key and CSR Match

openssl x509 -in -noout -modulus | openssl sha1
openssl rsa -in -noout -modulus | openssl sha1
openssl req -noout -modulus -in | openssl sha1

Check certificate fingerprint

openssl x509 -noout -fingerprint -sha256 -inform pem -in test_com.crt

Print full chain

openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout # -text
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment