Basic usage for OpenSSL

openssl_basics.md

OpenSSL Basics

Certificate information

Print certificate information. Works for .pem, .crt, .cer formats

openssl x509 -text -noout -in <domain.crt>

Print private-key information:

openssl rsa -noout -text -in <PRIVATE_KEY>

DER files are byte-encoded, while pem-files are base64 encoded with ---BEGIN... wrapped

View .der files

openssl x509 -in <certificate.der> -inform der -text -noout

View pkcs12 formatted files

openssl pkcs12 -info -in <path to cert>

Connections

Donnect and print certificate details (tls 1.2 specified)

echo | openssl s_client -connect <domain>:<port> -tls1_2 2>/dev/null | openssl x509 -noout -text

Connect to a server with openssl

openssl s_client -connect servername:443

Use a certificate for authentication

openssl s_client -connect servername:443 -ssl3 -cert <certname>

Specify protokol for a connection
-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2

openssl s_client -connect servername:443 -ssl3

Checks

Verify a Private Key Matches a Certificate and CSR

openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5

Verify a Certificate was Signed by a CA

openssl verify -verbose -CAFile ca.crt domain.crt

Check key

openssl rsa -check -in domain.key

if the key is password-protected, you will see a prompt to insert the password.

Encrypt

Take unencrypted key and encrypt with passphrase

openssl rsa -des3 -in unencrypted.key -out encrypted.key