SSL, TLS, OpenSSL security Creating a self signed certificate in one line Creating a CSR (certificate signing request) in one line with AltNames Working with PKCS12 (.pfx, .p12) certificate store Encrypt decrypt key (add or remove password) Showing certificate, key information Certificate key and CA (certificate authority) verification Get SHA (1/256) fingerprint of certificate Check SMTP STARTTLS Check certificates with openssl Check certificates with curl

SSL, TLS, OpenSSL security

Creating a self signed certificate in one line

Creat a new certificate for 'example.com' which is valid for 365 days. The key is in server.key and the cert is in server.crt

openssl req -nodes -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -subj '/CN=example.com'

With AltNames

openssl req -nodes -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -subj '/CN=example.com' -addext 'subjectAltName = DNS:*.example.com, IP: 10.10.0.1'

Creating a CSR (certificate signing request) in one line with AltNames

openssl req -new -nodes -newkey rsa:4096 -keyout server.key -out server.csr -subj "/CN=example.com" -addext "subjectAltName=DNS:*.example.com,IP:10.10.0.1"

openssl req -new -nodes -newkey rsa:4096 -keyout server.key -out server.csr -subj "/CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.example.com,IP:10.10.0.1"))

Working with PKCS12 (.pfx, .p12) certificate store

Export to PKCS12 file, (certificate and key in X509 (pem) format)

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt -out server.p12

You can add -name alias_name to add an alias for the certificate

Import from PKCS12 to X509 (pem) format

# Extract the key:
openssl pkcs12 -in server.p12 -nocerts -nodes -out server.key
# Extract the client certificate:
openssl pkcs12 -in server.p12 -clcerts -nokeys -out server.crt
# Extract the CA chain (if present):
openssl pkcs12 -in server.p12 -cacerts -nokeys -out ca.crt

-nodes will remove the password from the key, if you'd like to keep the password remove -nodes from the command line

Encrypt decrypt key (add or remove password)

openssl rsa -in server-encrypted.key -out server.key

openssl rsa -aes256 -in server.key -out server-encrypted.key

Showing certificate, key information

openssl x509 -in server.crt -noout -text

Check modulus

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Certificate key and CA (certificate authority) verification

openssl verify -verbose -CAfile ca.crt server.crt

If server.crt has been signed by ca.crt the output would be a simple OK

Get SHA (1/256) fingerprint of certificate

openssl x509 --fingerprint -sha1 -in cert.pem -noout -text
openssl x509 --fingerprint -sha256 -in cert.pem -noout -text

Check SMTP STARTTLS

Checking whether an smtp server support STARTTLS and dump certificate information

openssl s_client -showcerts -connect smtp.server:25 -starttls smtp

Check certificates with openssl

Check certificates on host example.com (multiple domains are handled with -servername for the same IP)

openssl s_client -showcerts -servername example.com -connect example.com:443

Check certificates with curl

curl -D - -vvI https://example.com