💾 Archived View for gemini.susa.net › openssl_cheats.gmi captured on 2023-07-10 at 13:29:45. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Generated from https://www.kinamo.be/en/support/faq/useful-openssl-commands
Last updated: 14/06/2018
The openssl 'req' command primarily creates and processes certificate requests, it can additionally create self signed certificates (e.g. for use as root CAs or as client certificates)
To generate a self-signed client certificate with ten year validity period, together with a new 2048-bit key:
openssl req -x509 -newkey rsa:2048 -nodes -keyout kevin.key -out kevin.crt -days 3650 -subj '/CN=Kevin'
Typically, when you order a new SSL certificate you must generate a CSR or certificate signing request, with a new private key:
openssl req -sha256 -nodes -newkey rsa:2048 -keyout www.server.com.key -out www.server.com.csr
Generate a new certificate request using an existing private key:
openssl req -new -sha256 -key www.server.com.key -out www.server.com.csr
Generate a certificate request starting from an existing certificate:
openssl x509 -x509toreq -in www.server.com.crt -out www.server.com.csr -signkey www.server.com.key
Generate a new RSA private key:
openssl genrsa -out www.server.com.key 2048
Encrypt a private key with a passphrase:
openssl rsa -in www.server.com.key -out www.server.com.key -des3
Remove a passphrase from an encrypted private key:
openssl rsa -in www.server.com.key -out www.server.com.key
Generate a new ECC private key:
openssl ecparam -out server.key -name prime256v1 -genkey
Check and display a certificate request (CSR):
openssl req -noout -text -verify -in www.server.com.csr
Verify and display a key pair:
openssl rsa -noout -text -check -in www.server.com.key
View a PEM-encoded certificate:
openssl x509 -noout -text -in www.server.com.crt
View a certificate encoded in PKCS#7 format:
openssl pkcs7 -print_certs -in www.server.com.p7b
View a certificate and key pair encoded in PKCS#12 format:
openssl pkcs12 -info -in www.server.com.pfx
Verify an SSL connection and display all certificates in the chain:
openssl s_client -connect www.server.com:443
Control whether a certificate, a certificate request and a private key have the same public key:
openssl x509 -noout -modulus www.server.com.crt | openssl sha256 openssl req -noout -modulus www.server.com.csr | openssl sha256 openssl rsa -noout -modulus www.server.com.key | openssl sha256
Check a certificate and its intermediate certificate chain for web server purposes:
openssl verify -purpose sslserver -CAfile certificatebundle.pem -verbose www.server.com.crt
Conversion of PKCS#12 ( .pfx .p12, typically used on Microsoft Windows) files with private key and certificate to PEM (typically used on Linux):
openssl pkcs12 -nodes -in www.server.com.pfx -out www.server.com.crt
Conversion of PEM to PKCS#12:
openssl pkcs12 -export -in www.server.com.crt -inkey www.server.com.key -out www.server.com.pfx
Conversion of PKCS#7 format ( .p7b .p7c ) to PEM:
openssl pkcs7 -print_certs -in www.server.com.p7b -out www.server.com.crt
Conversion of PEM format to PKCS#7:
openssl crl2pkcs7 -nocrl -certfile www.server.com.crt -out www.server.com.p7b
Conversion of DER (.crt .cer or .der) to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Conversion from PEM to DER format:
openssl x509 -outform der -in certificate.pem -out certificate.cer
This will output the website's certificate, including any intermediate certificates
openssl s_client -connect https://www.server.com:443