Skip to content

Instantly share code, notes, and snippets.

@p3t3r67x0
Last active May 22, 2024 02:19
Show Gist options
  • Save p3t3r67x0/5313b0d7abc25e06c2d78f8b767d4bc3 to your computer and use it in GitHub Desktop.
Save p3t3r67x0/5313b0d7abc25e06c2d78f8b767d4bc3 to your computer and use it in GitHub Desktop.
Some list of openssl commands for check and verify your keys

openssl

Install

Install the OpenSSL on Debian based systems

sudo apt-get install openssl

Commands

Create a private key

openssl genrsa -out server.key 4096

Generate a new private key and certificate signing request

openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out server.csr -key server.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Remove a passphrase from a private key

openssl rsa -in server.pem -out newserver.pem

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl

Check a certificate signing request (CSR)

openssl req -text -noout -verify -in server.csr

Check a private key

openssl rsa -in server.key -check

Check a public key

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Check a certificate

openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in server.p12

Verify a private key matches an certificate

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Display all certificates including intermediates

openssl s_client -connect www.paypal.com:443

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in server.cer -out server.pem

Convert a PEM file to DER

openssl x509 -outform der -in server.pem -out server.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in server.pfx -out server.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

Generate a Diffie Hellman key

openssl dhparam -out dhparam.pem 2048

Encrypt files with rsautl

openssl rsautl -encrypt -in plaintext.txt -out encrypted.txt -pubin -inkey pubkey.pem

Decrypt files with rsautl

openssl rsautl -decrypt -in encrypted.txt -out plaintext.txt -inkey privkey.pem
@endermetin60
Copy link

<script src="https://gist.github.com/webtobesocial/5313b0d7abc25e06c2d78f8b767d4bc3.js"></script>

@rustymagnet3000
Copy link

do you know to check a hex formatted public key?

For example, if you extract Public Key from Cert in Hex format

openssl x509 -modulus -noout < stackexchangecom.crt | sed s/Modulus=//

@lolgear
Copy link

lolgear commented Jul 31, 2018

@webtobesocial

It would be nice to extend this list by:

  • openssl req utility with -subj flag.
  • openssl pkcs12 output with -passout flag.

@christianlaguerre
Copy link

Verifying that a Certificate is issued by a CA

openssl verify -verbose -CAfile cacert.pem server.crt

@egberts
Copy link

egberts commented Mar 18, 2022

Expert OpenSSL Stuff

Insert selected attributes into a specific section of openssl.cnf (only with 'openssl ca', or 'openssl x509 -req'; sorry, nothing for 'openssl req')

openssl ... -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") ...

as in:

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

Be not influenced by default settings provided by /usr/lib/ssl/openssl.cnf

env OPENSSL_CONF=/dev/null openssl -config your-config ...

Strip "/-BEGIN CERTIFICATE-/" (caused by -text) from PEM file using sed before using as pure PEM

  openssl s_client -connect ${CERT} 2>/dev/null |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
  openssl x509 -noout -subject -dates

@egberts
Copy link

egberts commented Mar 18, 2022

Verifying that a Certificate is issued by a CA

openssl verify -verbose -CAfile cacert.pem server.crt

Yeah, good one, @christianlaguerre.

one may want to ALSO add the following -no-CApath CLI option as well.

That is, unless you do not mind openssl checking against the /etc/ssl/certs trusted certs for all your execution of openssl.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment