Create, Manage & Convert SSL Certificates with OpenSSL
One of the most popular tools for creating, converting and managing SSL certificates is OpenSSL.
There will be many situations where you have to deal with OpenSSL in various ways, and here I have listed them for you as a handy cheat sheet.
In this article, I will talk about frequently used OpenSSL commands to help you in the real world.
Some of the abbreviations related to certificates.
Note: SSL/TLS operation course would be helpful if you are not familiar with the terms.
openssl req -out pzzqz.csr -newkey rsa:2048 -nodes -keyout pzzqz.key
The above command will generate a CSR and a 2048-bit RSA key file. If you intend to use this certificate in Apache or Nginx, you need to send this CSR file to the certificate issuing authority, and they will give you a signed certificate, mostly in DER or PEM format, which you then configure in the Apache or Nginx web server.
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout pzselfsigned.key -out pzcert.pem
The above command will generate a self-signed certificate and key file with 2048-bit RSA. I have also included sha256, as it's considered the most secure option at the moment.
Tip: by default, it will generate a self-signed certificate valid for only one month, so you may consider adding the -days parameter to extend the validity.
Ex: to have a self-signed certificate valid for two years:
openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout pzselfsigned.key -out pzcert.pem
openssl req -noout -text -in pzzqz.csr
Verification is essential to ensure you are sending the CSR to the issuing authority with the required details.
openssl genrsa -out private.key 2048
openssl rsa -in certkey.key -out nopassphrase.key
If you are using a passphrase in the key file with Apache, then you have to enter the password every time you start the server. If you are annoyed with entering a password, you can use the above command (openssl rsa -in certkey.key -out nopassphrase.key) to write a copy of the existing key without the passphrase.
openssl rsa -in certkey.key -check
If you are not sure your key file is valid, you can use the above command to check it.
openssl x509 -in certfile.pem -text -noout
If you would like to validate certificate data like CN, OU, etc., you can use the above command, which will give you the certificate details.
openssl x509 -in certfile.pem -noout -issuer -issuer_hash
openssl x509 -noout -hash -in bestflare.pem
openssl x509 -inform der -in sslcert.der -out sslcert.pem
openssl x509 -outform der -in sslcert.pem -out sslcert.der
openssl pkcs12 -export -out sslcert.pfx -inkey key.pem -in sslcert.pem
If you need to use a cert with a Java application or with any other application that accepts only the PKCS#12 format, you can use the above command, which will generate a single .pfx file containing the certificate and key.
Tip: you can also include the chain certificate by passing -chain as below.
openssl pkcs12 -export -out sslcert.pfx -inkey key.pem -in sslcert.pem -chain cacert.pem
openssl req -out certificate.csr -key existing.key -new
If you want to use an existing private key instead of creating a new one, you can go with the above command.
openssl pkcs12 -info -nodes -in cert.p12
PKCS12 is a binary format, so you won't be able to view its contents in Notepad or another text editor. The above command will help you to see the contents of the PKCS12 file.
openssl pkcs12 -in cert.p12 -out cert.pem
If you wish to use an existing PKCS12 file with Apache, or just want it in PEM format, this will be useful.
openssl s_client -connect yoururl.com:443 -showcerts
openssl version
openssl x509 -noout -in certificate.pem -dates
Ex:
[[email protected] opt]# openssl x509 -noout -in bestflare.pem -dates
notBefore=Jul 4 14:02:45 2015 GMT
notAfter=Aug 4 09:46:42 2015 GMT
[[email protected] opt]#
openssl s_client -connect secureurl.com:443 2>/dev/null | openssl x509 -noout -enddate
Ex:
[[email protected] opt]# openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -enddate
notAfter=Dec 8 00:00:00 2015 GMT
// To check SSL V2
openssl s_client -connect secureurl.com:443 -ssl2
// To check SSL V3
openssl s_client -connect secureurl.com:443 -ssl3
// To check TLS 1.0
openssl s_client -connect secureurl.com:443 -tls1
// To check TLS 1.1
openssl s_client -connect secureurl.com:443 -tls1_1
// To check TLS 1.2
openssl s_client -connect secureurl.com:443 -tls1_2
If you are securing a web server and need to validate whether SSL V2/V3 is enabled, you can use the above commands. If the protocol is enabled, you will get "CONNECTED"; otherwise you will get "handshake failure".
openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443
Of course, you will have to change the cipher and URL to the ones you want to test against. If the mentioned cipher is accepted, you will get CONNECTED; otherwise you will get handshake failure.
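As an added example (not from the original article), the POSIX shell script below chains the commands above into checks you can actually script: it creates a throwaway self-signed certificate and key in a temp directory, runs the key consistency check, tests the expiry window with the cron-friendly -checkend form of the -enddate check, and proves that the DER and PKCS#12 conversions preserved the certificate by comparing SHA-256 fingerprints. It assumes openssl is on PATH; the subject name, file names and the PKCS#12 password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the article's own code. Requires openssl on PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert + key valid for $2 days; -subj skips the interactive prompts.
make_selfsigned() {
  openssl req -x509 -sha256 -nodes -days "$2" -newkey rsa:2048 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Exit 0 if the RSA private key passes openssl's consistency check.
key_is_consistent() { openssl rsa -in "$1" -check -noout >/dev/null 2>&1; }

# Exit 0 if the certificate is still valid $2 days from now, 1 if it will
# have expired by then (what a monitoring job wants instead of parsing dates).
cert_ok_for_days() {
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint of a PEM certificate, used to compare conversions.
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# PEM -> DER -> PEM round trip; prints the fingerprint of the result.
der_roundtrip() {
  openssl x509 -in "$1" -outform der -out "$WORK/rt.der"
  openssl x509 -in "$WORK/rt.der" -inform der -out "$WORK/rt.pem"
  fingerprint "$WORK/rt.pem"
}

# Bundle cert ($1) + key ($2) into PKCS#12, then extract the cert back out
# and print its fingerprint. Password "demo" is a constructed value.
pkcs12_roundtrip() {
  openssl pkcs12 -export -passout pass:demo -inkey "$2" -in "$1" -out "$WORK/rt.pfx"
  openssl pkcs12 -in "$WORK/rt.pfx" -passin pass:demo -nokeys -out "$WORK/rt12.pem" 2>/dev/null
  fingerprint "$WORK/rt12.pem"
}

demo() {
  make_selfsigned pzdemo 730
  key_is_consistent "$WORK/pzdemo.key" && echo "key OK"
  cert_ok_for_days "$WORK/pzdemo.pem" 30 && echo "not expiring within 30 days"
  orig=$(fingerprint "$WORK/pzdemo.pem")
  [ "$(der_roundtrip "$WORK/pzdemo.pem")" = "$orig" ] && echo "DER round trip OK"
  [ "$(pkcs12_roundtrip "$WORK/pzdemo.pem" "$WORK/pzdemo.key")" = "$orig" ] && echo "PKCS#12 round trip OK"
}
demo
```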
I hope the above commands help you to know more about OpenSSL to manage SSL certificates for your website.