OpenSSL Configuration#
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 1000
default_crl_days = 30
default_md = sha256
preserve = no
x509_extensions = ca_extensions
email_in_dn = no
copy_extensions = copy
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA
emailAddress = Email Address
emailAddress_default = test@example.com
CA Extensions#
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
Keys#
Generating a Key#
To generate RSA key:
$ openssl genrsa -out testuser.key 2048
$ openssl rsa -in testuser.key -pubout -out testuser.pub
To generate ECC key:
$ openssl ecparam -name secp256k1 -genkey -noout -out testuser.key
$ openssl ec -in testuser.key -pubout -out testuser.pub
Displaying Key Info#
$ openssl rsa -noout -text -in testuser.key
Generating Certificate Request#
To generate a certificate request with a new key:
$ openssl req -newkey rsa:2048 -keyout testuser.key -nodes -new -out testuser.csr -subj "/UID=testuser/O=Example" -days 365
To generate a certificate request with an existing key:
$ openssl req -key testuser.key -nodes -new -out testuser.csr -subj "/UID=testuser/O=Example" -days 365
To generate a certificate request with SAN, prepare a configuration file (e.g. san.cnf):
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
organizationName = Example
commonName = server.example.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.org
Then execute the following command:
$ openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
Generating Self-Signed CA Certificate#
$ openssl genrsa -out ca.key 2048$ openssl req -new -x509 -key ca.key -out ca.crt -subj "/CN=Certificate Authority/O=EXAMPLE"Issuing End-Entity Certificate#
$ openssl x509 -req -in testuser.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out testuser.crt
Displaying Certificate Request#
$ openssl req -text -noout -in ca.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=CA Certificate, O=Example
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c6:5a:73:8b:e6:9b:f6:4e:36:88:c6:d4:f9:74:
94:81:3d:75:0e:da:83:f1:13:a5:ff:cb:8b:1a:1a:
14:a1:68:a5:bf:42:78:03:75:74:a8:91:99:a2:bd:
25:62:b7:e9:83:e9:26:e2:0f:f0:6f:17:f2:2b:a4:
45:c8:17:fa:fd:4d:a2:68:6c:01:15:50:03:19:ca:
01:97:23:ab:31:64:d9:eb:64:09:73:25:36:92:f7:
2f:16:7b:56:3d:f8:b8:5f:88:60:7e:42:98:95:d6:
90:57:30:9d:f4:e9:35:98:70:3f:30:d6:91:8e:75:
98:d1:c9:ca:85:ce:f2:d6:b1:7f:74:1f:74:98:01:
36:c7:69:8c:2a:b8:21:c8:15:ff:5a:a2:7c:18:1d:
1e:76:b2:c0:32:43:09:21:6a:c5:86:7c:1e:a4:7d:
db:6f:5e:d3:ac:dc:20:4f:db:af:fa:8d:c8:6b:74:
70:74:c6:42:9a:a9:47:08:0a:36:39:81:0e:e8:ba:
89:2f:97:1e:db:da:63:89:40:75:31:e7:b3:53:67:
fe:76:07:8f:c9:0a:8d:fd:0a:f6:bd:fd:96:75:bb:
d3:ee:68:8f:51:93:a1:fd:d0:c7:e8:50:7a:f7:66:
85:ec:0a:a4:b5:20:14:98:c4:6d:ab:69:65:30:31:
f8:1f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
03:cd:f3:47:9a:8a:14:3d:0a:8e:09:be:62:f8:89:b1:65:86:
6b:bf:fc:7f:85:9e:a7:71:b6:6e:ea:9e:94:e4:16:95:93:fa:
69:cf:a2:4f:79:5b:3d:e8:65:36:36:a8:7a:0c:69:68:47:6b:
15:b2:2a:49:ae:e2:83:3c:98:bb:7e:2b:13:fa:bc:08:13:a7:
44:0e:dc:64:5b:a4:a9:90:42:d6:52:74:8c:42:7c:15:56:8e:
53:4f:f2:08:14:de:73:33:83:8e:c6:58:1e:f8:51:aa:a3:12:
e5:7f:63:09:db:be:80:1d:0f:5f:c1:1a:a0:83:2e:67:0a:be:
e4:21:cd:e1:63:5e:2c:58:85:f6:75:94:fc:68:52:a6:38:3d:
75:25:2f:89:56:e7:95:dd:9b:1f:ed:8a:f4:d2:f9:d5:1c:43:
89:57:eb:3d:77:fa:ac:27:5f:ad:20:dc:e6:28:8b:aa:54:fb:
4f:f9:d1:6f:dd:73:c6:29:28:b7:bf:9c:38:23:35:8e:de:da:
2e:4d:ed:e9:e2:16:f1:cd:38:9f:86:03:49:d3:a4:d6:bc:6c:
22:9b:7e:c0:82:b4:b6:60:77:a7:a3:d8:d5:c3:fc:64:81:43:
e4:1e:52:04:4e:8c:cf:1b:a7:0f:43:24:6c:8f:a5:55:ed:bd:
db:7f:08:74
Displaying Certificate Info#
To display PEM certificate:
$ openssl x509 -text -noout -in testuser.crt
To display DER certificate:
$ openssl x509 -text -noout -in testuser.crt -inform der
The output will look like the following:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
f5:8c:f2:55:9a:5a:13:01
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=CA Certificate, O=Example
Validity
Not Before: Jun 13 22:51:06 2016 GMT
Not After : Jul 13 22:51:06 2016 GMT
Subject: UID=testuser, O=Example
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ab:92:66:0c:96:3f:43:93:65:3f:52:67:19:e5:
40:74:1d:85:ba:a8:e2:8c:f9:fd:cd:25:36:94:77:
b1:24:10:1f:23:58:f7:38:3d:2a:e0:23:bf:3d:d3:
fa:c3:6a:55:d6:ac:46:8c:14:56:f2:0a:a2:a1:0a:
0f:eb:ee:64:ec:85:c2:df:f1:0a:1f:73:12:98:da:
fa:d6:72:d5:26:f3:45:d5:9b:dd:34:5b:8a:6b:23:
92:2a:31:9c:db:f0:1e:a4:13:08:ad:5a:86:29:aa:
17:86:b3:da:83:de:b5:7b:65:4d:12:f9:d5:2f:45:
29:66:0f:ac:8c:83:63:52:17:be:9e:43:50:d9:2f:
55:74:a8:a9:ee:53:17:2d:ff:2c:6b:25:df:cb:6d:
fb:3f:f4:e1:ba:83:34:b2:be:93:46:92:7b:66:f4:
f9:9f:5e:fd:04:5e:81:db:cb:43:36:b3:2d:f5:0a:
38:19:c0:c0:0e:68:cc:80:67:b4:12:68:6c:04:28:
e1:96:15:78:55:5f:8d:f2:52:ed:82:60:95:7a:41:
f9:36:84:bc:0b:5d:39:ed:7e:63:89:20:ed:e2:ae:
a0:1c:35:b3:a3:d0:1d:34:e8:f1:51:76:e2:78:6b:
4a:21:46:64:b5:aa:b2:8d:63:5c:fd:7d:09:da:46:
fc:d5
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
27:61:d8:f2:79:1e:fd:91:3b:e9:db:51:fe:42:74:0c:dc:94:
b9:fc:7b:1c:c5:4a:87:25:1c:43:fc:ca:64:87:4e:21:0e:22:
31:ef:92:03:f4:de:fb:5b:2e:ba:8b:35:b7:2b:52:4b:f6:d5:
c4:83:f6:f5:ef:cc:f1:15:d5:67:75:ad:8b:77:be:5a:21:fb:
30:e1:71:d2:5d:4f:db:65:7f:38:ae:4d:7b:25:60:d1:5e:19:
24:c5:67:49:18:08:bc:5c:64:06:2d:5a:84:25:af:cd:5f:a0:
5d:9c:d8:69:9a:50:e9:a0:ff:8f:c2:46:7d:2e:5c:3a:b9:a8:
18:fb:d2:1b:06:92:92:b9:b8:ca:0c:c2:2e:94:b5:e2:2a:18:
ce:fe:e8:32:fe:ae:cd:d5:5c:f8:ff:24:6a:dd:5e:7b:f2:24:
2c:01:80:f8:af:95:09:30:81:51:a7:60:fc:ff:c5:df:f7:3e:
fa:1e:32:d3:c3:ff:9d:0c:5c:1e:eb:30:d6:0b:23:50:3a:ad:
57:8d:7c:26:f7:dd:f1:10:bd:65:0a:dd:02:6f:83:54:35:23:
76:b4:1b:63:18:1b:97:0e:3c:3a:de:88:fe:c6:14:e7:5f:e0:
52:b5:c3:d3:82:8f:d7:50:11:ee:b1:cb:5c:a4:e6:67:01:88:
bc:63:41:2e
Displaying PKCS #12 File#
$ openssl pkcs12 -in example.p12 -passin file:password.txt -passout file:password.txt
Importing Certificate and Key into PKCS #12 File#
$ openssl pkcs12 -export \
-in ca_signing.crt \
-inkey ca_signing.key \
-out example.p12 \
-name "CA Signing Certificate" \
-passout file:password.txt
Exporting Certificate and Key from PKCS #12 File#
$ openssl pkcs12 \
-in example.p12 \
-passin file:password.txt \
-out testuser.pem \
-nodes
Exporting Key from PKCS #12 File#
$ openssl pkcs12 \
-in example.p12 \
-passin file:password.txt \
-out ca_signing.key \
-nodes \
-nocerts
Exporting Certificate from PKCS #12 File#
$ openssl pkcs12 \
-in example.p12 \
-passin file:password.txt \
-out ca_signing.crt \
-clcerts \
-nokeys
Exporting CA Certificate from PKCS #12 File#
$ openssl pkcs12 \
-in example.p12 \
-passin file:password.txt \
-out ca_signing.crt \
-cacerts \
-nokeys
Exporting Certificate Chain from PKCS #12 File#
$ openssl pkcs12 \
-in example.p12 \
-passin file:password.txt \
-out ca_signing.crt \
-nokeys
Creating PKCS #7 Certificate Chain#
$ openssl crl2pkcs7 -nocrl -certfile rootca.crt -certfile subca.crt -out cert_chain.p7b
$ cat cert_chain.p7b
-----BEGIN PKCS7-----
MIIHdgYJKoZIhvcNAQcCoIIHZzCCB2MCAQExADALBgkqhkiG9w0BBwGgggdJMIID
qDCCApCgAwIBAgICBGgwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhBTVBM
RTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4MDUw
OTIyNDYxNFoXDTE4MDgwOTIyNDYxNFowODEQMA4GA1UEChMHRVhBTVBMRTEkMCIG
A1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAxDarLmDOZFaub7/sEwFbGatR2or4WmuJFI1QbU4p
3Xf/5rMJz5hANuRmWurK68+peeZ7KctfgwJrFTT65RfQdnslKkb8jtlifIxfz63k
PnZmNtJmDVu5rK/iwiMJFCAx36J1y7vwjp2HGQ2A3a3Y1RL7gKHHRzbTPZUTxDVP
Ihl1T+kOJNXZ95MQTEw9pJgj3Fx6N1kjcWeJ2S9Il81WAL3tCs26uC/rNqYk/lWT
AsBmsJUWEgDQfCLNtV/gmZ+IKe9j8lTEmU2dxPj5PcF5TpNId7iwP6LX6J21CSSf
SnDeaGV5AojwFbqa3dB5m3+t8FfRaYeuOkxln3jA7vetywIDAQABo4G7MIG4MFUG
CCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAYY5aHR0cDovL3ZtLTA2Ni5hYmMuaWRt
LmxhYi5lbmcuYnJxLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMB0GA1UdDgQWBBR4
YQK+UlGV9/m5JR+D+w9DnSyeADAfBgNVHSMEGDAWgBR4YQK+UlGV9/m5JR+D+w9D
nSyeADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0B
AQsFAAOCAQEAmcKj74hsHzVdpDzAsLdYAOZxmT36Qgp0Dsa5vZ246d/D22WKKHAT
wly83MHY+H8aieBNRpyMVs1i98jX44ZS/7SACWi8HnkITF/NAuuaL+AGCLcpBZaR
RrndOix8ywOAMMIXgXeYqZo+LOQRXELwrOljMcUsYPmvRBXDqWK5U0H4y85qIdRa
5Jbx3H1DbCz9OJts9IxDtV4ilIJhu1379Lzebiq7sAPFHVIXZxgMgEO1FaMKeZfZ
1JFOKWeS+Af/4+jj1Oncme7+apfmxDxhgFQBeAPW01tl8MYteRSdJpcSiNaSrYMJ
P4uRkuG65Z2AgV+OqqBPIyJICvZyah4A8zCCA5kwggKBoAMCAQICAhySMA0GCSqG
SIb3DQEBCwUAMDgxEDAOBgNVBAoTB0VYQU1QTEUxJDAiBgNVBAMTG1Jvb3QgQ0Eg
U2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODA1MDkyMjQ3NTdaFw0xODA4MDkyMjQ3
NTdaMD8xEDAOBgNVBAoTB0VYQU1QTEUxKzApBgNVBAMTIlN1Ym9yZGluYXRlIENB
IFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCs94tJZQuEAwOpLH9PeHLgZw7cxL+HpzAcyjCYQLxOLOHo0ruEgbzMCpBP
ALssIgpKi0eTUI/g8jSYXZy0v36U4bToOJnpky/29dK621/38xSiNwNq1suXPeCi
Rtko5PKqO1MM2SbnvY07eybsYn1W1FrPkWtCbeWSpfi2PZItfsTJsKfrJCHbYE6M
FWCxzinGmUUGyJWp0UW2gN/us3r5kEzTql4N047Dr2DvgsWSn0OCNLSad5704v2p
gVmuCS/9HvVyKxeaAZg/5A/0NdsQa2F3rg/F4bfkTXORwcin28K16jnoZjVWAtbL
ryVvu0JL2yJ8EQKIa4aaocnHyzg7AgMBAAGjgaUwgaIwVQYIKwYBBQUHAQEESTBH
MEUGCCsGAQUFBzABhjlodHRwOi8vdm0tMDY2LmFiYy5pZG0ubGFiLmVuZy5icnEu
cmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwHQYDVR0OBBYEFCOu4EdmNg6xkNAUtzs3
nlKDAetHMAkGA1UdIwQCMAAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AcYwDQYJKoZIhvcNAQELBQADggEBAEdTH8CXVA+nItPe8DjAm/6NuewQtC6ziOWT
wboj4LdJkSorbTkyFzNI4P6aaCH4Gl18Ig3Dr5fFiI3AbeIJ1MChCUqUAG46kboN
XopnHtlAxCj1ZGle+7scEkbpta3eFRwJ7FwhP8R627RDoaTIkcnHttle3tYEj6Zd
dMYH+c6Vkyd+8W1xODzVBAKB60GPQeU5GPPiWUzzeQlRVS5KcTPeSftORCwRJTfJ
iKfMFmU4UBoeQFPYjoLaexBsiyvOg4WgDdveZ96oDEa4lOzoAXd9KGpiqjLsJOry
0jtmXkbZESZGANQxUOv2L1clBuUs9YfSDL/cCUK/JnHFiNS6/6KhADEA
-----END PKCS7-----
Displaying PKCS #7 Certificate Chain#
$ openssl pkcs7 -print_certs -in cert_chain.p7b
subject=/O=EXAMPLE/CN=Root CA Signing Certificate
issuer=/O=EXAMPLE/CN=Root CA Signing Certificate
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgICBGgwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhB
TVBMRTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4
MDUwOTIyNDYxNFoXDTE4MDgwOTIyNDYxNFowODEQMA4GA1UEChMHRVhBTVBMRTEk
MCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDarLmDOZFaub7/sEwFbGatR2or4WmuJFI1Q
bU4p3Xf/5rMJz5hANuRmWurK68+peeZ7KctfgwJrFTT65RfQdnslKkb8jtlifIxf
z63kPnZmNtJmDVu5rK/iwiMJFCAx36J1y7vwjp2HGQ2A3a3Y1RL7gKHHRzbTPZUT
xDVPIhl1T+kOJNXZ95MQTEw9pJgj3Fx6N1kjcWeJ2S9Il81WAL3tCs26uC/rNqYk
/lWTAsBmsJUWEgDQfCLNtV/gmZ+IKe9j8lTEmU2dxPj5PcF5TpNId7iwP6LX6J21
CSSfSnDeaGV5AojwFbqa3dB5m3+t8FfRaYeuOkxln3jA7vetywIDAQABo4G7MIG4
MFUGCCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAYY5aHR0cDovL3ZtLTA2Ni5hYmMu
aWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMB0GA1UdDgQW
BBR4YQK+UlGV9/m5JR+D+w9DnSyeADAfBgNVHSMEGDAWgBR4YQK+UlGV9/m5JR+D
+w9DnSyeADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG
9w0BAQsFAAOCAQEAmcKj74hsHzVdpDzAsLdYAOZxmT36Qgp0Dsa5vZ246d/D22WK
KHATwly83MHY+H8aieBNRpyMVs1i98jX44ZS/7SACWi8HnkITF/NAuuaL+AGCLcp
BZaRRrndOix8ywOAMMIXgXeYqZo+LOQRXELwrOljMcUsYPmvRBXDqWK5U0H4y85q
IdRa5Jbx3H1DbCz9OJts9IxDtV4ilIJhu1379Lzebiq7sAPFHVIXZxgMgEO1FaMK
eZfZ1JFOKWeS+Af/4+jj1Oncme7+apfmxDxhgFQBeAPW01tl8MYteRSdJpcSiNaS
rYMJP4uRkuG65Z2AgV+OqqBPIyJICvZyah4A8w==
-----END CERTIFICATE-----
subject=/O=EXAMPLE/CN=Subordinate CA Signing Certificate
issuer=/O=EXAMPLE/CN=Root CA Signing Certificate
-----BEGIN CERTIFICATE-----
MIIDmTCCAoGgAwIBAgICHJIwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhB
TVBMRTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4
MDUwOTIyNDc1N1oXDTE4MDgwOTIyNDc1N1owPzEQMA4GA1UEChMHRVhBTVBMRTEr
MCkGA1UEAxMiU3Vib3JkaW5hdGUgQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKz3i0llC4QDA6ksf094cuBnDtzE
v4enMBzKMJhAvE4s4ejSu4SBvMwKkE8AuywiCkqLR5NQj+DyNJhdnLS/fpThtOg4
memTL/b10rrbX/fzFKI3A2rWy5c94KJG2Sjk8qo7UwzZJue9jTt7JuxifVbUWs+R
a0Jt5ZKl+LY9ki1+xMmwp+skIdtgTowVYLHOKcaZRQbIlanRRbaA3+6zevmQTNOq
Xg3TjsOvYO+CxZKfQ4I0tJp3nvTi/amBWa4JL/0e9XIrF5oBmD/kD/Q12xBrYXeu
D8Xht+RNc5HByKfbwrXqOehmNVYC1suvJW+7QkvbInwRAohrhpqhycfLODsCAwEA
AaOBpTCBojBVBggrBgEFBQcBAQRJMEcwRQYIKwYBBQUHMAGGOWh0dHA6Ly92bS0w
NjYuYWJjLmlkbS5sYWIuZW5nLmJycS5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAd
BgNVHQ4EFgQUI67gR2Y2DrGQ0BS3OzeeUoMB60cwCQYDVR0jBAIwADAPBgNVHRMB
Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEAR1Mf
wJdUD6ci097wOMCb/o257BC0LrOI5ZPBuiPgt0mRKittOTIXM0jg/ppoIfgaXXwi
DcOvl8WIjcBt4gnUwKEJSpQAbjqRug1eimce2UDEKPVkaV77uxwSRum1rd4VHAns
XCE/xHrbtEOhpMiRyce22V7e1gSPpl10xgf5zpWTJ37xbXE4PNUEAoHrQY9B5TkY
8+JZTPN5CVFVLkpxM95J+05ELBElN8mIp8wWZThQGh5AU9iOgtp7EGyLK86DhaAN
295n3qgMRriU7OgBd30oamKqMuwk6vLSO2ZeRtkRJkYA1DFQ6/YvVyUG5Sz1h9IM
v9wJQr8mccWI1Lr/og==
-----END CERTIFICATE-----
Displaying PEM Certificate Chain#
$ openssl crl2pkcs7 -nocrl -certfile cert_chain.pem | openssl pkcs7 -print_certs -text -noout
Conversions#
Converting CSR from DER to PEM#
$ openssl req -inform der -in request.der -out request.pem
Converting Certificate from DER to PEM#
$ openssl x509 -inform der -in cert.der -out cert.pem
Converting Certificate from PEM to DER#
$ openssl x509 -outform der -in cert.pem -out cert.der
Converting Certificate Chain from PKCS #7 to PEM#
$ openssl pkcs7 -print_certs -in cert_chain.p7b -out cert_chain.pem
Decoding Certificate#
$ openssl asn1parse -in test.pem
$ openssl x509 -outform der -in test.pem | dumpasn1 -
SSL#
$ openssl s_client -connect $HOSTNAME:8443 -tls1_2
Ciphers#
To display the default ciphers:
$ openssl ciphers DEFAULT
To display all ciphers (except NULL ciphers):
$ openssl ciphers ALL
To display all ciphers (including NULL ciphers):
$ openssl ciphers 'ALL:NULL'
Revocation#
To revoke a certificate:
$ openssl ca -config ca.conf -revoke testuser.crt