OpenSSL

From Dogtag
Jump to: navigation, search


OpenSSL Configuration

HOME                            = .
RANDFILE                        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca                      = CA_default

[ CA_default ]

default_days                    = 1000
default_crl_days                = 30
default_md                      = sha256
preserve                        = no

x509_extensions                 = ca_extensions

email_in_dn                     = no
copy_extensions                 = copy

####################################################################
[ req ]
default_bits                    = 4096
default_keyfile                 = cakey.pem
distinguished_name              = ca_distinguished_name
x509_extensions                 = ca_extensions
string_mask                     = utf8only

####################################################################
[ ca_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = US

stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Maryland

localityName                   = Locality Name (eg, city)
localityName_default           = Baltimore

organizationName               = Organization Name (eg, company)
organizationName_default       = Test CA, Limited

organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department

commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_default             = Test CA

emailAddress                   = Email Address
emailAddress_default           = test@example.com

CA Extensions

[ ca_extensions ]
subjectKeyIdentifier           = hash
authorityKeyIdentifier         = keyid:always, issuer
basicConstraints               = critical, CA:true
keyUsage                       = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign

Keys

Generating a Key

To generate RSA key:

$ openssl genrsa -out testuser.key 2048
$ openssl rsa -in testuser.key -pubout -out testuser.pub

To generate ECC key:

$ openssl ecparam -name secp256k1 -genkey -noout -out testuser.key
$ openssl ec -in testuser.key -pubout -out testuser.pub

Displaying Key Info

$ openssl rsa -noout -text -in testuser.key

Generating Certificate Request

To generate a certificate request with a new key:

$ openssl req -newkey rsa:2048 -keyout testuser.key -nodes -new -out testuser.csr -subj "/UID=testuser/O=Example" -days 365

To generate a certificate request with an existing key:

$ openssl req -key testuser.key -nodes -new -out testuser.csr -subj "/UID=testuser/O=Example" -days 365

To generate a certificate request with SAN, prepare a configuration file (e.g. san.cnf):

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
organizationName   = Example
commonName         = server.example.com

[ req_ext ]
subjectAltName     = @alt_names

[alt_names]
DNS.1              = www.example.com
DNS.2              = www.example.org

Then execute the following command:

$ openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

Generating Self-Signed CA Certificate

$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -key ca.key -out ca.crt -subj "/CN=Certificate Authority/O=EXAMPLE"

Issuing End-Entity Certificate

$ openssl x509 -req -in testuser.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out testuser.crt

See also:

Displaying Certificate Request

$ openssl req -text -noout -in ca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=CA Certificate, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c6:5a:73:8b:e6:9b:f6:4e:36:88:c6:d4:f9:74:
                    94:81:3d:75:0e:da:83:f1:13:a5:ff:cb:8b:1a:1a:
                    14:a1:68:a5:bf:42:78:03:75:74:a8:91:99:a2:bd:
                    25:62:b7:e9:83:e9:26:e2:0f:f0:6f:17:f2:2b:a4:
                    45:c8:17:fa:fd:4d:a2:68:6c:01:15:50:03:19:ca:
                    01:97:23:ab:31:64:d9:eb:64:09:73:25:36:92:f7:
                    2f:16:7b:56:3d:f8:b8:5f:88:60:7e:42:98:95:d6:
                    90:57:30:9d:f4:e9:35:98:70:3f:30:d6:91:8e:75:
                    98:d1:c9:ca:85:ce:f2:d6:b1:7f:74:1f:74:98:01:
                    36:c7:69:8c:2a:b8:21:c8:15:ff:5a:a2:7c:18:1d:
                    1e:76:b2:c0:32:43:09:21:6a:c5:86:7c:1e:a4:7d:
                    db:6f:5e:d3:ac:dc:20:4f:db:af:fa:8d:c8:6b:74:
                    70:74:c6:42:9a:a9:47:08:0a:36:39:81:0e:e8:ba:
                    89:2f:97:1e:db:da:63:89:40:75:31:e7:b3:53:67:
                    fe:76:07:8f:c9:0a:8d:fd:0a:f6:bd:fd:96:75:bb:
                    d3:ee:68:8f:51:93:a1:fd:d0:c7:e8:50:7a:f7:66:
                    85:ec:0a:a4:b5:20:14:98:c4:6d:ab:69:65:30:31:
                    f8:1f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         03:cd:f3:47:9a:8a:14:3d:0a:8e:09:be:62:f8:89:b1:65:86:
         6b:bf:fc:7f:85:9e:a7:71:b6:6e:ea:9e:94:e4:16:95:93:fa:
         69:cf:a2:4f:79:5b:3d:e8:65:36:36:a8:7a:0c:69:68:47:6b:
         15:b2:2a:49:ae:e2:83:3c:98:bb:7e:2b:13:fa:bc:08:13:a7:
         44:0e:dc:64:5b:a4:a9:90:42:d6:52:74:8c:42:7c:15:56:8e:
         53:4f:f2:08:14:de:73:33:83:8e:c6:58:1e:f8:51:aa:a3:12:
         e5:7f:63:09:db:be:80:1d:0f:5f:c1:1a:a0:83:2e:67:0a:be:
         e4:21:cd:e1:63:5e:2c:58:85:f6:75:94:fc:68:52:a6:38:3d:
         75:25:2f:89:56:e7:95:dd:9b:1f:ed:8a:f4:d2:f9:d5:1c:43:
         89:57:eb:3d:77:fa:ac:27:5f:ad:20:dc:e6:28:8b:aa:54:fb:
         4f:f9:d1:6f:dd:73:c6:29:28:b7:bf:9c:38:23:35:8e:de:da:
         2e:4d:ed:e9:e2:16:f1:cd:38:9f:86:03:49:d3:a4:d6:bc:6c:
         22:9b:7e:c0:82:b4:b6:60:77:a7:a3:d8:d5:c3:fc:64:81:43:
         e4:1e:52:04:4e:8c:cf:1b:a7:0f:43:24:6c:8f:a5:55:ed:bd:
         db:7f:08:74


Displaying Certificate Info

$ openssl x509 -text -noout -in testuser.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f5:8c:f2:55:9a:5a:13:01
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA Certificate, O=Example
        Validity
            Not Before: Jun 13 22:51:06 2016 GMT
            Not After : Jul 13 22:51:06 2016 GMT
        Subject: UID=testuser, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:92:66:0c:96:3f:43:93:65:3f:52:67:19:e5:
                    40:74:1d:85:ba:a8:e2:8c:f9:fd:cd:25:36:94:77:
                    b1:24:10:1f:23:58:f7:38:3d:2a:e0:23:bf:3d:d3:
                    fa:c3:6a:55:d6:ac:46:8c:14:56:f2:0a:a2:a1:0a:
                    0f:eb:ee:64:ec:85:c2:df:f1:0a:1f:73:12:98:da:
                    fa:d6:72:d5:26:f3:45:d5:9b:dd:34:5b:8a:6b:23:
                    92:2a:31:9c:db:f0:1e:a4:13:08:ad:5a:86:29:aa:
                    17:86:b3:da:83:de:b5:7b:65:4d:12:f9:d5:2f:45:
                    29:66:0f:ac:8c:83:63:52:17:be:9e:43:50:d9:2f:
                    55:74:a8:a9:ee:53:17:2d:ff:2c:6b:25:df:cb:6d:
                    fb:3f:f4:e1:ba:83:34:b2:be:93:46:92:7b:66:f4:
                    f9:9f:5e:fd:04:5e:81:db:cb:43:36:b3:2d:f5:0a:
                    38:19:c0:c0:0e:68:cc:80:67:b4:12:68:6c:04:28:
                    e1:96:15:78:55:5f:8d:f2:52:ed:82:60:95:7a:41:
                    f9:36:84:bc:0b:5d:39:ed:7e:63:89:20:ed:e2:ae:
                    a0:1c:35:b3:a3:d0:1d:34:e8:f1:51:76:e2:78:6b:
                    4a:21:46:64:b5:aa:b2:8d:63:5c:fd:7d:09:da:46:
                    fc:d5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         27:61:d8:f2:79:1e:fd:91:3b:e9:db:51:fe:42:74:0c:dc:94:
         b9:fc:7b:1c:c5:4a:87:25:1c:43:fc:ca:64:87:4e:21:0e:22:
         31:ef:92:03:f4:de:fb:5b:2e:ba:8b:35:b7:2b:52:4b:f6:d5:
         c4:83:f6:f5:ef:cc:f1:15:d5:67:75:ad:8b:77:be:5a:21:fb:
         30:e1:71:d2:5d:4f:db:65:7f:38:ae:4d:7b:25:60:d1:5e:19:
         24:c5:67:49:18:08:bc:5c:64:06:2d:5a:84:25:af:cd:5f:a0:
         5d:9c:d8:69:9a:50:e9:a0:ff:8f:c2:46:7d:2e:5c:3a:b9:a8:
         18:fb:d2:1b:06:92:92:b9:b8:ca:0c:c2:2e:94:b5:e2:2a:18:
         ce:fe:e8:32:fe:ae:cd:d5:5c:f8:ff:24:6a:dd:5e:7b:f2:24:
         2c:01:80:f8:af:95:09:30:81:51:a7:60:fc:ff:c5:df:f7:3e:
         fa:1e:32:d3:c3:ff:9d:0c:5c:1e:eb:30:d6:0b:23:50:3a:ad:
         57:8d:7c:26:f7:dd:f1:10:bd:65:0a:dd:02:6f:83:54:35:23:
         76:b4:1b:63:18:1b:97:0e:3c:3a:de:88:fe:c6:14:e7:5f:e0:
         52:b5:c3:d3:82:8f:d7:50:11:ee:b1:cb:5c:a4:e6:67:01:88:
         bc:63:41:2e

Displaying PKCS #12 File

$ openssl pkcs12 -in example.p12 -passin file:password.txt

Importing Certificate and Key into PKCS #12 File

$ openssl pkcs12 -export \
 -in ca_signing.crt \
 -inkey ca_signing.key \
 -out example.p12 \
 -name "CA Signing Certificate" \
 -passout file:password.txt

Exporting Key from PKCS #12 File

$ openssl pkcs12 \
 -in example.p12 \
 -passin file:password.txt \
 -out ca_signing.key \
 -nodes \
 -nocerts

Exporting Certificate from PKCS #12 File

$ openssl pkcs12 \
 -in example.p12 \
 -passin file:password.txt \
 -out ca_signing.crt \
 -clcerts \
 -nokeys

Exporting CA Certificate from PKCS #12 File

$ openssl pkcs12 \
 -in example.p12 \
 -passin file:password.txt \
 -out ca_signing.crt \
 -cacerts \
 -nokeys

Exporting Certificate Chain from PKCS #12 File

$ openssl pkcs12 \
 -in example.p12 \
 -passin file:password.txt \
 -out ca_signing.crt \
 -nokeys

Creating PKCS #7 Certificate Chain

$ openssl crl2pkcs7 -nocrl -certfile rootca.crt -certfile subca.crt -out cert_chain.p7b
$ cat cert_chain.p7b
-----BEGIN PKCS7-----
MIIHdgYJKoZIhvcNAQcCoIIHZzCCB2MCAQExADALBgkqhkiG9w0BBwGgggdJMIID
qDCCApCgAwIBAgICBGgwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhBTVBM
RTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4MDUw
OTIyNDYxNFoXDTE4MDgwOTIyNDYxNFowODEQMA4GA1UEChMHRVhBTVBMRTEkMCIG
A1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAxDarLmDOZFaub7/sEwFbGatR2or4WmuJFI1QbU4p
3Xf/5rMJz5hANuRmWurK68+peeZ7KctfgwJrFTT65RfQdnslKkb8jtlifIxfz63k
PnZmNtJmDVu5rK/iwiMJFCAx36J1y7vwjp2HGQ2A3a3Y1RL7gKHHRzbTPZUTxDVP
Ihl1T+kOJNXZ95MQTEw9pJgj3Fx6N1kjcWeJ2S9Il81WAL3tCs26uC/rNqYk/lWT
AsBmsJUWEgDQfCLNtV/gmZ+IKe9j8lTEmU2dxPj5PcF5TpNId7iwP6LX6J21CSSf
SnDeaGV5AojwFbqa3dB5m3+t8FfRaYeuOkxln3jA7vetywIDAQABo4G7MIG4MFUG
CCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAYY5aHR0cDovL3ZtLTA2Ni5hYmMuaWRt
LmxhYi5lbmcuYnJxLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMB0GA1UdDgQWBBR4
YQK+UlGV9/m5JR+D+w9DnSyeADAfBgNVHSMEGDAWgBR4YQK+UlGV9/m5JR+D+w9D
nSyeADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0B
AQsFAAOCAQEAmcKj74hsHzVdpDzAsLdYAOZxmT36Qgp0Dsa5vZ246d/D22WKKHAT
wly83MHY+H8aieBNRpyMVs1i98jX44ZS/7SACWi8HnkITF/NAuuaL+AGCLcpBZaR
RrndOix8ywOAMMIXgXeYqZo+LOQRXELwrOljMcUsYPmvRBXDqWK5U0H4y85qIdRa
5Jbx3H1DbCz9OJts9IxDtV4ilIJhu1379Lzebiq7sAPFHVIXZxgMgEO1FaMKeZfZ
1JFOKWeS+Af/4+jj1Oncme7+apfmxDxhgFQBeAPW01tl8MYteRSdJpcSiNaSrYMJ
P4uRkuG65Z2AgV+OqqBPIyJICvZyah4A8zCCA5kwggKBoAMCAQICAhySMA0GCSqG
SIb3DQEBCwUAMDgxEDAOBgNVBAoTB0VYQU1QTEUxJDAiBgNVBAMTG1Jvb3QgQ0Eg
U2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODA1MDkyMjQ3NTdaFw0xODA4MDkyMjQ3
NTdaMD8xEDAOBgNVBAoTB0VYQU1QTEUxKzApBgNVBAMTIlN1Ym9yZGluYXRlIENB
IFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCs94tJZQuEAwOpLH9PeHLgZw7cxL+HpzAcyjCYQLxOLOHo0ruEgbzMCpBP
ALssIgpKi0eTUI/g8jSYXZy0v36U4bToOJnpky/29dK621/38xSiNwNq1suXPeCi
Rtko5PKqO1MM2SbnvY07eybsYn1W1FrPkWtCbeWSpfi2PZItfsTJsKfrJCHbYE6M
FWCxzinGmUUGyJWp0UW2gN/us3r5kEzTql4N047Dr2DvgsWSn0OCNLSad5704v2p
gVmuCS/9HvVyKxeaAZg/5A/0NdsQa2F3rg/F4bfkTXORwcin28K16jnoZjVWAtbL
ryVvu0JL2yJ8EQKIa4aaocnHyzg7AgMBAAGjgaUwgaIwVQYIKwYBBQUHAQEESTBH
MEUGCCsGAQUFBzABhjlodHRwOi8vdm0tMDY2LmFiYy5pZG0ubGFiLmVuZy5icnEu
cmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwHQYDVR0OBBYEFCOu4EdmNg6xkNAUtzs3
nlKDAetHMAkGA1UdIwQCMAAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AcYwDQYJKoZIhvcNAQELBQADggEBAEdTH8CXVA+nItPe8DjAm/6NuewQtC6ziOWT
wboj4LdJkSorbTkyFzNI4P6aaCH4Gl18Ig3Dr5fFiI3AbeIJ1MChCUqUAG46kboN
XopnHtlAxCj1ZGle+7scEkbpta3eFRwJ7FwhP8R627RDoaTIkcnHttle3tYEj6Zd
dMYH+c6Vkyd+8W1xODzVBAKB60GPQeU5GPPiWUzzeQlRVS5KcTPeSftORCwRJTfJ
iKfMFmU4UBoeQFPYjoLaexBsiyvOg4WgDdveZ96oDEa4lOzoAXd9KGpiqjLsJOry
0jtmXkbZESZGANQxUOv2L1clBuUs9YfSDL/cCUK/JnHFiNS6/6KhADEA
-----END PKCS7-----

Displaying PKCS #7 Certificate Chain

$ openssl pkcs7 -print_certs -in cert_chain.p7b
subject=/O=EXAMPLE/CN=Root CA Signing Certificate
issuer=/O=EXAMPLE/CN=Root CA Signing Certificate
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgICBGgwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhB
TVBMRTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4
MDUwOTIyNDYxNFoXDTE4MDgwOTIyNDYxNFowODEQMA4GA1UEChMHRVhBTVBMRTEk
MCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDarLmDOZFaub7/sEwFbGatR2or4WmuJFI1Q
bU4p3Xf/5rMJz5hANuRmWurK68+peeZ7KctfgwJrFTT65RfQdnslKkb8jtlifIxf
z63kPnZmNtJmDVu5rK/iwiMJFCAx36J1y7vwjp2HGQ2A3a3Y1RL7gKHHRzbTPZUT
xDVPIhl1T+kOJNXZ95MQTEw9pJgj3Fx6N1kjcWeJ2S9Il81WAL3tCs26uC/rNqYk
/lWTAsBmsJUWEgDQfCLNtV/gmZ+IKe9j8lTEmU2dxPj5PcF5TpNId7iwP6LX6J21
CSSfSnDeaGV5AojwFbqa3dB5m3+t8FfRaYeuOkxln3jA7vetywIDAQABo4G7MIG4
MFUGCCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAYY5aHR0cDovL3ZtLTA2Ni5hYmMu
aWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMB0GA1UdDgQW
BBR4YQK+UlGV9/m5JR+D+w9DnSyeADAfBgNVHSMEGDAWgBR4YQK+UlGV9/m5JR+D
+w9DnSyeADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG
9w0BAQsFAAOCAQEAmcKj74hsHzVdpDzAsLdYAOZxmT36Qgp0Dsa5vZ246d/D22WK
KHATwly83MHY+H8aieBNRpyMVs1i98jX44ZS/7SACWi8HnkITF/NAuuaL+AGCLcp
BZaRRrndOix8ywOAMMIXgXeYqZo+LOQRXELwrOljMcUsYPmvRBXDqWK5U0H4y85q
IdRa5Jbx3H1DbCz9OJts9IxDtV4ilIJhu1379Lzebiq7sAPFHVIXZxgMgEO1FaMK
eZfZ1JFOKWeS+Af/4+jj1Oncme7+apfmxDxhgFQBeAPW01tl8MYteRSdJpcSiNaS
rYMJP4uRkuG65Z2AgV+OqqBPIyJICvZyah4A8w==
-----END CERTIFICATE-----

subject=/O=EXAMPLE/CN=Subordinate CA Signing Certificate
issuer=/O=EXAMPLE/CN=Root CA Signing Certificate
-----BEGIN CERTIFICATE-----
MIIDmTCCAoGgAwIBAgICHJIwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhB
TVBMRTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4
MDUwOTIyNDc1N1oXDTE4MDgwOTIyNDc1N1owPzEQMA4GA1UEChMHRVhBTVBMRTEr
MCkGA1UEAxMiU3Vib3JkaW5hdGUgQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKz3i0llC4QDA6ksf094cuBnDtzE
v4enMBzKMJhAvE4s4ejSu4SBvMwKkE8AuywiCkqLR5NQj+DyNJhdnLS/fpThtOg4
memTL/b10rrbX/fzFKI3A2rWy5c94KJG2Sjk8qo7UwzZJue9jTt7JuxifVbUWs+R
a0Jt5ZKl+LY9ki1+xMmwp+skIdtgTowVYLHOKcaZRQbIlanRRbaA3+6zevmQTNOq
Xg3TjsOvYO+CxZKfQ4I0tJp3nvTi/amBWa4JL/0e9XIrF5oBmD/kD/Q12xBrYXeu
D8Xht+RNc5HByKfbwrXqOehmNVYC1suvJW+7QkvbInwRAohrhpqhycfLODsCAwEA
AaOBpTCBojBVBggrBgEFBQcBAQRJMEcwRQYIKwYBBQUHMAGGOWh0dHA6Ly92bS0w
NjYuYWJjLmlkbS5sYWIuZW5nLmJycS5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAd
BgNVHQ4EFgQUI67gR2Y2DrGQ0BS3OzeeUoMB60cwCQYDVR0jBAIwADAPBgNVHRMB
Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEAR1Mf
wJdUD6ci097wOMCb/o257BC0LrOI5ZPBuiPgt0mRKittOTIXM0jg/ppoIfgaXXwi
DcOvl8WIjcBt4gnUwKEJSpQAbjqRug1eimce2UDEKPVkaV77uxwSRum1rd4VHAns
XCE/xHrbtEOhpMiRyce22V7e1gSPpl10xgf5zpWTJ37xbXE4PNUEAoHrQY9B5TkY
8+JZTPN5CVFVLkpxM95J+05ELBElN8mIp8wWZThQGh5AU9iOgtp7EGyLK86DhaAN
295n3qgMRriU7OgBd30oamKqMuwk6vLSO2ZeRtkRJkYA1DFQ6/YvVyUG5Sz1h9IM
v9wJQr8mccWI1Lr/og==
-----END CERTIFICATE-----

Displaying PEM Certificate Chain

$ openssl crl2pkcs7 -nocrl -certfile cert_chain.pem | openssl pkcs7 -print_certs -text -noout

Conversions

Converting CSR from DER to PEM

$ openssl req -inform der -in request.der -out request.pem

Converting Certificate from DER to PEM

$ openssl x509 -inform der -in cert.der -out cert.pem

Converting Certificate from PEM to DER

$ openssl x509 -outform der -in cert.pem -out cert.der

Converting Certificate Chain from PKCS #7 to PEM

$ openssl pkcs7 -print_certs -in cert_chain.p7b -out cert_chain.pem

Decoding Certificate

$ openssl asn1parse -in test.pem
$ openssl x509 -outform der -in test.pem | dumpasn1 -

SSL

$ openssl s_client -connect $HOSTNAME:8443 -tls1_2

Ciphers

To display the default ciphers:

$ openssl ciphers DEFAULT

To display all ciphers (except NULL ciphers):

$ openssl ciphers ALL

To display all ciphers (including NULL ciphers):

$ openssl ciphers 'ALL:NULL'

Revocation

To revoke a certificate:

$ openssl ca -config ca.conf -revoke testuser.crt

References