
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

##
# openssl command
#
# OpenSSL cryptographic toolkit.
# https://www.openssl.org
##

# To print a list of available subcommands:
openssl help

# To print options for a specific subcommand:
openssl help <x509>

# To print the version of OpenSSL:
openssl version

##
# openssl req command
#
# OpenSSL command to manage PKCS#10 Certificate Signing Requests.
# https://www.openssl.org/docs/manmaster/man1/openssl-req.html
##

# To generate a certificate signing request to be sent to a certificate authority:
openssl req -new -sha256 -key <filename.key> -out <filename.csr>

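# To generate a self-signed certificate and a corresponding keypair, storing the key and the certificate in separate files
# (without -noenc/-nodes, openssl prompts for a passphrase and encrypts the private key):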
openssl req -new -x509 -newkey <rsa>:<4096> -keyout <filename.key> -out <filename.cert> -subj "</C=XX/CN=foobar>" -days <365>

##
# openssl s_client command
#
# OpenSSL command to create TLS client connections.
# https://www.openssl.org/docs/manmaster/man1/openssl-s_client.html
##

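# To display the start and expiry dates for a domain's certificate
# (s_client does not abort when chain verification fails, so these are the dates of whatever certificate the server presented;
# without </dev/null, as used in the examples below, s_client may keep the connection open until stdin is closed):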
openssl s_client -connect <host>:<port> 2>/dev/null | openssl x509 -noout -dates

# To display the certificate presented by an SSL/TLS server:
openssl s_client -connect <host>:<port> </dev/null

# To display the complete certificate chain of an HTTPS server:
openssl s_client -connect <host>:443 -showcerts </dev/null

##
# openssl x509 command
#
# OpenSSL command to manage X.509 certificates.
# https://www.openssl.org/docs/manmaster/man1/openssl-x509.html
##

# To display certificate information:
openssl x509 -in <filename.crt> -noout -text

# To display a certificate's expiration date:
openssl x509 -enddate -noout -in <filename.pem>

# To convert a certificate between binary DER encoding and textual PEM encoding:
openssl x509 -inform <der> -outform <pem> -in <original_certificate_file> -out <converted_certificate_file>

# To store a certificate's public key in a file:
openssl x509 -in <certificate_file> -noout -pubkey -out <output_file>

# ---

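# To check an SSL/TLS connection (s_client continues even if certificate verification fails unless -verify_return_error is given;
# check the "Verify return code" line in the output):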
openssl s_client -connect <host>:<port>

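# To generate a new private key and CSR (-nodes writes the private key unencrypted, so restrict access to the key file;
# OpenSSL 3.0 and later spell this option -noenc):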
openssl req -out <filename.csr> -new -newkey rsa:2048 -nodes -keyout <filename.key>

# To check the consistency of an RSA private key (this also writes the key itself to stdout; add -noout to suppress that):
openssl rsa -check -in <private.key>

# To verify a CSR's self-signature and print its contents:
openssl req -text -noout -verify -in <filename.csr>

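# To print the MD5 hash of a certificate's RSA modulus (compare it with the hashes of the key and CSR to confirm they share a key pair;
# MD5 serves only as a short comparison fingerprint here):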
openssl x509 -noout -modulus -in <filename.crt> | openssl md5

# To print the MD5 hash of a private key's RSA modulus (it equals the certificate's modulus hash when the two belong together):
openssl rsa -noout -modulus -in <filename.key> | openssl md5

# To print the MD5 hash of a CSR's RSA modulus (it equals the private key's modulus hash when the CSR was made from that key):
openssl req -noout -modulus -in <filename.csr> | openssl md5