{{tag>ssl cli}}

====== Openssl commands ======

===== Get cert expiration date from cert file =====

<code bash>
openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem
</code>

===== Verify certs =====

<code bash>
openssl verify -CAfile certs/rootCA.crt certs/client.crt
openssl verify -CAfile certs/rootCA.crt certs/server.crt
</code>

===== Query site for expiration date =====

<code bash>
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer
</code>

===== Determine a Key Size from =====

==== Private Key ====

<code bash>
openssl rsa -in secret.key -text -noout | grep "Private-Key"
</code>

==== Public Key ====

<code bash>
openssl pkey -inform PEM -pubin -in pub.key -text -noout
</code>

===== Display the contents of a PEM formatted certificate =====

<code bash>
openssl x509 -in example.com.pem -text
</code>

===== Test explicit TLS with FTPS server =====

<code bash>
openssl s_client -starttls ftp -connect localhost:21
</code>

===== Get cert file from site =====

<code bash>
openssl s_client -connect example.com:443 -servername example.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout
</code>

''-connect'' can be the IP address of a server and is not necessarily the same as the ''-servername''. Use ''-servername'' (SNI) when several SSL hosts share a single IP address, otherwise the server may return its default certificate instead of the one you want to inspect.

===== Get OCSP stapling info =====

<code bash>
echo QUIT | openssl s_client -servername www.example.com -connect xx.xxx.xxx.xx:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
</code>

===== Check if certificate is valid with private key =====

If you get an error like

<code>
Oct 23 17:55:05 hpb01-rp nginx[2837]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/some.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
</code>

check the certificate and private key:

<code bash>
openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1
</code>

Both commands must print the same SHA-1 sum; if they differ, the certificate was not issued for that private key.
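The expiry and key/certificate checks above, wrapped into shell functions so they can go into a monitoring or deploy script. This is an added example, not part of the original page; the file names ''a.key'', ''a.crt'' and ''b.key'' are constructed test material generated inline, and the key match uses a public-key comparison instead of ''-modulus'' so it also works for EC keys.

```shell
#!/bin/sh
# Added example (not from the original wiki page): expiry check and
# key/certificate match check as functions, exercised on a throwaway
# self-signed certificate generated inline.
set -eu

# Succeeds (exit 0) when CERT expires within DAYS days.
# x509 -checkend exits 0 while the cert is still valid past the window,
# so the result is inverted; no date(1) parsing of notAfter is needed.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds when the public key inside CERT equals the one derived from KEY.
# Comparing the full public key instead of the RSA modulus also covers EC
# and Ed25519 keys, where -modulus does not apply.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material in DIR: a.key/a.crt (self-signed, valid 10 days)
# and b.key, an unrelated key that must NOT match a.crt.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.crt" \
        -days 10 -subj "/CN=demo.example" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    for days in 5 30; do
        if cert_expires_within "$dir/a.crt" "$days"; then
            echo "a.crt expires within $days days"
        else
            echo "a.crt is good for more than $days days"
        fi
    done
    for key in a.key b.key; do
        if key_matches_cert "$dir/a.crt" "$dir/$key"; then
            echo "$key matches a.crt"
        else
            echo "$key does NOT match a.crt"
        fi
    done
    rm -rf "$dir"
}

demo
```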
===== Additional commands that can be used to inspect Certificates =====

The ''openssl x509'' utility also allows you to extract specific pieces of information from the certificate file instead of printing the entire certificate as text:

<code bash>
openssl x509 -in google.com-cert -noout -serial
openssl x509 -in google.com-cert -noout -issuer
openssl x509 -in google.com-cert -noout -dates
openssl x509 -in google.com-cert -noout -subject
openssl x509 -in google.com-cert -noout -pubkey
openssl x509 -in google.com-cert -noout -modulus
openssl x509 -in google.com-cert -noout -ocsp_uri
</code>

Note: the last command may not work in all versions of OpenSSL.

You can also mix and match arguments from the commands above:

<code bash>
openssl x509 -in google.com-cert -noout -subject -issuer
openssl x509 -in google.com-cert -noout -serial -dates
</code>

You can also request specific extensions from the certificate (the ''-ext'' option requires OpenSSL 1.1.1 or later):

<code bash>
openssl x509 -in google.com-cert -noout -ext subjectAltName
openssl x509 -in google.com-cert -noout -ext basicConstraints
openssl x509 -in google.com-cert -noout -ext crlDistributionPoints
openssl x509 -in google.com-cert -noout -ext keyUsage
openssl x509 -in google.com-cert -noout -ext extendedKeyUsage
openssl x509 -in google.com-cert -noout -ext authorityInfoAccess
openssl x509 -in google.com-cert -noout -ext subjectKeyIdentifier
openssl x509 -in google.com-cert -noout -ext authorityKeyIdentifier
</code>

====== See also ======

  * [[wiki:creating_ca_and_signing_server_and_client_certs_with_openssl|Creating CA and signing server and client certs with openssl]]

====== References ======

  * https://www.xolphin.com/support/OpenSSL/Frequently_used_OpenSSL_Commands
  * https://www.namecheap.com/support/knowledgebase/article.aspx/9781/2238/nginx-ssl-error0b080074x509-certificate-routines-x509checkprivatekeykey-values-mismatch
  * https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server