OpenSSL commands
Get cert expiration date from cert file
openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem
Verify certs
openssl verify -CAfile certs/rootCA.crt certs/client.crt
openssl verify -CAfile certs/rootCA.crt certs/server.crt
Query site for expiration date
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer
Determine a Key Size from
Private Key
openssl rsa -in secret.key -text -noout | grep "Private-Key"
Public Key
openssl pkey -inform PEM -pubin -in pub.key -text -noout
Display the contents of a PEM formatted certificate
openssl x509 -in example.com.pem -text
Test explicit TLS with FTPS server
openssl s_client -starttls ftp -connect localhost:21
Get cert file from site
openssl s_client -connect example.com:443 -servername example.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -in - -text -noout
-connect can be the IP address of a server and does not have to match -servername, which is the hostname sent via SNI (a bare hostname, without a port).
Get OCSP stapling info
echo QUIT | openssl s_client -servername www.example.com -connect xx.xxx.xxx.xx:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
Check if certificate is valid with private key
If you get an error like this:
Oct 23 17:55:05 hpb01-rp nginx[2837]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/some.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Check certificate and private key
openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1
Both commands must print the same SHA-1 digest. If the digests differ, the private key does not belong to the certificate.
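Added example, not part of the original wiki page: the -modulus comparison above only works for RSA keys, so this shell function compares the public key embedded in the certificate with the one derived from the private key, which also covers EC and Ed25519 keys. The function names (cert_pubkey, key_pubkey, cert_matches_key) are hypothetical helpers, and the file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page).
# Usage after sourcing this file:
#   cert_matches_key /path/to/yourdomain.crt /path/to/your.key && echo match
# Return codes of cert_matches_key:
#   0 = certificate and private key belong together
#   1 = both files parse, but the public keys differ
#   2 = one of the files is missing or cannot be parsed

cert_pubkey() {
    # Extract the public key (SubjectPublicKeyInfo) from a PEM certificate.
    # The result is captured first so a failed parse is not silently piped on.
    _pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$_pem" ] || return 2
    # Re-encode through `pkey` so both sides are normalized by the same tool.
    printf '%s\n' "$_pem" | openssl pkey -pubin -pubout 2>/dev/null
}

key_pubkey() {
    # Derive the public key from the private key. `pkey` handles RSA, EC and
    # Ed25519 alike, unlike `openssl rsa -modulus`.
    openssl pkey -in "$1" -pubout 2>/dev/null
}

cert_matches_key() {
    _c=$(cert_pubkey "$1") || return 2
    _k=$(key_pubkey "$2") || return 2
    # An empty result means a parse failure; never treat two empty strings
    # as a match.
    [ -n "$_c" ] && [ -n "$_k" ] || return 2
    [ "$_c" = "$_k" ]
}
```

Only public key material is compared, so nothing derived from the private key beyond its public half is written to the terminal or to disk.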
Additional commands that can be used to inspect Certificates
The openssl x509 utility also allows you to extract specific pieces of information from the certificate file instead of the entire content of a certificate in text.
openssl x509 -in google.com-cert -noout -serial
openssl x509 -in google.com-cert -noout -issuer
openssl x509 -in google.com-cert -noout -dates
openssl x509 -in google.com-cert -noout -subject
openssl x509 -in google.com-cert -noout -pubkey
openssl x509 -in google.com-cert -noout -modulus
openssl x509 -in google.com-cert -noout -ocsp_uri
Note: Last command may not work in all versions of OpenSSL
You can also mix and match arguments from the last step:
openssl x509 -in google.com-cert -noout -subject -issuer
openssl x509 -in google.com-cert -noout -serial -dates
You can also request specific extensions from the certificate:
openssl x509 -in google.com-cert -noout -ext subjectAltName
openssl x509 -in google.com-cert -noout -ext basicConstraints
openssl x509 -in google.com-cert -noout -ext crlDistributionPoints
openssl x509 -in google.com-cert -noout -ext keyUsage
openssl x509 -in google.com-cert -noout -ext extendedKeyUsage
openssl x509 -in google.com-cert -noout -ext authorityInfoAccess
openssl x509 -in google.com-cert -noout -ext subjectKeyIdentifier
openssl x509 -in google.com-cert -noout -ext authorityKeyIdentifier
wiki/openssl_commands.1679065908.txt.gz · Last modified: 2023/03/17 16:11 by antisa