Openssl commands

Get cert expiration date from cert file

 openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem

Verfiy certs

 openssl verify -CAfile certs/rootCA.crt certs/client.crt

 openssl verify -CAfile certs/rootCA.crt certs/server.crt

Query site for expiration date

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer

Determine a Key Size from

Private Key

 openssl rsa -in secret.key -text -noout | grep "Private-Key"

Public Key

 openssl pkey -inform PEM -pubin -in pub.key -text -noout

Display the contents of a PEM formatted certificate

 openssl x509 -in example.com.pem -text

Test explicit TLS with FTPS server

 openssl s_client -starttls ftp -connect localhost:21

Get cert file from site

openssl s_client -connect example.com:443 -servername example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -in - -text -noout

-connect can be the IP address of a server and is not necessarily the same as the -servername

Get OCSP stapling info

echo QUIT | openssl s_client -servername www.example.com:443 -connect xx.xxx.xxx.xx:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

Check if certificate is valid with private key

If you get an error like

Oct 23 17:55:05 hpb01-rp nginx[2837]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/some.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Check certificate and private key

openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1

openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1

You need to get the same sha sum from both commands.

Additional commands that can be used to inspect Certificates

The openssl x509 utility also allows you to extract specific pieces of information from the certificate file instead of the entire content of a certificate in text.

openssl x509 -in google.com-cert -noout -serial

openssl x509 -in google.com-cert -noout -issuer

openssl x509 -in google.com-cert -noout -dates

openssl x509 -in google.com-cert -noout -subject

openssl x509 -in google.com-cert -noout -pubkey

openssl x509 -in google.com-cert -noout -modulus

openssl x509 -in google.com-cert -noout -ocsp_uri

Note: Last command may not work in all versions of OpenSSL

You can also mix and match arguments from the last step:

openssl x509 -in google.com-cert -noout -subject -issuer

openssl x509 -in google.com-cert -noout -serial -dates

You can also request specific extensions from the certificate:

openssl x509 -in google.com-cert -noout -ext subjectAltName

openssl x509 -in google.com-cert -noout -ext basicConstraints

openssl x509 -in google.com-cert -noout -ext crlDistributionPoints

openssl x509 -in google.com-cert -noout -ext keyUsage

openssl x509 -in google.com-cert -noout -ext extendedKeyUsage

openssl x509 -in google.com-cert -noout -ext authorityInfoAccess

openssl x509 -in google.com-cert -noout -ext subjectKeyIdentifier

openssl x509 -in google.com-cert -noout -ext authorityKeyIdentifier

antisaWiki

Table of Contents