OpenSSL usage tips and examples
The OpenSSL (http://openssl.org/) toolkit can be a complicated beast for the new user. This tutorial page intends to shed some light on how to accomplish some typical operations, such as viewing an x.509 (also called SSL/TLS) certificate details or creating a SSL (client) connection to an email server that supports STARTTLS.
Keywords: openssl, tutorial, instructions, cheatsheet, howto, how-to, guide, ssl, tls, encryption, pki, x509, x.509, certificate, key, cert, crt, csr, pem, request, sign, signer, signing, authority, revoke, revocation, crl, ocsp, online, protocol, sha1, md5
Create 2 year self-signed certificate (and key)
openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt
Create 2 year self-signed certificate with existing key
openssl req -key www.example.com.key -new -days 730 -nodes -x509 -out www.example.com.crt
Generate a new CSR with a new key
openssl req -new -nodes -keyout <newkeyfile>.key -out <commonname>.csr
Generate a new CSR with an existing key
openssl req -new -key <keyfile>.key -out <commonname>.csr
View certificates details
openssl x509 -in filename.crt -noout -text
Where filename corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.
View the details of a certificate revocation list (CRL)
openssl crl -in filename.crl -noout -text
Where filename corresponds to the CRL file, which typically would end in .crl or .pem
Convert DER (binary) to PEM (base-64) format
Converts a DER format certificate to PEM - which is more widely used in applications such as apache.
openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der
Generate the hash value from a certificate
Sometimes useful when you want to store multiple CA certificates as separate files in a directory configured into your application.
openssl x509 -hash -noout -in certfile.pem
Put another way, here is how to generate the linkage required for a certificate CA path of /etc/ssl/certs for a given cert.
cd /etc/ssl/certs sudo ln -s certfile.pem `openssl x509 -hash -noout -in certfile.pem`.0
Verify a key & certificate match
Use the modulus flag for x509 or rsa
$ openssl x509 -noout -modulus -in example.crt | openssl md5 (stdin)= dcdcc62746914ff3fd951e624a0431f8 $ openssl rsa -noout -modulus -in example.key | openssl md5 (stdin)= dcdcc62746914ff3fd951e624a0431f8
If the two hashes match, the cert and key are a valid pair.
Connects to a mail server and starts TLS session, shows all the server certs (certificate chain) with -showcerts.
openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts
Note: only support in newer versions of openssl (check man page for -starttls option)