generate private key and csr

# step 1: private key, step 2: a CSR signed with that key.
# NOTE: the key lands on disk unencrypted -- keep it out of tickets, chat and repos,
# and confirm the file is owner-only (chmod 600 privateKey.key) if your build did not
# already create it that way. 2048 bits is the floor public CAs accept today; use
# 3072/4096 (or an EC key) if local policy asks for more.
$ openssl genrsa -out privateKey.key 2048
$ openssl req -new -key privateKey.key -out CSR.csr

# or: key + CSR in one step, non-interactive
# -nodes  : "no DES", i.e. do not passphrase-protect the key (OpenSSL 3 spells it -noenc)
# -subj   : the subject as one string, so the command does not prompt.
#           public CAs have generally stopped issuing TLS certs that carry an OU, and
#           clients match the hostname against subjectAltName rather than CN -- if the
#           CSR must carry the SAN itself, add
#           -addext "subjectAltName=DNS:yourdomain.com" (OpenSSL 1.1.1+).
$ openssl req -out CSR.csr \
              -new -newkey rsa:2048 \
              -nodes \
              -keyout privateKey.key \
              -subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

the CSR subject needs the following fields (answered at the prompts, or passed with -subj as above):

  • Country Name: 2-letter ISO 3166-1 alpha-2 code of the country where the organization is legally located (e.g. US).
  • State/Province: full name of the state or province where the organization is legally located.
  • City: full name of the city where the organization is legally located.
  • Organization Name: the legal name of the organization.
  • Organization Unit: department name. Public CAs stopped issuing TLS certificates containing an OU in 2022, so expect it to be dropped or rejected.
  • Common Name: Fully Qualified Domain Name. Clients match the hostname against subjectAltName, not CN, so a CA-issued certificate will also need the SAN entries; CN alone is not enough.

generate a self-signed certificate

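# self-signed certificate: new key + certificate in one step, valid for 365 days.
# -x509    : emit a certificate instead of a CSR (it signs itself with the new key)
# -sha256  : signature digest; already the default on current OpenSSL, kept explicit
# -nodes   : the private key is written unencrypted -- protect the file (chmod 600)
# -addext  : subjectAltName is what clients match the hostname against; a self-signed
#            cert with only a CN is refused by modern browsers and TLS libraries.
#            (-addext needs OpenSSL 1.1.1+; on older builds supply a [v3_req] section via -config)
# the subject fields are still prompted for; add -subj "/CN=yourdomain.com" to skip the prompts.
$ openssl req -x509 \
              -sha256 \
              -nodes \
              -days 365 \
              -newkey rsa:2048 \
              -addext "subjectAltName=DNS:yourdomain.com" \
              -keyout privateKey.key \
              -out certificate.crt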

check ssl certificate

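  • check private key info
    # -text dumps the private exponent and primes to the terminal: the output IS the secret,
    #       so do not paste it into tickets or logs.
    # -check additionally verifies the key's internal consistency (n = p*q, d matches e)
    $ openssl rsa -noout -text -check -in privateKey.key
    
  • check csr info
    # -verify checks the CSR's self-signature, i.e. that it really was signed by the private
    #         key whose public half it carries ("verify OK" on success)
    $ openssl req -text -noout -verify -in CSR.csr
    
  • view ssl certificate info
    # full decoded dump: subject/issuer, validity, public key, extensions (SAN, key usage, ...)
    $ openssl x509 -text -noout -in certificate.crt
    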
    

get issuer

# -servername sends SNI; leave it out only for a single-host server, otherwise a shared
#             host may hand back its default certificate and you read the wrong issuer.
# 2>/dev/null hides s_client's connection and verify diagnostics, so a failed handshake
#             just produces no output; check the exit status or drop the redirect when debugging.
# x509 parses only the first (leaf) certificate in the s_client output.
# (echo -n | ... just closes stdin so s_client exits after the handshake; </dev/null does the same)
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -issuer

get subject

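# the subject's CN alone does not tell you which hostnames the certificate is valid for --
# clients match against subjectAltName, so dump that as well.
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -subject

# or: subject plus the SAN list (x509 -ext needs OpenSSL 1.1.1+)
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -subject -ext subjectAltName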

get expiration date

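# -dates prints notBefore and notAfter of the leaf certificate; times are GMT.
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates

# or, from a local file
$ openssl x509 -enddate -noout -in /path/to/name.pem

# or, for scripts and monitoring: -checkend SECONDS exits 0 if the certificate is still
# valid that many seconds from now and 1 if it will have expired (7 days = 604800),
# which is easier to act on than parsing the date text
$ openssl x509 -checkend 604800 -noout -in /path/to/name.pem

# i.e.:
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates
notBefore=Sep  8 00:00:00 2021 GMT
notAfter=Aug 18 23:59:59 2022 GMT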

get serial number

# the serial number is unique only within one issuer -- pair it with the issuer when
# matching against CRLs (which list revoked certs by serial), CT logs or a CA's records.
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -serial
serial=038**************************9CE

# or from a local file
$ openssl x509 -noout -serial -in server.crt
serial=038**************************9CE

show multiple information

# several selectors can be combined in one x509 call; each field prints on its own line
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates -subject -issuer

show fingerprint

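# -fingerprint hashes the DER form of the whole certificate. Its default digest is SHA-1,
# so ask for SHA-256 explicitly -- that is the value to compare against what the operator
# published out of band, and the one to use for any new pinning configuration.
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -fingerprint -sha256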

extract from the ssl certificate (decoded)

# full decoded dump of the leaf certificate straight from the live connection: the same
# output as "openssl x509 -text" on a file, including whatever extensions it carries
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -text

show the ssl certificate

# PEM of the LEAF certificate only (x509 stops after the first certificate it reads).
# append "> leaf.pem" to keep it; for every certificate the server sent, add -showcerts
# to s_client and drop the x509 filter.
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

verifying the keys match

# each command prints the SHA-256 of the PEM-encoded public key; all three digests must be
# identical if key, CSR and certificate belong together. pkey handles RSA and EC keys alike
# (an encrypted key prompts for its passphrase).
$ openssl pkey -pubout -in privateKey.key | openssl sha256
# or
$ openssl req -pubkey -in CSR.csr -noout | openssl sha256
# or
$ openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

check remote certificate chain


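# subject/issuer summary of every certificate the server SENT, leaf first. This says nothing
# about whether the chain VERIFIES -- see the "Verify return code" command below.
# -servername added so an SNI host returns the certificate for that name, not its default.
$ echo -n |
       openssl s_client -servername <domain.com> -connect <domain.com>:<port> 2>/dev/null |
       awk '/Certificate chain/,/---/'
# or
$ echo -n |
       openssl s_client -servername <domain.com> -connect <domain.com>:<port> 2>/dev/null |
       sed -n '/Certificate chain/,/---/p'

# does the chain validate against the local trust store?  0 = ok, anything else is the
# X509 verify error number and text. -verify_return_error makes a failed verification
# also fail the handshake, which is what you want in scripts; -CAfile <bundle.pem> points
# at a specific trust store instead of the system default.
# (if you add -showcerts to dump the PEM blocks, the awk/sed ranges above stop early at the
#  first "-----BEGIN CERTIFICATE-----" line -- read the full output instead.)
$ echo -n |
       openssl s_client -servername <domain.com> -connect <domain.com>:<port> 2>/dev/null |
       grep 'Verify return code'

# i.e.:
$ echo -n |
       openssl s_client -connect google.com:443 2>/dev/null |
       awk '/Certificate chain/,/---/'
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 30 12:32:53 2024 GMT; NotAfter: Oct 22 12:32:52 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---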