Creating

Create a csr and key

openssl req -new -out fqdn.csr -newkey rsa:4096 -nodes -keyout fqdn.key -subj /C=US/ST=State/L=City/O=Company/CN=fqdn

Create a self signed cert and key

openssl req -x509 -days 3650 -out fqdn.crt -newkey rsa:4096 -nodes -keyout fqdn.key -subj /C=US/ST=State/L=City/O=Company/CN=fqdn

Create a csr using an existing key

openssl req -new -out fqdn.csr -key fqdn.key -subj /C=US/ST=State/L=City/O=Company/CN=fqdn

Create just a key

openssl genrsa -out fqdn.key 4096

Reading

Show a cert’s fingerprint

openssl x509 -in fqdn.crt -noout -fingerprint -sha256

Show a cert’s expiration

openssl x509 -in fqdn.crt -noout -enddate

Show a cert’s details

openssl x509 -in fqdn.crt -noout -text

Show a csr’s details

openssl req -in fqdn.csr -noout -text 

Show your openssl version

openssl version

Verifying

Verify a cert matches a key

openssl x509 -noout -modulus -in fqdn.crt | openssl sha256
openssl rsa -noout -modulus -in fqdn.key | openssl sha256
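
The modulus comparison above only works for RSA keys. As an added example (not part of the original cheat sheet), the script below compares the full public key instead, so it also covers EC and Ed25519 keys and can include the csr. The function names pubkey_hash and same_key are made up for this example, and it assumes an unencrypted key like the ones created with -nodes above.

```shell
#!/bin/sh
# Added example: check that a cert, a private key and (optionally) a csr
# all carry the same public key, whatever the key algorithm.

# pubkey_hash KIND FILE -> prints the SHA-256 of the PEM public key.
# KIND is cert, csr or key. Returns 2 if the file cannot be parsed, so a
# failed read is never mistaken for a match (two empty outputs hash alike).
pubkey_hash() {
    case $1 in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 2
    [ -n "$pub" ] || return 2
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key CERT KEY [CSR]
# Returns 0 on match, 1 on mismatch, 2 if any input is unreadable.
same_key() {
    c=$(pubkey_hash cert "$1") || return 2
    k=$(pubkey_hash key "$2") || return 2
    [ "$c" = "$k" ] || return 1
    if [ -n "${3:-}" ]; then
        r=$(pubkey_hash csr "$3") || return 2
        [ "$r" = "$c" ] || return 1
    fi
    return 0
}

# Command-line use: sh keymatch.sh fqdn.crt fqdn.key [fqdn.csr]
if [ "$#" -ge 2 ]; then
    rc=0
    same_key "$@" || rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "MISMATCH" ;;
        *) echo "could not read input" ;;
    esac
fi
```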

Verify a key is valid

openssl rsa -in fqdn.key -check

Verify a cert against the system trust store

openssl verify cert.crt

Verify a cert against a specific trust store

openssl verify -CAfile /path/to/ca/file cert.crt

Converting

Convert der to pem

openssl x509 -in fqdn.der -inform der -out fqdn.crt

Inspecting remote certs with s_client

Show a cert’s details

echo | openssl s_client -connect google.com:443 2> /dev/null | sed -n '/-BEGIN/,/-END/p' | openssl x509 -noout -text

Only show certificate trust info

openssl s_client -connect google.com:443 -quiet

Show intermediate certs

openssl s_client -connect google.com:443 -showcerts

Make s_client exit when it’s complete

echo | openssl s_client ...