OpenSSL is an open-source software library designed to secure digital communications and certificates. It is used by many websites and organizations worldwide to encrypt information in transit, such as emails, web traffic, and other data exchanged over the internet or computer networks. OpenSSL also provides a way for trusted entities to sign documents or digital certificates in order to verify the authenticity and integrity of the data. OpenSSL provides an invaluable security layer that helps to protect online transactions from malicious actors.
This article provides an overview of commonly used OpenSSL commands to work with SSL certificates. It covers operations such as generating a new certificate, checking the details of an existing certificate, converting a certificate into a different format, debugging when an error occurs, and pretty much everything you need to know about OpenSSL.
The commands covered here are useful for creating, managing, and troubleshooting SSL certificates on various platforms, which makes this article a practical reference for system administrators and security professionals. The article also shows how to use these commands in real-world scenarios, with screenshots, so that readers can quickly and efficiently work with SSL certificates using OpenSSL.
OpenSSL is an open-source software library that provides cryptographic protocols and security algorithms for implementing secure communications over computer networks. It can be used to protect data from eavesdropping and to encrypt email messages, payment transactions, and other sensitive information. OpenSSL supports a wide range of cryptographic functions, including digital signatures, key exchange, and public-key encryption schemes. It is widely used for web-based applications and can be integrated into a variety of software programs.
The OpenSSL library is available on Linux, macOS, and Windows, making it a popular choice amongst developers who need secure communication protocols. By leveraging the functions of OpenSSL, developers can create highly secure applications that protect user data from malicious actors.
OpenSSL is a powerful and versatile tool that can be used for a wide range of tasks. Some of the things that can be done using OpenSSL include the following:
Creating and managing SSL certificates: OpenSSL allows users to easily create and manage SSL certificates, which can be used to prove the identity of the entity.
Creating and verifying digital signatures: OpenSSL’s libraries can be used to create digital signatures, which can be used to authenticate the identity of the sender and the integrity of the message.
Generating private keys and certificate signing requests: OpenSSL can be used to generate private keys and CSRs, which are used in the process of obtaining an SSL certificate from a certificate authority.
Creating and managing Certificate Authorities and Certificate Revocation Lists: OpenSSL can be used to create and manage CAs and CRLs, which are used to issue and revoke SSL certificates that have been compromised or are no longer needed.
Converting certificate formats: OpenSSL can be used to convert certificates between different formats, such as CRT, CER, PEM, DER, PKCS7, and PKCS#12.
Inspecting SSL Certificates: OpenSSL can be used to check the details of existing certificates, such as the validity period, the subject and issuer, and other details.
SSL/TLS Testing: OpenSSL can be used to test the SSL/TLS configurations of servers and clients.
Please read these posts to learn more about OpenSSL and Digital Certificate:
How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL?
Step-By-Step Procedure To Install OpenSSL On The Windows Platform
How To Set Up A Certificate Authority On Ubuntu Using OpenSSL?
What Is A PKI Certificate? What Are The Different Types Of PKI Certificates?
What Is The Difference Between A Standalone And An Enterprise CA
How you check whether OpenSSL is installed depends on the operating system platform; each operating system has its own procedure.
Windows: On Windows, you can check if OpenSSL is installed by going to the Add/Remove Programs underneath Control Panel and searching for “OpenSSL”. If it’s installed, it will appear in the list of installed programs.
macOS: you can check by searching for OpenSSL in the Applications folder.
Linux: Open a terminal window and type “openssl version” (without quotes). If OpenSSL is installed, it will display the version number of your installed version.
Generally, the Linux method (running openssl version) also works on Windows and macOS, provided OpenSSL is on your PATH. If you are not sure where OpenSSL is installed, check the OpenSSL documentation, which contains information on how to install it on various platforms.
Run this command on the terminal to check the version of OpenSSL.
$ openssl version
Here are some important abbreviations related to certificates:
SSL: Secure Sockets Layer, a protocol used to establish secure connections over the internet.
TLS: Transport Layer Security, a successor to SSL, which is used to establish secure connections over the internet.
CA: Certificate Authority, an organization that issues digital certificates used to establish trust in SSL/TLS connections.
CSR: Certificate Signing Request, a file that contains information about the certificate holder and the public key. It is used to apply for a certificate from a CA.
CRT: Certificate, a digital certificate issued by a CA that contains information about the certificate holder and the public key.
PEM: Privacy-enhanced Electronic Mail, a Base64 encoded file format that is used to store SSL/TLS certificates, private keys, and other cryptographic objects.
DER: Distinguished Encoding Rules, a binary format used to store SSL/TLS certificates, private keys, and other cryptographic objects.
PKCS: Public-Key Cryptography Standards, a set of standards for public-key cryptography, which includes formats for storing certificates and keys.
X.509: A standard that defines the format of digital certificates used in SSL/TLS connections.
CRL: Certificate Revocation List, a CA-published list of certificates that have been revoked before their expiry because they were compromised or are no longer needed, so that clients can reject them.
SAN: Subject Alternative Name, a field in an SSL/TLS certificate that allows multiple hostnames or IP addresses to be associated with a single certificate.
OV: Organization Validation, a type of SSL/TLS certificate that requires additional validation of the organization’s identity before the certificate is issued.
EV: Extended Validation, a type of SSL/TLS certificate that requires the highest level of validation of the organization’s identity before the certificate is issued.
OCSP: Online Certificate Status Protocol, a protocol used to check the revocation status of a certificate in real time.
CAA: Certificate Authority Authorization, a DNS record that specifies which CAs are authorized to issue certificates for a domain.
ECC: Elliptic Curve Cryptography, a type of public-key cryptography that uses elliptic curve mathematics to provide the same level of security as traditional methods with smaller key sizes.
RSA: Rivest–Shamir–Adleman, a widely used public-key encryption algorithm that is based on the mathematical properties of large prime numbers.
DH: Diffie-Hellman, a key-agreement protocol that allows two parties to establish a shared secret over an insecure communication channel.
AES: Advanced Encryption Standard, a widely used symmetric encryption algorithm that can be used to encrypt and decrypt data.
SHA: Secure Hash Algorithm, a widely used cryptographic hash function that can be used to create a unique digital fingerprint of a message or data.
HSM: Hardware Security Module, a physical device that can store and manage cryptographic keys, and perform cryptographic operations.
PKI: Public Key Infrastructure, a set of policies, procedures, and technologies used to manage digital certificates and public-key encryption.
DSA: Digital Signature Algorithm, a standard for digital signatures, based on the mathematical properties of modular arithmetic and the discrete logarithm problem.
ECDSA: Elliptic Curve Digital Signature Algorithm, a digital signature algorithm based on elliptic curve cryptography, that can be used to create digital signatures.
Generating a self-signed certificate using OpenSSL is a relatively simple process. The first step is to generate the key pair, which has a private key as well as a public key; the private key is used to sign the certificate in Step 4. The second step is to extract the public key from the key pair. The third step is to generate a Certificate Signing Request (CSR). A CA would normally use the CSR to issue a certificate; for a self-signed certificate, you sign it yourself with the private key from Step 1. You will be prompted to enter a variety of information, such as the common name, organization name, organizational unit, country code, email address, and more. Finally, generate the self-signed certificate using the private key and CSR. Simple, isn't it?
To create the key pair, run this command in your terminal:
$ openssl genrsa -out private.key 2048
This command will generate an RSA key pair with a length of 2048.
Run this command to extract the public key from the key pair generated in step 1.
$ openssl rsa -in private.key -pubout -out public.key
The next step is to generate a Certificate Signing Request (CSR). A CA would normally use this to issue the certificate; for a self-signed certificate, it is signed with your own private key in the next step. To generate the CSR, run this command in your terminal:
$ openssl req -new -key private.key -out certificate.csr
You will be prompted to enter a variety of information, such as the common name, organization name, organizational unit, country code, email address, optional challenge password, and more. Enter valid input for each prompt. For example, the country name must be a two-letter country code, and the common name must be the FQDN or IP address for which you are getting the certificate. The CSR is now ready to be signed.
We suggest verifying the CSR generated before you submit it to the Certificate Authority. Run this command to verify the details of your CSR.
$ openssl req -text -in certificate.csr -noout -verify
Finally, generate the self-signed certificate using the private key and CSR. Run this command to generate the self-signed certificate on the terminal:
$ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365
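The four steps above as one non-interactive script, added here as an example (not part of the original article): the -subj option supplies the CSR fields so no prompts appear, the CSR's own signature is checked before it is used, and two small helpers confirm the result really is self-signed (subject equals issuer). "Example Lab", the directory layout and the common name are constructed sample values.

```shell
#!/bin/sh
# Added example: the article's four-step self-signed certificate procedure,
# scripted. Requires the openssl binary on PATH.
set -eu

# Generate key pair, public key, CSR and self-signed certificate in $1 for CN $2.
make_self_signed() {
    dir=$1
    cn=$2
    # Step 1: RSA key pair (the private key file also carries the public key).
    openssl genrsa -out "$dir/private.key" 2048
    # Step 2: extract the public key on its own.
    openssl rsa -in "$dir/private.key" -pubout -out "$dir/public.key"
    # Step 3: CSR; -subj replaces the interactive prompts (constructed values).
    openssl req -new -key "$dir/private.key" -out "$dir/certificate.csr" \
        -subj "/C=US/O=Example Lab/CN=$cn"
    # Check the CSR's own signature before using it.
    openssl req -in "$dir/certificate.csr" -noout -verify
    # Step 4: self-sign the request with the same private key.
    openssl x509 -req -in "$dir/certificate.csr" -signkey "$dir/private.key" \
        -days 365 -out "$dir/certificate.crt"
}

# Print the CN from a certificate's subject (works with old and new subject output styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeed only if subject equals issuer, the defining property of a self-signed certificate.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Stand-alone demo in a throwaway directory.
work=$(mktemp -d)
make_self_signed "$work" demo.example
echo "CN: $(cert_cn "$work/certificate.crt")"
is_self_signed "$work/certificate.crt" && echo "self-signed: yes"
rm -rf "$work"
```

The subject/issuer comparison is the quickest way to spot a self-signed certificate when reviewing an unknown file; a certificate issued by a CA will show the CA's name as issuer instead.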
Before we head toward the most useful OpenSSL commands to work with SSL certificates, let’s see the structure of OpenSSL commands.
The structure of a simple OpenSSL command typically looks like this:
openssl <command> <options>
The main command is ‘openssl’, followed by a subcommand <command> and its <options>. A single invocation runs one subcommand, but it can take many options, so several things (input, output, validity, signing key) can be set in a single command.
The subcommand can be any of the cryptographic functions supported by the OpenSSL library. Some examples of subcommands include genpkey, req, x509, pkcs12, rsa, verify, etc. These subcommands are used to perform specific cryptographic operations.
Options <options> are any additional arguments the command needs. Typically, options are used to give input to or get output from the command. Examples: -req, -days, -in, -out, etc.
If you struggle to tell ‘subcommands’ from ‘options’ in lengthy OpenSSL commands, here is the tip: the key identifier that differentiates ‘subcommands’ from ‘options’ is the ‘-’ symbol.
Example for a simple OpenSSL command:
$ openssl genrsa -out private.key 2048
In the above command, ‘genrsa’ is the subcommand, ‘-out’ is an option, ‘private.key’ specifies the output file name, and ‘2048’ is the key pair length.
Example of an OpenSSL command with multiple options:
$ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365
In this section, we are going to see the Most Useful OpenSSL Commands to Work With SSL Certificates.
$ openssl genrsa -out private.key 2048
This command generates a new RSA key pair and saves it in a file named “private.key” in the current directory.
$ openssl rsa -in private.key -pubout -out public.key
This command extracts the public key from the ‘private.key’ key pair and saves it in ‘public.key’ file.
$ openssl req -new -key private.key -out certificate.csr
This command will prompt you to enter a variety of information, such as the common name, organization name, organization unit, country code, email address, optional password, and many more. Enter the valid input it asks to generate the CSR. This command generates a CSR and saves it in a file named ‘certificate.csr.’
$ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365
This command generates a self-signed certificate and saves it in a file named ‘certificate.crt.’
openssl req -out certificate.csr -new -newkey rsa:2048 -nodes -keyout private.key
This command generates a new private key and CSR in one step and saves them in files named ‘certificate.csr’ and ‘private.key’ (-nodes leaves the key unencrypted).
openssl req -out newcsr.csr -key private.key -new
This command generates a new CSR and saves it in a file named ‘newcsr.csr’ for the existing private key.
openssl x509 -x509toreq -in certificate.crt -out newcsr2.csr -signkey private.key
This command regenerates a Certificate Signing Request (CSR) from the existing certificate ‘certificate.crt’ (-x509toreq), signs it with ‘private.key’, and saves it in a file named ‘newcsr2.csr.’
openssl rsa -aes256 -in private.key -out private_secure.pem
OR
openssl rsa -aes256 -in private.key -out private_secure.key
You can keep the encrypted key pair in .key or .pem format. Both are valid.
openssl rsa -in private_secure.pem -out newprivate.pem
OR
openssl rsa -in private_secure.key -out newprivate.key
This command removes the passphrase and decrypts the private key, and saves it in a file named newprivate.key.
There could be several reasons why you may need to convert SSL certificates from one format to another. The main reason would be compatibility. Different systems and applications may require certificates to be in a specific format. Some systems or applications may not be able to handle certain file formats. In such cases, it is necessary to convert the certificate to a different format that the system or application can understand. For example, some web servers may require certificates to be in PEM format, while others may require them to be in PKCS#12 format.
OpenSSL can be used to convert SSL certificates between different formats. Let’s see how to convert from one file format to another.
openssl x509 -inform der -in certificate.crt -out certificate.pem
This command will convert the certificate in CRT format named “certificate.crt” to PEM format and save it in a file named “certificate.pem” in the current directory. Note: this command can be used to convert .cer certificates.
PEM Certificate vs PEM Key file
A PEM certificate and a PEM key file are different entities made for different purposes. They are not interchangeable, so don't confuse them.
PEM stands for Privacy Enhanced Mail. A PEM certificate file is used to store X.509 certificates, whereas a PEM key file is used to store private or public keys.
A PEM certificate typically contains the public key of a certificate and not the private key.
A PEM certificate file typically contains the following information:
The X.509 certificate in base64 encoded format
The certificate’s public key
Optionally, any intermediate CA certificates
Use the ‘cat’ command to tell a PEM key file from a PEM certificate: a PEM key file that contains a private key typically has a header that says “BEGIN RSA PRIVATE KEY” or “BEGIN PRIVATE KEY”, whereas a certificate starts with “BEGIN CERTIFICATE”.
openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b
This command will convert the certificate in CRT format named “certificate.crt” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory.
PKCS#12 and PFX are both file formats that are used to store X.509 certificates and private keys. The main difference between them is the file extension, PKCS#12 uses the file extension .p12 or .pfx, and PFX uses the file extension .pfx. Both formats are used for the same purpose, which is to provide a secure way to store and transport digital certificates and private keys. PKCS#12 is the standard for storing the certificate and private key developed by RSA Laboratories, while PFX is Microsoft’s variant of the PKCS#12 standard.
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12
OR
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.pfx
This command will convert the certificate in CRT format named “certificate.crt” and private key named “private.key” to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.
It’s important to note that PKCS#12 format is also known as P12 format, and it is used to store one or more certificates together with the private key. The file is encrypted by default rather than being plain base64, and OpenSSL will prompt you for a password to protect the certificate and key.
openssl x509 -in certificate.crt -outform DER -out certificate.der
This command will convert the certificate in CRT format named “certificate.crt” to DER format and save it in a file named “certificate.der” in the current directory.
It’s important to note that DER is a binary format, not base64, and it is typically used to store X.509 certificates and CRLs (Certificate Revocation Lists) in a compact and efficient way.
openssl x509 -inform DER -in certificate.der -out certificate.pem
This command will convert the certificate in DER format named “certificate.der” to PEM format and save it in a file named “certificate.pem” in the current directory.
openssl x509 -inform DER -in certificate.der -out certificate.crt
This command will convert the certificate in DER format named “certificate.der” to CRT format and save it in a file named “certificate.crt” in the current directory.
It’s important to note that the CRT file format is just a container format, and the data inside it can be encoded in various ways, and it is commonly used to store X.509 certificates.
openssl crl2pkcs7 -nocrl -certfile certificate.der -out certificate.p7b
This command will convert the certificate in DER format named “certificate.der” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory.
It’s important to note that PKCS7 format is also known as P7B format, and it is used to store one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key.
Practically, it is not possible to convert DER directly to PKCS#12, since DER is a binary encoding that the pkcs12 subcommand does not read. Convert the certificate to CRT or CER (PEM) first, then convert it to PKCS#12 or P12. Please refer to the #3 command for more information.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
This command will convert the certificate in PKCS7 format named “certificate.p7b” to CRT format and save it in a file named “certificate.crt” in the current directory.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format and save it in a file named “certificate.pem” in the current directory.
It is not possible to directly convert a certificate from PKCS7 format to PKCS#12 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. At the same time, PKCS#12 format is used to store one or more certificates and a private key.
In order to convert a certificate from PKCS7 format to PKCS#12 format, you will need to first extract the private key and the certificate in PEM format and then use the OpenSSL command to create a PKCS#12 file which includes both the certificate and the private key.
Here is an example command:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12
The first command converts the certificate in PKCS7 format named “certificate.p7b” to PEM format; the second converts that PEM certificate together with the private key to PKCS#12 format and saves it in a file named “certificate.p12” in the current directory.
It is not possible to directly convert a certificate from PKCS7 format to DER format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. While DER format is a binary format, and it is typically used to store X.509 certificates and CRLs (Certificate Revocation Lists) in a compact and efficient way.
In order to convert a certificate from PKCS7 format to DER format, you will need to first extract the certificate in PEM format and then use the OpenSSL command to convert PEM to DER format.
Here is an example command:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
openssl x509 -in certificate.pem -outform DER -out certificate.der
This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format using the first command, and then using the second command, it will convert the PEM format certificate to DER format and save it in a file named “certificate.der” in the current directory.
The PEM format and CRT format are both base64 container formats that are used to store X.509 certificates. PEM is used to store public certificates or the entire certificate chain (private key, public key, root certificates). So a certificate in PEM format can be used as it is in CRT format because it is the same format; only the file extension differs. PEM can be used wherever CRT is being used. No conversion is required.
openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12
This command will convert the certificate in PEM format named “certificate.pem” and the private key named “private.key” to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.
It is not possible to directly convert a certificate from PEM format to PKCS7 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. While PEM format can include just the public certificate or the entire certificate chain (private key, public key, root certificates), and it is base64 encoded.
In order to convert a certificate from PEM format to PKCS7 format, you will need to first extract the public certificate and any intermediate CA certificates from the PEM file, then use the OpenSSL command to create a PKCS7 file.
openssl x509 -in certificate.pem -outform DER -out certificate.der
This command will convert the certificate in PEM format named “certificate.pem” to DER format and save it in a file named “certificate.der” in the current directory.
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
This command will convert the certificate in PKCS#12 format named “certificate.p12” to PEM format and save it in a file named “certificate.pem” in the current directory. It will prompt you to enter the password that was used to encrypt the certificate in PKCS#12 format. If the certificate was not encrypted, you don’t have to use the -nocerts option.
The CRT format and PKCS#12 format are both container formats that are used to store X.509 certificates. The CRT file format is used to store X.509 certificates, While PKCS#12 format is used to store one or more certificates and private key. It’s also encrypted by default.
It’s important to note that a certificate in the PKCS#12 format can be used as it is in a CRT format because it’s the same format, and it just depends on the file extension.
openssl pkcs12 -in certificate.p12 -nodes -nokeys | openssl x509 -outform DER -out certificate.der
This command extracts the certificate from the PKCS#12 file named “certificate.p12” (-nokeys leaves the private key out), and the openssl x509 stage re-encodes it as DER and saves it in a file named “certificate.der” in the current directory. It will prompt you to enter the password that was used to encrypt the PKCS#12 file. Without the x509 stage, the pkcs12 subcommand writes PEM regardless of the output file name.
It is not possible to directly convert a certificate from PKCS#12 format to PKCS7 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. At the same time, PKCS#12 format is used to store one or more certificates and private key. It’s also encrypted by default.
In order to convert a certificate from PKCS#12 format to PKCS7 format, you will need to first extract the public certificate and any intermediate CA certificates from the PKCS#12 file using OpenSSL, then use the OpenSSL command to create a PKCS7 file.
Here is an example command:
openssl pkcs12 -in certificate.p12 -out chain.pem -nokeys -nodes
openssl crl2pkcs7 -nocrl -certfile chain.pem -out certificate.p7b
The first command extracts the certificates (without the private key) from the PKCS#12 file named “certificate.p12” into “chain.pem”; the second packs them into PKCS7 format and saves the result in a file named “certificate.p7b” in the current directory. The first command will prompt you to enter the password that was used to encrypt the PKCS#12 file.
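The conversions above are lossless only if the certificate inside stays byte-for-byte the same, and the way to prove that is the SHA-256 fingerprint. The following script, added here as an example and not part of the original article, runs one certificate through PEM, DER, PKCS7 and PKCS#12 and back, using the same subcommands the article lists, and reports whether every copy carries the identical fingerprint. The subject "convert.example", the temporary file names and the PKCS#12 password "changeit" are constructed for the demo.

```shell
#!/bin/sh
# Added example: round-trip a certificate through every container format the
# article covers and confirm the fingerprint never changes. Needs openssl on PATH.
set -eu

# Print the SHA-256 fingerprint (hex only) of certificate $1 in encoding $2 (PEM or DER).
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -inform "$2" -in "$1" | cut -d= -f2
}

# Convert $1/cert.pem (with key $1/key.pem) through DER, PKCS7 and PKCS#12 and
# print "same" if every copy has the reference fingerprint, else "differs".
roundtrip_fingerprints() {
    dir=$1
    ref=$(fingerprint "$dir/cert.pem" PEM)

    # PEM -> DER (binary).
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.der"
    fp_der=$(fingerprint "$dir/cert.der" DER)

    # PEM -> PKCS7 (.p7b, certificates only) -> PEM.
    openssl crl2pkcs7 -nocrl -certfile "$dir/cert.pem" -out "$dir/cert.p7b"
    openssl pkcs7 -print_certs -in "$dir/cert.p7b" -out "$dir/from_p7b.pem"
    fp_p7b=$(fingerprint "$dir/from_p7b.pem" PEM)

    # PEM + key -> PKCS#12 (password protected) -> certificate only, back as PEM.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/cert.p12" -passout pass:changeit
    openssl pkcs12 -in "$dir/cert.p12" -nokeys -passin pass:changeit \
        | openssl x509 -out "$dir/from_p12.pem"
    fp_p12=$(fingerprint "$dir/from_p12.pem" PEM)

    if [ "$ref" = "$fp_der" ] && [ "$ref" = "$fp_p7b" ] && [ "$ref" = "$fp_p12" ]; then
        echo same
    else
        echo differs
    fi
}

# Create a throwaway self-signed certificate and key in $1 (constructed subject).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=convert.example" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

work=$(mktemp -d)
make_test_cert "$work"
echo "fingerprint: $(fingerprint "$work/cert.pem" PEM)"
echo "round trip:  $(roundtrip_fingerprints "$work")"
rm -rf "$work"
```

Passing the PKCS#12 password with -passin/-passout is what lets the script run unattended; in production, prefer reading it from a file (file:path) or the environment rather than leaving it on a command line that shows up in shell history and process listings.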
OpenSSL is a powerful tool that can be used to debug SSL certificates and keys. In this section, we show a few important commands you can try when you run into trouble.
openssl x509 -in certificate.crt -text -noout
This command will display the details of the certificate, including the subject, issuer, and the public key.
openssl x509 -in certificate.crt -enddate -noout
This command will display the expiration date of the certificate.
openssl rsa -in private.key -check
This command will check the private key and display any errors or warnings.
openssl req -text -in certificate.csr -noout -verify
This command verifies the signature on the certificate signing request (CSR) and displays its details, including the subject, any requested extensions, and the public key.
OpenSSL can be used to calculate the hash value (fingerprint) of an X.509 certificate. The fingerprint is a digest computed over the encoded certificate, so any change to the certificate changes it. It can be used to check the integrity of a certificate and to confirm that the copy you hold is the one you expect. Here are some common OpenSSL commands that can be used to print the fingerprint of a certificate:
openssl x509 -noout -fingerprint -md5 -inform pem -in certificate.crt
openssl x509 -noout -fingerprint -sha1 -inform pem -in certificate.crt
openssl x509 -noout -fingerprint -sha256 -inform pem -in certificate.crt
openssl x509 -noout -fingerprint -sha512 -inform pem -in certificate.crt
Note: It’s important to note that the above command will work only if the certificate is in PEM format. If you have a certificate in DER format, you need to use the -inform DER option.
openssl x509 -noout -fingerprint -sha1 -inform der -in certificate.crt
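The -enddate output above still has to be read by a human. For a check that can run from a script or a monitoring job, the x509 subcommand also has -checkend, which takes a number of seconds and exits 0 if the certificate is still valid that far into the future and 1 otherwise. The script below, added here as an example and not part of the original article, wraps it into an OK/EXPIRING/EXPIRED status with a 30-day warning window; the window, the subject and the two sample certificates (10 and 365 days) are constructed for the demo.

```shell
#!/bin/sh
# Added example: scriptable expiry check using "openssl x509 -checkend".
# Needs openssl on PATH.
set -eu

WARN_SECONDS=$((30 * 24 * 3600))   # warn when fewer than 30 days remain (constructed threshold)

# Print OK, EXPIRING or EXPIRED for the PEM certificate $1.
cert_expiry_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo EXPIRED            # notAfter is already in the past
    elif ! openssl x509 -in "$1" -noout -checkend "$WARN_SECONDS" >/dev/null; then
        echo EXPIRING           # still valid, but expires inside the warning window
    else
        echo OK
    fi
}

# Print just the notAfter date, the value the -enddate command above shows.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Generate a self-signed certificate valid for $2 days as $1/cert-$2.pem (constructed subject).
make_cert_valid_for() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=expiry.example" \
        -keyout "$1/key-$2.pem" -out "$1/cert-$2.pem" 2>/dev/null
}

work=$(mktemp -d)
for days in 10 365; do
    make_cert_valid_for "$work" "$days"
    echo "$days-day certificate: $(cert_expiry_status "$work/cert-$days.pem")" \
         "(notAfter $(cert_not_after "$work/cert-$days.pem"))"
done
rm -rf "$work"
```

Because -checkend does the date arithmetic inside OpenSSL, the script avoids parsing the notAfter string, which differs between GNU and BSD date tools.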
openssl s_client -connect host:port
This command will initiate an SSL connection to the specified host and port and display the details of the SSL connection, including the certificate chain and the cipher suite.
openssl s_client -connect host:port -ssl2
This command will initiate an SSL connection to the specified host and port using SSLv2 and display the details of the SSL connection.
openssl s_client -connect host:port -ssl3
This command will initiate an SSL connection to the specified host and port using SSLv3 and display the details of the SSL connection. Note that SSLv2 and SSLv3 are obsolete: SSLv2 was removed in OpenSSL 1.1.0 and SSLv3 is compiled out of default builds, so current OpenSSL versions normally reject these two options. A server that still completes a handshake with either protocol should be treated as misconfigured.
openssl s_client -connect host:port -tls1_1
This command will initiate an SSL connection to the specified host and port using TLS 1.1 and display the details of the SSL connection.
openssl s_client -connect host:port -tls1_2
This command will initiate an SSL connection to the specified host and port using TLS 1.2 and display the details of the SSL connection.
openssl s_client -connect host:port -tls1_3
This command will initiate an SSL connection to the specified host and port using TLS 1.3 and display the details of the SSL connection.
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate
Where “example.com” is the hostname whose SSL certificate you want to check and “443” is the port number for HTTPS connections. This command uses the openssl s_client command to initiate an SSL connection to the specified host and port, and the openssl x509 command to extract the expiration date of the certificate it received.
openssl s_client -connect example.com:443 -cipher ECDHE-RSA-AES256-GCM-SHA384
Where “example.com” is the URL you want to check the SSL certificate for, “443” is the port number for HTTPS connections, and “ECDHE-RSA-AES256-GCM-SHA384” is the cipher you want to check for.
openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep -i -o -w -E 'TLS_.*'
It’s important to note that this command lists the cipher suites supported by the local OpenSSL build (the client side), not those a particular server accepts; to test what a server accepts, use the -cipher option of s_client shown above.
openssl verify -verbose -CAfile ca-bundle.crt certificate.crt
Where “ca-bundle.crt” is the file that contains the root and intermediate CA certificates, and “certificate.crt” is the end-entity certificate file. This command uses the openssl verify command to verify the certificate chain, using the CA certificates from the file “ca-bundle.crt”. It will display the result of the verification process and indicate whether the certificate chain is valid or not.
openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > certificate.pem
This command uses the openssl s_client command to initiate an SSL connection to the specified host and port, with the -showcerts option to print the entire certificate chain. The openssl x509 command reads the first certificate (the server’s own) from that output and writes it in PEM format, and the > symbol redirects the output to a file named “certificate.pem”.
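The s_client commands above need a live server, which makes them awkward to try out or to put in a test. The script below, added here as an example and not part of the original article, starts a local openssl s_server with a freshly generated self-signed certificate and then runs the client-side checks against it: it fetches the leaf certificate with the same s_client | x509 pipeline as above, pins it by SHA-256 fingerprint against the file the server was configured with, checks expiry with -checkend, confirms a TLS 1.2 handshake with -tls1_2, and runs openssl verify against the server certificate as the CA file. Port 4433, the CN "localhost" and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: exercise the article's s_client checks against a local
# "openssl s_server" so everything runs offline. Needs openssl on PATH.
set -eu

PORT=4433   # constructed test port

# Generate a throwaway certificate and key for the test server in $1.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Start s_server in the background (-www answers with a small status page); print its PID.
start_test_server() {
    openssl s_server -accept "$PORT" -cert "$1" -key "$2" -www >/dev/null 2>&1 &
    echo $!
}

# Fetch the server's leaf certificate as PEM into $1, retrying while the server starts.
fetch_leaf_cert() {
    n=0
    while [ "$n" -lt 10 ]; do
        if echo | openssl s_client -connect "127.0.0.1:$PORT" 2>/dev/null \
               | openssl x509 -outform PEM > "$1" 2>/dev/null && [ -s "$1" ]; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Compare fetched certificate $1 with the expected one $2 (fingerprint pinning),
# then check that it has not expired. Prints OK, PIN-MISMATCH or EXPIRED.
probe_server() {
    got=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256 | cut -d= -f2)
    if [ "$got" != "$want" ]; then
        echo PIN-MISMATCH
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
    else
        echo OK
    fi
}

# Succeed if the server completes a handshake when the client insists on TLS 1.2.
server_accepts_tls12() {
    echo | openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 >/dev/null 2>&1
}

work=$(mktemp -d)
make_server_cert "$work"
pid=$(start_test_server "$work/server.crt" "$work/server.key")
trap 'kill "$pid" 2>/dev/null || true' EXIT
fetch_leaf_cert "$work/fetched.pem"
echo "probe: $(probe_server "$work/fetched.pem" "$work/server.crt")"
server_accepts_tls12 && echo "TLS 1.2: accepted"
# Chain check as in the openssl verify command above; the self-signed server
# certificate acts as its own CA file here.
openssl verify -CAfile "$work/server.crt" "$work/fetched.pem" || echo "verify failed"
kill "$pid"
rm -rf "$work"
```

Pinning the fetched certificate against a known fingerprint is the check to keep: it tells you immediately if something between you and the server is presenting a different certificate, which plain expiry or protocol checks would not reveal.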
It is important to verify that the public key and the certificate match to ensure the security of the SSL/TLS connection. OpenSSL can be used to verify that the public key and the certificate match.
openssl pkey -pubout -in private.key | openssl sha256
This command extracts the public key from the ‘private.key’ key pair and generates the sha256 hash of the public key.
openssl req -pubkey -in certificate.csr -noout | openssl sha256
This command extracts the public key from the ‘certificate.csr’ CSR and generates the sha256 hash of the public key.
openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
This command extracts the public key from the ‘certificate.crt’ certificate and generates the sha256 hash of the public key.
It is important to verify that the private key and the certificate match to ensure the security of the SSL/TLS connection. For RSA keys, OpenSSL can do this by comparing the modulus, which is part of the public key and therefore appears in the private key, the CSR, and the certificate alike. If all three hashes below are identical, the key and certificate belong together. This method applies only to RSA keys; for ECDSA keys, use the public-key hashes shown above.
openssl rsa -noout -modulus -in private.key | openssl sha256
This command extracts the RSA modulus from the ‘private.key’ key pair and generates the sha256 hash of it.
openssl req -noout -modulus -in certificate.csr | openssl sha256
This command extracts the RSA modulus from the ‘certificate.csr’ CSR and generates the sha256 hash of it.
openssl x509 -noout -modulus -in certificate.crt | openssl sha256
This command extracts the RSA modulus from the ‘certificate.crt’ certificate and generates the sha256 hash of it.
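Both matching methods above are easy to get wrong by eye when the hashes are long, so here is a scripted version, added as an example and not part of the original article. It builds the public-key hash check from the pkey/req/x509 -pubkey commands and the RSA-only modulus check from the -modulus commands, then runs them on an RSA pair, on an EC pair (where the modulus method correctly refuses to work), and on a deliberately mismatched key. The subjects, the P-256 curve choice and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: key-to-certificate match checks built from the article's
# public-key hash and modulus hash commands. Needs openssl on PATH.
set -eu

# Print the public key in PEM, taken from a private key, a CSR or a certificate.
pubkey_pem() {
    case $1 in
        key)  openssl pkey -pubout -in "$2" ;;
        csr)  openssl req -pubkey -in "$2" -noout ;;
        cert) openssl x509 -pubkey -in "$2" -noout ;;
        *)    echo "usage: pubkey_pem key|csr|cert FILE" >&2; return 2 ;;
    esac
}

# SHA-256 of the public key; works for RSA and EC alike.
pubkey_hash() {
    pubkey_pem "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Print MATCH or MISMATCH for private key $1 and certificate $2.
key_matches_cert() {
    if [ "$(pubkey_hash key "$1")" = "$(pubkey_hash cert "$2")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# RSA-only alternative: hash of the "Modulus=..." line. Fails (non-zero) for non-RSA keys.
rsa_modulus_hash() {
    if [ "$1" = key ]; then
        mod=$(openssl rsa -noout -modulus -in "$2") || return 1
    else
        mod=$(openssl x509 -noout -modulus -in "$2") || return 1
    fi
    printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# Generate the demo material in $1: an RSA key with its certificate, an unrelated
# RSA key, and an EC (P-256) key with its certificate. Subjects are constructed.
make_demo_material() {
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/rsa.key" -subj "/CN=rsa.example" -days 30 -out "$1/rsa.crt"
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/ec.key"
    openssl req -new -x509 -key "$1/ec.key" -subj "/CN=ec.example" -days 30 -out "$1/ec.crt"
}

work=$(mktemp -d)
make_demo_material "$work"
echo "rsa key   vs rsa cert: $(key_matches_cert "$work/rsa.key" "$work/rsa.crt")"
echo "other key vs rsa cert: $(key_matches_cert "$work/other.key" "$work/rsa.crt")"
echo "ec key    vs ec cert:  $(key_matches_cert "$work/ec.key" "$work/ec.crt")"
rsa_modulus_hash key "$work/ec.key" >/dev/null 2>&1 || echo "modulus method: RSA keys only"
rm -rf "$work"
```

Hashing the full public key rather than the modulus is the more general check, since it covers every key type OpenSSL supports and compares the public exponent as well as the modulus.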
That’s it.
We hope this post has helped you understand what OpenSSL is, what OpenSSL is used for, how to generate a self-signed certificate, how to convert an SSL certificate from one format to another, troubleshooting, debugging, and the other most useful OpenSSL commands to work with SSL certificates. Please share this post if you find it interesting. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL?
How to Set Up A Certificate Authority On Ubuntu Using OpenSSL?
What is a Self Signed Certificate? How to Create a Self Signed Certificate Using OpenSSL?
How To Check Certificate, CSR, and Private Key with OpenSSL?
Step-By-Step Procedure To Install OpenSSL on a Windows Machine
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.