LINUXMAKER, OpenSource, Tutorials

Useful SSL commands

Query the certificates presented on an SSL port

openssl s_client -connect localhost:636 -showcerts

SSL certificate verification

openssl verify -CApath /etc/pki/tls/certs -verbose <certificate-name.crt>

Certificate issuer

openssl x509 -noout -issuer -in <certificate-name.crt>

Certificate fingerprint (SHA-1 unless a digest option such as -sha256 is given)

openssl x509 -noout -fingerprint -in <certificate-name.crt>

Display of the SSL certificate

Show the complete certificate (text and encoded form)

openssl x509 -text -in <certificate-name.crt>

Show the certificate text without the encoded certificate

openssl x509 -noout -text -in <certificate-name.crt>

Display of the issuer of the certificate

openssl x509 -noout -issuer -in <certificate-name.crt>

Display of the certificate owner (subject)

openssl x509 -noout -subject -in <certificate-name.crt>

Display of the certificate validity period

openssl x509 -noout -dates -in <certificate-name.crt>

Combined certificate display

openssl x509 -noout -issuer -subject -dates -in <certificate-name.crt>

Display of the subject name hash value

openssl x509 -noout -hash -in <certificate-name.crt>

Display of the MD5 fingerprint

openssl x509 -noout -fingerprint -md5 -in <certificate-name.crt>

Display of certificate request (CSR)

openssl req -noout -text -in <request.csr>

Removal of the passphrase from the keyfile

openssl rsa -in <certificate-name.key> -out <neueskeyfile.key>

Change the passphrase of the keyfile

openssl rsa -des3 -in <certificate-name.key> -out <neueskeyfile.key>

Convert the certificate to other formats

The DER format

The DER format is a binary form of a certificate, rather than the ASCII PEM format.

The PKCS#7/P7B format

It is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. A P7B file contains only certificates and chain certificates, not the private key. Some platforms support P7B files, including Microsoft Windows and Java Tomcat.

The PKCS#12/PFX format

It is a binary format for storing the server certificate, all intermediate certificates and the private key in an encrypted file. PFX files usually have extensions like .pfx and .p12. PFX files are usually used on Windows machines for the import and export of certificates and private keys.

Conversion from PEM to PFX (*.p12, *.pfx)

openssl pkcs12 -export -in Zertifikat.crt.pem -inkey Zertifikat.key.pem -out Zertifikat.p12 -certfile SSLCertifikateChainFile.pem

Conversion from PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Conversion from PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Conversion from DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Conversion from P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Conversion from P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Conversion from PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Generation of the CSR and the keyfile

To apply for the certificate, the CSR file is sent to the certifying body once it has been generated.

Generation of a 2048 bit RSA key

openssl genrsa -out <certificate-name.key> 2048

Generation of the associated CSR

openssl req -new -key <certificate-name.key> -out <certificate-name.csr>

Add a passphrase to the key

openssl rsa -des3 -in <certificate-name.key> -out <certificate-name.key.sec>
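
The three steps above as one non-interactive script, with a check that the CSR really belongs to the key before it is sent off. This is an added example, not part of the original page; the file names, the subject and the KEY_PASS variable name are constructed.

```shell
#!/bin/sh
# Added example. File names, subject and KEY_PASS are constructed values.

# make_csr DIR NAME SUBJECT: 2048-bit RSA key plus CSR, without prompts.
make_csr() {
    ( umask 077 && openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}

# key_pub_digest KEY [PASSARG]: SHA-256 of the DER public key derived from KEY.
# PASSARG is an openssl password source such as env:KEY_PASS.
key_pub_digest() {
    openssl pkey -in "$1" ${2:+-passin "$2"} -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# csr_pub_digest CSR: SHA-256 of the DER public key embedded in the CSR.
csr_pub_digest() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_csr KEY CSR [PASSARG]: succeeds only if the CSR's self-signature
# verifies and the CSR carries the public key that belongs to KEY.
check_csr() {
    # Match on the message: older openssl releases may exit 0 on a bad signature.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(key_pub_digest "$1" "$3")" = "$(csr_pub_digest "$2")" ]
}

# protect_key IN OUT: passphrase-protected copy of the key. The passphrase is
# read from the environment variable KEY_PASS, not from the command line.
protect_key() {
    ( umask 077 &&
      openssl rsa -des3 -in "$1" -out "$2" -passout env:KEY_PASS 2>/dev/null )
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" www "/CN=www.example.test" &&
    check_csr "$demo_dir/www.key" "$demo_dir/www.csr" &&
    echo "CSR signature OK and public key matches www.key"
rm -rf "$demo_dir"
```

A CSR built from a different key fails check_csr even though its own signature is valid, which catches mixed-up key files before the certificate is issued.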