A few handy hints and tips for messing with SSL certs and keys
- Dump the certificate
openssl x509 -in url.crt
- Dump the certificate details (-noout suppresses output of the certificate itself)
openssl x509 -in url.crt -noout -text
- Find out the issuer of a certificate (useful for determining the chain file needed)
openssl x509 -in url.crt -noout -issuer
- Display the valid from/valid to dates
openssl x509 -in url.crt -noout -dates
Check that a key and cert match
- Find the modulus for both the cert and the key
openssl x509 -in url.crt -noout -modulus
openssl rsa -in url.key -noout -modulus
If they match, then the key is a pair with the certificate. See also Cert-Key_Match.
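The modulus comparison above wrapped in a shell function, as an added example that is not part of the original page. The function names, the `example.test` subject and the temporary files are assumptions made for illustration, and the check applies to RSA keys only.

```shell
#!/bin/sh
# Added example: compare the RSA modulus of a certificate and a private key.

# cert_key_match CERT KEY
#   exit 0 -> the key belongs to the certificate
#   exit 1 -> both files parsed, but the moduli differ
#   exit 2 -> a file is missing or is not an RSA cert/key
cert_key_match() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$cert_mod" ] || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# Demo on constructed sample data: a throwaway self-signed cert with its key,
# plus a second, unrelated key that must not match.
demo_cert_key_match() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/url.key" -out "$dir/url.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    for key in url.key other.key; do
        if cert_key_match "$dir/url.crt" "$dir/$key"; then
            echo "$key: matches url.crt"
        else
            echo "$key: does NOT match url.crt"
        fi
    done
    rm -rf "$dir"
}

demo_cert_key_match
```

The distinct exit codes let a deployment script tell a wrong key (1) from an unreadable file (2) before a web server is restarted with a mismatched pair.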
- Convert a .pfx / pkcs12 to PEM
pkcs12 is a combined key / cert data format. To convert it to PEM:
openssl pkcs12 -in url.pfx -out url.pem -nodes
You may be asked for the password if the pfx is protected. This will generate a single file with the key and certs (-nodes means the private key in that file is written unencrypted)
- Remove the passphrase from a private key
openssl rsa -in privatekey.protected.pem -out privatekey.pem
Test an SSL site
openssl s_client -connect www.example.com:443
- Check on a csr (Certificate Signing Request)
openssl req -noout -text -in foo.csr
- Generate a csr (Certificate Signing Request)
openssl req -new -out foo.csr