Hi,

here are some command line examples for openssl:

Generate a self signed certificate for a (apache) webserver with a 2048 Bit RSA encryption and valid for 365 days.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Add x509_v3 extensions from command line (>= V1.1.1)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -extension 'subjectAltName = DNS:myHost.myDOmain.org, DNS:myHost2.myDOmain.org' -extension 'certificatePolicies = 1.2.3.4.5'\

Get the certificate of a webserver

openssl s_client -connect michlstechblog.info:443

This establish a connection to a webserver and displays the details for the certificate on a webserver, i.e the expiration date

openssl s_client -connect michlstechblog.info:443| openssl x509 -text

Same for a UDP port where DTLS is running
openssl s_client -host michlstechblog.info -port 8888 -dtls1| openssl x509 -text

Show details of a certificate file
openssl x509 -text -in server.crt -noout

Create pfx (pkcs12) file from key and certificate

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt

Create pfx (pkcs12) file from key, certificate and the root CA(s), If necessary copy the root and the intermediate certificates in to one CACert.crt file.

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt -certfile CACert.crt

Extract a key from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nocerts -out host.domain.key

And extract a cert(s) from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nokeys -out host.domain.crt

Creating a self signed Certification Authority

To be continued….

See also this post. It describes how to setup a CA for OpenVPN from the scratch.

Generate a CA revokation list

openssl ca -gencrl -passin pass:${CA_PASSWORD} -out crl.pem

Show details of certificate revocation list (crl)

openssl crl -in crl.pem -text

Verify a certificate chain where yourCertificate is directly signed by the CA
openssl verify -CAfile CARootCertificate.cer yourCertificate.cer

Verify a certificate chain where yourCertificate is signed by a intermediate certificate
openssl verify -CAfile CARootCertificate.cer -untrusted Intermediate.cer yourCertificate.cer

or copy CARootCertificate.cer and Intermediate.cer to one file

# Windows
copy CARootCertificate.cer+Intermediate.cer fullChain.cer
# Linux/UNIX
cat CARootCertificate.cer Intermediate.cer > fullChain.cer
openssl verify -CAfile fullChain.cer yourCertificate.cer


Check a certificate against a crl
Copy the chain(root CA cert, intermediate cert) and the crl to a file

cat ca.pem intermediate.pem crl.pem > wholeChain.pem

and check

openssl verify -crl_check -CAfile wholeChain.pem myCert.pem


Create a signing request to renew an existing certificate

openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr


With some x509v3 extensions. File x509v3_extensions.ext

extensions = x509v3
[ x509v3 ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature, keyEncipherment



openssl x509 -req -days 3650 -in CARootCertificate.cer -signkey CARoot.key \
-out ca_crt.pem -extfile x509v3_extensions.ext -extensions x509v3


List of valid ciphersuites from a given allowed SSL_CTX_set_cipher_list

openssl ciphers '!aNULL:ECDHE+AESGCM:ECDHE+AES' | tr ":" "\n"


Michael