cheatsheet
generate private key and csr
$ openssl genrsa -out privateKey.key 2048
$ openssl req -new -key privateKey.key -out CSR.csr
# or
$ openssl req -out CSR.csr \
-new -newkey rsa:2048 \
-nodes \
-keyout privateKey.key \
-subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"generate a self-signed certificate
$ openssl req -x509 \
-sha256 \
-nodes \
-days 365 \
-newkey rsa:2048 \
-keyout privateKey.key \
-out certificate.crtcheck ssl certificate
check private key info
$ openssl rsa -noout -text -in privateKey.keycheck csr info
$ openssl req -text -noout -in CSR.csrview ssl certificate info
$ openssl x509 -text -noout -in certificate.crt
get issuer
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -issuerget subject
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -subjectget expiration date
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -dates
# or
$ openssl x509 -enddate -noout -in /path/to/name.pem
# i.e.:
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -dates
notBefore=Sep 8 00:00:00 2021 GMT
notAfter=Aug 18 23:59:59 2022 GMTget serial number
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -serial
serial=038**************************9CE
$ openssl x509 -noout -serial -in server.crt
serial=038**************************9CEshow multiple information
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -dates -subject -issuershow fingerprint
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -fingerprintextract from the ssl certificate (decoded)
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -textshow the ssl certificate
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----verifying the keys match
$ openssl pkey -pubout -in privateKey.key | openssl sha256
# or
$ openssl req -pubkey -in CSR.csr -noout | openssl sha256
# or
$ openssl x509 -pubkey -in certificate.crt -noout | openssl sha256check remote certificate chain
[!NOTE|label:see also:]
$ echo -n |
openssl s_client -connect <domain.com>:<port> 2>/dev/null |
awk '/Certificate chain/,/---/'
# or
$ echo -n |
openssl s_client -connect <domain.com>:<port> 2>/dev/null |
sed -n '/Certificate chain/,/---/p'
# i.e.:
$ echo -n |
openssl s_client -connect google.com:443 2>/dev/null |
awk '/Certificate chain/,/---/'
Certificate chain
0 s:CN = *.google.com
i:C = US, O = Google Trust Services, CN = WR2
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 30 12:32:53 2024 GMT; NotAfter: Oct 22 12:32:52 2024 GMT
1 s:C = US, O = Google Trust Services, CN = WR2
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---Last updated
Was this helpful?