book
  • README
  • cheatsheet
    • bash
      • builtin
      • syntactic sugar
      • cmd
      • havefun
    • text-processing
      • awk
      • sed
      • html
      • json
      • regex
      • unicode
    • osx
    • curl
    • tricky
    • widget
    • proxy
    • colors
    • math
    • media
    • ssl
      • cheatsheet
      • keystore
      • verification
      • server
      • client
      • tricky
    • windows
      • powershell
      • choco
      • wsl
      • wt
      • shortcut
      • clsid
      • env
      • shell:folder
  • vim
    • nvim
    • install
    • color
    • plugins
      • usage
      • other plugins
      • deprecated
    • tricky
    • viml
    • windows
    • troubleshooting
  • devops
    • admin tools
    • ssh
    • git
      • config
      • alias
      • submodule
      • eol
      • example
      • gerrit
        • gerrit API
      • github
      • troubleshooting
      • tricky
      • statistics
    • pre-commit
    • release-tools
    • tmux
      • cheatsheet
    • ansible
    • vault
    • artifactory
      • api
      • cli
      • aql
      • nginx cert
    • klocwork
      • kwadmin
      • kwserver
      • api
      • q&a
    • elk
    • mongodb
    • android
    • mobile
  • jenkins
    • config
      • windows
    • appearance
    • troubleshooting
    • jenkinsfile
      • utility
      • parallel
      • build
      • envvar
      • properties
      • trigger
      • node
    • script
      • job
      • build
      • stage
      • agent
      • security & authorization
      • exception
      • monitor
      • tricky
    • api
      • blueocean
    • cli
    • plugins
      • kubernetes
      • docker
      • shared-libs
      • lockable-resource
      • ansicolor
      • badge
      • groovy-postbuild
      • simple-theme
      • customizable-header
      • artifactory
      • jira-steps
      • job-dsl
      • build-timeline
      • crumbIssuer
      • coverage
      • uno-choice
      • tricky
  • virtualization
    • kubernetes
      • init
        • kubespray
        • kubeadm
          • environment
          • crio v1.30.4
          • docker v1.15.3
          • HA
        • addons
        • etcd
      • kubectl
        • pod
        • deploy
        • replicasets
        • namespace
        • secrets
      • node
      • certificates
      • events
      • kubeconfig
      • kubelet
      • troubleshooting
      • cheatsheet
      • auth
      • api
      • tools
        • monitor
        • helm
        • network
        • minikube
    • docker
      • run & exec
      • voume
      • remove
      • show info
      • dockerfile
      • dockerd
      • tricky
      • troubleshooting
      • windows
    • crio
    • podman
  • ai
    • prompt
  • osx
    • apps
      • init
      • brew
    • defaults
    • system
    • network
    • script
    • tricky
  • linux
    • devenv
    • util
      • time & date
      • output formatting
      • params
      • tricky
    • nutshell
    • disk
    • network
    • troubleshooting
    • system
      • apt/yum/snap
      • authorization
      • apps
      • x11
    • ubuntu
      • systemctl
      • x
    • rpi
  • programming
    • groovy
    • python
      • config
      • basic
      • list
      • pip
      • q&a
    • others
    • archive
      • angular
      • maven
      • mysql
        • installation
        • logs
      • ruby
        • rubyInstallationQ&A
  • tools
    • fonts
    • html & css
    • Jira & Confluence
    • node & npm
      • gitbook
      • hexo
      • github.page
      • code themes
    • app
      • microsoft office
      • vscode
      • virtualbox
      • iterm2
      • browser
      • skype
      • teamviewer
      • others
  • quotes
  • english
Powered by GitBook
On this page
  • generate private key and csr
  • generate a self-signed certificate
  • check ssl certificate
  • get issuer
  • get subject
  • get expiration date
  • get serial number
  • show multiple information
  • show fingerprint
  • extract from the ssl certificate (decoded)
  • show the ssl certificate
  • verifying the keys match
  • check remote certificate chain

Was this helpful?

  1. cheatsheet
  2. ssl

cheatsheet

PrevioussslNextkeystore

Last updated 2 days ago

Was this helpful?

reference:

generate private key and csr

$ openssl genrsa -out privateKey.key 2048
$ openssl req -new -key privateKey.key -out CSR.csr

# or
$ openssl req -out CSR.csr \
              -new -newkey rsa:2048 \
              -nodes \
              -keyout privateKey.key \
              -subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

need to input the following info to generate CSR :

  • Country Name: 2-digit country code where our organization is legally located.

  • State/Province: Write the full name of the state where the organization is legally located.

  • City: Write the full name of the city where our organization is legally located.

  • Organization Name: Write the legal name of our organization.

  • Organization Unit: Name of the department

  • Common Name: Fully Qualified Domain Name

generate a self-signed certificate

$ openssl req -x509 \
              -sha256 \
              -nodes \
              -days 365 \
              -newkey rsa:2048 \
              -keyout privateKey.key \
              -out certificate.crt

check ssl certificate

  • check private key info

    $ openssl rsa -noout -text -in privateKey.key
  • check csr info

    $ openssl req -text -noout -in CSR.csr
  • view ssl certificate info

    $ openssl x509 -text -noout -in certificate.crt

get issuer

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -issuer

get subject

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -subject

get expiration date

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates

# or
$ openssl x509 -enddate -noout -in /path/to/name.pem

# i.e.:
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates
notBefore=Sep  8 00:00:00 2021 GMT
notAfter=Aug 18 23:59:59 2022 GMT

get serial number

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -serial
serial=038**************************9CE

$ openssl x509 -noout -serial -in server.crt
serial=038**************************9CE

show multiple information

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates -subject -issuer

show fingerprint

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -fingerprint

extract from the ssl certificate (decoded)

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -text

show the ssl certificate

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

verifying the keys match

$ openssl pkey -pubout -in privateKey.key | openssl sha256
# or
$ openssl req -pubkey -in CSR.csr -noout | openssl sha256
# or
$ openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

check remote certificate chain

[!NOTE|label:see also:]

$ echo -n |
       openssl s_client -connect <domain.com>:<port> 2>/dev/null |
       awk '/Certificate chain/,/---/'
# or
$ echo -n |
       openssl s_client -connect <domain.com>:<port> 2>/dev/null |
       sed -n '/Certificate chain/,/---/p'

# i.e.:
$ echo -n |
       openssl s_client -connect google.com:443 2>/dev/null |
       awk '/Certificate chain/,/---/'
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 30 12:32:53 2024 GMT; NotAfter: Oct 22 12:32:52 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---

* cheatsheet: Check SSL Certificate with OpenSSL
* cheatsheet: Check SSL Certificate Chain with OpenSSL Examples
generate private key and csr
generate a self-signed certificate
check ssl certificate
get issuer
get subject
get expiration date
get serial number
show multiple information
show fingerprint
extract from the ssl certificate (decoded)
show the ssl certificate
verifying the keys match
check remote certificate chain
* iMarslo: get lines between 2 patterns