# Generate a 2048-bit RSA private key, then create a CSR for it.
# genrsa is given no cipher option, so privateKey.key is written without a
# passphrase: restrict access to the file (e.g. chmod 600) and keep it out of
# version control and shared storage.
# With no -subj, the req command asks for the subject fields interactively.
$ openssl genrsa -out privateKey.key 2048
$ openssl req -new -key privateKey.key -out CSR.csr
# or
# One-step variant: -newkey creates the key and the CSR together, and -nodes
# leaves the new key unencrypted on disk (OpenSSL 3.0 names this option -noenc).
# -subj sets only the subject DN. The request carries no subjectAltName, and
# current browsers match host names against SAN rather than CN, so confirm
# whether the CA adds SAN itself or expects it in the request
# (req -addext "subjectAltName=DNS:<name>" in OpenSSL 1.1.1 and later).
$ openssl req -out CSR.csr \
-new -newkey rsa:2048 \
-nodes \
-keyout privateKey.key \
-subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
# Create a new 2048-bit RSA key and a self-signed certificate, signed with
# SHA-256 and valid for 365 days. No -subj is given, so openssl prompts for
# the subject fields.
# A self-signed certificate chains to no CA: clients reject it unless it is
# explicitly added to their trust store, so it suits test setups rather than
# public services. -nodes leaves privateKey.key unencrypted on disk; protect
# the file with restrictive permissions.
$ openssl req -x509 \
-sha256 \
-nodes \
-days 365 \
-newkey rsa:2048 \
-keyout privateKey.key \
-out certificate.crt
# Fetch the certificate a server presents and print its issuer DN.
# `echo -n |` hands s_client an empty stdin so it exits after the handshake.
# <domain.com> and <port> are placeholders; the bracketed -servername is an
# optional SNI name. A server hosting several sites may return a different
# certificate depending on the SNI value it receives.
# Caveat: by default s_client reports a failed chain verification but still
# completes the handshake, and here the stderr redirect plus the pipe into
# x509 hide that report. The output describes what the server sent, not a
# certificate that was validated. Drop 2>/dev/null, or add
# -verify_return_error to s_client, when the answer has to be trusted.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -issuer
# Same probe, printing the subject DN. Host-name matching is done against
# subjectAltName, which -subject does not show; use -text to see it.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -subject
# Print the validity window (notBefore / notAfter) of the certificate a
# server presents. Useful for expiry monitoring; for scripted checks,
# x509 -checkend <seconds> sets a non-zero exit status when the certificate
# expires within that many seconds.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -dates
# or
# Read only the expiry date from a local PEM file instead of a live server.
$ openssl x509 -enddate -noout -in /path/to/name.pem
# i.e.:
# Sample run: the two lines after the command are its output (times in GMT).
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -dates
notBefore=Sep 8 00:00:00 2021 GMT
notAfter=Aug 18 23:59:59 2022 GMT
# Print the serial number of the certificate a server presents (the value is
# masked in the sample output).
# A serial number is unique only per issuer: pair it with the issuer DN when
# looking the certificate up in a CRL or in issuance records.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -serial
serial=038**************************9CE
# Same query against a local certificate file; comparing the two serials
# shows whether the server is serving the certificate you have on disk.
$ openssl x509 -noout -serial -in server.crt
serial=038**************************9CE
# Print validity dates, subject and issuer of the served certificate in one
# call; x509 accepts several print options together.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -dates -subject -issuer
# Print the certificate fingerprint (a digest over the whole certificate).
# No digest option is given, so the OpenSSL default applies, which is SHA-1
# in common releases (confirm for your version). Add -sha256 to x509 when the
# value is used for pinning or for comparison with a published SHA-256 value.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -fingerprint
# Full human-readable dump of the certificate, including its extensions
# (subjectAltName, key usage and so on), public key and signature algorithm.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509 -noout -text
# With no print option and no -noout, x509 re-emits the certificate itself in
# PEM form; redirect stdout to a file to keep a copy.
# Only the server (leaf) certificate is captured this way. Add -showcerts to
# s_client to have it print every certificate the server sent.
# A certificate saved from an unverified connection is only "what this
# endpoint served"; verify it before adding it to any trust store.
$ echo -n |
openssl s_client \
[-servername <domain.com>] \
-connect <domain.com>:<port> 2>/dev/null |
openssl x509
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# Check that a private key, a CSR and a certificate belong together: each
# command extracts the public key in PEM form and hashes it with SHA-256.
# Identical digests mean all three carry the same public key.
# Only the public key is hashed, so the digest can be shared freely; the
# private key file itself must not be.
$ openssl pkey -pubout -in privateKey.key | openssl sha256
# or
$ openssl req -pubkey -in CSR.csr -noout | openssl sha256
# or
$ openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
# Show the "Certificate chain" summary that s_client prints, cut from that
# header to the next "---" line. These variants pass no -servername.
# The summary lists the certificates the server sent, in the order sent. It
# does not show that the chain validates: s_client's verification result is
# printed elsewhere in its output and is filtered out here, and stderr is
# discarded.
$ echo -n |
openssl s_client -connect <domain.com>:<port> 2>/dev/null |
awk '/Certificate chain/,/---/'
# or
# Same range selection with sed instead of awk.
$ echo -n |
openssl s_client -connect <domain.com>:<port> 2>/dev/null |
sed -n '/Certificate chain/,/---/p'
# i.e.:
# Sample run. Per certificate: s: subject, i: issuer, a: public key and
# signature algorithm, v: validity window. Each issuer should equal the
# subject of the next entry. The last entry here was issued by GlobalSign
# Root CA, which the server does not send; the client must already trust it.
$ echo -n |
openssl s_client -connect google.com:443 2>/dev/null |
awk '/Certificate chain/,/---/'
Certificate chain
0 s:CN = *.google.com
i:C = US, O = Google Trust Services, CN = WR2
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 30 12:32:53 2024 GMT; NotAfter: Oct 22 12:32:52 2024 GMT
1 s:C = US, O = Google Trust Services, CN = WR2
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---