Docu review done: Mon 03 Jul 2023 17:09:28 CEST

Commands

openssl req -in <domain>.csr -noout -text
    Shows the contents of a CSR (certificate signing request)
openssl x509 -text -noout -in <certfile>
    Shows details about a local certificate
openssl s_client -showcerts -servername example.com -connect example.com:443 </dev/null
    Connects to the server with SNI (-servername) and shows the certificate chain
openssl s_client -showcerts -connect example.com:443 </dev/null
    Connects to the server without SNI and shows the certificate chain
echo | openssl s_client -showcerts -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -text
    Connects to the server and shows the details of the server (leaf) certificate
openssl s_client -starttls postgres -connect my_postgresql_server:5432 </dev/null | openssl x509 -text
    Connects to a PostgreSQL service via STARTTLS and shows the certificate details

Validate key file against certificate file (and, if needed, against the CSR)

Option 1: via check sum (external binary)

$ openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha512sum
26d0710ae90e9a916b6d1dc5e5c5db891feafc770108c2a83b76e8938ccde7b93a9bf2c30f058303b9ae759b593f5921eb2892a2c12fb1cc452f4b5092b5296b  -
$ openssl pkey -in privateKey.key -pubout -outform pem | sha512sum
26d0710ae90e9a916b6d1dc5e5c5db891feafc770108c2a83b76e8938ccde7b93a9bf2c30f058303b9ae759b593f5921eb2892a2c12fb1cc452f4b5092b5296b  -
$ openssl req -in CSR.csr -pubkey -noout -outform pem | sha512sum
26d0710ae90e9a916b6d1dc5e5c5db891feafc770108c2a83b76e8938ccde7b93a9bf2c30f058303b9ae759b593f5921eb2892a2c12fb1cc452f4b5092b5296b  -

Option 2: via check sum (openssl binary, RSA keys only)

$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
(stdin)= 5de137fcbec70689b390235cc0de0ab5
$ openssl rsa -noout -modulus -in privateKey.key | openssl md5
(stdin)= 5de137fcbec70689b390235cc0de0ab5

Option 3: via matching modulus (RSA keys only)

$ openssl x509 -noout -modulus -in certificate.crt | grep "Modulus="
Modulus=9CD8C9C81E0BF0C40...
$ openssl rsa -noout -modulus -in privateKey.key | grep "Modulus="
Modulus=9CD8C9C81E0BF0C40...
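As an added example (not from the original page), the script below turns Option 1 into reusable shell functions: it compares the public key of a key file, a certificate and optionally a CSR by digest. Because `openssl pkey -pubout`, `openssl x509 -pubkey` and `openssl req -pubkey` all emit the same SubjectPublicKeyInfo PEM, this also works for EC and Ed25519 keys, where the RSA-only `-modulus` options fail. It assumes the openssl CLI is on PATH; the file names and the self-signed test material it builds in a temp directory are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from the original page: compare public keys by digest.
# "openssl x509 -pubkey" / "openssl pkey -pubout" / "openssl req -pubkey" all
# emit the SubjectPublicKeyInfo as PEM, so this works for RSA, EC and Ed25519
# keys alike, unlike the RSA-only "-modulus" approach. Requires the openssl CLI.
set -e

# pubkey_pem key|cert|csr FILE  ->  prints the public key in PEM form
pubkey_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform PEM ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        *)    echo "usage: pubkey_pem key|cert|csr FILE" >&2; return 2 ;;
    esac
}

# pubkey_digest key|cert|csr FILE  ->  prints the SHA-256 hex digest of that PEM
# (awk takes the last field, so both "(stdin)= hex" and "SHA2-256(stdin)= hex"
# output styles of openssl dgst are handled)
pubkey_digest() {
    pubkey_pem "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match KEY CERT [CSR]  ->  exit 0 only if every public key is identical
keys_match() {
    key_d=$(pubkey_digest key "$1")
    cert_d=$(pubkey_digest cert "$2")
    [ "$key_d" = "$cert_d" ] || return 1
    if [ -n "$3" ]; then
        csr_d=$(pubkey_digest csr "$3")
        [ "$key_d" = "$csr_d" ] || return 1
    fi
}

# demo_keys_match  ->  builds a matching EC key/CSR/cert triple plus an
# unrelated RSA key in a temp dir (constructed fixtures) and prints one
# MATCH/MISMATCH line per check.
demo_keys_match() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/server.key"
    openssl req -new -key "$d/server.key" -subj "/CN=demo.example" \
        -out "$d/server.csr" 2>/dev/null
    openssl req -x509 -new -key "$d/server.key" -subj "/CN=demo.example" \
        -days 1 -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    if keys_match "$d/server.key" "$d/server.crt" "$d/server.csr"; then
        echo MATCH; else echo MISMATCH; fi
    if keys_match "$d/other.key" "$d/server.crt"; then
        echo MATCH; else echo MISMATCH; fi
    rm -rf "$d"
}

demo_keys_match
```

Usage on real files: `keys_match server.key server.crt server.csr && echo ok`. The CSR argument is optional; the function's exit status is what scripts should rely on, the demo output is only illustrative.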

Convert p12 into PEM

Check the order of the certificate chain in the PEM file: each issuer must come below the certificate it signed (cert => signed by => signed by => CA). The position of the private key apparently does not matter; I had it at the very end.

$ openssl pkcs12 -in path.p12 -out newfile.pem -nodes

Or, if you want to provide a password for the private key, omit -nodes and input a password:

$ openssl pkcs12 -in path.p12 -out newfile.pem

Extract CA certificates from a PKCS#12 file

$ openssl pkcs12 -in elasticsearch-certificates.p12 -cacerts -nokeys -out ca.crt

Private key handling

# generate a new 4096 bit RSA key without password
$ openssl genrsa -out file.key 4096
# verify a key
$ openssl pkey -in file.key -noout -check
# get some details about a key
$ openssl pkey -in file.key -noout -text

CSR handling

# generate a new csr for an existing key interactively
$ openssl req -out file.csr -key file.key -new
# get some details about a csr:
$ openssl req -in file.csr -noout -text

Generate a self-signed certificate with one command (e.g. CA)

$ openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt

Generate a new key and CSR and sign it with the CA (e.g. server cert). The serial is not correct though: -set_serial 01 hard-codes it, so every certificate issued this way gets the same serial number.

$ openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key
$ openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Sign a CSR or generate a certificate that is valid for only 5 minutes, for testing

$ faketime '23hours ago 55min ago' openssl x509 -req -in server.csr -days 1 -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
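As an added example (not from the original page), the script below ties together three points from the sections above: issuing server certificates from a CA with unique serials (`-CAcreateserial` instead of `-set_serial 01`), checking that a PEM bundle is ordered leaf first and issuer below it, and checking whether a certificate is about to expire (`openssl x509 -checkend`, the natural counterpart to the 5-minute faketime certificate). It assumes the openssl CLI is on PATH; every file name under the temp directory and every CN is a constructed fixture. The chain-order check only compares issuer and subject names; `openssl verify` does the cryptographic check.

```shell
#!/bin/sh
# Added example, not from the original page: a small CA workflow that lets
# openssl manage unique serials (-CAcreateserial), a chain-order check for PEM
# bundles, and an expiry check. All names under $d are constructed. Requires
# the openssl CLI.
set -e

# issue_leaf DIR CA LEAF CN  ->  new key + CSR for LEAF, signed by DIR/CA.crt.
# -CAcreateserial creates DIR/CA.srl on first use and increments it afterwards,
# so every issued certificate gets a different serial (unlike -set_serial 01).
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -days 365 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# cert_count BUNDLE  ->  number of CERTIFICATE blocks in a PEM file
cert_count() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# nth_cert BUNDLE N  ->  prints the N-th CERTIFICATE block (1-based)
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }' "$1"
}

# check_chain_order BUNDLE  ->  exit 0 if each certificate is directly followed
# by its issuer (leaf first, CA last). Compares issuer/subject names only;
# run "openssl verify" for the cryptographic check.
check_chain_order() {
    n=$(cert_count "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        iss=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        sub=$(nth_cert "$1" "$j" | openssl x509 -noout -subject)
        if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
            echo "certificate $i is not issued by certificate $j" >&2
            return 1
        fi
        i=$j
    done
}

# expires_within CERT SECONDS  ->  exit 0 if CERT expires within SECONDS
# (openssl -checkend exits 0 when the cert will NOT expire in that window)
expires_within() {
    ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# demo_ca  ->  one CA, two leaves, a correctly and an incorrectly ordered bundle
demo_ca() {
    d=$(mktemp -d)
    openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    issue_leaf "$d" ca server1 server1.example
    issue_leaf "$d" ca server2 server2.example
    s1=$(openssl x509 -noout -serial -in "$d/server1.crt")
    s2=$(openssl x509 -noout -serial -in "$d/server2.crt")
    [ "$s1" != "$s2" ] && echo "serials differ" || echo "serials equal"
    cat "$d/server1.crt" "$d/ca.crt" > "$d/good.pem"   # leaf, then its issuer
    cat "$d/ca.crt" "$d/server1.crt" > "$d/bad.pem"    # issuer first: wrong
    check_chain_order "$d/good.pem" && echo "good.pem ordered" || echo "good.pem misordered"
    check_chain_order "$d/bad.pem" 2>/dev/null && echo "bad.pem ordered" || echo "bad.pem misordered"
    openssl verify -CAfile "$d/ca.crt" "$d/server1.crt" >/dev/null 2>&1 \
        && echo "verify ok" || echo "verify failed"
    expires_within "$d/server1.crt" 300 && echo "expires soon" || echo "valid beyond 5 min"
    rm -rf "$d"
}

demo_ca
```

For a converted PKCS#12 bundle, run `check_chain_order newfile.pem`; the private key block is ignored by the check, so its position in the file does not affect the result.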