SSL Howto

A few handy hints and tips for messing with SSL certs and keys


 * Dump the certificate

openssl x509 -in url.crt


 * Dump the certificate details (-noout suppresses output of the certificate itself)

openssl x509 -in url.crt -noout -text


 * Find out the issuer of a certificate (useful for determining the chain file needed)

openssl x509 -in url.crt -noout -issuer


 * Display the valid from/valid to dates

openssl x509 -in url.crt -noout -dates

Check that a key and cert match


 * Find the modulus for both the cert and the key

openssl x509 -in url.crt -noout -modulus
openssl rsa -in url.key -noout -modulus

If they match, then the key is a pair with the certificate. See also Cert-Key_Match.
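The modulus comparison above as a script, so the result is an exit status rather than two long hex strings compared by eye. This is an added example, not part of the original page: the function names and file names are hypothetical, the sample key and certificate are generated on the spot, and it assumes unencrypted RSA keys.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and file
# names are hypothetical; the keys and certificate are constructed samples.

# Return 0 if cert $1 and RSA key $2 share a modulus, 1 if they differ,
# 2 if either file cannot be parsed (missing, not RSA, wrong format).
cert_key_match() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    # Guard against two empty strings comparing equal.
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Create throwaway sample material in directory $1:
# a.key and a.crt belong together, b.key is unrelated.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$1/a.key" -out "$1/a.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$1/b.key" 2048 >/dev/null 2>&1 || return 1
}

# Report the result for one cert/key pair in words.
report() {
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH:    $1 <-> $2" ;;
        1) echo "MISMATCH: $1 <-> $2" ;;
        *) echo "ERROR:    could not read $1 or $2" ;;
    esac
}

tmp=$(mktemp -d) && make_samples "$tmp" && {
    report "$tmp/a.crt" "$tmp/a.key"        # pair generated together
    report "$tmp/a.crt" "$tmp/b.key"        # unrelated key
    report "$tmp/a.crt" "$tmp/missing.key"  # unreadable input
    rm -rf "$tmp"
}
```

Treating a parse failure as its own exit status matters: if both openssl commands fail, both outputs are empty, and a naive string comparison would report a match.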

PKCS#12 is a combined key / cert data format. To convert it to PEM:
 * Convert a .pfx / pkcs12 to PEM

openssl pkcs12 -in url.pfx -out url.pem -nodes

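You may be asked for the password if the pfx is protected. This will generate a single file containing the key and the certs. Because of -nodes, the private key in url.pem is written unencrypted, so restrict access to that file.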

 * Remove the passphrase from a private key

openssl rsa -in privatekey.protected.pem -out privatekey.pem

Test an SSL site

openssl s_client -connect www.example.com:443


 * Check on a csr (Certificate Signing Request)

openssl req -noout -text -in foo.csr


 * Generate a csr (Certificate Signing Request)

openssl req -new -out foo.csr