OpenSSL mostly used commands

Here's a list of mostly used openssl commands:

1. Create key + csr:

$> openssl req -new -nodes -keyout server.key -out server.csr -newkey rsa:4096

2. Create key only:

$> openssl genrsa -des3 -out server.key.crypted 4096

3. Remove password from key:

$> openssl rsa -in server.key.crypted -out server.key

4. Generate CSR

$> openssl req -new -key server.key -out server.csr

5. Self generated certificate

$> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

6. View the details of CSR

$> openssl req -noout -text -in server.csr

7. Check a Certificate Signing Request (CSR)

$> openssl req -text -noout -verify -in CSR.csr

8. Check a private key

$> openssl rsa -in privateKey.key -check

9. Check a certificate

$> openssl x509 -in certificate.crt -text -noout

10. Check a PKCS#12 file (.pfx or .p12)

$> openssl pkcs12 -info -in keyStore.p12

11. Convert .crt to .pfx for IIS server

$> openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

How do I extract information from a certificate? (from: )

An SSL certificate contains a wide range of information: issuer, valid dates, subject, and some hardcore crypto stuff. The x509 subcommand is the entry point for retrieving this information. The examples below all assume that the certificate you want to examine is stored in a file named cert.pem.

Using the -text option will give you the full breadth of information.

$> openssl x509 -text -in cert.pem
Other options will provide more targeted sets of data.

# who issued the cert?
$> openssl x509 -noout -in cert.pem -issuer

# to whom was it issued?
$> openssl x509 -noout -in cert.pem -subject

# for what dates is it valid?
$> openssl x509 -noout -in cert.pem -dates

# the above, all at once
$> openssl x509 -noout -in cert.pem -issuer -subject -dates

# what is its hash value?
$> openssl x509 -noout -in cert.pem -hash

$> openssl x509 -noout -in cert.pem -serial

# what is its MD5 fingerprint?
#> openssl x509 -noout -in cert.pem -fingerprint -md5

# what is its SHA1 fingerprint?
$> openssl x509 -noout -in cert.pem -fingerprint -sha1