DEV Community

drevispas
Common SSL Commands

Here are the TLS commands I use most often. I will add more little by little.

################################################################################
# Let
# server.crt: a server certificate file
# root.crt: a self-signed root certificate file
# All certificates are in the format of PEM.
################################################################################

# View the contents of a certificate:
openssl x509 -in server.crt -text -noout

# Check a certificate chain against a trusted root (the second form also
# supplies an intermediate; process substitution requires bash):
openssl verify -verbose -CAfile root.crt server.crt
openssl verify -verbose -CAfile <(cat interm.crt root.crt) server.crt

# Extract public key from private key
openssl rsa -pubout -in server.key -out server.pub

# Test a TLS connection and verify the server certificate against a CA file:
openssl s_client -connect www.example.com:8443 -state -CAfile como.crt

# Save the server (leaf) certificate in PEM; openssl x509 keeps only the first certificate of the -showcerts output
openssl s_client -showcerts -connect www.example.com:443 </dev/null | openssl x509 -outform PEM > example.pem.crt

# Save server certificate in DER
openssl s_client -showcerts -connect www.example.com:443 </dev/null | openssl x509 -outform DER > example.der.crt

# List the certificates in a PKCS12 keystore
keytool -list -v -keystore example.p12 -storetype PKCS12 -storepass ${storepass}

# Export a certificate from a PKCS12 keystore
keytool -export -keystore example.p12 -alias ${alias} -file example.crt

# Create a new JKS truststore containing the root CA
keytool -import -alias rootca -file root.crt -keystore truststore.jks -storepass changeit

Let's look at an example with the full steps for making root, intermediate, and server certificates:

# Create a CA key pair
openssl genrsa -out root.key 8192
# Create a self-signed CA certificate
openssl req -sha256 -new -x509 -days 3650 -key root.key \
-subj "/C=KR/L=Seoul/OU=Example/CN=Example Root CA" -out root.crt

# Or you can combine the above two commands into one:
openssl req -nodes -x509 -sha256 -newkey rsa:8192 -keyout "root.key" -out "root.crt" -days 3650 \
-subj "/C=KR/L=Seoul/OU=Example/CN=Example Root CA"

# Create a server key pair
openssl genrsa -out server.key 4096

# Create a CSR (a signing request, not a certificate, so use a .csr name)
openssl req -new -sha256 -key server.key \
-subj "/C=KR/L=Seoul/OU=Example/CN=svc.example.com" -out server.csr

# Create a server certificate by signing the CSR with the CA key
# (-days is needed because x509 -req defaults to 30 days)
openssl x509 -req -sha256 -days 365 -in server.csr -CA root.crt -CAkey root.key -set_serial 01 -out server.crt
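The steps above stop at a server certificate signed directly by the root. The following script is an added example, not code from the post, that carries the procedure through the intermediate the text mentions: root CA, intermediate CA (pathlen:0), server certificate with a SAN, the leaf-plus-intermediate bundle a server should send, and the `openssl verify` calls that show why the intermediate matters. It also packs the result into the PKCS12 keystore that the keytool lines above list and export from. Names (Example Root CA, Example Intermediate CA, svc.example.com), the 2048-bit key size (chosen for speed; the post uses 8192 and 4096), the `changeit` pass phrase and the file layout are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the post): build a private root -> intermediate -> server
# chain with openssl, bundle it the way a server presents it, and verify it.
# Assumptions: constructed names, 2048-bit keys for speed, pass phrase "changeit".
set -eu

# One config file with a minimal [req] section (so req works even without a
# system openssl.cnf) and one extension profile per certificate role.
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:svc.example.com
authorityKeyIdentifier = keyid
EOF
}

make_demo_chain() {
  dir="$1"
  write_config "$dir"
  # 1. Root: key and self-signed certificate in one step, as in the post.
  openssl req -x509 -config "$dir/ca.cnf" -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -keyout "$dir/root.key" -out "$dir/root.crt" \
    -subj "/C=KR/L=Seoul/OU=Example/CN=Example Root CA"
  # 2. Intermediate: CSR, then signed by the root; pathlen:0 stops it from
  #    issuing further CAs.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/interm.key" -out "$dir/interm.csr" \
    -subj "/C=KR/L=Seoul/OU=Example/CN=Example Intermediate CA"
  openssl x509 -req -sha256 -days 1825 -in "$dir/interm.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/ca.cnf" -extensions v3_intermediate -out "$dir/interm.crt"
  # 3. Server: CSR signed by the intermediate (not the root), with a SAN,
  #    which modern clients require and the post's CSR lacks.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=KR/L=Seoul/OU=Example/CN=svc.example.com"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/interm.crt" -CAkey "$dir/interm.key" -CAcreateserial \
    -extfile "$dir/ca.cnf" -extensions v3_server -out "$dir/server.crt"
  # 4. Bundle: leaf first, then the intermediate, which is what a server sends.
  cat "$dir/server.crt" "$dir/interm.crt" > "$dir/chain.crt"
}

# Leaf verified with the intermediate as untrusted input and only the root trusted.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/interm.crt" "$1/server.crt"
}

# Same check from the bundle: openssl verify takes the first certificate of the
# last argument as the target and every certificate in -untrusted as a candidate.
verify_bundle() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/chain.crt" "$1/chain.crt"
}

# Without the intermediate there is no path from the leaf to the trusted root;
# this is what a server that omits its intermediate looks like to a client.
verify_leaf_alone() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt"
}

# 5. Pack key + leaf + intermediate into a PKCS#12 keystore; -name is the alias
#    that "keytool -list" shows. The pass phrase is a placeholder.
make_p12() {
  openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
    -certfile "$1/interm.crt" -name svc -out "$1/example.p12" -passout pass:changeit
}

# Read the keystore back without the private key and count its certificates.
list_p12() {
  openssl pkcs12 -in "$1/example.p12" -nokeys -passin pass:changeit | grep -c -- '-----BEGIN CERTIFICATE-----'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_demo_chain "$workdir"
verify_chain "$workdir"
verify_bundle "$workdir"
verify_leaf_alone "$workdir" || echo "leaf alone: expected failure, no path to the root"
make_p12 "$workdir"
echo "certificates in keystore: $(list_p12 "$workdir")"
```

The two successful checks print `server.crt: OK` and `chain.crt: OK`; the third fails with "unable to get local issuer certificate", the same error a client reports when a server forgets to send its intermediate. The `example.p12` it writes is the kind of file the keytool commands above operate on, with `svc` as the alias.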

Do you want to view the contents of a certificate chain? Let's call the following script 'chain.sh' and run it like "./chain.sh combined_certificates.crt".

#!/bin/bash
# Print the subject and issuer of every certificate in a PEM bundle, then
# verify the first certificate using the rest as untrusted intermediates.

chain_pem="${1}"

if [[ ! -f "${chain_pem}" ]]; then
    echo "Usage: $0 BASE64_CERTIFICATE_CHAIN_FILE" >&2
    exit 1
fi

# openssl x509 only reads the first certificate, so this checks that the
# file starts with a parseable PEM certificate.
if ! openssl x509 -in "${chain_pem}" -noout 2>/dev/null ; then
    echo "${chain_pem} is not a certificate" >&2
    exit 1
fi

# Feed each PEM block to its own "openssl x509" process; closing the pipe at
# END CERTIFICATE flushes that block and prints its subject and issuer.
awk '
        BEGIN {
            ind = 0
            showcert = "openssl x509 -noout -subject -issuer"
        }

        /-----BEGIN CERTIFICATE-----/ {
            printf "%2d: ", ind
            fflush()
        }

        {
            print $0 | showcert
        }

        /-----END CERTIFICATE-----/ {
            close(showcert)
            ind++
        }
    ' "${chain_pem}"

echo
# Verify the first certificate in the file against the system trust store,
# using the remaining certificates as untrusted intermediates. For a private
# root add "-CAfile root.crt".
openssl verify -untrusted "${chain_pem}" "${chain_pem}"


Top comments (1)

Yaroslav Polyakov

If you don't mind, I'd put here a link to my post about showcert: a simple open source utility which makes most of these things very easy.

# openssl x509 -in server.crt -text -noout
showcert server.crt

# openssl s_client -connect www.example.com:8443 -state -CAfile como.crt
# add -i to ignore verification error
showcert www.example.com:8443

# openssl s_client -showcerts -connect www.example.com:443 </dev/null | openssl x509 -outform PEM > example.pem.crt
# add --chain / -c to save full chain
showcert www.example.com -o pem > example.pem.crt

# And bonus:
# check all letsencrypt certificates and warn which one expires in 10 days.
showcert :le -q -w 10 || echo panic