Optional Parameters

Use non default config file

-config /path/to/my/own/openssl.cnf

Do not encrypt the private key (with -nodes the key is written to disk without a passphrase)

-nodes

Create CSR

CSR with a newly generated key

openssl req -newkey rsa:2048 -out request.pem -keyout pub-sec-key.pem

CSR for existing key

openssl req -new -out request.pem -key pub-sec-key.pem

Show CSR content

openssl req -text -noout -in request.pem

Verify signature

openssl req -verify -noout -in request.pem

Create SHA1 fingerprint of the CSR modulus

openssl req -noout -modulus -in request.pem | openssl sha1 -c

Sign CSR with your CA

openssl ca -out certs/openVPN_name.crt -in openVPN_name.csr

Create Certificates

Self-Signed certificate incl. key

openssl req -x509 -days 365 -newkey rsa:2048 -out self-signed-certificate.pem -keyout pub-sec-key.pem

Self-Signed certificate from existing key

openssl req -x509 -days 365 -new -out self-signed-certificate.pem -key pub-sec-key.pem

Create ECC key

List available curves

openssl ecparam -list_curves

Create elliptic curve key

openssl ecparam -name secp384r1 -genkey -out private.ecc-key.pem
Show Certificate content

openssl x509 -text -noout -in cert.pem

Show Certificate fingerprints
# openssl x509 -fingerprint -noout -sha256 -in cert.pem
sha256 Fingerprint=84:B6:91:3C:28:8D:45:39:C4:C6:75:35:92:4F:F9:A7:4A:9A:7C:89:AB:04:1D:C9:D7:0A:DC:98:D4:66:5A:88

# openssl x509 -fingerprint -noout -sha1 -in cert.pem
sha1 Fingerprint=DE:A3:E6:0B:F9:B1:58:CD:A8:51:E5:AD:9C:FB:61:C9:1E:7D:A6:05

# openssl x509 -fingerprint -noout -md5 -in cert.pem
md5 Fingerprint=3F:F4:59:7E:F5:3F:70:B0:47:F6:CA:99:35:E9:85:C0
Show CRL and verify its signature against the CA chain

openssl crl -noout -text -CAfile root-chain.pem -in crl.pem

Verify Certificate

By local file

openssl verify -issuer_checks -CAfile root-chain.pem cert.pem

By connecting to the live server

openssl s_client -showcerts -CAfile root-chain.pem -connect www.thor.de:443

Verify Certificate matches Key (RSA: compare the modulus hashes, which must be identical)

# openssl x509 -noout -modulus -in someCert.pem | openssl md5; \
openssl rsa -noout -modulus -in someKey.pem | openssl md5

MD5(stdin)= a64366ca69925aff94bcd1e6eda4e133
MD5(stdin)= a64366ca69925aff94bcd1e6eda4e133

Verify CSR matches Key (RSA: compare the modulus hashes, which must be identical)

openssl req -noout -modulus -in ./someCSR.pem | openssl md5; \
openssl rsa -noout -modulus -in ./someKey.pem | openssl md5

MD5(stdin)= c0a0c23b384969d1052a05148be3d39d
MD5(stdin)= c0a0c23b384969d1052a05148be3d39d

Verify Certificate against CA Certificate/Chain

openssl verify -verbose -CAfile root-chain.pem  server.crt.pem

PKCS12 / PFX Conversion

PEM to PFX

You can also use the .pkcs12 or .p12 extension instead of .pfx.
I usually prefer .pfx because it is cross-platform and recognised by both Windows and macOS.

openssl pkcs12 -export -in myCert.crt -inkey myCert.key -certfile root-chain.pem -out myCert.pfx

PFX to PEM

# openssl pkcs12 -in myCert.pfx -clcerts -nokeys -nodes -out ./myCert.pem
# openssl pkcs12 -in myCert.pfx -cacerts -nokeys -nodes -out ./root-chain.pem
# openssl pkcs12 -in myCert.pfx -nocerts -nodes -out ./myCert.key.pem

PKCS7 Conversion

PKCS7 to PEM

openssl pkcs7 -in cert.p7b -inform DER -print_certs -out cert.pem

PEM / DER Conversion

PEM to DER Certificate

openssl x509 -in input.pem -inform PEM -out output.crt -outform DER

DER to PEM Certificate

openssl x509 -in input.crt -inform DER -out output.pem -outform PEM

PEM to DER Key

openssl rsa -in input.key.pem -inform PEM -out output.der.key -outform DER

DER to PEM Key

openssl rsa -in input.der.key -inform DER -out output.key.pem -outform PEM

Edit Key

Change Password (re-encrypts the key; -des3 is a legacy cipher, -aes256 is the preferred choice)

openssl rsa -in mykey.pem -des3 -out mykey.new.pem

Remove Password (the key is written unencrypted)

openssl rsa -in mykey.pem -out mykey.new.pem

CRL

Create CRL

openssl ca -gencrl -out crls/crl.pem

Revoke Certificate

# openssl ca -revoke somecert.pem

# openssl ca -revoke ./newcerts/03.pem

Show Revoked Certificates

openssl crl -in crls/crl.pem -noout -text

Convert CRL to DER format

openssl crl -in crls/crl.pem -outform der -out crls/crl.der.crl

Certificate Pinning

PIN from Certificate

openssl x509 -in cert.pem -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64

PIN from RSA Key

openssl rsa -in privkey.pem -outform der -pubout \
| openssl dgst -sha256 -binary \
| openssl enc -base64

PIN from EC Key

openssl ec -in privkey.pem -outform der -pubout \
| openssl dgst -sha256 -binary \
| openssl enc -base64

PIN from CSR

openssl req -in signing-request.csr -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64

TLSA DNS RR

Fingerprint (for ‘3 0 1’ DNS RRs)

openssl x509 -in cert.pem -noout -fingerprint -sha256 \
| cut -d= -f2 | tr -d ":"

1D8C5D49EA44E091A454324994A5598DB956542E44520A20AE40CE0450091E5F

S/MIME

Sign Message

openssl smime -sign -in in.txt -text -out mail.msg  -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem

Extract Signing Certificate

The signer's certificate will be saved to cert.pem.
The e-mail body will be saved to textdata.txt.
Note that -noverify only checks the signature itself; the signer's certificate is not validated against a CA, so the signer's identity is not established.

openssl smime -verify -in message.eml -noverify -signer cert.pem -out textdata.txt
