OpenSSL Cheatsheet

Having to deal with the recent DigiCert Revocation & Symantec Distrust fiasco led to an opportunity to become more familiar with OpenSSL.

Fortunately, only 18 certificates (out of around 45) had to be replaced. Unfortunately, a client’s monster certificate, which has 69 SANs, was among the 18!

Below is a handful of commands that I used frequently with the replacement certificates. I couldn’t find a concise list that outlined them well, so I thought, why not post about it.

Create private key

openssl genrsa -out private.key 2048

Verify private key

openssl rsa -in private.key -check

Generate CSR with existing private key

openssl req -out csr.csr -key private.key -new

Verify CSR

openssl req -text -noout -verify -in csr.csr

Verify certificate

openssl x509 -text -noout -in certificate.cer

Verify certificate chain installed on server

openssl s_client -showcerts -host example.com -port 443

Convert certificate and private key to PFX container

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.cer -certfile intermediate.cer

Extract private key from PFX

openssl pkcs12 -in certificate.pfx -nocerts -out private.pem

Remove passphrase from private key

openssl rsa -in private.pem -out private.key
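
Before installing a replacement certificate, it is worth confirming that the private key, the CSR and the issued certificate all carry the same public key. The script below is an added example, not part of the original post: the helper names (pubkey_digest, check_match, make_sample) are hypothetical, the file names follow the commands above, and it assumes the private key has no passphrase.

```shell
#!/bin/sh
# Added example: confirm a key, CSR and certificate all carry the same public key.
# pubkey_digest, check_match and make_sample are hypothetical helper names.

# Print the SHA-256 digest of the DER public key in a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only when all three files hold the same public key; 2 if one is unreadable.
check_match() {
    k=$(pubkey_digest key  "$1") || return 2
    r=$(pubkey_digest csr  "$2") || return 2
    c=$(pubkey_digest cert "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Create constructed sample files in directory $1 (self-signed, for the demo only).
make_sample() {
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/private.key" -subj "/CN=example.com" \
        -out "$1/csr.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/csr.csr" -signkey "$1/private.key" -days 1 \
        -out "$1/certificate.cer" 2>/dev/null
}

# Demo on constructed files.
tmp=$(mktemp -d)
make_sample "$tmp"
if check_match "$tmp/private.key" "$tmp/csr.csr" "$tmp/certificate.cer"; then
    echo "key, CSR and certificate match"
else
    echo "MISMATCH: do not install this certificate with this key"
fi
rm -rf "$tmp"
```

Comparing a digest of the public key rather than the RSA modulus means the same check also works for non-RSA keys.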