OpenSSL Commands
Check Certificate Expiration
Get Expiration from Remote System
openssl s_client -showcerts -servername mysite.com -connect mysite.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
Get Expiration from Local PEM/CRT File
Certificate Validation
Show Certificate Chain
Get Info from PEM/CRT
View Private Key Info
Generating Keys and CSRs
RSA
Generate Key and CSR
Generate 2048bit RSA Key
Generate CSR Using Existing Key
Generate Key and CSR, Answer Questions
openssl req -new \
-newkey rsa:2048 -nodes -keyout private.key \
-out mysite.com.csr \
-subj "/C=US/ST=Colorado/L=Denver/O=Your Company, Inc./OU=Operations/CN=mysite.com"
Generate CSR and specify SANs
Create a file named mysite.com.cnf with the contents:
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
ST = Colorado
L = Denver
O = Company Name
OU = Company Org
CN = www.mysite.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.4.3
DNS.1 = mysite.com
DNS.2 = www.mysite.com
Generate the CSR creating a new KEY and using CNF:
Generate the CSR using an existing key and using the cnf:
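The existing-key path named above, as an added example that is not part of the original page: it writes the mysite.com.cnf shown earlier, creates a key, builds the CSR from that key and the cnf, then confirms the CSR's self-signature and SAN entries before it goes to a CA. The function names and the temporary directory are assumptions made for the example.

```shell
#!/bin/sh
set -eu

# Writes the page's mysite.com.cnf into directory $1.
write_cnf() {
  cat > "$1/mysite.com.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
ST = Colorado
L = Denver
O = Company Name
OU = Company Org
CN = www.mysite.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.4.3
DNS.1 = mysite.com
DNS.2 = www.mysite.com
EOF
}
# Creates an owner-only 2048-bit RSA key in $1, then a CSR from that existing key.
make_csr() {
  ( umask 077; openssl genrsa -out "$1/private.key" 2048 2>/dev/null )
  openssl req -new -key "$1/private.key" -config "$1/mysite.com.cnf" -out "$1/mysite.com.csr"
}
# Prints the SAN entries of CSR $1, one per line (e.g. "DNS:mysite.com").
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | tr ',' '\n' | sed 's/^ *//'
}
# Succeeds only if the CSR self-signature verifies and every expected SAN ($2...) is present.
check_csr() {
  csr=$1; shift
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  sans=$(csr_sans "$csr")
  for want in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "$want" || { echo "missing SAN: $want" >&2; return 1; }
  done
}

# Constructed run in a throwaway directory.
d=$(mktemp -d)
write_cnf "$d"; make_csr "$d"
check_csr "$d/mysite.com.csr" "DNS:mysite.com" "DNS:www.mysite.com" "IP Address:192.168.4.3" && echo "CSR OK"
```

If the SAN check fails, the usual cause is a missing req_extensions line in the [req] section, in which case the [req_ext] block is silently ignored.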
ECDSA
Generate ECDSA Key and CSR
# generate the EC parameters file (curve P-256); this step does not create the key
openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ecparam.pem
# generate the key (written to private.key) and the CSR from those parameters
openssl req -newkey ec:ecparam.pem -keyout private.key -out mysite.com.csr
# or all-in-one (the <(...) process substitution requires bash)
openssl req -newkey ec:<(openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256) -keyout private.key -out mysite.com.csr