Basics
Show TLS Certificate of an HTTPS Web Server
echo | openssl s_client -showcerts -servername <TARGET> -connect <TARGET>:443 2>/dev/null | openssl x509 -inform pem -noout -text
Decrypt a Password Protected Private Key
openssl rsa -in <KEY_FILE> -out decrypted_<KEY_FILE>
Create a Personal Information Exchange File (.pfx)
openssl pkcs12 -export -out <PFX_FILE> -inkey <KEY_FILE> -in <CRT_FILE>
View RSA Private Key (.key)
openssl rsa -in <KEY_FILE> -noout -text
View Certificate (.crt)
openssl x509 -in <CRT_FILE> -noout -text
View Personal Information Exchange (.pfx)
openssl pkcs12 -in <PFX_FILE> -info -nodes
View Certificate Signing Request (.csr)
openssl req -in <CSR_FILE> -noout -text
Create a Client Certificate
1. Generate a Private Key
openssl genrsa -out <KEY_FILE> 2048
2. Create a Certificate Signing Request
openssl req -new -key <KEY_FILE> -out <CSR_FILE>
Sample Output:
# Settings
+-----------------------------------------------------------------------------+
| You are about to be asked to enter information that will be incorporated |
| into your certificate request. |
| What you are about to enter is what is called a Distinguished Name or a DN. |
| There are quite a few fields but you can leave some blank |
| For some fields there will be a default value, |
| If you enter '.', the field will be left blank. |
| ----- |
| Country Name (2 letter code) [AU]:US |
| State or Province Name (full name) [Some-State]: |
| Locality Name (eg, city) []: |
| Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY_NAME |
| Organizational Unit Name (eg, section) []:COMPANY_NAME |
| Common Name (e.g. server FQDN or YOUR name) []:USER |
| Email Address []:EMAIL |
| |
| Please enter the following 'extra' attributes |
| to be sent with your certificate request |
| A challenge password []: |
| An optional company name []: |
+-----------------------------------------------------------------------------+
3. Sign the Request with a Valid Key and Certificate Pair
openssl x509 -req -in <CSR_FILE> -CA <CERT_PEM_FILE> -CAkey <CERT_KEY_FILE> -CAcreateserial -out <PEM_FILE> -days 1024
4. Usages
# Convert pem to pfx that Firefox can import
openssl pkcs12 -export -out <PFX_FILE> -inkey <KEY_FILE> -in <PEM_FILE> -certfile <CERT_PEM_FILE>
Sample Output:
# Settings
+------------------------------------+
| Enter Export Password: |
| Verifying - Enter Export Password: |
+------------------------------------+
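# Authenticate to the target with the client certificate (-k disables server certificate verification)
curl -k --cert <PEM_FILE> --key <KEY_FILE> <TARGET>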
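Steps 1 to 3 above as one non-interactive run, followed by the checks worth making before the certificate is imported or used. This is an added example, not part of the original cheat sheet: the throwaway CA, the file names, the function names and the clientAuth extended key usage are assumptions of the example, and the subject values reuse the placeholders from the sample prompt.

```shell
#!/bin/sh
# Added example: steps 1-3 run non-interactively against a throwaway CA.
# File names, subject values and the CA are constructed for this demo.
set -eu

make_client_cert() (
  dir=$1
  umask 077   # keep generated private keys unreadable by other users
  # Throwaway CA standing in for <CERT_PEM_FILE>/<CERT_KEY_FILE> (assumption).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.pem" -days 30 -subj "/O=Example Test CA/CN=Example Test CA" \
    2>/dev/null
  # 1. Private key.
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  # 2. CSR; -subj supplies the DN instead of the interactive prompts.
  openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
    -subj "/C=US/O=COMPANY_NAME/OU=COMPANY_NAME/CN=USER"
  # 3. Sign. The extfile adds a clientAuth EKU (an addition to the page's step 3).
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" \
    -days 1024 -sha256 -extfile "$dir/client.ext" 2>/dev/null
)

# The certificate chains to the CA and is acceptable as a TLS client cert.
chain_ok() {
  openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/client.pem" \
    >/dev/null 2>&1
}

# The certificate's public key is the one derived from the private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1/client.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$1/client.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# The signed certificate carries the clientAuth extended key usage.
has_client_eku() {
  openssl x509 -in "$1/client.pem" -noout -text |
    grep -q 'TLS Web Client Authentication'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_client_cert "$demo_dir"
chain_ok "$demo_dir" && key_matches_cert "$demo_dir" &&
  has_client_eku "$demo_dir" && echo "client certificate verified"
```

The key-match check is the one to run before building a .pfx from files that were collected separately, since a mismatched pair only fails later at import or handshake time.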
Convert .p12 to .key and .crt
# Create cert.key
openssl pkcs12 -in <P12_FILE> -nocerts -out <KEY_FILE>
# Create cert.crt
openssl pkcs12 -in <P12_FILE> -clcerts -nokeys -out <CRT_FILE>
Base64 Encode/Decode
# base64 encode a file
openssl base64 -in <FILE>
# base64 decode a file and output to a file
cat <BASE64_ENCODED_FILE> | openssl enc -d -base64 -out <FILE>