I know, I know, there are plenty of openssl cheat sheets out there already((http://www.sslshopper.com/article-most-common-openssl-commands.html))((https://github.com/stanzgy/wiki/blob/master/network/openssl-self-signed-certs-cheatsheet.md)). But as I keep googling again and again to find the most useful openssl commands, I decided to do my own – the first version of the blog entries is actually already 3 years old. Another reason for creating the list is that I remember things better when I am writing them down.
Show contents of a certificate (( https://knowledge.symantec.com/support/identity-protection-support/index?page=content&id=SO28771&actp=RSS&viewlocale=en_US ))
openssl x509 -fingerprint -sha256 -noout -text -in domain.com.crt
Show contents of a certificate request (CSR)
openssl req -text -noout -verify -in CSR.csr
OpenSSL HTTPS Client with SNI (( https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/ ))
openssl s_client -connect roman.pertl.name:443 -servername roman.pertl.name
Generate a CSR to send to an external CA
openssl req -new -newkey rsa:2048 -sha256 -nodes -out roman.pertl.org.csr -keyout roman.pertl.org.key -subj "/C=US/ST=NY/L=NY/O=Roman Pertl/OU=Hostmaster/CN=roman.pertl.org"
Generate a Self-Signed SSL Certificate
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"
Newer browser versions, e.g. Chrome, require the DNS subjectAltName attribute to be set instead of, or in addition to, the CN field: ((https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58/845788)) ((https://deliciousbrains.com/https-locally-without-browser-privacy-errors/))
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.pertl.org')) -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"
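The SAN requirement above, as an added example that is not part of the original post: it writes a minimal temporary config instead of relying on the macOS path /System/Library/OpenSSL/openssl.cnf, then checks that the generated certificate really carries the expected DNS names. The function names `make_cert` and `has_san`, the `example.test` names and the rsa:2048 key size are assumptions chosen for the demo.

```bash
#!/usr/bin/env bash
# Added example. example.test names and file prefixes are placeholders.

# make_cert PREFIX CN [SAN_LIST]
# Writes PREFIX.key and PREFIX.crt. SAN_LIST looks like
# "DNS:*.example.test,DNS:example.test"; if empty, the cert has a CN only.
make_cert() {
  mc_cfg=$(mktemp) || return 1
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "${3:-}" ]; then printf 'x509_extensions = san\n'; fi
    printf '[dn]\nCN = %s\n' "$2"
    if [ -n "${3:-}" ]; then printf '[san]\nsubjectAltName = %s\n' "$3"; fi
  } > "$mc_cfg"
  # rsa:2048 keeps the demo fast; the commands on this page use rsa:4096.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
    -config "$mc_cfg" -keyout "$1.key" -out "$1.crt" 2>/dev/null
  mc_rc=$?
  rm -f "$mc_cfg"
  return "$mc_rc"
}

# has_san CERT NAME
# Succeeds only if NAME is an exact DNS entry in the SAN extension,
# so a substring of a listed name does not count as a match.
has_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -Fxq "DNS:$2"
}
```

Running `has_san pertl.org.crt '*.pertl.org'` before installing a certificate catches the CN-only case that browsers reject.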
Generate a Self-Signed CA Root Certificate
openssl req -nodes -newkey rsa:4096 -x509 -sha256 -days 3650 -keyout rootCA.key -reqexts v3_req -extensions v3_ca -out rootCA.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=pertl CA"
Generate custom dh param file
openssl dhparam -out domain.at.dhparam 4096