· personal pages
· software
· ssl and certs
· images
· statistics
· mailserver
· services/tools
barcode freestone.net
Modified: 2012-03-20 12:50:23 Copyright © 1996 - 2017 by
Matthias Cramer

openssl howto

This is a very simple openssl howto. I made this maynly because I'm mostly to lazy to remember how to make a key and a csr (certificate signing request). Here are the steps you have to enter at your commandline to get a key and csr file:

Create a password protected key:

openssl genrsa -des3 -out domainname.key 2048

Or a non password protected one

openssl genrsa -out domainname.key 2048

Create the signing request. Enter the url or email address in the CN (Common Name) field

openssl req -new -key domainname.key -out domainname.csr

Verify your input:

openssl req -noout -text -in domainname.csr

Paste your CSR here:

Here is another example on how to make a self signed cert with one command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem

When you get a certicate, you probably like to check what's in it:

openssl x509 -text -in cert.pem

And for some applications you need the fingerprint of the certificate, here are two variants for md5 and sha1 fingerprints:

openssl x509 -md5 -fingerprint -in cert.pem
openssl x509 -sha1 -fingerprint -in cert.pem

When you get a password protected cert and don't like to enter the passphrase each time a deamon gets started, you can unlock it with the following command:

openssl rsa -in certin.pem -out certout.pem

If you have to check if a key and cert belogs together, you can start a openssl internal web server in the following way:

openssl s_server -key www.key -cert www.crt -www

You can even connect to port 4433 with https to that server.

To test a remote cerificate, you can use the openssl internal client.

openssl s_client -connect www.example.com:443 -showcerts -CApath /etc/ssl/certs/  # HTTPS
openssl s_client -connect www.example.com:465 -showcerts -CApath /etc/ssl/certs/  # SMTPS
openssl s_client -connect www.example.com:995 -showcerts -CApath /etc/ssl/certs/  # POP3S

openssl s_client -connect www.example.com:25 -starttls smtp -showcerts -CApath /etc/ssl/certs/  # STARTTLS over SMTP

Sometimes you have to deal with PKCS#12 certificate files, they can be converted from and to PEM format. First line converts pem to PKCS#12, second line does the opposite (PKCS#12 file have sometome the extension .pfx and sometimes .p12):

openssl pkcs12 -export -out mycert.p12 -in mycert.pem -name "Certificate"
openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes