You can use our SSL Certificate Discovery Tool to find and manage all the certificates on your network.


Generate a Key

To generate an RSA key, use the genrsa option. The command below generates a 2048 bit RSA key and saves it to a file called key.pem

openssl genrsa -out key.pem 2048 

If you require that your private key file is protected with a passphrase, use the command below.

openssl genrsa -des3 -out key.pem 2048 

The file, key.pem, generated in the examples above actually contains both a private and public key. To view the public key you can use the following command:

openssl rsa -in key.pem -pubout

Generate a CSR

If you already have a key, the command below can be used to generates a CSR and save it to a file called req.pem

This is an interactive command that will prompt you for fields that make up the subject distinguished name of the CSR.

openssl req -new -key key.pem -out req.pem

If you do not have a key, the command below will generate a new private key and an associated CSR. If you wish to protect the private key with a passphrase, remove the -nodes option.

openssl req -new -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

View the contents of a CSR

To view a CSR you can use our online CSR Decoder. However, if you prefer to decode your CSR locally use the command below.

openssl req -in req.pem -noout -text

Verify the signature on a CSR

To verify the signature on a CSR you can use our online CSR Decoder, or you can use the command below.

openssl req -in req.pem -noout -verify

Create a self-signed certificate

To create a self-signed certificate, sign the CSR with its associated private key

openssl x509 -req -days 365 -in req.pem -signkey key.pem -out cert.pem

To create a self-signed certificate with just one command use the command below. This generates a 2048 bit key and associated self-signed certificate with a one year validity period.

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

If you don't want your private key encrypting with a password, add the -nodes option.

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

If you do not wish to be prompted for anything, you can supply all the information on the command line.

openssl req \                                                                   
    -x509 \                                                                     
    -newkey rsa:2048 \                                                          
    -keyout key.pem \                                                           
    -out cert.pem \                                                             
    -days 365 \                                                                 
    -subj "/C=GB/ST=Staffs/L=Stoke/O=RKC/CN=www.domain1.com" \                  
    -nodes
    

View the contents of a certificate

To view a certificate you can use our online Certificate Decoder. However, if you prefer to decode your certificate locally use the command below.

openssl x509 -in cert.pem -noout -text


Convert a certificate from PEM to DER format

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER 

Convert a certificate from DER to PEM format

openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM 

Convert a CSR from PEM to DER format

openssl req -in csr.pem -out csr.der -outform DER

Convert a CSR from DER to PEM format

openssl req -in csr.der -inform DER -out csr.pem -outform PEM

Get the SHA-1 fingerprint of a certificate or CSR

You can use our CSR and Cert Decoder to get the SHA1 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.

To get the SHA1 fingerprint of a certificate using OpenSSL, use the command shown below.

openssl dgst -sha1 certificate.der

To get the SHA1 fingerprint of a CSR using OpenSSL, use the command shown below.

openssl dgst -sha1 csr.der

Get the MD5 fingerprint of a certificate or CSR

You can use our CSR and Cert Decoder to get the MD5 fingerprint of a certificate or CSR. The decoder converts the CSR/certificate to DER format before calculating the fingerprint.

To get the MD5 fingerprint of a certificate using OpenSSL, use the command shown below.

openssl dgst -md5 certificate.der

To get the MD5 fingerprint of a CSR using OpenSSL, use the command shown below.

openssl dgst -md5 csr.der

Grab a website's SSL certificate

openssl s_client -connect www.somesite.com:443 > cert.pem

Now edit the cert.pem file and delete everything except the PEM certificate.

The command below makes life even easier as it will automatically delete everything except the PEM certificate.

echo -n | openssl s_client -connect mysite.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.cert

If the webserver has several certificates on one IP address, then you will need to tell OpenSSL which certificate to request using Server Name Indication (SNI). This can be done by adding the -servername argument, which tells OpenSSL to negotiate SNI. The command below shows the previous command modified to use SNI.

echo -n | openssl s_client -connect mysite.com:443 -servername mysite.com | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pem.cert

Run an SSL server

The OpenSSL s_server command below implements a generic SSL/TLS server. It should be used for test purposes only. The example below listens for connections on port 8080 and returns an HTML formatted status page that includes lots of information about ciphers.

openssl s_server -key key.pem -cert cert.pem -accept 8080 -www

Run an SSL server that supports SNI

The OpenSSL s_server command below implements an SSL/TLS server that supports SNI. It should be used for test purposes only. The command below will listen for connections on port 443 and requires 2 valid certs and private keys. When a client connects without indicating a hostname, the domain1 cert is returned, otherwise the cert requested (either domain1.com or domain2.com) is returned.

sudo openssl s_server -accept 443 -www -servername www.domain1.com -cert domain1.cert.pem -key domain1.key.pem -servername www.domain2.com -cert2 domain2.cert.pem -key2 domain2.key.pem

Find out what version of OpenSSL you're running

Use the version command

openssl version



---
Feedback and suggestions about this article are appreciated and can
be emailed to the author Phil Ratcliffe at phil at redkestrel.co.uk
Last modified: 8th September 2017