OpenSSL Usage tips

OpenSSL can be a complicated application to be sure. This page intends to shed some light on how to accomplish some typical operations, such as viewing a certificate's details or creating an SSL (client) connection to an email server that supports STARTTLS.

View a certificate's details

openssl x509 -in filename.crt -noout -text 

Where filename corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.

See also: man x509


Viewing the details of a certificate revocation list (CRL)

openssl crl -in filename  -noout -text

Where filename corresponds to the CRL file, which typically would end in .crl or .pem.

See also: man crl


DER to PEM conversion

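Converts a DER format certificate to PEM, which is more widely used in applications such as Apache. The -text option also writes the human-readable form of the certificate ahead of the PEM block in the output file.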

openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der

See also: man x509


Generate the hash value from a certificate

This is sometimes useful when you want to store multiple CA certificates as separate files in a directory that your application is configured to use.

openssl x509 -hash -noout -in certfile.pem

See also: man x509
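
Added example (not part of the original page): OpenSSL finds a CA in such a directory through a file named with the hash value plus a numeric suffix, for example HASH.0. The script below installs a certificate under that name and confirms the lookup with openssl verify -CApath; the test CA, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; the test CA, file names and function names are constructed.

# Create a throwaway self-signed CA certificate (constructed sample input).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Copy a PEM CA certificate into DIR as <subject-hash>.<n> and print that name.
install_ca() {
    cert=$1 dir=$2
    hash=$(openssl x509 -hash -noout -in "$cert") || return 1
    fp=$(openssl x509 -fingerprint -sha256 -noout -in "$cert") || return 1
    n=0
    # Different CAs can share a subject hash, so take the first free suffix.
    while [ -e "$dir/$hash.$n" ]; do
        other=$(openssl x509 -fingerprint -sha256 -noout -in "$dir/$hash.$n")
        if [ "$other" = "$fp" ]; then
            echo "$hash.$n"   # this certificate is already installed
            return 0
        fi
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n" && echo "$hash.$n"
}

# Succeed only if CERT verifies against the hashed CA directory DIR.
ca_trusted() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: the CA is rejected until it is installed under its hash name.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/cadir"
    make_test_ca "$work/ca.pem" "Constructed Test CA" || return 1
    ca_trusted "$work/ca.pem" "$work/cadir" && return 1
    name=$(install_ca "$work/ca.pem" "$work/cadir") || return 1
    ca_trusted "$work/ca.pem" "$work/cadir" || return 1
    echo "installed as $name"
    rm -rf "$work"
}
demo
```
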


Testing STARTTLS

Connects to a mail server and starts a TLS session; -showcerts displays all of the server's certificates (the certificate chain).

openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts

Note: only supported in newer versions of openssl (check the man page for the -starttls option).

See also: man s_client




© 2004 Mark Foster

$Id: openssl-usage-tips.html,v 1.2 2005/11/12 16:35:13 mdf Exp $