OpenSSL usage tips and examples

From ConShell
Revision as of 17:00, 9 April 2008 by Fostermarkd (talk | contribs)
Jump to navigation Jump to search


OpenSSL can be a complicated application to be sure. This page intends to shed some light on how to accomplish some typical operations, such as viewing a certificates details or creating a SSL (client) connection to an email server that supports STARTTLS.

Create self-signed certificate (and key)

openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt


View certificates details

openssl x509 -in filename.crt -noout -text

Where filename corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.

See also: man x509

View the details of a certificate revocation list (CRL)

openssl crl -in filename  -noout -text

Where filename corresponds to the CRL file, which typically would end in .crl or .pem

See also: man crl

Convert DER (binary) to PEM (base-64) format

Converts a DER format certificate to PEM - which is more widely used in applications such as apache.

openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der See also: man x509

Generate the hash value from a certificate

Sometimes useful when you want to store multiple CA certificates as separate files in a directory configured into your application. 

openssl x509 -hash -noout -in certfile.pem

See also: man x509

Testing STARTTLS

Connects to a mail server and starts TLS session, shows all the server certs (certificate chain) with -showcerts. 

openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts

Note: only support in newer versions of openssl (check man page for -starttls option)

See also: man s_client

Retrieved from "https://conshell.net/wiki/index.php?title=OpenSSL_usage_tips_and_examples&oldid=3956"