OpenSSL is an open-source command-line tool that is commonly used to generate private keys, create CSRs, install our SSL/TLS certificate, and identify certificate information. This quick reference can help us understand the most common OpenSSL commands and how to use them.
Table of Contents
How to get an SSL Certificate
- generate a key pair
- use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
- upload the request to a certificate authority or generate a self-signed certificate
- download the certificate and install it on our web server along with the key pair
Generate Private Key and CSR
We can use the following two commands to generate private key and CSR.
- openssl genrsa -out privateKey.key 2048
- openssl req -new -key privateKey.key -out CSR.csr
Then we need to input the following info to generate CSR.
Get Your Free Linux training!
Join our free Linux training and discover the power of open-source technology. Enhance your skills and boost your career! Learn Linux for Free!- Country Name: 2-digit country code where our organization is legally located.
- State/Province: Write the full name of the state where the organization is legally located.
- City: Write the full name of the city where our organization is legally located.
- Organization Name: Write the legal name of our organization.
- Organization Unit: Name of the department
- Common Name: Fully Qualified Domain Name
Generate Private key and CSR with one command
We can also use the following command to generate CSR and private key in a single shot.
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key -subj “/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com”
Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Purpose of CSR file Key file and certificate file
We should use the CSR file to request our SSL certificate from a Certificate Authority. Make sure we copy the entire text.
Certificate.crt and intermediate.crt should be concatenated into a certificate file bundle and stored on the server. privateKey.key should also be stored on the server.
root.crt should be stored on the client so the client can verify that the server’s leaf certificate was signed by a chain of certificates linked to its trusted root certificate.
Check SSL certificate with OpenSSL Command
- Check Private key info: openssl rsa -text -in privateKey.key -noout
- Check CSR info: openssl req -text -in CSR.csr -noout
- View SSL certificate info: openssl x509 -text -in certificate.crt -noout
Example:
openssl x509 -in hydssl.cer -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:01:6e:fb:0a:20:5c:fa:eb:e1:8f:71:d7:3a:bb:78
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA
Validity
Not Before: Dec 12 16:56:15 2019 GMT
Not After : Dec 12 16:56:15 2029 GMT
Subject: C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ea:1b:99:6c:35:56:30:68:fb:5d:b1:59:41:69:
Check who has issued the SSL certificate:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let’s Encrypt/CN=R3
Check whom the SSL certificate is issued to:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.howtouselinux.com
Check for what dates the SSL certificate is valid:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT
Show the all above information about the SSL certificate
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let’s Encrypt/CN=R3
subject= /CN=www.howtouselinux.com
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT
Show the SHA1 fingerprint of the SSL certificate:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=52:DA:6A:D5:81:A8:6C:20:6A:16:EE:2E:A2:19:7A:C6:E7:A2:3E:87
Extract all information from the SSL certificate (decoded)
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
Signature Algorithm: sha256WithRSAEncryption
[…]
Show the SSL certificate itself (encoded):
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509
—–BEGIN CERTIFICATE—–
MIIFGDCCBACgAwIBAgISA4b0Yz00UKhHzPeZEB95HCHIMA0GC
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbm
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzM
[…]
Check SSL Certificate expiration date
- openssl s_client -servername SERVER_NAME -connect SERVER_NAME:PORT| openssl x509 -noout -dates
- echo | openssl s_client -servername SERVER_NAME -connect SERVER_NAME:PORT | openssl x509 -noout -dates
- openssl x509 -enddate -noout -in /path/to/my/my.pem
Example:
openssl x509 -dates -noout -in hydssl.cer
notBefore=Dec 12 16:56:15 2019 GMT
notAfter=Dec 12 16:56:15 2029 GMT
Verify the Keys Match
To verify the public and private keys match, extract the public key from each file and generate a hash output for it. All three files should share the same public key and the same hash value.
Use the following commands to generate a hash of each file’s public key:
- openssl pkey -pubout -in privateKey.key | openssl sha256
- openssl req -pubkey -in CSR.csr -noout | openssl sha256
- openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
Related:
- Exploring SSL Certificate Chain with Examples
- Understanding X509 Certificate with Openssl Command
- OpenSSL Command to Generate View Check Certificate
- Converting CER CRT DER PEM PFX Certificate with Openssl
- SSL vs TLS and how to check TLS version in Linux
- Understanding SSH Key RSA DSA ECDSA ED25519
- Understanding server certificates with Examples