Debugging and Testing Certificates With OpenSSL
The following are some examples that show how you can use OpenSSL commands to work with existing certificates to debug and test the infrastructure. The examples provided here aren't comprehensive and are intended to supplement the existing OpenSSL manual pages.
Examining Certificates
Display the information contained in an X.509 certificate.
sudo openssl x509 -text -noout -in server.crtDisplay the SHA1 fingerprint of a certificate.
sudo openssl x509 -sha1 -noout -fingerprint -in server.crtDisplay the serial number of a signed certificate:
sudo openssl x509 -serial -noout -in server.crtCheck That a Private Key Matches a Certificate
The modulus and public exponent parts of the key and certificate must match. These values are often long and difficult to check. The easiest way to compare the modulus in the key and certificate is to create a SHA256 hash of each and compare those instead, for example:
sudo openssl x509 -noout -modulus -in server.crt | openssl sha256
sudo openssl rsa -noout -modulus -in server.key | openssl sha256You can also check the modulus in a CSR to see if it matches a key or certificate, as follows:
sudo openssl req -noout -modulus -in server.csr | openssl sha256
Changing Key or Certificate Format
Convert a root certificate to a form that can be published on a website for downloading by a browser:
sudo openssl x509 -in cert.pem -out rootcert.crt
Convert a base64 encoded certificate (also referred to as PEM or RFC 1421) to binary DER format:
sudo openssl x509 -in cert.pem -outform der -out certificate.der
Convert the base64 encoded certificates for an entity and its CA to a single PKCS7 format certificate:
sudo openssl crl2pkcs7 -nocrl -certfile entCert.cer -certfile CACert.cer -out certificate.p7b
Check Certificate Consistency and Validity
Verify a certificate including the signing authority, signing chain, and period of validity:
sudo openssl verify cert.pem
Decrypting Keys and Adding or Removing Passphrases
If you create an encrypted key file and decide that the file isn't encrypted or doesn't require a passphrase, you can decrypt it by using the following command:
sudo openssl rsa -in private.key -out unencrypted.key Enter pass phrase for private.key: writing RSA key
You're prompted for the passphrase on the encrypted key, which is stored in private.key, and the unencrypted version of the same key is written to the unencrypted.key file.
To encrypt an unencrypted key and add a passphrase to protect it, run the following command:
sudo openssl rsa -aes256 -in unencrypted.key -out private.key
In the previous example, the AES cipher is used with a 256 bit key. The command prompts you to enter a passphrase and to verify it. The new encrypted key file is written to private.key.
You can add or remove a passphrase from the private key at any time without affecting its public key counterpart. Adding a passphrase protects the private key from use by an unauthorized or malicious user, but comes with an added inconvenience, in that services that use the private key always require manual intervention to start or restart. If you remove the passphrase from a key, ensure that it's stored with strict permissions and that it's not copied to systems that don't require it.
Using OpenSSL to Test SSL/TLS Configured Services
Test a self-signed certificate by configuring a server that listens on port 443:
sudo openssl s_server -accept 443 -cert cert.pem -key prikey.pem -www
Test the client side of a connection. This command returns information about the connection including the certificate by which you can directly input HTTP commands:
sudo openssl s_client -connect server:443 -CAfile cert.pemExtract a certificate from a server as follows:
sudo echo | openssl s_client -connect server:443 2>/dev/null | \
sed -ne '/BEGIN CERT/,/END CERT/p' |sudo tee svrcert.pem