Read cert
$ echo | openssl s_client -host \<hostname> -port 443 | openssl x509 -noout -text
Read cert and check
$ echo | openssl s_client -servername \<hostname> -connect \<hostname>:443 -CAfile /etc/ssl/cert.pem | openssl x509 -noout -text
Dump cert chain
$ echo | openssl s_client -showcerts -servername \<hostname> -connect \<hostname>:443
Dump cert chain to individual files
$ echo | openssl s_client -showcerts -servername \<hostname> -connect \<hostname>:443 | \
sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | \
awk 'BEGIN {i=0} /BEGIN CERT/{i++} { print > "cert" i ".pem"}'
Read CRL
$ openssl crl -inform {DER|PEM} -noout -text -in \<crl file>
Test connection
$ echo | openssl s_client -servername \<hostname> -connect \<hostname>:443 -CAfile \<Root CA cert file>
Convert DER to PEM
$ openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem
Verify cert chain
$ openssl verify -CAfile /etc/ssl/cert.pem -untrusted intermediate.pem cert.pem
Exctract certs from pkcs12 file
$ openssl pkcs12 -in \<file.pfx> -nodes
Extract keys from pkcs12 file
$ openssl pkcs12 -in \<file.pfx> -nocerts
Remove password from key PEM
$ openssl rsa -in \<protected.pem> -out \<unprotected.pem>