SSL Stuff

Read cert

$ echo | openssl s_client -host <hostname> -port 443 | openssl x509 -noout -text

Read cert and check

$ echo | openssl s_client -servername <hostname> -connect <hostname>:443 -CAfile /etc/ssl/cert.pem | openssl x509 -noout -text

Dump cert chain

$ echo | openssl s_client -showcerts -servername <hostname> -connect <hostname>:443

Dump cert chain to individual files

$ echo | openssl s_client -showcerts -servername <hostname> -connect <hostname>:443 | \ sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | \ awk 'BEGIN {i=0} /BEGIN CERT/{i++} { print > "cert" i ".pem"}'

Read CRL

$ openssl crl -inform {DER|PEM} -noout -text -in <crl file>

Test connection

$ echo | openssl s_client -servername <hostname> -connect <hostname>:443 -CAfile <Root CA cert file>

Convert DER to PEM

$ openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem

Verify cert chain

$ openssl verify -CAfile /etc/ssl/cert.pem -untrusted intermediate.pem cert.pem

Exctract certs from pkcs12 file

$ openssl pkcs12 -in <file.pfx> -nodes

Extract keys from pkcs12 file

$ openssl pkcs12 -in <file.pfx> -nocerts

Remove password from key PEM

$ openssl rsa -in <protected.pem> -out <unprotected.pem>

Check keys match

Compare: openssl x509 -noout -modulus -in <file>.pem openssl rsa -noout -modulus -in <file>.key 0penssl req -noout -modulus -in <file>.csr