
21 OpenSSL Commands to Help Manage Certificates

Hi there! As an infrastructure geek, I wanted to share my expert guide on using OpenSSL for certificate management. Properly handling SSL/TLS certificates is crucial for securing websites and internet communications. After years of hands-on experience, I've become quite the OpenSSL power user! 🤓

So in this comprehensive walkthrough, I'll provide 21 key examples for the most common OpenSSL tasks you'll encounter around certificates:

Why OpenSSL Matters for Certificate Management

Before jumping to the commands, I want to emphasize just how critical OpenSSL is for certificate functionality. As an open source toolkit, it delivers the encryption libraries and TLS protocol implementation used across the web:

  • Over 65% of web servers like Apache and Nginx rely on OpenSSL for TLS encryption

  • It enables HTTPS certificate usage for ~75 million domains

  • The average site has 5-15 unique SSL certificates, each of which has to be issued, installed, renewed and eventually rotated

  • Even the largest companies depend on it or on forks of it: Google, for example, maintains BoringSSL, its own fork of OpenSSL, for Chrome and Android

Simply put, anytime you handle certificates or keys for your websites, the OpenSSL command line is the standard tool for generating, inspecting, and converting them. That's why it's so important for admins to understand!

Now let's explore 21 prime examples…

1. Create a New Private Key and CSR

The most common OpenSSL task is creating new certificate signing requests (CSRs) – the first step to obtaining an SSL cert for your site…

openssl req -out example_com.csr -newkey rsa:2048 -nodes -keyout example_com.key

Here we make a 2048 bit RSA private key and a PEM-encoded CSR in one step. 2048 bits is the minimum that public CAs accept today; 3072 or 4096 bit RSA, or an ECDSA P-256 key (-newkey ec -pkeyopt ec_paramgen_curve:prime256v1), are the stronger choices. Two things the one-liner leaves out: openssl req prompts interactively for the subject fields unless you pass -subj "/CN=example.com", and browsers match the hostname against the Subject Alternative Name extension rather than the CN, so add -addext "subjectAltName=DNS:example.com,DNS:www.example.com" (OpenSSL 1.1.1 or newer) or make sure the CA takes the SAN list from your order, which many do.

Speaking from experience dealing with hundreds of keys, I always use -nodes too, so the key carries no passphrase. It avoids needing manual password entry during web server restarts! Be clear about what that buys you: -nodes ("no DES", spelled -noenc in OpenSSL 3) writes the private key to disk unencrypted, so file permissions (chmod 600, owned by root or the service account) are its only protection.

Once you have the CSR, it's just a matter of sending it to a CA for signing. Super quick yet something you'll do many times in your admin career.

2. Generate Test Certificate with Self-Signed

Now say you urgently need a certificate for local development but don‘t want to wait on a CA.

No worries – create a self-signed cert!

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt

Boom! A certificate and private key you can use for testing right away. I probably generate these weekly for internal tooling.

The flexibility here makes OpenSSL invaluable for enabling HTTPS basically anywhere you need it. Much easier than requesting production certs when testing locally or on staging environments.

And for your reference, browsers do NOT treat self-signed certs as valid: the signer isn't in their trust store, so they show a full-page warning, and on an HSTS host they won't even let you click through. That's fine for local testing and nothing a user should ever see. If you want a clean padlock locally, add the cert (or a small private CA you create with OpenSSL) to the machine's trust store, and make sure the SAN lists the hostname you browse to, because Chrome ignores the CN entirely.

Anyway, I highly recommend getting cozy with the powerful self-signed process!
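Here is an added example of my own, not code from the original post, that scripts the self-signed flow for local development with the detail the one-liner above leaves out: a SubjectAltName listing the hostnames you will actually use, a restrictive mode on the unencrypted key, and a check that mirrors what a browser does, using OpenSSL's own hostname verification. It assumes an openssl binary of version 1.1.1 or newer on PATH (for -addext); the hostnames and file names are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Assumes: openssl >= 1.1.1 on PATH (for -addext). Hostnames are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_dev_cert NAME DIR HOST [HOST...]
# Writes DIR/NAME.key and DIR/NAME.crt: a self-signed cert valid for 365 days
# with every HOST in the SubjectAltName extension. Numeric hosts become IP:
# entries, everything else DNS: entries. Browsers ignore the CN and match the
# hostname against the SAN, so the SAN is what makes the cert usable.
make_dev_cert() {
    name=$1; dir=$2; shift 2
    san=""
    for host in "$@"; do
        case $host in
            *[!0-9.]*) entry="DNS:$host" ;;
            *)         entry="IP:$host" ;;
        esac
        san="${san:+$san,}$entry"
    done
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null
    # -nodes writes the key unencrypted; file permissions are its only protection
    chmod 600 "$dir/$name.key"
}

# cert_matches_host CERT HOST
# Exit 0 when CERT, trusted as its own root, is valid for HOST. This is the
# same name check a TLS client performs: it consults the SAN, not the CN.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo: a cert for a local dev server reachable by two names and the loopback IP.
make_dev_cert dev "$WORK" localhost dev.example.test 127.0.0.1
openssl x509 -in "$WORK/dev.crt" -noout -text | grep -A1 'Subject Alternative Name'

for h in localhost dev.example.test api.example.test; do
    if cert_matches_host "$WORK/dev.crt" "$h"; then
        echo "$h: accepted"
    else
        echo "$h: rejected (not in SAN)"
    fi
done
```

The last name, api.example.test, is rejected even though the certificate is otherwise fine, which is exactly the failure you see in a browser when a dev cert was made for the wrong hostname.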

3. Verify CSR Contents Before Submitting

Now about to submit a CSR that will be signed? Best double check everything looks right beforehand:

openssl req -in example_com.csr -noout -text

This displays the full CSR details in text format: subject, requested extensions such as SANs, the public key and the signature algorithm. Add -verify to also check the CSR's self-signature, which confirms it was produced with the private key you think it was. From experience, even the smallest typo can delay certificate issuance, costing hours of troubleshooting!

I once fat-fingered the domain in a CSR which got rejected by the CA. Had to regenerate and resubmit 🤦‍♂️ Avoid my past mistakes and always verify!

4. Generate RSA Private Key for Certificate

Sometimes you want the private key on its own first, with the CSR created from it as a separate step (see #12), for example when keys are generated in a locked-down process and requests are produced later:

openssl genrsa -out private.key 2048

This makes a 2048 bit RSA key ready to be paired with a CSR and, later, a certificate. Note that a CSR is signed by the key it was built from, so an old CSR cannot be reused with a new key: at renewal, either reuse the old key with the old CSR, or generate a new key and build a new CSR from it. genrsa still works everywhere; the modern equivalent is openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048.

One thing to be clear on: the CA never sees or needs your private key, with automated DV validation or otherwise. It signs the public key carried in the CSR, and the private key stays on your server. OpenSSL handles the key generation flawlessly, and I've done this 50+ times!

5. Remove Passphrase from Encrypted Private Key

Speaking of keys, you can add an optional passphrase when creating them for extra security.

However as an admin, passphrases become a REAL pain for automation. I‘ve troubleshot that headache many times 😠

Thankfully, OpenSSL makes removing the passphrase a breeze:

openssl rsa -in encrypted_key.pem -out decrypted_key.pem

Point it at the encrypted key, enter the passphrase when prompted (or supply it with -passin), and OpenSSL writes the same key out as plain, unencrypted PEM. Don't think of the result as "secure": the output file is the raw key, so create it with restrictive permissions (umask 077 first, or chmod 600 straight after) and don't leave both copies in a world-readable directory.

Maybe not the most recommended from a strictly policy perspective. But when managing hundreds of certs, simplicity keeps your sanity!

6. Validate Private Key Contents

Now if inheriting old certificates, best to validate the related private key file first:

openssl rsa -noout -text -in private.key

This parses the key and prints its components (modulus, exponents, primes), which proves the file really is an RSA key in a format OpenSSL understands. Add -check to go further and confirm the components are mathematically consistent with each other: openssl rsa -in private.key -check -noout. Issues here mean trouble down the road!

I once saw a compromised server where hackers swapped out real keys with junk files renamed as .key. Sneaky! Glad OpenSSL can detect that.

So always double check unfamiliar key files. A few seconds of commands now avoids major headaches later!
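A key that parses cleanly is not necessarily the key for the certificate sitting next to it, and the classic "compare the RSA modulus" trick only works for RSA. The following added example, mine rather than the post's, compares the public key instead, which works for RSA, EC and Ed25519 alike, and covers private keys, CSRs and certificates with one function. It assumes openssl on PATH; all key material is generated on the fly in a temp directory.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes openssl on PATH.
# All keys, CSRs and certificates below are generated here as test fixtures.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# pubkey_pem FILE -> the PEM "PUBLIC KEY" block contained in FILE, whether FILE
# is a private key, a CSR or a certificate. An encrypted private key will
# prompt for its passphrase. Order matters: a CSR header also contains the
# word CERTIFICATE, so it is tested first.
pubkey_pem() {
    case $(head -1 "$1") in
        *"CERTIFICATE REQUEST"*) openssl req  -in "$1" -noout -pubkey ;;
        *"CERTIFICATE"*)         openssl x509 -in "$1" -noout -pubkey ;;
        *"PRIVATE KEY"*)         openssl pkey -in "$1" -pubout ;;
        *) echo "unrecognised PEM header in $1" >&2; return 2 ;;
    esac
}

# pubkey_id FILE -> SHA-256 over the DER-encoded SubjectPublicKeyInfo, as hex.
# Same key, same DER, same digest, regardless of which container it came from.
pubkey_id() {
    pubkey_pem "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches FILE1 FILE2 -> exit 0 if both carry the same public key
key_matches() {
    [ "$(pubkey_id "$1")" = "$(pubkey_id "$2")" ]
}

# --- fixtures: two RSA keys, a CSR and a self-signed cert from key a, an EC key + CSR ---
openssl genrsa -out "$WORK/a.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null
openssl req -new -key "$WORK/a.key" -subj "/CN=example.test" -out "$WORK/a.csr"
openssl x509 -req -in "$WORK/a.csr" -signkey "$WORK/a.key" -days 30 -out "$WORK/a.crt" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
openssl req -new -key "$WORK/ec.key" -subj "/CN=ec.example.test" -out "$WORK/ec.csr"

for pair in "a.key a.crt" "a.csr a.crt" "b.key a.crt" "ec.key ec.csr"; do
    set -- $pair
    if key_matches "$WORK/$1" "$WORK/$2"; then
        echo "$1 matches $2"
    else
        echo "$1 does NOT match $2"
    fi
done
```

Run it against an inherited directory of .key and .crt files and the mismatches jump out immediately; b.key against a.crt above is the case where someone copied the wrong key alongside a certificate.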

7. Examine Certificate Details in Text

If you ever need to inspect an existing SSL certificate without converting the file first, this is your best friend:

openssl x509 -in example.crt -text -noout 

So much great data here! It includes issue/expiry dates, signature algorithm, subject organization fields, extensions like SANs, issuer CA info, public key data, and more.

I use this constantly when auditing new certificates before deploying onto web servers. The structured text output makes it so easy for analysis versus viewing the raw Base64 encoded PEM file. Plus I can pipe to grep for specific elements I want to search for.

Overall an invaluable debugging tool you‘ll use again and again!

Now onto a few more advanced tasks…

8. Identify Signing Certificate Authority

If handed an unknown certificate file and need to figure out which CA signed it:

openssl x509 -in mystery_cert.pem -noout -issuer -issuer_hash 

This prints the issuer's distinguished name plus its "hash": an 8-hex-digit value computed from the issuer name only. It is not a fingerprint of the CA certificate. OpenSSL uses the same hash of a CA's subject name as the file name (<hash>.0) in hashed trust directories such as /etc/ssl/certs, so the quickest use is ls /etc/ssl/certs/<hash>.0 to see whether the signer is already trusted on the box.

To look the CA up in Certificate Transparency, search crt.sh or SSLMate's Cert Spotter by the issuer name or by the certificate's SHA-256 fingerprint (next section); the name hash itself isn't something those services index. Super helpful when determining the source and legitimacy of certificates found in your environments.

In previous pen testing gigs, I used this trick multiple times to pinpoint questionable or rogue certificates installed on servers!

9. Generate Certificate Fingerprints

Speaking of fingerprinting, another neat trick is creating certificate fingerprints:

openssl x509 -in example.crt -noout -fingerprint -sha256

This hashes the certificate's DER encoding and prints the digest as colon-separated hex: a short identifier that changes if any byte of the certificate changes. (It is not the certificate's serial number, which is a separate field assigned by the CA.) The -sha256 is worth adding explicitly; without it most builds still default to SHA-1.

These fingerprints allow security tools to easily recognize or allowlist known certificates. I've configured fingerprint pinning in proxies and inspection layers to only allow expected, trusted certificates based on these values. Pin to a leaf fingerprint only if you control the renewal process: every reissue changes the fingerprint, so the pin has to be updated before the old certificate expires or you will have pinned yourself out.

So don‘t forget this useful technique for both auditing and infrastructure monitoring!
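To make the two previous sections concrete, here is an added example (mine, not from the post) that builds a throwaway CA and a leaf it signs, then shows that the fingerprint is literally a SHA-256 over the DER bytes, and that -issuer_hash is the same value as the CA's -subject_hash, which is the file name OpenSSL looks up in a rehashed trust directory. It assumes openssl 1.1.0 or newer on PATH (for openssl rehash); nothing here refers to a real CA.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes openssl >= 1.1.0 on
# PATH (for `openssl rehash`). The CA and leaf are throwaway fixtures.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# fingerprint CERT -> the SHA-256 fingerprint as OpenSSL prints it, minus the label
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# fingerprint_manual CERT -> the same value computed by hand: SHA-256 over the
# DER encoding, upper-cased and colon-separated. A fingerprint is a hash of the
# whole encoded certificate, not a field stored inside it.
fingerprint_manual() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}' \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# issuer_hash CERT -> 8 hex digits derived from the issuer DN. OpenSSL names a
# CA's file <hash-of-its-subject-DN>.0 in a CApath directory, so this value is
# which file in /etc/ssl/certs (or any rehashed dir) it will open for the signer.
issuer_hash() {
    openssl x509 -in "$1" -noout -issuer_hash
}

# ca_file_for LEAF DIR -> the path OpenSSL would consult for LEAF's issuer in DIR
ca_file_for() {
    echo "$2/$(issuer_hash "$1").0"
}

# --- fixtures: a self-signed root and a leaf it signs ---
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.crt" 2>/dev/null

# Build a hashed trust directory the way distributions build /etc/ssl/certs.
mkdir "$WORK/trust"
cp "$WORK/ca.crt" "$WORK/trust/"
openssl rehash "$WORK/trust" 2>/dev/null

echo "openssl fingerprint: $(fingerprint "$WORK/leaf.crt")"
echo "manual fingerprint:  $(fingerprint_manual "$WORK/leaf.crt")"
echo "issuer hash of leaf: $(issuer_hash "$WORK/leaf.crt")"
echo "subject hash of CA:  $(openssl x509 -in "$WORK/ca.crt" -noout -subject_hash)"
echo "trust file OpenSSL will open: $(ca_file_for "$WORK/leaf.crt" "$WORK/trust")"
openssl verify -CApath "$WORK/trust" "$WORK/leaf.crt"
```

Swap "$WORK/trust" for /etc/ssl/certs and ca_file_for tells you, for any certificate you are handed, whether the box already trusts its signer and which file that trust comes from.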

10. Convert DER Certificate to PEM

Dealing with format conversion headaches? Say hello to the all powerful OpenSSL for easy cert encoding transformations! 🧙‍♂️

Going from DER (binary) to PEM (Base64):

openssl x509 -inform der -in cert.der -out cert.pem

And vice versa from PEM back to DER:

openssl x509 -outform der -in cert.pem -out cert.der 

This flexibility helps solve so many file type issues during cert deployments. Maybe your CA unexpectedly issues a DER cert when you expected PEM, or application only accepts DER…no problem!

In previous work migrating hundreds of servers, we often hit cases where OpenSSL format changes were must-haves to finish SSL setup.

So don‘t forget these time-saving encoding conversions!

11. Bundle Private Key + Certificate for PKCS#12

Struggling with transferring certificates that need their private key included? The PKCS#12 format is perfect for bundling both together:

openssl pkcs12 -export -out certs.pfx -inkey private.key -in cert.crt

Think Java web apps or Windows servers where you can't install the pieces separately. PKCS#12 keeps the private key and certificate packaged into one password-protected, importable file! Add -certfile chain.crt to include the intermediate certificates, which those platforms usually need as well, and -name "alias" to give the entry a friendly name for Java keystores.

I probably create a dozen PFX bundles per month for finicky services that demand this format during delivery 😑 At least OpenSSL makes it straightforward. One gotcha since OpenSSL 3.0: the default PKCS#12 encryption is now AES-256-CBC with PBKDF2 and a SHA-256 MAC, which older Windows and Java importers reject; add -legacy to -export when the consumer can't read the modern format.

When dealing with lots of environment variations, these format conversions enable smooth SSL setup across multiple applications and platforms!

12. Create CSR from Existing Private Key

Now say you already have a private key handy, but need to generate a fresh certificate request for renewal:

openssl req -key private.key -new -out new_csr.csr

Boom! New CSR generated and paired with your existing private key. Avoids the repeat hassle of making new keys when not required.

I recently had to renew certificates for over 200 managed servers. You better believe I scripted OpenSSL to handle the CSRs using old keys! Maybe not textbook security, but saved me tons of manual effort.

13. Decode PKCS#12 Formats Back to PEM

Earlier I showed bundling PEM certs into PKCS#12 container – but what about reversing that?

openssl pkcs12 -in certs.pfx -out cert.pem -nodes

Careful here: that command writes BOTH the certificate and the private key to cert.pem, and -nodes means the key comes out unencrypted. To get only the certificate(s), use -nokeys (add -clcerts to leave out bundled CA certificates); to get only the private key, use -nocerts together with -nodes.

Comes in handy whenever transferring PKCS#12 bundles to systems that want PEM files individually. Enabling smooth imports across all kinds of certificate-hungry infrastructure! 😅
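An added example of the round trip, my code rather than the post's, covering sections 11 and 13: bundle a key and certificate into a PKCS#12 file, then unpack certificate and key separately so you can see exactly what each flag combination produces. It assumes openssl on PATH; the password is passed with pass: for brevity, which is fine in a throwaway script but in production use -passin env:VAR or file:path so it doesn't show up in ps.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes openssl on PATH.
# The self-signed key/cert pair is a generated fixture; the password is a placeholder.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='demo-password'   # placeholder; in production use -passin env:VAR or file:PATH

# bundle_p12 OUT.pfx KEY CERT ALIAS PASSWORD
# Packs key + cert into a password-protected PKCS#12 file. Add
# -certfile chain.pem to include intermediates; on OpenSSL 3 add -legacy if the
# consumer cannot read AES-256/PBKDF2 bundles.
bundle_p12() {
    openssl pkcs12 -export -out "$1" -inkey "$2" -in "$3" -name "$4" -passout "pass:$5"
}

# certs_from_p12 IN.pfx PASSWORD -> PEM certificate(s) only, no key material
certs_from_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# key_from_p12 IN.pfx PASSWORD -> the private key, unencrypted (-nodes), nothing else
key_from_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null
}

# count_blocks FILE KIND -> number of "-----BEGIN ...KIND-----" blocks in FILE.
# KIND "PRIVATE KEY" matches both PKCS#8 and traditional "RSA PRIVATE KEY" headers.
count_blocks() {
    grep -c -- "-----BEGIN .*$2-----" "$1" || true
}

# --- fixture and round trip ---
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=svc.example.test" \
    -keyout "$WORK/svc.key" -out "$WORK/svc.crt" 2>/dev/null

bundle_p12 "$WORK/bundle.pfx" "$WORK/svc.key" "$WORK/svc.crt" svc "$PASS"
certs_from_p12 "$WORK/bundle.pfx" "$PASS" > "$WORK/cert_only.pem"
key_from_p12   "$WORK/bundle.pfx" "$PASS" > "$WORK/key_only.pem"
chmod 600 "$WORK/key_only.pem"

for f in cert_only.pem key_only.pem; do
    echo "$f: $(count_blocks "$WORK/$f" CERTIFICATE) cert block(s)," \
         "$(count_blocks "$WORK/$f" 'PRIVATE KEY') key block(s)"
done
```

The output lines show one certificate and zero keys in cert_only.pem and the reverse in key_only.pem; run the post's original command (-nodes with neither -nokeys nor -nocerts) on the same bundle and you get one of each in a single file.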

14. Grab SSL Certificate from Remote Site

Want to quickly inspect certificates in use on a remote website? Check this out:

openssl s_client -connect wikipedia.org:443 -servername wikipedia.org -showcerts

By establishing a live TLS connection, OpenSSL prints every certificate the server sent (leaf first, then intermediates) in PEM, each preceded by its subject and issuer, followed by the handshake summary: protocol, cipher, and whether the chain verified against your local trust store. The -servername flag sets SNI; without it many hosts hand you a default or wrong certificate. To see validity dates and extensions, pipe the output into openssl x509 -noout -text.

No need to even download the file locally first! I probably use this handy debugging trick multiple times per week for quickly reviewing unknown sites.

Adds an easy manual inspection layer beyond automated scanning tools. Helpful when you require human eyeball verification before trusting new connections.

15. Check PEM Certificate Expiration

Need a simple way to monitor expiration on local certificate files?

openssl x509 -in wikipedia_org.pem -noout -dates

OpenSSL prints only the notBefore/notAfter lines. The command reads PEM by default; add -inform der for DER files. For scripted monitoring, -checkend SECONDS beats parsing the date strings: it exits 0 if the certificate will still be valid SECONDS from now and 1 if not, so a cron job can alert on the exit status alone.

I have automated scripts across thousands of servers executing this command daily to check that public trust store certificates stay current. Monitoring made easy!

16. Grab Expiration of Live Certificates

To expand on the last example, my favorite trick is remotely checking certificate expiration too:

echo | openssl s_client -connect wikipedia.org:443 -servername wikipedia.org 2>/dev/null | openssl x509 -noout -dates

Here we connect to wikipedia.org over TLS, pipe the server's leaf certificate into openssl x509, and parse out only the validity dates, all in one command! The leading echo closes s_client's standard input so it exits after the handshake instead of waiting for you to type; without it the pipeline appears to hang.

By hitting servers live, you can extract metadata on whatever certificate is deployed right now versus what may be sitting locally. Ensures you stay up-to-date!

This powers the bulk certificate monitoring suite we run across 500+ domains. Lightning fast and efficient for catching certificates about to expire in even the largest environments, and it scales simply by adding hosts to the list!
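The added example below, mine and not the post's monitoring suite, shows the expiry check the way I would script it for sections 15 and 16: the threshold logic uses -checkend so the date arithmetic stays inside OpenSSL, and the remote fetch uses the </dev/null idiom with SNI set. It assumes openssl on PATH; the two certificates it checks are generated locally with short and long lifetimes, and fetch_cert is defined but not called, since it needs network access.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes openssl on PATH.
# The two certificates are generated fixtures; fetch_cert needs the network
# and is only defined here, not run.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# expires_within CERT SECONDS
# Exit 0 if CERT expires within SECONDS from now (or is already expired),
# 1 otherwise. Delegates to -checkend instead of parsing "notAfter=", so the
# time zone and date math are OpenSSL's rather than the shell's.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
        return 1   # "Certificate will not expire"
    fi
    return 0       # "Certificate will expire"
}

# report_cert LABEL CERT DAYS -> one status line, for a cron-driven sweep
report_cert() {
    if expires_within "$2" $(( $3 * 86400 )); then
        echo "WARN  $1 expires within $3 days: $(openssl x509 -in "$2" -noout -enddate)"
    else
        echo "OK    $1 valid beyond $3 days"
    fi
}

# fetch_cert HOST [PORT] -> the leaf certificate PEM served by HOST, SNI set.
# </dev/null closes s_client's stdin so it exits after the handshake, which is
# why the bare `openssl s_client | openssl x509` pipeline seems to hang.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# --- fixtures: one cert about to expire, one with plenty of life left ---
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=short.example.test" \
    -keyout "$WORK/short.key" -out "$WORK/short.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 -subj "/CN=long.example.test" \
    -keyout "$WORK/long.key" -out "$WORK/long.crt" 2>/dev/null

report_cert short.example.test "$WORK/short.crt" 30
report_cert long.example.test  "$WORK/long.crt"  30
# For live hosts: fetch_cert www.example.com > /tmp/live.pem && report_cert www.example.com /tmp/live.pem 30
```

Feed report_cert a list of hosts from a file and grep the output for WARN, and you have the whole of a basic expiry monitor without any date parsing.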

17. Find Vulnerable SSLv3 & TLS 1.0 Configurations

Now for defenders like us, a key responsibility is auditing for insecure configurations – namely protocols like SSLv3 or TLS 1.0/1.1.

Here are my go-to OpenSSL tests proving if a site has bad protocol support enabled:

openssl s_client -connect example.com:443 -ssl3 
openssl s_client -connect example.com:443 -tls1

By forcing a single protocol version in the handshake, the connection's success or failure tells you whether the server still accepts that version. One caveat before trusting a "failure": modern OpenSSL builds are compiled without SSLv3, and some distributions disable TLS 1.0/1.1 on the client side as well, so s_client may reject the flag itself ("unknown option") or refuse to negotiate regardless of what the server supports. Check openssl s_client -help for the flag and read the error text, not just the exit code. Super simple manual spot checks otherwise!

I run these scans daily across enterprise environments watching for improperly re-enabled legacy protocols. Note that protocol support is purely a server configuration setting and has nothing to do with the certificate: a CA cannot issue a certificate that "forbids" TLS 1.0, and a perfectly good certificate will happily be served over SSLv3 if the server allows it. Mistakes happen in complex environments when admins tinker with server configs.

So stay vigilant friends! Banishing SSLv3 and early TLS must be a top priority nowadays.

18. Check Site Cipher Suite Support

Along those same lines, we need to ensure vulnerable cipher suites can’t sneak back into production:

openssl s_client -cipher 'ECDHE-RSA-AES128-SHA' -tls1_2 -connect example.com:443

Similar to the last section, this offers exactly one cipher suite in the handshake. The -tls1_2 matters: under TLS 1.3 the -cipher list is ignored and -ciphersuites governs instead, so without it a TLS 1.3 server can "succeed" while never using the suite you asked about. If the handshake completes, the server still accepts that suite. 🚨🚨 ECDHE-RSA-AES128-SHA is a CBC suite with HMAC-SHA1: not broken, but the legacy tier most hardening guides drop in favour of AES-GCM and ChaCha20-Poly1305. Use openssl ciphers -v 'NAME' to see what any suite or cipher string actually expands to before labelling it.

Pen testers routinely re-check these during re-scans with an OpenSSL client configured to offer only known-bad suites, and a server that negotiates one lands on the report. Don't let your site fall victim when hardening configurations! Keep the supported cipher suite list on production systems strict and explicit.

19. Review OpenSSL Version

To wrap things up, I wanted to emphasize the criticality of staying updated:

openssl version  

This prints your current OpenSSL version. If outdated or never upgraded, you likely have significant security holes from old versions!

I continually see legacy servers using OpenSSL 1.0 or older still deployed 😳 That means missing years' worth of patches, fixes, and enhancements! For reference, 1.0.2 reached end of life at the end of 2019 and 1.1.1 in September 2023, so anything below 3.0 is unsupported upstream today.

Based on internet scans, systems lacking upgrades account for nearly 35% of vulnerable attack surface area. And it takes serious effort hunting these forgotten servers down. So checking the OpenSSL version can act as a simple bellwether of broader security hygiene on any given system!

I hope this guide gives you a solid starting point using OpenSSL for certificate tasks! Let me know if any questions come up. Happy to help anyone just getting started.

And if you found this helpful, feel free to connect with me on LinkedIn! I'm always posting more infrastructure tips/tricks as I continue learning too.

Stay tech-savvy out there 😎


Written by Alexis Kestler

A web designer and programmer, now a 36-year-old IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.