If the certificate is PEM encoded use...
openssl x509 -in cert.pem -text -noout
If the certificate is DER encoded use...
openssl x509 -in cert.der -inform der -text -noout
To print only the expiry date (add -inform der for a DER encoded certificate)...
openssl x509 -enddate -noout -in cert.pem
To check which version of OpenSSL is installed...
openssl version
Certificates (and keys) can be Binary (DER) or ASCII Base64 (PEM) encoded. Often certificates have a .der or .pem suffix to indicate the encoding type. Other common suffixes (.crt, .cer, .key) may be either type, so check the content rather than the name: a PEM file is plain text and starts with a "-----BEGIN ...-----" line, while a DER file is binary.
You can convert between formats using...
PEM to DER...
Certificates...
openssl x509 -in cert.pem -outform der -out cert.der
Keys (the -nocrypt option writes the DER key unencrypted; you will be prompted for the passphrase if the PEM key has one)...
openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key.der -nocrypt
DER to PEM...
Certificates...
openssl x509 -in cert.der -inform der -outform pem -out cert.pem
Keys...
openssl pkcs8 -topk8 -inform DER -outform PEM -in key.der -out key.pem -nocrypt
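As an added example (not code from the original page), the following POSIX shell script ties the inspection and conversion commands above together: it decides PEM versus DER from the file content rather than the suffix, dumps the fields an auditor usually wants, normalises any input to PEM and turns the "-checkend" expiry test into a reusable check. It assumes the openssl binary is on PATH; the file names are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes "openssl" is on PATH.

# Print "pem" if the file carries a PEM armour header, otherwise "der".
# .crt/.cer/.key files may be either, so never trust the suffix.
cert_encoding() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# Dump subject, issuer, serial, expiry and SHA-256 fingerprint, in either encoding.
cert_info() {
    enc=$(cert_encoding "$1")
    echo "file: $1 ($enc)"
    openssl x509 -inform "$enc" -in "$1" -noout \
        -subject -issuer -serial -enddate -fingerprint -sha256
    # Hostnames live in subjectAltName; list them if the certificate has any.
    openssl x509 -inform "$enc" -in "$1" -noout -text | grep -o 'DNS:[^,]*' || true
}

# Write a PEM copy of the certificate regardless of the input encoding.
cert_to_pem() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -outform pem -out "$2"
}

# Succeed (exit 0) when the certificate expires within $2 seconds.
# "openssl x509 -checkend" exits 0 when the certificate is still valid for
# that long, so the result is negated here.
cert_expires_within() {
    ! openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -noout -checkend "$2" >/dev/null
}

# Usage: sh certinfo.sh cert1.pem cert2.der ...
for f in "$@"; do
    cert_info "$f"
    if cert_expires_within "$f" 2592000; then
        echo "WARNING: $f expires within 30 days"
    fi
done
```

Run it over a directory of mixed .crt/.cer files to get a consistent report; the 30-day threshold is an arbitrary value for the warning, adjust it to your renewal lead time.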
To remove the passphrase from a private key (you will be prompted for the existing passphrase; openssl rsa only handles RSA keys, while openssl pkey with the same arguments works for any key type). The output file is unencrypted, so protect it with file permissions...
openssl rsa -in mykeywithpassphrase.pem -out mykeywithoutpassphrase.pem
If your SSL certificate is protecting a publicly accessible website, use:
Check which TLS protocol versions the server accepts using openssl. Each command forces a single version, so a successful handshake with -tls1 or -tls1_1 means the server still accepts a protocol deprecated by RFC 8996. OpenSSL 1.1.1 and later also accept -tls1_3. Add -servername hostname if the server relies on SNI to pick the certificate...
openssl s_client -connect hostname:443 -tls1
openssl s_client -connect hostname:443 -tls1_1
openssl s_client -connect hostname:443 -tls1_2
Check using curl. Note that these options set the minimum version, so curl may negotiate something higher; to test one version exactly, combine them with the --tls-max option (curl 7.54 and later)...
curl --tlsv1.0 https://hostname:443/
curl --tlsv1.1 https://hostname:443/
curl --tlsv1.2 https://hostname:443/
sslscan myserver
nmap --script ssl-enum-ciphers -p 443 www.example.com
nmap --script ssl-enum-ciphers -p 993 mail.example.com
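The per-version s_client checks above, folded into a small scanner, as an added example that is not part of the original page. It assumes openssl is on PATH and takes the host and port as arguments. A "rejected" result can also mean the local OpenSSL build refuses to offer TLS 1.0/1.1 (OpenSSL 3 does so at its default security level), so confirm a clean result with sslscan or nmap as above.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes "openssl" is on PATH.

# Echo one line per version: "<version> accepted|rejected|unsupported-locally".
# s_client exits 0 only when the handshake completes; </dev/null closes the
# connection straight afterwards so the probe does not hang.
# -servername sends SNI so virtual-hosted servers pick the right certificate.
tls_version_scan() {
    host=$1; port=$2
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if ! openssl s_client -help 2>&1 | grep -q -- "-$v"; then
            # This openssl build has no option for the version (e.g. -tls1_3 before 1.1.1).
            echo "$v unsupported-locally"
        elif openssl s_client -connect "$host:$port" -servername "$host" \
                -"$v" </dev/null >/dev/null 2>&1; then
            echo "$v accepted"
        else
            # Handshake failed: the server (or the local security level) refused it.
            echo "$v rejected"
        fi
    done
}

# TLS 1.0 and 1.1 are deprecated by RFC 8996; succeed only when neither is accepted.
tls_legacy_free() {
    ! tls_version_scan "$1" "$2" | grep -qE '^tls1(_1)? accepted$'
}

# Usage: sh tlsscan.sh www.example.com 443
if [ $# -eq 2 ]; then
    tls_version_scan "$1" "$2"
    if tls_legacy_free "$1" "$2"; then
        echo "OK: no legacy TLS accepted"
    else
        echo "FINDING: legacy TLS version accepted"
    fi
fi
```

The same loop works for non-HTTPS ports such as 993 (IMAPS), since s_client speaks TLS directly; STARTTLS services need s_client's -starttls option instead.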
Generate a private key...
You can (optionally) use an existing private key if you have one.
openssl genrsa -des3 -out private.pem 2048
where private.pem is the name of your private key file. The -des3 option encrypts the key with a passphrase; keep a secure record of it.
To create a self-signed certificate in DER (Binary) format, valid for 30 days... Note that the prompts below only set a Common Name; modern browsers and clients match the hostname against the subjectAltName extension, which openssl req does not prompt for, so a certificate made this way is fine for testing but will not pass hostname checks in a browser.
openssl req -new -x509 -key private.pem -days 30 -out mycert.der -outform der
You will be prompted for...
Your private key passphrase
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
To convert the private key to DER (Binary) format (if required, e.g. for ORDS)...
openssl pkcs8 -topk8 -inform PEM -outform DER -in private.pem -out private.der -nocrypt
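The whole procedure above (key, self-signed certificate, DER conversion of the key) as one non-interactive script, added here as an example and not taken from the original page. It differs from the interactive steps in two ways: the certificate gets a subjectAltName, which modern clients require, by feeding openssl req a small config file, and the key is checked against the certificate before it is handed over. It assumes openssl is on PATH; the hostname and file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes "openssl" is on PATH.

# Create an unencrypted 2048-bit RSA key and a self-signed certificate for
# host $1, valid for $2 days, as $1.key and $1.crt (both PEM).
# The extensions come from a config file generated here because the
# "openssl req" prompts cannot set a subjectAltName.
make_self_signed() {
    host=$1; days=$2; cfg=$host.cnf
    cat >"$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ext
[ dn ]
CN = $host
[ ext ]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -config "$cfg" -keyout "$host.key" -out "$host.crt" 2>/dev/null
    rm -f "$cfg"
}

# Confirm that key $1 belongs to certificate $2 by comparing the SHA-256 of
# their public keys (a mismatch is the usual cause of "key values mismatch"
# errors when installing). Prompts for the passphrase if the key has one.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Convert PEM key $1 to unencrypted PKCS#8 DER $2 (e.g. for ORDS) and
# verify that the result parses before anyone tries to load it.
key_to_der() {
    openssl pkcs8 -topk8 -inform PEM -outform DER -in "$1" -out "$2" -nocrypt
    openssl pkey -inform DER -in "$2" -noout
}

# Usage: sh selfsigned.sh myserver.example.com 30
if [ $# -eq 2 ]; then
    make_self_signed "$1" "$2"
    key_matches_cert "$1.key" "$1.crt" && echo "key and certificate match"
    key_to_der "$1.key" "$1.der"
    openssl x509 -in "$1.crt" -noout -subject -enddate
fi
```

Because the key is written with -nodes it carries no passphrase; restrict the file permissions accordingly, or drop -nodes and add a passphrase if your deployment can supply one at start-up.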
A vulnerability (CVE-2014-0160, "Heartbleed") has been discovered in the TLS heartbeat extension of OpenSSL. It allows an unauthenticated attacker to read up to 64KB of the server process's memory per request, which can contain the private key, session keys, cookies and passwords. With the private key the attacker can impersonate the server and decrypt captured traffic that used non-forward-secret cipher suites.
The vulnerability is fully documented at: http://heartbleed.com/
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Note that the output of openssl version is not conclusive on distributions that backport the fix without changing the version string (check the package changelog for CVE-2014-0160), and the nmap ssl-heartbleed script tests a running server directly. After patching, treat the old private key as compromised: generate a new key, reissue the certificate and revoke the old one.