Difference between revisions of "Openssl"

Line 1: Line 1:
 +
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
 +
 +
https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
 +
 +
 +
```
 +
openssl s_client -connect ldaps.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
 +
```
 +
 +
```
 +
echo -n | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|X509v3 Subject Alternative Name:'
 +
openssl s_client -connect www.uvoo.me:443
 +
echo | openssl s_client -showcerts -servername www.uvoo.me -connect www.uvoo.me:443 2>/dev/null | openssl x509 -inform pem -noout -text
 +
```
 +
 +
Quicks like get subject alt names
 +
```
 +
openssl x509 -text -in my.crt.pem
 +
openssl x509 -noout -ext subjectAltName
 +
openssl x509 -noout -dates
 +
```
 +
 +
# self signed cert pem
 +
```
 +
fqdn=${FQDN:-autogenerated-selfsigned-cert}; openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout selfsigned.key -out selfsigned.crt -subj "/CN=$fqdn" -addext "subjectAltName = DNS:$fqdn"
 +
 +
cat selfsigned.crt selfsigned.key >> aaa.pem
 +
```
 +
 +
# Extract Certs from .pfx PKCS#12
 +
```
 +
  openssl pkcs12 -passin env:PASSIN -in ${cn}.pfx -nocerts -nodes > ${cn}.key.pem
 +
  openssl pkcs12 -passin env:PASSIN -in ${cn}.pfx -clcerts -nokeys > ${cn}.crt.pem
 +
  openssl pkcs12 -passin env:PASSIN -in ${cn}.pfx -cacerts -nokeys -chain > ${cn}.ca.crt.pem
 +
```
 +
 +
# validate
 +
https://link.medium.com/9Cif8SlO9ub
 +
 +
# Pem
 +
```
 +
Donwload pem
 +
openssl rsa -in ~/myhost.example.com.pem -out ~/myhost.example.com.pem.key
 +
and replace encrypted private key at bottom in ~/myhost.example.com.pem with ~/myhost.example.com.pem.key
 +
```
 +
 +
# pkcs12
 +
```
 +
echo -n | openssl s_client -showcerts -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
 +
    | openssl x509 > /tmp/$SERVERNAME.cert
 +
 +
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>
 +
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer>
 +
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>
 +
```
 +
 +
Expiration dates
 +
```
 +
host=example.com; port=443; echo "Q" | openssl s_client -servername $host -connect $host:$port | openssl x509 -noout -dates
 +
```
 +
 +
Show Certs
 +
```
 +
host=example.com; port=443; echo "Q" | openssl s_client -showcerts -connect $host:$port
 +
```
 +
 +
Get CA cert PEM from URL and use with curl
 +
```
 +
host=example.com; port=443; echo quit | openssl s_client -showcerts -servername server -connect $host:$port > cacert.pem
 +
host=example.com; port=443; curl -vv --cacert cacert.pem https://$host:$port/notifications/health
 +
```
 +
```
 +
openssl pkcs12 -in example.io.pfx -out example.io.pem -nodes
 +
```
 +
 
# PKS
 
# PKS
 
```
 
```
Line 12: Line 87:
 
```
 
```
  
 +
 +
cipher scans
 +
```
 +
echo quit | openssl s_client -connect www.uvoo.io:443 -msg -debug 2>/dev/null | grep "Cipher    :"
 +
```
  
 
Self signed https certs
 
Self signed https certs
 
```
 
```
 +
View & Download in Firefox
 +
PEM (cert)PEM (chain)
 
export API_HOST=example.com
 
export API_HOST=example.com
 
echo quit | openssl s_client -showcerts -servername "${API_HOST}" -connect "${API_HOST}":443 > cacert.pem
 
echo quit | openssl s_client -showcerts -servername "${API_HOST}" -connect "${API_HOST}":443 > cacert.pem
Line 44: Line 126:
 
echo quit | openssl s_client -connect log.example.com:6514
 
echo quit | openssl s_client -connect log.example.com:6514
 
echo "Q" | openssl s_client -servername google.com -connect google.com:443 | openssl x509 -noout -dates
 
echo "Q" | openssl s_client -servername google.com -connect google.com:443 | openssl x509 -noout -dates
 +
host=example.com; port=443; echo "Q" | openssl s_client -servername $host -connect $host:$port | openssl x509 -noout -dates
 
```
 
```
  
Line 53: Line 136:
 
curl --cacert google.pem https://google.com
 
curl --cacert google.pem https://google.com
  
 +
Get cipher
 +
```
 +
echo quit | openssl s_client -connect lb.examle.com:443 2>/dev/null | grep -i cipher
 +
```
  
 
```
 
```
Line 109: Line 196:
 
```
 
```
  
 +
# Shadow
 +
```
 +
openssl passwd -6 -salt ly7/kMnF  yourpass
 +
```
 +
 +
LDAP
 +
```
 +
openssl s_client -showcerts -connect ldap.yourdomain.com:636
 +
```
 
# Refs
 
# Refs
 
- https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/#becoming-certificate-authority
 
- https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/#becoming-certificate-authority
 
- https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md
 
- https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md
 +
- https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
 +
 +
# More
 +
 +
```
 +
openssl s_client -connect 127.0.0.1:8443 -tls1_3
 +
 +
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
 +
 +
openssl s_client -showcerts -connect www.example.com:443 </dev/nul
 +
 +
$ echo | \
 +
    openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
 +
    openssl x509 -text
 +
```
 +
 +
```
 +
openssl verify -verbose -CAfile _.example.com.crt _.example.com.crt
 +
```
 +
 +
get cert
 +
```
 +
openssl x509 -in a.crt -text -certopt no_header,no_pubkey,no_subject,no_issuer,no_signame,no_version,no_serial,no_validity,no
 +
_extensions,no_sigdump,no_aux,no_extensions
 +
```
 +
 +
pkcs12 from key and crt
 +
```
 +
openssl pkcs12 -export -out keyStore.p12 -inkey my.key -in my.crt
 +
```
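Review bot: `openssl passwd -6 -salt ly7/kMnF  yourpass` in the new Shadow section puts the plaintext password and a fixed salt on the command line, where it lands in shell history and is visible to other users via the process list; run `openssl passwd -6` with no password argument so it prompts (or feed it via `-stdin`), and drop `-salt` so a fresh random salt is generated for every hash. In the More section, `</dev/nul` is missing its last letter, so the shell rejects the command with "No such file or directory" instead of supplying empty stdin. The `-certopt` list under "get cert" is wrapped across two lines, splitting `no_extensions` into `no` and `_extensions` (and then listing `no_extensions` a second time), so it should be rejoined into one argument with the duplicate removed. `openssl verify -verbose -CAfile _.example.com.crt _.example.com.crt` only succeeds for a self-signed certificate; a CA-issued one needs the issuing chain passed as `-CAfile`.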

Latest revision as of 18:45, 2 August 2024

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

# SAN extension of the leaf cert an LDAPS server presents. </dev/null closes
# stdin so s_client exits after the handshake; 2>/dev/null also hides
# connection errors, so check the exit status if this is scripted.
# `openssl x509` parses only the first PEM block of its input (the leaf cert).
openssl s_client -connect ldaps.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
# Subject and SAN lines of the leaf cert; `echo -n |` is the stdin-closing idiom.
echo -n | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|X509v3 Subject Alternative Name:'
# Interactive session: the TLS connection stays open for typing a request.
openssl s_client -connect www.uvoo.me:443
# -servername sets SNI explicitly so a name-based vhost returns the right cert.
echo | openssl s_client -showcerts -servername www.uvoo.me -connect www.uvoo.me:443 2>/dev/null | openssl x509 -inform pem -noout -text

Quick checks, like getting the subject alt names

# Full text dump of a PEM certificate file.
openssl x509 -text -in my.crt.pem
# Without -in, x509 reads the certificate from stdin (pipe a PEM into it).
openssl x509 -noout -ext subjectAltName
# notBefore/notAfter only; handy for expiry checks.
openssl x509 -noout -dates

self signed cert pem

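# Self-signed cert + key for local/test use. The name comes from $FQDN (or a
# placeholder) and is put into the SAN via -addext, which browsers check
# instead of the CN. Validity comes from $DAYS, default 3650.
# -nodes leaves selfsigned.key unencrypted on disk, hence the chmod.
fqdn=${FQDN:-autogenerated-selfsigned-cert}
days=${DAYS:-3650}
openssl req -x509 -nodes -days "$days" -newkey rsa:4096 -keyout selfsigned.key -out selfsigned.crt -subj "/CN=$fqdn" -addext "subjectAltName = DNS:$fqdn"
chmod 600 selfsigned.key

# Combined PEM (cert first, then key). >> appends, so rerunning accumulates
# duplicate entries; the bundle contains the private key, so keep it 0600.
cat selfsigned.crt selfsigned.key >> aaa.pem
chmod 600 aaa.pem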

Extract Certs from .pfx PKCS#12

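  # Split a PKCS#12 bundle into key, leaf cert and CA chain.
  # Needs cn = basename of the .pfx and PASSIN = its import password; passing
  # the password via env: keeps it off the command line and out of history.
  : "${cn:?set cn to the .pfx basename}"
  : "${PASSIN:?export PASSIN with the .pfx import password}"
  # -nodes writes the key unencrypted and a shell redirect follows the umask,
  # so tighten it inside a subshell (leaves the caller's umask alone).
  (
    umask 077
    openssl pkcs12 -passin env:PASSIN -in "${cn}.pfx" -nocerts -nodes > "${cn}.key.pem"
  )
  openssl pkcs12 -passin env:PASSIN -in "${cn}.pfx" -clcerts -nokeys > "${cn}.crt.pem"
  openssl pkcs12 -passin env:PASSIN -in "${cn}.pfx" -cacerts -nokeys -chain > "${cn}.ca.crt.pem"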

validate

https://link.medium.com/9Cif8SlO9ub

Pem

Download the pem
# Writes a decrypted copy of the RSA key (prompts for the passphrase). The
# output is plaintext: keep it 0600 and remove it once it has been merged.
openssl rsa -in ~/myhost.example.com.pem -out ~/myhost.example.com.pem.key
then replace the encrypted private key at the bottom of ~/myhost.example.com.pem with the contents of ~/myhost.example.com.pem.key

pkcs12

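# Fetch the leaf cert from a TLS endpoint. HOST, PORTNUMBER and SERVERNAME
# (the SNI name) must be set. `openssl x509` keeps only the first PEM block
# of the s_client output, i.e. the leaf. The output path is a predictable
# name under /tmp; prefer a private directory or mktemp on shared hosts.
echo -n | openssl s_client -showcerts -connect "${HOST}:${PORTNUMBER}" -servername "$SERVERNAME" \
    | openssl x509 > "/tmp/${SERVERNAME}.cert"

# Split a .pfx (prompts for the import password unless -passin is given).
# <filename.pfx> and the output names are placeholders to replace, not shell
# syntax. -nodes writes the key unencrypted; sed keeps just the PEM block.
# The key pattern expects a PKCS#8 "BEGIN PRIVATE KEY" header; older openssl
# emits "BEGIN RSA PRIVATE KEY", which this sed would not match (empty file).
# The redirect follows the umask, so tighten it for the key file.
( umask 077; openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key> )
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer>
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>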

Expiration dates

# Expiry check: notBefore/notAfter of the leaf cert served for $host, with SNI
# set. Quote $host/$port if they can hold anything but a plain name/number.
host=example.com; port=443; echo "Q" | openssl s_client -servername $host -connect $host:$port | openssl x509 -noout -dates

Show Certs

# Full chain as served (leaf first) plus handshake details, to stdout.
# On openssl builds that do not send SNI by default, add -servername $host
# or a name-based vhost may return its default cert instead.
host=example.com; port=443; echo "Q" | openssl s_client -showcerts -connect $host:$port

Get CA cert PEM from URL and use with curl

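# Capture the chain a server presents and use it as curl's trust file.
# -servername must carry the real host name (SNI); the literal "server" used
# before would make a name-based vhost hand back a different cert.
host=example.com; port=443
echo quit | openssl s_client -showcerts -servername "$host" -connect "$host:$port" > cacert.pem
# cacert.pem holds the whole s_client transcript; PEM readers skip the extra
# text. It contains the served leaf + intermediates (no root), so this pins
# the current chain and must be refreshed when the server cert rotates.
curl -vv --cacert cacert.pem "https://$host:$port/notifications/health"

# Unpack a .pfx into one PEM holding certs and the key (-nodes: unencrypted).
openssl pkcs12 -in example.io.pfx -out example.io.pem -nodes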

PKS

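# kb.dev.example.com.pks
# Unpack <host>.pfx into key + leaf cert (prompts for the import password).
# -nodes writes the key unencrypted; $host is quoted so odd names stay one word.
host=kb.dev.example.com
openssl pkcs12 -in "$host.pfx" -out "$host.key" -nocerts -nodes
chmod 600 "$host.key"
openssl pkcs12 -in "$host.pfx" -out "$host.crt" -clcerts -nokeys
# Same split trimmed to bare PEM blocks with sed. <filename.pfx> and the
# output names are placeholders. The key pattern expects a PKCS#8
# "BEGIN PRIVATE KEY" header; older openssl writes "BEGIN RSA PRIVATE KEY",
# which this sed would not match (empty output file). The redirect follows
# the umask, so tighten it for the key.
( umask 077; openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key> )
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer>
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>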

cipher scans

# Shows the cipher suite negotiated for this one handshake (taken from the
# -msg/-debug output), not the full list the server would accept; each
# -cipher value needs its own connection to test. Note the four spaces in
# the grep pattern, which match s_client's column layout.
echo quit | openssl s_client -connect www.uvoo.io:443 -msg -debug 2>/dev/null | grep "Cipher    :"

Self signed https certs

View & Download in Firefox
PEM (cert)PEM (chain)
# Fetch the served chain for API_HOST (SNI set) and use it as curl's CA file.
export API_HOST=example.com
# cacert.pem gets the whole s_client transcript; PEM readers ignore the extra
# text. It holds leaf + intermediates as served (no root), so this pins the
# current chain and must be refreshed when the server cert rotates.
echo quit | openssl s_client -showcerts -servername "${API_HOST}" -connect "${API_HOST}":443 > cacert.pem
# --location follows redirects; a redirect to another host may fail
# verification against this file.
curl --cacert cacert.pem --location --silent https://${API_HOST}

https://www.redhat.com/sysadmin/6-openssl-commands

Extract cert and key

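# Extract leaf cert and (unencrypted, -nodes) private key from a .pfx;
# openssl prompts for the import password unless -passin is given.
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
# The key is plaintext: make sure only the web server's user can read it.
chmod 600 domain.key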

Update your Apache configuration file with:

<VirtualHost 192.168.0.1:443>
 ...
 SSLEngine on
 # Leaf cert from the .pfx above; intermediates go in SSLCertificateChainFile
 # (or are appended to this file on Apache 2.4.8 and later).
 SSLCertificateFile /path/to/domain.crt
 # Plaintext key (extracted with -nodes): keep it root-owned, mode 0600.
 SSLCertificateKeyFile /path/to/domain.key
 ...
</VirtualHost>
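# Assorted s_client one-liners. `echo quit`, `echo "Q"`, `true |` and
# `echo -n |` all just close stdin so s_client exits after the handshake.
echo quit | openssl s_client -connect log.example.com:6514
echo "Q" | openssl s_client -servername google.com -connect google.com:443 | openssl x509 -noout -dates
host=example.com; port=443; echo "Q" | openssl s_client -servername "$host" -connect "$host:$port" | openssl x509 -noout -dates
# -servername must carry the real host name (SNI), not the literal "server",
# or a name-based vhost may return a different cert than the one pinned here.
# cacert.pem then holds the served chain (leaf + intermediates, no root).
echo quit | openssl s_client -showcerts -servername google.com -connect google.com:443 > cacert.pem
true | openssl s_client -connect google.com:443 2>/dev/null | openssl x509
# Leaf cert only, trimmed to its PEM block.
rm -f cert.pem && echo -n | openssl s_client -connect google.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cert.pem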

# Verify against google.pem (a captured chain) instead of the system trust store.
curl --cacert google.pem https://google.com

Get cipher

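# Cipher suite negotiated for one handshake (not everything the server
# accepts). Host name corrected: "examle" was a typo of "example".
echo quit | openssl s_client -connect lb.example.com:443 2>/dev/null | grep -i cipher
# Interactive TLS session to a syslog-over-TLS port; 10.x.x.x is a placeholder.
openssl s_client -connect 10.x.x.x:6514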

PKI

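#!/usr/bin/env bash
# Minimal private CA: creates a root key/cert under ./ca and issues per-host
# certs into ./ca/keys. Run from the directory that should contain ./ca.
set -eu
# ref: https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

bits=4096   # RSA key size for the CA key and every issued key
# cert_cn=insights.example.com
ca_dir=ca
keys_dir=ca/keys
mkdir -p -- "$ca_dir" "$keys_dir"
# cd $ca_dir
# Subject for the CA cert. It used to be stored with an embedded "-subj" and
# escaped quotes, which does not survive shell expansion; if it is ever used,
# pass it as -subj "$ca_subject". The functions below currently inline it.
ca_subject="/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com"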


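#######################################
# Create the root CA key and self-signed cert in $ca_dir.
# Globals:  ca_dir, bits (read)
# Outputs:  $ca_dir/ca.key (DES3-encrypted; passphrase prompted)
#           $ca_dir/ca.crt (self-signed, valid 10240 days)
#######################################
create_CA(){
  echo "Configuring rootca certs for issueing certs to nodes via CN/fqdn."
  # One genrsa only: a plaintext key written first and overwritten by this
  # encrypted one would just be wasted work.
  openssl genrsa -des3 -out "$ca_dir/ca.key" "$bits"
  chmod 600 -- "$ca_dir/ca.key"
  # openssl genrsa -nodes -out $ca_dir/ca.key $bits
  # -nodes only affects key output; the encrypted key still prompts for its
  # passphrase here and on every later -CAkey signing.
  openssl req -x509 -new -nodes -key "$ca_dir/ca.key" -sha256 -days 10240 -out "$ca_dir/ca.crt" -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com"
}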


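#######################################
# Issue a cert for one host, signed by the CA in $ca_dir.
# Globals:   keys_dir, ca_dir, bits (read)
# Arguments: $1 - CN / FQDN of the host
# Outputs:   $keys_dir/<cn>.key (unencrypted), .csr, .crt (valid 730 days)
#######################################
create_client(){
  local cert_cn=$1
  echo "Configuring certs for nodes with CN/fqdn."
  openssl genrsa -out "$keys_dir/${cert_cn}.key" "$bits"
  chmod 600 -- "$keys_dir/${cert_cn}.key"
  openssl req -new -key "$keys_dir/${cert_cn}.key" -out "$keys_dir/${cert_cn}.csr" -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=$cert_cn"
  # Prompts for the CA key passphrase. -CAcreateserial writes ca.srl next to
  # ca.crt on first use. No SAN is added, so modern browsers (which ignore
  # the CN) will reject this cert; add -extfile/-extensions if that matters.
  openssl x509 -req -in "$keys_dir/${cert_cn}.csr" -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial -out "$keys_dir/${cert_cn}.crt" -days 730 -sha256
}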

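#######################################
# Copy a host's key/cert and the CA cert into the rsyslog keys directory
# (a path relative to the current directory, as in the original layout).
# Globals:   keys_dir, ca_dir (read)
# Arguments: $1 - CN / FQDN passed to create_client
#######################################
copy_keys_to_rsyslog(){
  local cert_cn=$1
  local dest=../files/etc/rsyslog.d/keys/
  # cp applies the umask to new files; confirm the copied .key is not
  # world-readable at its destination.
  cp -- "$keys_dir/${cert_cn}.key" "$dest"
  cp -- "$keys_dir/${cert_cn}.crt" "$dest"
  cp -- "$ca_dir/ca.crt" "$dest"
}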

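# Entry point: build the CA, then issue and install one host cert.
# The host name may be given as the first argument; the default keeps the
# original behaviour.
fqdn=${1:-insights.example.com}
create_CA
create_client "$fqdn"
copy_keys_to_rsyslog "$fqdn"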


# Notes

# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Shadow

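# SHA-512 crypt hash for /etc/shadow. The password is read from the terminal
# and piped to -stdin instead of being passed as an argument, so it stays out
# of shell history and the process list; with no -salt, openssl generates a
# fresh random salt for every run.
read -rs -p 'Password: ' pass; echo
printf '%s\n' "$pass" | openssl passwd -6 -stdin
unset pass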

LDAP

# Chain an LDAPS server presents plus handshake details; stdin stays open, so
# press Ctrl-D (or pipe in `echo`) to end the session.
openssl s_client -showcerts -connect ldap.yourdomain.com:636

Refs

More

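# Force a TLS 1.3 handshake (fails if the server does not offer it).
openssl s_client -connect 127.0.0.1:8443 -tls1_3

# Served chain with SNI set; </dev/null closes stdin so s_client exits.
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null

# Same without SNI. Redirect target fixed to /dev/null (the earlier
# "/dev/nul" does not exist, so the shell refused to run the command).
openssl s_client -showcerts -connect www.example.com:443 </dev/null

# Leaf cert decoded. The leading "$ " prompt from the copy-paste is dropped:
# pasted literally, bash tries to run a command named "$".
echo | \
    openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
    openssl x509 -text
# Verifying a cert against itself only succeeds for a self-signed cert; for a
# CA-issued one, pass the issuing chain as -CAfile instead.
openssl verify -verbose -CAfile _.example.com.crt _.example.com.crt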

get cert

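# Text dump of a.crt with the listed sections suppressed. The -certopt list
# must be one argument: it was wrapped across two lines (splitting
# "no_extensions" into "no" + "_extensions") and repeated no_extensions;
# it is rejoined here with the duplicate removed. Drop no_extensions to see
# the X.509v3 extensions.
openssl x509 -in a.crt -text -certopt no_header,no_pubkey,no_subject,no_issuer,no_signame,no_version,no_serial,no_validity,no_extensions,no_sigdump,no_aux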

pkcs12 from key and crt

# Bundle key + cert into PKCS#12; prompts for an export password. In scripts
# use -passout env:VAR rather than putting the password on the command line.
openssl pkcs12 -export -out keyStore.p12 -inkey my.key -in my.crt