Creating/Modifying

Generate a new private key

openssl genrsa -out example.key 2048

Remove a passphrase from a private key

openssl rsa -in example.key -out new_example.key

Generate a new private key and CSR (certificate signing request)

openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout example.key

Generate a self-signed SSL certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt

Generate a CSR using an existing private key

openssl req -out example.csr -key example.key -new

Generate a CSR based on an existing certificate

openssl x509 -x509toreq -in example.crt -out example.csr -signkey example.key

Generate a CSR with multiple Subject Alternative Names (SANs)

Create a config file (saved as csr_details.conf, the name the command below expects):

[req]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = New York
L = New York
O = Secure Corp, LLC
OU = IT
CN = host.securecorp.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = other-host.securecorp.com
DNS.2 = best-host.securecorp.com
DNS.3 = worst-host.securecorp.com

Generate the key and CSR simultaneously:

openssl req -new -newkey rsa:2048 -nodes -sha256 -config csr_details.conf -keyout example.key -out example.csr

Checking Existing Keys/CSRs/Certificates

Display CSR contents

openssl req -text -noout -verify -in example.csr

Check a private key

openssl rsa -in example.key -check

Display a certificate's contents

openssl x509 -in example.crt -text -noout

Extract a PEM certificate from a PKCS7 file

openssl pkcs7 -print_certs -in source.p7b -out certificate.crt

Confirm that a key and certificate match

(openssl x509 -noout -modulus -in example.crt | openssl md5; openssl rsa -noout -modulus -in example.key | openssl md5) | uniq | wc -l

(A result of 1 means they match; 2 means they don't. The comparison uses the RSA modulus, so it applies to RSA keys only.)

You can also check a CSR with:

openssl req -noout -modulus -in example.csr | openssl md5
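
The same check generalized beyond RSA, as an added example that is not part of the original cheat sheet: it hashes the public key carried by the key, certificate and CSR instead of the RSA modulus, so it also works for EC keys. The function names pubkey_fp, same_key and make_samples are hypothetical, and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (function names are hypothetical): compare the public key
# (SubjectPublicKeyInfo) rather than the RSA modulus, so EC keys work too.

# pubkey_fp KIND FILE: print the SHA-256 of the DER public key in a key, cert or csr.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # An unreadable or malformed file must fail here, not hash as empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key KEY CERT [CSR]: 0 = all match, 1 = mismatch, 2 = a file could not be parsed.
same_key() {
    k=$(pubkey_fp key "$1") || return 2
    c=$(pubkey_fp cert "$2") || return 2
    [ "$k" = "$c" ] || return 1
    [ -z "${3:-}" ] && return 0
    r=$(pubkey_fp csr "$3") || return 2
    [ "$k" = "$r" ]
}

# make_samples DIR: constructed test material: an EC key with a matching
# self-signed certificate and CSR, plus an unrelated RSA key.
make_samples() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/ec.key" -subj "/CN=host.example" -days 1 \
        -out "$1/ec.crt" 2>/dev/null &&
    openssl req -new -key "$1/ec.key" -subj "/CN=host.example" \
        -out "$1/ec.csr" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Demo on constructed files in a temporary directory.
d=$(mktemp -d) && make_samples "$d" && {
    if same_key "$d/ec.key" "$d/ec.crt" "$d/ec.csr"; then echo "ec.key: match"; fi
    if ! same_key "$d/other.key" "$d/ec.crt"; then echo "other.key: mismatch"; fi
}
rm -rf "$d"
```

An exit status of 2 is kept distinct from a mismatch so that a missing or unparsable file is never reported as "keys differ".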

Debugging site SSL certificate installation

Check an SSL connection. All the certificates (including intermediates) should be displayed.

echo | openssl s_client -servername www.example.com -connect www.example.com:443

Show certificate details from a web server

echo | openssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -noout -text