Debugging and Testing Certificates With OpenSSL

The following are some examples show how to use OpenSSL commands to work with existing certificates to debug and test the infrastructure. The examples provided here aren't comprehensive and are intended to supplement the existing OpenSSL manual pages.

Examining Certificates

  • Display the information contained in an X.509 certificate:
    sudo openssl x509 -text -noout -in server.crt
  • Display the SHA1 fingerprint of a certificate: 
    sudo openssl x509 -sha1 -noout -fingerprint -in server.crt
  • Display the serial number of a signed certificate: 
    sudo openssl x509 -serial -noout -in server.crt

Check That a Private Key Matches a Certificate

The modulus and public exponent parts of the key and certificate must match. These values are often long and difficult to check. The easiest way to compare the modulus in the key and certificate is to create a SHA256 hash of each and compare those instead, for example:

sudo openssl x509 -noout -modulus -in server.crt | openssl sha256
sudo openssl rsa -noout -modulus -in server.key | openssl sha256

You can also check the modulus in a CSR to see if it matches a key or certificate, as follows: 

sudo openssl req -noout -modulus -in server.csr | openssl sha256

Changing Key or Certificate Format

  • Convert a root certificate to a form that can be published on a website for downloading by a browser:
    sudo openssl x509 -in cert.pem -out rootcert.crt
  • Convert a base64 encoded certificate (also referred to as PEM or RFC 1421) to binary DER format:
    sudo openssl x509 -in cert.pem -outform der -out certificate.der
  • Convert the base64 encoded certificates for an entity and its CA to a single PKCS7 format certificate:
    sudo openssl crl2pkcs7 -nocrl -certfile entCert.cer -certfile CACert.cer -out certificate.p7b

Check Certificate Consistency and Validity

Verify a certificate including the signing authority, signing chain, and period of validity:

sudo openssl verify cert.pem

Decrypting Keys and Adding or Removing Passphrases

  • If you create an encrypted key file and decide that the file isn't encrypted or doesn't require a passphrase, you can decrypt it by using the following command: 
    sudo openssl rsa -in private.key -out unencrypted.key
        
Enter pass phrase for private.key:
writing RSA key

    You're prompted for the passphrase on the encrypted key, which is stored in private.key, and the unencrypted version of the same key is written to the unencrypted.key file.

  • To encrypt an unencrypted key and add a passphrase to protect it, run the following command:
    sudo openssl rsa -aes256 -in unencrypted.key -out private.key

    In this previous example, the AES cipher is used with a 256 bit key. The command prompts you to enter a passphrase and to verify it. The new encrypted key file is written to private.key.

    Note:

    You can add or remove a passphrase from the private key at any time without affecting its public key counterpart. Adding a passphrase protects the private key from use by an unauthorized or malicious user, but comes with an added inconvenience, in that services that use the private key always require manual intervention to start or restart. If you remove the passphrase from a key, ensure that it's stored with strict permissions and that it's not copied to systems that don't require it.

Using OpenSSL to Test SSL/TLS Configured Services

  • Test a self-signed certificate by configuring a server that listens on port 443:
    sudo openssl s_server -accept 443 -cert cert.pem -key prikey.pem -www
  • Test the client side of a connection. This command returns information about the connection including the certificate. After the connection is established, you can manually input HTTP requests or commands directly at the prompt.
    sudo openssl s_client -connect server:443 -CAfile cert.pem
  • Extract a certificate from a server:
    sudo echo | openssl s_client -connect server:443 2>/dev/null | \
sed -ne '/BEGIN CERT/,/END CERT/p' |sudo tee svrcert.pem