Certificates
Certificate operations for the domus secrets workflow.
Inspect Certificates
Show full certificate details — issuer, subject, validity, SAN, key usage
openssl x509 -in cert.pem -text -noout
Quick validity check — notBefore and notAfter dates
openssl x509 -in cert.pem -noout -dates
Show subject and issuer — who is this cert, who signed it
openssl x509 -in cert.pem -noout -subject -issuer
Show SAN — all DNS names and IPs the cert covers
openssl x509 -in cert.pem -noout -ext subjectAltName
SHA256 fingerprint — for out-of-band verification
openssl x509 -in cert.pem -noout -fingerprint -sha256
Remote Certificate Inspection
Fetch and inspect a remote server’s certificate
openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
Show the full chain presented by a server
openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null
Test mutual TLS — present client certificate
openssl s_client -connect host:443 -servername host -cert client.pem -key client.key -CAfile ca-chain.pem </dev/null
Chain Verification
Verify a certificate against a CA chain
openssl verify -CAfile ca-chain.pem server.pem
Build a chain file — leaf first, root last
cat server.pem intermediate.pem root.pem > fullchain.pem
Verify with explicit intermediate
openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem server.pem
Vault-Issued Certificates
Issue a server certificate from Vault PKI
vault write pki_int/issue/domus-server \
    common_name="web.inside.domusdigitalis.dev" \
    alt_names="web" \
    ttl=720h
Issue a client certificate for EAP-TLS
vault write pki_int/issue/domus-client \
    common_name="modestus-razer.inside.domusdigitalis.dev" \
    ttl=2160h
Extract cert and key from Vault JSON output
umask 077   # the JSON and the key file both contain the private key; never create them world-readable
vault write -format=json pki_int/issue/domus-server \
    common_name="web.inside.domusdigitalis.dev" ttl=720h | tee vault-cert.json | \
    jq -r '.data.certificate' > server.pem
jq -r '.data.private_key' < vault-cert.json > server.key
chmod 600 server.key
rm -f vault-cert.json   # remove the JSON once cert and key are extracted
Expiration Monitoring
Check if a certificate expires within 30 days
openssl x509 -checkend 2592000 -in cert.pem && echo "valid" || echo "expires within 30 days"
Check all certificates in a directory
for cert in /etc/ssl/certs/*.pem; do
    expiry=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
    [[ -n "$expiry" ]] && printf "%-50s %s\n" "$(basename "$cert")" "$expiry"
done | sort -k2
Find certificates expiring in the next 30 days
for cert in /etc/ssl/certs/*.pem; do
    openssl x509 -in "$cert" -checkend 2592000 -noout 2>/dev/null || \
        echo "EXPIRING: $(basename "$cert")"
done
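The two loops above can be combined into one reusable expiry report that prints days remaining per certificate, flags anything inside a warning window, and exits non-zero when something is flagged (handy for cron or a monitoring check). This is an added example, not part of the original cheat sheet; it assumes GNU date for the days-left calculation, with a BSD `date -j` fallback, and treats an unreadable certificate as expiring so a broken file is never silently reported as fine.

```bash
#!/usr/bin/env bash
# Certificate expiry report built on the same openssl primitives as above
# (-enddate for the date, -checkend for the threshold test).
set -u

DAY=86400   # seconds per day, for converting a day count to -checkend seconds

# Print the notAfter date of a PEM certificate (empty if openssl cannot read it).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# Whole days until expiry (negative once expired). Assumes GNU date;
# falls back to the BSD/macOS 'date -j -f' form, otherwise returns 1.
cert_days_left() {
    local not_after epoch now
    not_after=$(cert_not_after "$1")
    [ -n "$not_after" ] || return 1
    epoch=$(date -d "$not_after" +%s 2>/dev/null) \
        || epoch=$(date -j -f "%b %d %T %Y %Z" "$not_after" +%s 2>/dev/null) \
        || return 1
    now=$(date +%s)
    echo $(( (epoch - now) / DAY ))
}

# Status 0 if the certificate expires within N days. An unreadable or
# already-expired certificate also yields 0 (fail safe: it gets flagged).
cert_expiring_within() {
    local days=$1 cert=$2
    ! openssl x509 -in "$cert" -noout -checkend $(( days * DAY )) >/dev/null 2>&1
}

# Report every *.pem in a directory; status 1 if any is inside the window.
cert_expiry_report() {
    local days=$1 dir=$2 cert status=0 left flag
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        left=$(cert_days_left "$cert") || left="?"
        if cert_expiring_within "$days" "$cert"; then
            flag="EXPIRING"; status=1
        else
            flag="ok"
        fi
        printf "%-8s %5s days  %s\n" "$flag" "$left" "$(basename "$cert")"
    done
    return $status
}
```

Run it as `cert_expiry_report 30 /etc/ssl/certs` and act on a non-zero exit status.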
Format Conversion
PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der
DER to PEM
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
Create PKCS12 bundle — for ISE/Windows import
openssl pkcs12 -export -out bundle.p12 -inkey server.key -in server.pem -certfile ca.pem
Extract from PKCS12 back to PEM
openssl pkcs12 -in bundle.p12 -out extracted.pem -nodes