OpenSSL Favorites

Certificate Verification

Verify Chain

# Verify certificate chain
# Checks the leaf's signature chain against the CA bundle and its validity
# period. Revocation is NOT consulted unless -crl_check/-crl_check_all and
# the CRLs are supplied as well. Success is "<path>: OK" on stdout with
# exit status 0; any other output means the chain is not trusted.
ca_chain=~/.secrets/certs/d000/domus-ca-chain.pem
leaf=/etc/ssl/certs/modestus-razer-eaptls.pem
openssl verify -CAfile "$ca_chain" "$leaf"

Full Certificate Details

# Full certificate details
# Dumps every field of the certificate (subject, issuer, validity, SANs,
# key usage, signature algorithm) without echoing the PEM block itself.
# The file name suggests an EAP-TLS identity cert — if so, confirm the
# X509v3 Extended Key Usage section lists TLS Web Client Authentication.
cert=/etc/ssl/certs/modestus-razer-eaptls.pem
openssl x509 -noout -text -in "$cert"

Check All Cert Expiry

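# Check expiry dates for all certs in directory
# Prints "<file> <notAfter>" for every *.pem in the directory (default
# /etc/ssl/certs; override with $1). Files openssl cannot parse as a
# certificate are reported as UNREADABLE instead of a silently empty
# column, and a directory with no .pem files prints nothing rather than
# the literal glob pattern. To alert on certs expiring soon, pair this
# with `openssl x509 -checkend 2592000 -noout -in "$cert"`, which exits
# non-zero when the cert expires within 30 days.
cert_dir=${1:-/etc/ssl/certs}
for cert in "$cert_dir"/*.pem; do
  [[ -e "$cert" ]] || continue   # unmatched glob leaves the pattern behind
  if expiry=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null); then
    expiry=${expiry#notAfter=}   # same as cut -d= -f2 on "notAfter=<date>"
  else
    expiry='UNREADABLE (not a PEM certificate?)'
  fi
  printf '%-50s %s\n' "${cert##*/}" "$expiry"
done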

Remote Operations

Fetch Remote Certificate

# Fetch and inspect remote certificate
# Prints what the server presents for this SNI name: subject, issuer,
# validity window and fingerprint. Only the PEM block survives the pipe
# into x509, so the handshake's verify result is dropped — this shows what
# the server sends, not whether it chains to a trusted CA (use
# `openssl verify` for that). Note the SNI is the short name "ise-01"
# while the TCP target is the FQDN; whether that is intended depends on
# how that server's certificate was issued — confirm.
target=ise-01.inside.domusdigitalis.dev:443
sni=ise-01
echo \
  | openssl s_client -connect "$target" -servername "$sni" 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates -fingerprint

Generation

Generate CSR

# Generate CSR for Vault PKI
# Signs a request with the existing host key; the key never leaves
# /etc/ssl/private. The CSR holds only the public key and subject, so it
# is not secret, but /tmp is shared — re-check it with
#   openssl req -in /tmp/host.csr -noout -text -verify
# before submitting it to Vault. Whether SANs come from this CSR or from
# the Vault role / sign request depends on the role configuration — confirm.
key=/etc/ssl/private/host.key
csr=/tmp/host.csr
subject="/CN=newhost.inside.domusdigitalis.dev"
openssl req -new -key "$key" -subj "$subject" -out "$csr"

Export to PKCS12

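# Export to PKCS12 for Windows import
# The .pfx bundles the PRIVATE KEY with the cert and chain. openssl creates
# the output with the current umask, so in a shared /tmp the usual 0644
# would leave the key readable by every local user, guarded only by the
# export password. The umask is set in a subshell so it does not leak into
# the interactive session, and any pre-existing file (or symlink) at the
# output path is removed first so the new mode actually applies. Move the
# .pfx off /tmp as soon as it is transferred.
# The export password is prompted interactively — keep it that way rather
# than passing -passout pass:... on argv, which lands in history and ps.
# If an older Windows host refuses the file, OpenSSL 3's -legacy option
# selects the older PKCS12 ciphers — confirm against the importing system.
(
  umask 077
  rm -f -- /tmp/host.pfx
  openssl pkcs12 -export \
    -in /etc/ssl/certs/host.pem \
    -inkey /etc/ssl/private/host.key \
    -certfile ~/.secrets/certs/d000/domus-ca-chain.pem \
    -out /tmp/host.pfx
)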

Quick Reference

Pattern — Purpose

openssl x509 -noout -subject -issuer

Subject/issuer only

openssl x509 -noout -dates

Validity dates

openssl x509 -noout -fingerprint

Certificate fingerprint

openssl s_client -connect HOST:443

Test TLS connection

openssl verify -CAfile chain.pem cert.pem

Verify chain