Useful OpenSSL Tips

March 16, 2024 in memos.

Just writing down some common openssl command I often find myself using. One day this collection might be more complete and better organized. For now, it’s just this.

Some common options when viewing a certificate with openssl x509

Read a file that contains multiple certificates, printing details about each one.

while openssl x509 -noout -serial -dates -subject -nameopt multiline ; do : ; done < /path/to/file-with-multiple-certs.crt

Verify a certificate is valid using a specific root.

openssl verify \
-trusted files/certs/root-ca.pem \
-untrusted files/certs/intermediate-1.pem \
-untrusted files/certs/intermediate-1.pem \
-show_chain \

note: the -untrusted here is to include the certificate in the chain, but does not trust it. this would be the certificates that your server is configured to serve up in it’s chain. so, all authorities that hav signed it up to but *not including the root certificate.

Check that the certificate, and chain, being served is valid

openssl s_client \
-CAfile files/certs/root-ca.pem \
-servername \
-connect 2>&1 < /dev/null

-CAfile here is to specific a specific root certificate to use. if the expected root is in your local truststore, you can omit this.

Tags: crypto tls certs