If you need to check the SMTP certificate from commandline:
openssl s_client -connect mail.example.com:25 -starttls smtp
Tag: Certificates
Create a SSL key and CSR for SSL certificate
Create a new SSL key with 4096 bit size (highly recommended):
openssl genrsa -out website.key 4096
Create the CSR so you can send it to your SSL certificate provider to create a certificate your you (don’t forget –sha256, also highly recommended for security):
openssl req -new -key website.key -out website.csr -sha256 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]:Noord-Holland Locality Name (eg, city) []:Amsterdam Organization Name (eg, company) [Internet Widgits Pty Ltd]:website Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:website.tld Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
As you can see, not all parts are required to fill in when creating a CSR file.
Examine generated key file
To examine a generated key file for example the key size enter the following:
openssl rsa -in website.key -check -text
You will get result like this:
Private-Key: (2048 bit)
modulus:
<cut>
publicExponent: 65537 (0x10001)
privateExponent:
<cut>
prime1:
<cut>
prime2:
<cut>
exponent1:
<cut>
exponent2:
<cut>
coefficient:
<cut>
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
<cut>
-----END RSA PRIVATE KEY-----
Examine certificate request file (CSR)
To examine the content of a generated .csr file enter the following:
openssl req -text -noout -in website.csr
You will get information like this for example:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=country, ST=province, L=city, O=business name, CN=common name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<cut>
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:example.com
Signature Algorithm: sha256WithRSAEncryption
<cut>
Examine certificate file (.p7b)
To examine a signed certificate file in p7b format enter the following:
openssl pkcs7 -in certificate.p7b -text -print_certs
Examine certificate file (.cer/.crt)
To examine a signed certificate file in .cer or .crt format enter the following:
openssl x509 -noout -text -in certificate.cer
Convert pfx to pem
To convert a .pfx certificate to a .pem file enter the following:
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
Convert p7b/pkcs7 to PEM certificate
To convert a .p7b certificate to a .pem certificate enter the following:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
After this you can view the certificates with vi/less.
If you receive an error like below, you probably have a wrong format:
140536229615264:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7
If the certificate in in DER format enter the following:
openssl pkcs7 -inform der -print_certs -in certificate.p7b -out certificate.pem
Convert certificate file (.cer/.crt) to PFX
Sometimes you need a .pfx style certificate for whatever purpose, this is how you create it:
openssl pkcs12 -export -in website.cer -inkey website.key -out website.pfx
You will be asked for a password, this is recommended because otherwise the key can be abused without any effort if someone has found your .pfx file.
website.cer is an example, change it with your own file.