If you need to check the SMTP certificate from the command line:
openssl s_client -connect mail.example.com:25 -starttls smtp
Just random Linux dumps I don't want to remember ;-)
Create a new SSL key with 4096 bit size (highly recommended):
openssl genrsa -out website.key 4096
Create the CSR so you can send it to your SSL certificate provider, who will create a certificate for you (don't forget -sha256, also highly recommended for security):
openssl req -new -key website.key -out website.csr -sha256
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-Holland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:website
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:website.tld
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
As you can see, not every field has to be filled in when creating a CSR file.
To examine a generated key file (for example, to check the key size), enter the following:
openssl rsa -in website.key -check -text
You will get a result like this:
Private-Key: (2048 bit)
modulus:
    <cut>
publicExponent: 65537 (0x10001)
privateExponent:
    <cut>
prime1:
    <cut>
prime2:
    <cut>
exponent1:
    <cut>
exponent2:
    <cut>
coefficient:
    <cut>
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
<cut>
-----END RSA PRIVATE KEY-----
To examine the content of a generated .csr file, enter the following:
openssl req -text -noout -in website.csr
You will get information like this for example:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=country, ST=province, L=city, O=business name, CN=common name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    <cut>
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
    Signature Algorithm: sha256WithRSAEncryption
        <cut>
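The manual checks above (key size, CSR contents) can be combined into one pre-submission check. This is an added example, not part of the original notes; the function name check_csr and its return codes are made up for illustration, and it assumes an unencrypted RSA key as generated above.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before sending it to the certificate provider.
# Usage: check_csr website.key website.csr [min_bits]
# Returns 0 when all checks pass, 1-4 for the check that failed.
check_csr() {
    key=$1; csr=$2; min_bits=${3:-4096}   # 4096 is the key size used in these notes

    # 1. The CSR's self-signature must verify. Match the message rather than the
    #    exit status, which older OpenSSL releases leave at 0 on a failed verify.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; return 1; }

    # 2. The CSR must contain the public half of this private key.
    #    Both commands emit the same PEM-encoded SubjectPublicKeyInfo.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$csr_pub" ]; then
        echo "FAIL: $csr was not created from $key"; return 2
    fi

    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)

    # 3. Key size: accepts "Public-Key:" and the older "RSA Public Key:" spelling.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bit, expected at least $min_bits"; return 3
    fi

    # 4. Signature digest: catches a CSR created without -sha256 on a system
    #    whose default digest is weaker.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        sha256*|sha384*|sha512*) ;;
        *) echo "FAIL: signature algorithm is '$sig'"; return 4 ;;
    esac

    echo "OK: $bits bit key, $sig, CSR matches $key"
}
```

The same public-key comparison works for a signed certificate by replacing the req call in step 2 with openssl x509 -in certificate.cer -noout -pubkey.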
To examine a signed certificate file in p7b format, enter the following:
openssl pkcs7 -in certificate.p7b -text -print_certs
To examine a signed certificate file in .cer or .crt format, enter the following:
openssl x509 -noout -text -in certificate.cer
To convert a .pfx certificate to a .pem file, enter the following:
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
To convert a .p7b certificate to a .pem certificate, enter the following:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
After this you can view the certificates with vi/less.
If you receive an error like the one below, the file is probably in the wrong format:
140536229615264:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7
If the certificate is in DER format, enter the following:
openssl pkcs7 -inform der -print_certs -in certificate.p7b -out certificate.pem
Sometimes you need a .pfx-style certificate for whatever purpose; this is how you create it:
openssl pkcs12 -export -in website.cer -inkey website.key -out website.pfx
You will be asked for a password. Setting one is recommended, because otherwise the key can be abused without any effort by anyone who finds your .pfx file.
website.cer is an example; replace it with your own file.