Create a certificate request
How to create a new key and certificate request using OpenSSL in one line (as of OpenSSL 1.1.1). The -nodes option writes the private key to disk unencrypted. For an RSA key:
$ openssl req -nodes -newkey rsa:2048 -keyout priv.key -out server.csr -subj "/CN=server1.example.com" -addext "subjectAltName = DNS:server1.example.com,DNS:server1.ipa.example.com"
Or if you prefer an ECC key:
$ openssl ecparam -out priv.key -name secp384r1 -genkey
$ openssl req -nodes -new -key priv.key -out server.csr -subj "/CN=server1.example.com" -addext "subjectAltName = DNS:server1.example.com"
Verify certificate request
To verify a CSR using OpenSSL from the command line:
$ openssl req -noout -text -in server.csr
Verify a key
To verify the private key created during CSR generation (the commands above wrote it to priv.key; use your key's file name):
$ openssl rsa -noout -text -in server.key
Verify a signed certificate
To verify a signed certificate using OpenSSL:
$ openssl x509 -noout -text -in <path/to/cert.crt>
Verify RSA key and certificates match
To verify that an RSA private key, a CSR, and a public certificate all match, compare the modulus using OpenSSL commands. All three commands must print the same value:
$ openssl req -in server.csr -noout -modulus
Modulus=C864B9E25EA17622C7B865947C289100EBC7AEADB829A90575F48CFADADA46929856F20F1BE707B0DD84A6F11F02CD0350A4E126DB4B468A2FC00C78CC4C3D93CC1330F260208C4F3600285261A1D3D419F0433FC2BBB3EA9186643EB28F15ADB29360AD404340C254CCECE1379D4D1322A73C085288470581E2C01FCC18115E0097CA0DC208A44540821BEE563AC4660BEBEC4E2257B58473870596DE60BAA0854DFF543A440518DF9D1B009B715E74360D7EBF97368512A31DD24D2EB4AEBCCEF1B5FF5BD3B0C38D8A9B6424ADA9972F191373D89BD776BD2C39630EE7FA44D2ECBE2C67541977C097A67002CF037A7A75BF7510C4EF29D3EDC32D968D4BD3
$ openssl rsa -in server.key -noout -modulus
Modulus=<same value as above>
$ openssl x509 -in server.crt -noout -modulus
Modulus=<same value as above>
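Verify ECC key and certificate match
Extract the public key from the certificate and from the private key; the two outputs must be identical:
$ openssl x509 -noout -pubkey -in server.crt
$ openssl ec -pubout -in server.key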
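The RSA and ECC match checks above, combined into one script that handles both key types by hashing the public key extracted from each file. This is an added example, not part of the original page; the function names spki_hash and keys_match are made up here, and the private key is assumed to be unencrypted, as written by -nodes.

```shell
#!/bin/sh
# Added example: confirm that a private key, a CSR and a certificate all carry
# the same public key. Works for RSA and ECC alike because it hashes the
# DER-encoded public key instead of comparing the RSA modulus.
# Assumption: the private key is unencrypted (as written by -nodes).

# spki_hash <key|csr|crt> <file>: print the SHA-256 of the file's public key.
spki_hash() {
    case "$1" in
        # "-passin pass:" makes an encrypted key fail instead of prompting.
        key) pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || pem= ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || pem= ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || pem= ;;
        *)   echo "unknown file type: $1" >&2; return 2 ;;
    esac
    # An unreadable file must fail here, not hash as empty input and "match".
    if [ -z "$pem" ]; then
        echo "cannot read a public key from $2" >&2
        return 1
    fi
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match <key> <csr> <crt>: succeed only if all three public keys agree.
keys_match() {
    h_key=$(spki_hash key "$1") || return 1
    h_csr=$(spki_hash csr "$2") || return 1
    h_crt=$(spki_hash crt "$3") || return 1
    [ "$h_key" = "$h_csr" ] && [ "$h_key" = "$h_crt" ]
}

# When run with three file arguments, report the result.
if [ "$#" -eq 3 ]; then
    if keys_match "$1" "$2" "$3"; then
        echo "match"
    else
        echo "MISMATCH"
        exit 1
    fi
fi
```

Saved to a file, the script takes the key, the CSR and the certificate as its three arguments and exits non-zero on a mismatch or an unreadable file.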
Verify a service’s public cert
To connect to a service and verify its public certificate using OpenSSL in the command line:
$ openssl s_client -connect <hostname:port>