Useful commands when working with certificates

I have been using the openssl command line for the past few weeks to rotate some of the yearly expiring certs on our internal platforms. If you are one of my co-workers reading this, then you know what I am talking about.

So I thought this could make a good blog post, and it can also serve as a cheatsheet/reference for my future self.

This list of the most common OpenSSL commands from SSLShopper covers more than what I have below.


Command to write a new .txt config file for creating a Certificate Signing Request.

export SITE_NAME="mydomain.com"

echo "
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = req_distinguished_name

[req_distinguished_name]
C=CA
ST=Ontario
L=Toronto
O=Personal
OU=Stuff
emailAddress=example@gmail.com
CN=${SITE_NAME}

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.${SITE_NAME}" > ${SITE_NAME}.csr.txt

The above writes a new config file that can be passed to openssl to create a new CSR.


Create a new private key 🔑 and Certificate Signing Request from the config ${SITE_NAME}.csr.txt

openssl req -new -sha256 -nodes -out ${SITE_NAME}.csr \
    -newkey rsa:2048 -keyout ${SITE_NAME}.key \
    -config ${SITE_NAME}.csr.txt

Check for expiry date of cert on a domain

openssl s_client -connect google.com:443 -servername google.com < /dev/null 2> /dev/null | openssl x509 -dates -noout

Check for expiry date of cert that you have somewhere local on disk

openssl x509 -dates -noout -in myDomain.crt

Check SAN/DNS listed on a cert present locally

openssl x509 -text -noout -in myDomain.crt | grep DNS

Check SAN/DNS listed on a remote domain

openssl s_client -connect google.com:443 -servername google.com < /dev/null 2> /dev/null | openssl x509 -text -noout | grep DNS
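The local and remote checks above, wrapped as shell functions a rotation script or cron job can call (an added example, not from the original post). It assumes only that the openssl CLI is on PATH; the certcheck.sh name, the 30-day default window and the file paths are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is on PATH;
# file paths, hostnames and the day threshold are whatever the caller passes.

# Print the notAfter= line of a PEM certificate on disk.
cert_enddate() {
    openssl x509 -enddate -noout -in "$1"
}

# Return 0 if the certificate in $1 expires within $2 days, 1 if it is still
# valid past that window. openssl's -checkend does the date math, so there is
# no dependence on GNU vs BSD date(1).
cert_expires_within() {
    if openssl x509 -checkend $(($2 * 86400)) -noout -in "$1" >/dev/null 2>&1; then
        return 1    # still valid beyond the window
    fi
    return 0        # expires inside the window: rotate it
}

# List the DNS names in subjectAltName one per line, so a rotation script can
# diff them against the names it expects instead of eyeballing grep output.
cert_sans() {
    openssl x509 -text -noout -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p'
}

# Save the leaf certificate of a live endpoint to $2 so the same functions
# apply. </dev/null stops s_client from waiting on the terminal for input.
fetch_remote_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# Usage: ./certcheck.sh cert.pem [days]   (default window: 30 days)
if [ -n "$1" ]; then
    cert="$1"; days="${2:-30}"
    cert_enddate "$cert"
    printf 'SANs:\n'; cert_sans "$cert"
    if cert_expires_within "$cert" "$days"; then
        echo "WARNING: $cert expires within $days days, rotate it"
        exit 1
    fi
    echo "OK: $cert is valid for more than $days days"
fi
```

Run it as `sh certcheck.sh myDomain.crt 45` to fail the build, or the cron job, when a cert has less than 45 days left.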