I have been using the openssl command line for the past few weeks to rotate some of the yearly expiring certs on our internal platforms. If you are one of my co-workers reading this, then you know what I am talking about.
So I thought this could make a good blog post, as well as serve as a cheatsheet/reference for my future self.
This list of the most common OpenSSL commands from SSLShopper covers more than what I have below.
Command to write a new .txt config file for creating a Certificate Signing Request:
export SITE_NAME="mydomain.com"
echo "
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
C=CA
ST=Ontario
L=Toronto
O=Personal
OU=Stuff
emailAddress=example@gmail.com
CN=${SITE_NAME}
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.${SITE_NAME}" > ${SITE_NAME}.csr.txt
The above writes a new config file which can be passed to openssl to create a CSR.
Create a new private key and Certificate Signing Request from the config ${SITE_NAME}.csr.txt:
openssl req -new -sha256 -nodes -out ${SITE_NAME}.csr \
-newkey rsa:2048 -keyout ${SITE_NAME}.key \
-config ${SITE_NAME}.csr.txt
Check the validity dates of the cert served by a domain (stdin is redirected from /dev/null so s_client closes the connection instead of waiting for keyboard input):
openssl s_client -connect google.com:443 -servername google.com < /dev/null 2> /dev/null | openssl x509 -dates -noout
Check the validity dates of a cert you have locally on disk:
openssl x509 -dates -noout -in myDomain.crt
Check the SAN/DNS names listed on a cert present locally:
openssl x509 -text -noout -in myDomain.crt | grep DNS
Check the SAN/DNS names listed on a remote domain's cert:
openssl s_client -connect google.com:443 -servername google.com < /dev/null 2> /dev/null | openssl x509 -text -noout | grep DNS
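As an added, end-to-end example (my own script, not code from the original post), the following ties the CSR steps above to the expiry and SAN checks: it writes the config, creates the key and CSR, confirms the two belong together, self-signs the CSR locally as a stand-in for the CA so everything runs offline, and then inspects the resulting certificate. It assumes openssl is on PATH; the site name mydomain.test and the 30-day lifetime are constructed values. It goes beyond the post in two places: the bare domain is listed as a SAN next to www (browsers match only subjectAltName and ignore CN, so a SAN list of just www.<site> does not cover <site> itself), and `openssl x509 -checkend` turns the expiry date into a yes/no answer that a cron job can act on.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the post's rotation
# steps end to end: write the CSR config, create key + CSR, check that they
# belong together, self-sign the CSR locally (a stand-in for the CA, so the
# script runs offline), then run the expiry and SAN checks as functions.
# Assumptions: openssl is on PATH; the site name, subject fields and 30-day
# lifetime are constructed sample values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write the CSR config for site $1 and print its path. Unlike the post's
# config, the bare name goes in as DNS.1 next to www: browsers match only
# subjectAltName and ignore CN, so a SAN list of just www.<site> does not
# cover <site> itself.
write_csr_config() {
    site=$1
    cat > "$WORK/$site.csr.txt" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
C=CA
ST=Ontario
L=Toronto
O=Personal
OU=Stuff
emailAddress=example@gmail.com
CN=$site
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $site
DNS.2 = www.$site
EOF
    echo "$WORK/$site.csr.txt"
}

# Create a fresh RSA key and CSR from config $1 for site $2, as in the post;
# print the CSR path. stderr is only key-generation progress noise.
make_key_and_csr() {
    cfg=$1; site=$2
    openssl req -new -sha256 -nodes -out "$WORK/$site.csr" \
        -newkey rsa:2048 -keyout "$WORK/$site.key" \
        -config "$cfg" 2>/dev/null
    echo "$WORK/$site.csr"
}

# Key $1 and CSR $2 must carry the same public key: compare SHA-256 of the DER.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Self-sign CSR $1 with key $2 for $4 days, copying the SANs from config $3
# (section req_ext) into the certificate; the cert is written to $5.
self_sign() {
    openssl x509 -req -in "$1" -signkey "$2" -days "$4" \
        -extfile "$3" -extensions req_ext -out "$5" 2>/dev/null
}

# notAfter of cert $1, i.e. the second line of the post's "-dates -noout".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 if cert $1 is still valid $2 days from now, 1 if it expires before
# then. -checkend takes seconds, hence the conversion.
cert_valid_in_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# SAN DNS names of cert $1, one per line (the post's "grep DNS", made exact).
cert_sans() {
    openssl x509 -text -noout -in "$1" | grep -o 'DNS:[^, ]*'
}

SITE=mydomain.test
CFG=$(write_csr_config "$SITE")
CSR=$(make_key_and_csr "$CFG" "$SITE")
KEY=$WORK/$SITE.key
CRT=$WORK/$SITE.crt
key_matches_csr "$KEY" "$CSR"          # set -e aborts here on a mismatch
self_sign "$CSR" "$KEY" "$CFG" 30 "$CRT"

echo "expires: $(cert_not_after "$CRT")"
cert_valid_in_days "$CRT" 10 && echo "still valid in 10 days" || echo "expires within 10 days"
cert_valid_in_days "$CRT" 60 && echo "still valid in 60 days" || echo "expires within 60 days"
cert_sans "$CRT"
```

In day-to-day use the self_sign step is replaced by sending the CSR to the CA and saving what it returns; the checks at the bottom then run unchanged against that file, and `cert_valid_in_days "$CRT" 30 || alert` is the whole renewal reminder.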