X509
TLS/SSL certificate
Certificate display and signing
Self signed certificate with new key
Self signed certificate using existing key
openssl x509
# By default the input is a certificate (CRT); -req switches the input to a CSR
-req
-in <request.csr>
# Validity period; the default is 30 days
-days <days>
# Private key used to sign the certificate (in OpenSSL 3.x -signkey is an alias of -key)
-signkey <key.pem>
# Extensions in the CSR (e.g. subjectAltName) are NOT copied into the certificate
# unless -extfile <ext.cnf> is given (or -copy_extensions copy on OpenSSL 3.x)
-out <cert.{crt|pem}>
Certificate signed by a CA (Certificate Authority)
openssl x509
-req
-in <request.csr>
-days <days>
# CA certificate (becomes the issuer of the new certificate)
-CA <ca.crt>
# CA private key
-CAkey <ca.key>
# Recommended: create the serial number file if it does not exist, seeding it
# with a random serial; later runs read and increment it
[-CAcreateserial]
# Or set the serial explicitly: decimal 01 02..., hex 0x1 0x2...
# (serials must be unique per CA)
[-set_serial <serial>]
# Serial number file, `$(basename <ca.crt> .crt).srl` by default
# (the CA certificate file name with its extension replaced by .srl)
[-CAserial <filename>]
# Same caveat as for the self-signed case: CSR extensions are not copied, so pass
# -extfile <ext.cnf> or the leaf ends up without subjectAltName, keyUsage, etc.
-out <cert.{crt|pem}>
Display the contents of a certificate
Option | Description
---|---
-dates | Print the notBefore (start) and notAfter (expiry) dates
-text | Print the full decoded certificate (subject, issuer, extensions, ...)
-noout | Do not echo the PEM-encoded certificate itself
openssl x509 -in <cert.{crt|pem}> [-dates] -text -noout
Verify that a private key matches a certificate (or CSR)
# Compare a digest of the RSA modulus of each object; the three hashes must be identical.
# The digest is only a local equality check, so md5 is acceptable here.
# RSA only: -modulus has no meaning for EC or Ed25519 keys; for those, compare the
# public keys extracted from the key, certificate and CSR instead.
openssl x509 -noout -modulus -in <cert.crt> | openssl md5
openssl rsa -noout -modulus -in <private-key.pem> | openssl md5
openssl req -noout -modulus -in <csr.pem> | openssl md5
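The modulus comparison above is RSA-specific. The following script is an added example, not part of the original page: it generates a throwaway RSA and a throwaway EC pair with `openssl req -x509 -newkey` (the self-signed-with-new-key form), then checks key/certificate/CSR agreement by hashing the DER-encoded public key, which works for every key type. File names (rsa.key, ec.crt, rsa.csr) and the example.test subjects are made up for the demo; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: does a private key belong to a
# certificate or CSR? The RSA-modulus trick only works for RSA; a digest of the
# DER SubjectPublicKeyInfo works for RSA, EC and Ed25519 alike.
# File names (rsa.key, ec.crt, rsa.csr) and subjects are made up for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed certificate with a brand-new key in one step.
#   $1 = base name, remaining args = key spec passed to openssl req
make_pair() {
    name=$1; shift
    openssl req -x509 "$@" -nodes -days 1 -subj "/CN=$name.example.test" \
        -keyout "$name.key" -out "$name.crt" 2>/dev/null
}

# SHA-256 over the DER-encoded public key taken from a certificate, a CSR or a
# private key. Key-type agnostic.   $1 = cert|csr|key, $2 = file
pubkey_digest() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# The page's method for comparison: digest of the RSA modulus (RSA only).
rsa_modulus_digest() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -modulus ;;
        csr)  openssl req  -in "$2" -noout -modulus ;;
        key)  openssl rsa  -in "$2" -noout -modulus ;;
    esac | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Exit 0 when private key $1 matches the cert/CSR $2 ($3 = cert|csr).
key_matches() {
    [ "$(pubkey_digest key "$1")" = "$(pubkey_digest "$3" "$2")" ]
}

make_pair rsa -newkey rsa:2048
make_pair ec  -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
# A CSR for the RSA key, to show the same check applies to requests
openssl req -new -key rsa.key -subj "/CN=rsa.example.test" -out rsa.csr 2>/dev/null

for name in rsa ec; do
    if key_matches "$name.key" "$name.crt" cert; then
        echo "$name.key matches $name.crt"
    else
        echo "$name.key does NOT match $name.crt"
    fi
done
key_matches rsa.key rsa.csr csr && echo "rsa.key matches rsa.csr"
# Cross-check: the RSA key must not match the EC certificate
key_matches rsa.key ec.crt cert || echo "rsa.key does NOT match ec.crt (expected)"
echo "RSA modulus digest (key):  $(rsa_modulus_digest key rsa.key)"
echo "RSA modulus digest (cert): $(rsa_modulus_digest cert rsa.crt)"
```

The two digests are stripped of the `(stdin)=` prefix so the output is stable across OpenSSL versions; only equality matters, so any digest would do.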
Full chain certificate
# <chain.crt> is the CA bundle: the intermediate certificate(s), optionally followed by the root
cat <cert.crt> <chain.crt> > <fullchain.crt>
Ref: RFC 5246 §7.4.2 (TLS 1.2). The sender's certificate comes first and each following
certificate directly certifies the one before it; the self-signed root may be omitted,
since the peer must already trust it independently. TLS 1.3 (RFC 8446 §4.4.2) no longer
strictly requires the intermediates to be ordered, but the sender's certificate still
comes first.
-----BEGIN CERTIFICATE-----
domain.crt (Sender / leaf certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ca.crt (Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root.crt (Trusted root certificate, optional)
-----END CERTIFICATE-----
Verify a certificate
# Every certificate in -CAfile is treated as a trust anchor, so this also trusts the
# intermediates in <chain.crt>; it only succeeds if <chain.crt> contains the self-signed
# root (or -partial_chain is given), because the chain must end at a root
openssl verify -CAfile <chain.crt> <cert.crt>
# Preferred: only the root is trusted, the intermediate is just untrusted input used to build the chain
openssl verify -CAfile <root.crt> -untrusted <intermediate.crt> <cert.crt>
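To tie the signing, chain-ordering and verification sections together, here is an added example (not from the original page) that builds a throwaway root, intermediate and leaf with the `openssl x509 -req` commands above, assembles the full chain in RFC 5246 order, and runs both verify forms, including the case where an intermediate is passed as `-CAfile` without its root, which fails until `-partial_chain` is added. All file names (root.crt, ca.crt, domain.crt, the *.ext extension files), the example.test subjects and the validity periods are made up for the demo; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: throwaway root -> intermediate -> leaf
# hierarchy, fullchain in RFC 5246 order, and the openssl verify pitfalls. All file
# names (root.crt, ca.crt, domain.crt, *.ext) and subjects are made up for this demo.
# Requires openssl (1.1.1 or later) on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# x509 -req does not copy extensions from the CSR, so each certificate gets its
# extensions (CA flag, key usage, SAN) from an -extfile written here.
write_ext_files() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > ca.ext
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:www.example.test,DNS:example.test' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > domain.ext
}

# New key and CSR: $1 = base name, $2 = subject CN
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {
    [ -f fullchain.crt ] && return 0     # already built
    write_ext_files
    # Root: self-signed with the existing key (the -signkey form)
    new_csr root "Example Root CA"
    openssl x509 -req -in root.csr -days 3650 -sha256 -signkey root.key \
        -extfile root.ext -out root.crt 2>/dev/null
    # Intermediate: signed by the root; -CAcreateserial creates root.srl
    new_csr ca "Example Intermediate CA"
    openssl x509 -req -in ca.csr -days 1825 -sha256 -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out ca.crt 2>/dev/null
    # Leaf: signed by the intermediate; the SAN comes from domain.ext
    new_csr domain "www.example.test"
    openssl x509 -req -in domain.csr -days 90 -sha256 -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile domain.ext -out domain.crt 2>/dev/null
    # Sender first, then the certificate that certifies it; the root is omitted
    cat domain.crt ca.crt > fullchain.crt
}

# Correct: only the root is a trust anchor, the intermediate is untrusted input
verify_leaf() { openssl verify -CAfile root.crt -untrusted ca.crt domain.crt; }
verify_with_fullchain() { openssl verify -CAfile root.crt -untrusted fullchain.crt domain.crt; }

# Pitfall: an intermediate in -CAfile is trusted, yet verification fails because the
# chain cannot reach a self-signed root ("unable to get issuer certificate")...
verify_intermediate_only() {
    if openssl verify -CAfile ca.crt domain.crt >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# ...unless -partial_chain explicitly allows a non-root trust anchor
verify_partial_chain() { openssl verify -partial_chain -CAfile ca.crt domain.crt; }

# x509 -in reads only the first PEM block, so this shows which cert is sent first
first_cert_subject() { openssl x509 -in fullchain.crt -noout -subject -nameopt RFC2253; }
cert_count() { grep -c 'BEGIN CERTIFICATE' fullchain.crt; }
leaf_san() {
    openssl x509 -in domain.crt -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}
# Exit 0 if the leaf is still valid $1 days from now (-checkend takes seconds)
leaf_valid_for_days() { openssl x509 -in domain.crt -noout -checkend $(( $1 * 86400 )) >/dev/null; }

build_chain
verify_leaf                                                     # domain.crt: OK
echo "intermediate-only -CAfile: $(verify_intermediate_only)"   # FAIL
verify_partial_chain                                            # domain.crt: OK
echo "certs in fullchain: $(cert_count), first: $(first_cert_subject)"
echo "leaf SAN: $(leaf_san)"
```

Everything is written to a temporary directory that is removed on exit, so the script can be rerun safely; the `.srl` files that `-CAcreateserial` drops next to each CA certificate are visible there while it runs.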