Show Menu

PKI / openSSL Cheat Sheet by

Create and manage PKI Certs with openSSL

Certif­icate Signing Request (CSR)

Generate a new private key and Certif­icate Signing Request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 -keyout privat­eKe­y.key

Generate a self-s­igned certif­icate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privat­eKe­y.key -out certif­ica­te.crt

Generate a certif­icate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privat­eKe­y.key -new

Generate a certif­icate signing request based on an existing certif­icate

openssl x509 -x509toreq -in certif­ica­te.crt -out CSR.csr -signkey privat­eKe­y.key

Remove a passphrase from a private key

openssl rsa -in privat­eKe­y.pem -out newPri­vat­eKe­y.pem

Check Files

Check a Certif­icate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

Check a private key

openssl rsa -in privat­eKe­y.key -check

Check a certif­icate

openssl x509 -in certif­ica­te.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keySto­re.p12


Print certif­icate

openssl x509 -noout -text -in certif­ica­te.crt

Check an SSL connec­tion. All the certif­icates (including Interm­edi­ates) should be displayed

openssl s_client -connect­ypa­l.c­om:443

Remove Passphrase

Convert a PKCS#12 file (.pfx .p12) containing a private key and certif­icates to PEM

openssl pkcs12 -in keySto­re.p12 -out keySto­re.pem -nodes

Remove Passphrase from key-file

openssl rsa -in exampl­e.key -out exampl­e.n­ocr­ypt.key


Check the SSL perfor­mance

openssl speed sha1

openssl speed aes-25­6-cbc

openssl speed -evp aes-25­6-cbc

How to get a A+ at SSL-Labs

Check versions

# openssl version

OpenSSL 1.0.1e 11 Feb 2013

# apache2 -v

Server version: Apache­/2.2.22 (Debian)

Server built:   Aug 18 2015 09:50:52

Enable mods

a2enmod ssl

a2enmod headers

a2enmod setenvif

Configure virtual host

   SSLEngine on


    SSLHon­orC­iph­erOrder On

    SSLCip­her­Suite ECDHE-­RSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-EC­DSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-RS­A-A­ES2­56-­GCM­-SH­A38­4:E­CDH­E-E­CDS­A-A­ES2­56-­GCM­-SH­A38­4:D­HE-­DSS­-AE­S12­8-G­CM-­SHA­256­:kE­DH+­AES­GCM­:EC­DHE­-RS­A-A­ES1­28-­SHA­256­:EC­DHE-E

    SSLPro­tocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

    SSLCer­tif­ica­teFile      /etc/s­sl/­www.ex­amp­le.c­om.pem

    SSLCer­tif­ica­teK­eyFile   /etc/s­sl/­www.ex­amp­le.c­om.key

    SSLCer­tif­ica­teC­hai­nFile /etc/s­sl/­cha­in.pem


    SSLStr­ict­SNI­VHo­stCheck On


    Header always set Strict­-Tr­ans­por­t-S­ecurity "­max­-ag­e=6­307­2000; includ­eSu­bdo­mains; preloa­d"


    <Fi­les­Match "­\.(­cgi­|sh­tml­|ph­tml­|ph­p)$­">

        SSLOptions +StdEn­vVars


    <Di­rectory /usr/l­ib/­cgi­-bi­n>

        SSLOptions +StdEn­vVars



    Browse­rMatch "MSIE [2-6]" \  

        nokeep­alive ssl-un­cle­an-­shu­tdown \  

        downgr­ade-1.0 force-­res­pon­se-1.0

    # MSIE 7 and newer should be able to use keepalive

    Browse­rMatch "MSIE [17-9]­" ssl-un­cle­an-­shu­tdown


No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          System Design Cheat Sheet