Show Menu

PKI / openSSL Cheat Sheet by

Create and manage PKI Certs with openSSL

Certif­icate Signing Request (CSR)

Generate a new private key and Certif­icate Signing Request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 -keyout privat­eKe­y.key

Generate a self-s­igned certif­icate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privat­eKe­y.key -out certif­ica­te.crt

Generate a certif­icate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privat­eKe­y.key -new

Generate a certif­icate signing request based on an existing certif­icate

openssl x509 -x509toreq -in certif­ica­te.crt -out CSR.csr -signkey privat­eKe­y.key

Remove a passphrase from a private key

openssl rsa -in privat­eKe­y.pem -out newPri­vat­eKe­y.pem

Check Files

Check a Certif­icate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

Check a private key

openssl rsa -in privat­eKe­y.key -check

Check a certif­icate

openssl x509 -in certif­ica­te.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keySto­re.p12


Print certif­icate

openssl x509 -noout -text -in certif­ica­te.crt

Check an SSL connec­tion. All the certif­icates (including Interm­edi­ates) should be displa­yed

openssl s_client -connect­ypa­l.c­om:443

Remove Passphrase

Convert a PKCS#12 file (.pfx .p12) containing a private key and certif­icates to PEM

openssl pkcs12 -in keySto­re.p12 -out keySto­re.pem -nodes

Remove Passphrase from key-file

openssl rsa -in exampl­e.key -out exampl­e.n­ocr­ypt.key


Check the SSL perfor­mance

openssl speed sha1

openssl speed aes-25­6-cbc

openssl speed -evp aes-25­6-cbc

How to get a A+ at SSL-Labs

Check versions

# openssl version
OpenSSL 1.0.1e 11 Feb 2013

# apache2 -v
Server version: Apache­/2.2.22 (Debian)
Server built: Aug 18 2015 09:50:52

Enable mods

a2enmod ssl
a2enmod headers
a2enmod setenvif

Conf­igure virtual host

SSLEngine on

SSLHon­orC­iph­erOrder On
SSLCip­her­Suite ECDHE-­RSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-EC­DSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-RS­A-A­ES2­56-­GCM­-SH­A38­4:E­CDH­E-E­CDS­A-A­ES2­56-­GCM­-SH­A38­4:D­HE-­DSS­-AE­S12­8-G­CM-­SHA­256­:kE­DH+­AES­GCM­:EC­DHE­-RS­A-A­ES1­28-­SHA­256­:EC­DHE-E
SSLPro­tocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCer­tif­ica­teFile /etc/s­sl/­www.ex­amp­le.c­om.pem
SSLCer­tif­ica­teK­eyFile /etc/s­sl/­www.ex­amp­le.c­om.key
SSLCer­tif­ica­teC­hai­nFile /etc/s­sl/­cha­in.pem

SSLStr­ict­SNI­VHo­stCheck On

Header always set Strict­-Tr­ans­por­t-S­ecurity "­max­-ag­e=6­307­2000; includ­eSu­bdo­mains; preloa­d"

<Fi­les­Match "­\.(­cgi­|sh­tml­|ph­tml­|ph­p)$­"­>
SSLOptions +StdEn­vVars
<Di­rectory /usr/l­ib/­cgi­-bi­n>
SSLOptions +StdEn­vVars

Browse­rMatch "MSIE [2-6]" \
nokeep­alive ssl-un­cle­an-­shu­tdown \
downgr­ade-1.0 force-­res­pon­se-1.0
# MSIE 7 and newer should be able to use keepalive
Browse­rMatch "MSIE [17-9]­" ssl-un­cle­an-­shu­tdown

Help Us Go Positive!

We offset our carbon usage with Ecologi. Click the link below to help us!

We offset our carbon footprint via Ecologi


No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets