The following are commands for dealing with SSL/TLS certificates using openssl I found useful. Categorized in X509 Certificate, Certificate Private Key or PKCS #8, PFX or PKCS #12, and CSR.

X509 Certificate

Inspect Certificate

# List all info about the certificate
openssl x509 -in cert.pem -noout -text

# Start Date (Not Before)
openssl x509 -in cert.pem -noout -startdate

# End Date (Not After)
openssl x509 -in cert.pem -noout -enddate

# Subject
openssl x509 -in cert.pem -noout -subject

# Subject Alternative Name (SAN)
openssl x509 -in cert.pem -noout -text | grep DNS

# OCSP URI
openssl x509 -in cert.pem -noout -ocsp_uri

Check Certificate Revocation

ocsp_uri=$(openssl x509 -in cert.pem -noout -ocsp_uri)
openssl ocsp -issuer chain.pem -cert cert.pem -url $ocsp_uri -text

Certificate Private Key or PKCS #8

Remove Private Key Password (Decrypt)

openssl pkcs8 -in encrypted-privkey.pem -out privkey.pem -passin pass:YourPasswordString
# or
openssl pkcs8 -in encrypted-privkey.pem -out privkey.pem -passin env:YourPasswordEnvVar

Add a Password to Private Key (Encrypt)

openssl pkcs8 -in privkey.pem -topk8 -passout pass:YourPasswordString
# or
openssl pkcs8 -in privkey.pem -topk8 -passout env:YourPasswordEnvVar

Match Certificate and Private Key

Online Tool: https://decoder.link/matcher

Or use openssl command:

openssl x509 -noout -modulus -in cert.pem > cert.modulus
openssl rsa -noout -modulus -in privkey.pem > key.modulus
diff -s cert.modulus key.modulus

If your private key is password protected, add -passin pass:YourPasswordString or -passin env:YourPasswordEnvVar.

PFX or PKCS #12

Combine certificate (chain) and key files into a single pfx file

openssl pkcs12 -in fullchain.pem -inkey privkey.pem -export -out fullchain.pfx -password pass:YourPasswordString
# or
openssl pkcs12 -in fullchain.pem -inkey privkey.pem -export -out fullchain.pfx -password env:YourPasswordEnvVar

Split pfx file into certs and key

# Get Certificates (Full Chain)
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nokeys -out fullchain.pem

# Get Client Certificate Only
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nokeys -clcerts -out cert.pem

# Get CA/Intermediate Certificate Only
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nokeys -cacerts -out chain.pem

# Get Private Key
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nocerts -nodes -out privkey.pem

CSR (Certificate Signing Request)

CSR Generation with config file

# example.com.cnf

[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = *.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.example.com
DNS.2 = example.com
openssl req -new -config example.com.cnf -keyout example.com.key -out example.com.csr

CSR Generation without config file

openssl req -subj /CN=*.example.com -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Note: It's not easy to create CSR with Subject Alternative Name (SAN) without using a config file. Click for more info.

CSR Inspection

openssl req -in example.com.csr -noout -text

Generate a Self-Signed Certificate

openssl x509 -req -days 366 -in example.com.csr -signkey example.com.key -out example.com.crt

Match CSR and Private Key

Online Tool: https://decoder.link/matcher

Or use openssl command:

openssl req -noout -modulus -in example.com.csr > csr.modulus
openssl rsa -noout -modulus -in example.com.key > key.modulus
diff -s csr.modulus key.modulus

If your private key is password protected, add -passin pass:YourPasswordString or -passin env:YourPasswordEnvVar.

References