A detailed guide to verifying SSL certificates with the OpenSSL command line tool
Time : 2024-10-15 14:38:39
Edit : Jtti

OpenSSL is a powerful command-line tool that can be used to handle SSL/TLS certificates, keys, and other encryption tasks. Common OpenSSL commands for inspecting and verifying certificates are as follows.

Querying basic certificate information:

openssl x509 -in certificate.crt -text -noout

Here certificate.crt is the certificate file. This command displays the details of the certificate, including the version, serial number, signature algorithm, validity period, issuer, and subject.

Check whether the certificate is within the validity period:

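openssl x509 -in certificate.crt -noout -checkend SECONDS

Replace SECONDS with how far ahead of the current time, in seconds, the check should look (0 tests the current moment; 2592000 is 30 days ahead). If the certificate will still be valid at that time, the command prints "Certificate will not expire" and exits with status 0; if it will have expired, it prints "Certificate will expire" and exits with status 1. -checkend tests only the expiration date, so a certificate that has not yet taken effect is not reported; use the -dates option shown below to see the start of the validity period.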

Verify the certificate's fingerprint:

openssl x509 -in certificate.crt -noout -fingerprint -sha256

This command calculates and displays the SHA-256 fingerprint of the certificate.

Verify the certificate chain:

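openssl verify -CAfile ca_bundle.crt certificate.crt

Here ca_bundle.crt is the file that contains the Certificate Authority (CA) certificate or certificates. This command verifies that the specified certificate chains to a CA certificate in that file and prints "certificate.crt: OK" on success. Intermediate certificates that are not in the bundle can be supplied with the -untrusted option.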

To view the public key of the certificate:

openssl x509 -in certificate.crt -noout -pubkey

This command extracts and displays the public key of the certificate.

Check the serial number of the certificate:

openssl x509 -in certificate.crt -noout -serial

Displays the serial number of the certificate.

Check the signature algorithm of the certificate:

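openssl x509 -in certificate.crt -noout -text | grep "Signature Algorithm"

Displays the algorithm the issuer used to sign the certificate, for example sha256WithRSAEncryption. The -signkey option does not report this: it takes a private key file and is used to self-sign a certificate.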

View the issuer and subject of the certificate:

openssl x509 -in certificate.crt -noout -issuer -subject

Displays the issuer and subject information for the certificate.

Check the validity period of the certificate:

openssl x509 -in certificate.crt -noout -dates

Displays the validity period of the certificate, including the effective and expiration dates of the certificate.

Check OCSP (Online Certificate Status Protocol):

openssl ocsp -no_nonce -issuer ca_bundle.crt -cert certificate.crt -url http://ocsp.example.com

This command queries the OCSP server for the revocation status of the certificate. The file given to -issuer must contain the certificate of the CA that issued certificate.crt. Replace http://ocsp.example.com with the actual OCSP service URL.

Ensure that certificate.crt and ca_bundle.crt are replaced with the paths of the actual certificate file and the CA certificate file. The above commands are generally available on Linux, macOS, and other Unix-like systems. On Windows, you may need to use an environment like Cygwin or Windows Subsystem for Linux (WSL) to run these commands.
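
The individual checks above can be combined into a single pass/fail audit that a monitoring job can act on through the exit status. The following script is an added example, not part of the original guide; the function names cert_audit and make_demo_pki are hypothetical, and the demo CA and certificate are constructed sample input generated on the fly.

```shell
#!/usr/bin/env bash
# Added example; cert_audit and make_demo_pki are hypothetical helper names.

# cert_audit CERT CA_BUNDLE [DAYS]
# Prints identity, validity dates and SHA-256 fingerprint, then returns 0 only
# if the chain verifies and the certificate has more than DAYS days left.
cert_audit() {
    local cert="$1" ca="$2" days="${3:-30}" rc=0
    openssl x509 -in "$cert" -noout -subject -issuer -dates \
        -fingerprint -sha256 || return 2          # unreadable or not a certificate
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain:  OK"
    else
        echo "chain:  FAILED (does not chain to a CA in $ca)"; rc=1
    fi
    # -checkend N exits 0 if the certificate will not expire within N seconds.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "expiry: more than $days days left"
    else
        echo "expiry: expires within $days days"; rc=1
    fi
    return "$rc"
}

# make_demo_pki DIR
# Constructed sample input: a throwaway CA and a leaf certificate valid 10 days.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca_bundle.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_bundle.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -days 10 \
        -out "$d/certificate.crt" 2>/dev/null
}

# Demo: the 10-day leaf passes chain verification but fails a 30-day expiry check.
tmp=$(mktemp -d)
make_demo_pki "$tmp" &&
    { cert_audit "$tmp/certificate.crt" "$tmp/ca_bundle.crt" 30 ||
      echo "audit failed with exit status $?"; }
rm -rf "$tmp"
```

Exit status 1 means the chain or expiry check failed, and 2 means the file could not be parsed as a certificate.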
