Other Uses

Generate Base64 encoding of a binary file:

openssl base64 -in certificate.p12 -out certificate.p12.base64

Read or verify a certificate in text or binary (PEM or DER) format:

openssl x509 -inform DER|PEM -in <certificate> -text -noout

Convert a certificate from DER to PEM or vice versa:

openssl x509 -inform PEM|DER -outform DER|PEM -in <source_file> -out <dest_file>

Verify a checksum using openssl (an alternative to md5sum/sha1sum/sha256sum):

openssl dgst -md5|-sha1|-sha256 <file>

You can even set up a generic SSL server to test the certificate using openssl. Change the port number in the following command if 443 is already in use.

openssl s_server -accept 443 -cert <certificate-name.cer> -key keyfile.pem -state -www

Use it as a client to test TLS connections to mail servers:

openssl s_client -starttls smtp -crlf -connect mail.hccanet.org:587

Get certificates from a remote server:

openssl s_client -showcerts -connect cgp.hccanet.org:443

The server certificate in PEM format is the first one returned; the CA certificate will be the last. Use ^D to exit.

The s_client function does not check the default OpenSSL CA certificate store, so you would see certificate verification errors with the commands above. You can correct this by setting the -CApath argument. Include something like the following in the command:

-CApath /usr/share/certs/

There may be a different location depending on the distro. For example, in Fedora-based distributions, the default base directory for openssl is /etc/pki:

the global config file is <base_dir>/tls/openssl.cnf
bundled trusted root certs are found in <base_dir>/tls/certs
unless overridden, the default working directory for locally created certs, keys, etc. is <base_dir>/CA
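
Splitting the -showcerts output from the command above into one file per certificate, as an added example that is not from the original page; the function names and the sample output are constructed for illustration. It reads only the "Certificate chain" section, because s_client prints the server certificate a second time under "Server certificate".

```shell
# Added example (not from the original page); function names are hypothetical.
# split_chain OUTDIR: read `openssl s_client -showcerts` output on stdin and
# write each complete PEM block of the "Certificate chain" section to
# OUTDIR/cert-N.pem. Prints the count written; returns 1 if there were none.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 2
    count=$(awk -v dir="$outdir" '
        # s_client repeats the leaf under "Server certificate"; stop there.
        /^Server certificate/ { stop = 1 }
        stop { next }
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { sub(/\r$/, ""); buf = buf $0 "\n" }
        inside && /^-----END CERTIFICATE-----/ {
            n++; file = dir "/cert-" n ".pem"
            printf "%s", buf > file; close(file); inside = 0
        }
        END { print n + 0 }
    ')
    echo "$count"
    [ "$count" -gt 0 ]
}
# Constructed sample shaped like s_client output; bodies are placeholders.
sample_showcerts_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER+LEAF+BODY
-----END CERTIFICATE-----
 1 s:CN = Example Test Root CA
   i:CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER+ROOT+BODY
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDER+LEAF+BODY
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)
n=$(sample_showcerts_output | split_chain "$demo_dir")
echo "server cert: $demo_dir/cert-1.pem, last in chain: $demo_dir/cert-$n.pem"
```

With a live server, pipe the page's command into it: `openssl s_client -showcerts -connect cgp.hccanet.org:443 </dev/null | split_chain ./chain`; redirecting stdin from /dev/null ends the session without typing ^D.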
