Skip to main content
  1. Knowledge Base/
  2. Applications/


Table of Contents

Generate self-signed certificate for https

Simple usecase

openssl req -x509 -newkey rsa:4096 -sha256 -keyout key.pem -out cert.pem -days 365

Advanced usecase Including Subject Alternative Names

openssl req \
-newkey rsa:4096 \
-x509 \
-nodes \
-keyout key.pem \
-out cert.pem \
-subj "/C=DE/ST=Munich/L=Bavaria/O=department/OU=company/" \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf \
    <(printf '[SAN]\nsubjectAltName=IP:,DNS:localhost')) \
-sha256 \
-days 365
Path of /etc/ssl/openssl.cnf might differ

Remove password from protected certificate key

openssl rsa -in original.key -out unencripted.key

Lets encrpyt certificate

Instead of cert.pem use fullchain.pem to prevent “missing local issuer” error

Check a private key

openssl rsa -in priv.key -check

Check a certificate

openssl x509 -in cert.pem -text -noout

Check a pksc12 certificate

openssl pkcs12 -info -in keyStore.p12

Convert a pksc12 certificate to pem

openssl pkcs12 -in keyStore.[pfx|p12] -out keyStore.pem -nodes

-nocerts to only output the private key or -nokeys to only output the certificates.

Create a pksc12|pfx file

openssl pkcs12 -export -out -inkey -in -certfile foo_intermediate.pem -certfile bar_intermediate.pem -certfile super_ca_root.pem

Compare key and certificate

When the key matches the certificate only one has output is returned

(openssl rsa -noout -modulus -in | openssl md5; openssl x509 -noout -modulus -in | openssl md5) | uniq

Get SSL/TLS certificate information

alias get-ssl-cert='echo Q |openssl s_client -connect' # prints certificate
alias get-ssl-fingerprint='openssl x509 -in cert.pem -sha1 -noout -fingerprint'


get-ssl-cert > cert.pem
get-ssl-fingerprint # assumes cert.pem in current directory

Emulate SSL/TLS Handshake

openssl s_client -state -nbio -connect HOST:PORT

Get a certificate from remote

curl --insecure -v 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'

Get end date of a certificate

openssl x509 -enddate -noout -in <CERT>

Mutual SSL connection with nginx

Generating CA, certificates, and keys

# Generate CA and CA key to sign CSRs
# -des3 for password protection of the CA key
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Generate Server key and CSR
# Optionally use -des3 for password protection of the server key
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr

# Sign the server CSR with the CA key
# Enter the pass provided in the first step
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Generate Client key and CSR
# Optionally use -des3 for password protection of the client key
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr

# Singn the client CSR with the CA key
# Enter the pass provided in the first step
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

# Optionally create a PKCS 12 archive for importing client certificate data in web browsers
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Relevant snippet for nginx.conf

listen *:443;               # Listen for incoming connections from any interface on port 443 (TLS)
ssl on;
ssl_certificate        /etc/nginx/certs/server.crt;
ssl_certificate_key    /etc/nginx/certs/server.key;
ssl_client_certificate /etc/nginx/certs/ca.crt; # used to sign the client certificates
ssl_verify_client      on; # force SSL verification

Testing with curl (assuming nginx is running on localhost listening to standard https port)

curl --insecure https://localhost
# --insecure as we use self signed certificates
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
curl --insecure --key client.key --cert client.crt  https://localhost
<p>This is my home page</p>