The popular OpenSSL toolkit is the Swiss Army Knife of cryptography tools. Whenever you're dealing with certificates, hashes, keys and that sort of thing, OpenSSL is probably what you need.
This page is just a collection of some commands that I've found useful over time, so will probably grow.
Doing
Create and transform keys, CSRs and certificates:
New 2048 (or 4096) bit RSA private key
openssl genrsa 2048 > mysite.rsa2048.key
openssl genrsa 4096 > mysite.rsa4096.key
New ECDSA private key
openssl ecparam -genkey -name secp256r1 > mysite.ecdsa.key
Remove a passphrase from a private key
openssl rsa -in private.key -out privateNew.key
Generate a new RSA private key and CSR
openssl req -out mycsr.csr -new -newkey rsa:2048 -nodes -keyout private.key
Generate a CSR using an existing private key
openssl req -out mycsr.csr -new -key private.key
Create PKCS#12 (.pfx .p12) from PEM (.pem .cer .crt)
openssl pkcs12 -export -out mypfx.p12 -inkey private.key -in cert.crt
Extract encrypted private key from PKCS#12 file
openssl pkcs12 -in mypfx.p12 -out private.key -nocerts
Extract plaintext private key from PKCS#12 file
openssl pkcs12 -in mypfx.p12 -out private.key -nodes -nocerts
Extract certificate file from PKCS#12 file
openssl pkcs12 -in mypfx.p12 -out mycert.crt -nokeys
Checking
Use these commands to check the contents of CSRs, certificates and keys:
Check Certificate Signing Request (CSR)
openssl req -text -noout -verify -in mycsr.csr
Check a certificate
openssl x509 -text -noout -in mycert.crt
Check a PKCS#12 file
openssl pkcs12 -info -in mypfx.p12
Get expiry date (and start date) for a website's certificate
echo | openssl s_client -servername bytes.fyi -connect bytes.fyi:443 2>/dev/null | openssl x509 -noout -dates
Expiry (and start) date for a local certificate file
openssl x509 -noout -dates -in bytes_fyi.crt
subjectAltName (SAN) certificates
Using SAN entries, a certificate can cover multiple separate domains, or multiple subdomains of the same domain, or a mixture of both.
To create a CSR for a SAN certificate, you need to pass a config file in to openssl.
Create a config file (e.g. mysanconfig.cnf) with the list of domains at the bottom, like this:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Nottinghamshire
localityName = Nottingham
organizationName = Chicken McChicken Face
organizationalUnitName = IT
commonName = www.mysite.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.mysite.com
DNS.2 = mysite.com
DNS.3 = email.mysite.com
DNS.4 = otherplace.net
DNS.5 = ftp.otherplace.net
Then create the CSR using the config:
Generate a new RSA private key and SAN CSR
openssl req -out mycsr.csr -new -newkey rsa:2048 -nodes -keyout private.key -config mysanconfig.cnf
Generate a SAN CSR using an existing private key
openssl req -out mycsr.csr -new -key private.key -config mysanconfig.cnf
Please let me know via the comments if you have any other suggestions for this list.