openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out MyCertificate.crt -keyout MyKey.key
Create TLS certificate using openssl
01:56:07, 14 May 2023
Download the SSL certificate from an HTTPS server. List all system trust anchors and certificates.
openssl s_client -showcerts -connect mail.yandex.ru:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/cert.pem
Show the subject and issuer of the downloaded certificate
openssl x509 -in /tmp/cert.pem -text -noout -subject -issuer
Verify the certificate chain of google.com
openssl s_client -connect google.com:443 -servername google.com < /dev/null
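In the output, look at the "Certificate chain" section. Each entry 0-N has a subject (s:) and an issuer (i:) line:
0-N s:
i: CN = <common name>
The issuer must match an entry in the system CA list shown below.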
Show system CA certs
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt
Show system CA certs on Fedora
trust list
Install certificate:
cp /tmp/cert.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
trust list | grep -i yourcert
Convert crt to pem
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
Extract cert from pfx
openssl pkcs12 -in archive.pfx -nokeys -out cert.crt -nodes
It will ask for the password.
[Determine certificate type](https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-find-out-if-my-X-509-certificate-is-in-PEM-DER-or/ta-p/177996)
If the certificate is in text format, then it is in PEM format.
You can read the contents of a PEM certificate (cert.crt) using the 'openssl' command on Linux or Windows as follows:
openssl x509 -in cert.crt -text
If the file content is binary, the certificate could be either DER or pkcs12/pfx. To find out which format, run the following 'openssl' commands to open the certificate:
To open a DER certificate:
openssl x509 -in cert.crt -inform DER -text
To display pkcs12 certificate information:
openssl pkcs12 -in cert.crt -info
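The format checks above as a script (an added example, not part of the original page). The helper names cert_format and make_samples are hypothetical; for binary files it reads the top of the ASN.1 structure with openssl asn1parse, so no PKCS12 password is needed.

```shell
#!/bin/sh
# Added example; cert_format and make_samples are hypothetical helper names.

# Print PEM, DER, PKCS12 or unknown for the file in $1.
cert_format() {
    f=$1
    # PEM is base64 text wrapped in armor lines.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo PEM; return 0
    fi
    # Binary input: take the second line of the ASN.1 dump, i.e. the first
    # element inside the outer SEQUENCE. No password is needed for this.
    second=$(openssl asn1parse -inform DER -in "$f" 2>/dev/null | sed -n '2p')
    case $second in
        *d=1*INTEGER*:03*)
            # A PKCS12/PFX container starts with its version, INTEGER 3.
            echo PKCS12; return 0 ;;
        *d=1*SEQUENCE*)
            # An X.509 certificate starts with the tbsCertificate SEQUENCE;
            # confirm with the same DER command used above.
            if openssl x509 -in "$f" -inform DER -noout </dev/null 2>/dev/null; then
                echo DER; return 0
            fi ;;
    esac
    echo unknown; return 1
}

# Build constructed sample files (throwaway self-signed cert) in directory $1.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null &&
    openssl x509 -in "$1/sample.pem" -outform DER -out "$1/sample.der" &&
    openssl pkcs12 -export -in "$1/sample.pem" -inkey "$1/sample.key" \
        -out "$1/sample.pfx" -passout pass:constructed
}

# Usage: sh cert_format.sh FILE...
for arg in "$@"; do
    printf '%s: %s\n' "$arg" "$(cert_format "$arg")"
done
```

A binary file that is neither a certificate nor a PKCS12 container (a DER private key or CSR, for example) is reported as unknown.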