Author: Swift Griggs Date: October 9, 2025
This cheat sheet provides OpenSSL commands for inspecting, verifying, and managing SSL/TLS certificates and CA stores, with a focus on troubleshooting certificate verification issues (e.g., `unable to get local issuer certificate`) and configuring custom CA certificates on Oracle Linux (OEL) systems.
Commands to view certificate details, useful for checking subjects, issuers, validity, and extensions.
Display the subject and issuer of a certificate file.
openssl x509 -in cert.pem -noout -subject -issuer
Show all certificate details, including extensions (e.g., Basic Constraints, Key Usage).
openssl x509 -in cert.pem -noout -text
Display the certificate's validity period.
openssl x509 -in cert.pem -noout -dates
Show the certificate's fingerprint for comparison.
openssl x509 -in cert.pem -noout -fingerprint
Convert a DER certificate to PEM format.
openssl x509 -inform der -in cert.der -out cert.pem
Commands to verify certificates against a CA store or specific CA file, including chain validation.
Verify a certificate using the system’s CA store directory.
openssl verify -CApath /etc/pki/tls/certs/ -verbose -show_chain cert.pem
Verify a certificate using a specific CA bundle file.
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -verbose -show_chain cert.pem
Verify a certificate with an untrusted intermediate CA.
openssl verify -CApath /etc/pki/tls/certs/ -untrusted intermediate.pem -verbose -show_chain cert.pem
Verify a certificate with Certificate Revocation List (CRL) checking.
openssl verify -CApath /etc/pki/tls/certs/ -crl_check -CRLfile crl.pem cert.pem
Commands to locate and manage the system’s CA trust store, especially for adding custom CAs.
Show OpenSSL’s configuration directory and CA store location.
openssl version -a
List certificates in the CA store directory.
ls -l /etc/pki/tls/certs/ | grep -i testco
ls -l /etc/ssl/certs/ | grep -i testco
Find certificate files containing a specific string (e.g., “TestCo”).
sudo find /etc -type f -name "*.crt" -exec grep -l "TestCo" {} \;
sudo find /etc -type f -name "*.pem" -exec grep -l "TestCo" {} \;
Inspect a CA bundle file for a specific CA.
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep -i testco
Add a custom CA certificate to the system’s trust store (OEL10).
sudo cp custom_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
Hash certificates in the CA store directory for OpenSSL.
sudo cp custom_ca.crt /etc/pki/tls/certs/
sudo c_rehash /etc/pki/tls/certs/
Commands to diagnose why certificate verification fails (e.g., `SSLCertVerificationError`).
Identify which CA files OpenSSL reads during verification.
strace -e open,openat openssl verify -CApath /etc/pki/tls/certs/ -verbose cert.pem 2>&1 | grep -i cert
Verify if custom CA paths are set.
echo $SSL_CERT_FILE
echo $SSL_CERT_DIR
Extract a server's certificate chain and inspect the first (server) certificate in it, e.g. for proxy issues; note that `openssl x509` reads only the first certificate in the file.
openssl s_client -connect <server>:443 -showcerts </dev/null > server_certs.pem
openssl x509 -in server_certs.pem -noout -text | grep -i testco
View the OpenSSL configuration file.
sudo cat /etc/pki/tls/openssl.cnf
Verify FIPS or crypto policy settings (OEL10).
cat /etc/crypto-policies/back-ends/opensslcnf.config
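The failure this sheet is built around, reproduced end to end as an added example that is not part of the original page: a throwaway root/intermediate/leaf chain is created in a temp directory, the leaf is verified the way the verify and diagnosis sections above do, and both fixes (`-untrusted` for the intermediate, a root+intermediate bundle via `-CAfile`) are exercised. It assumes `openssl` is on PATH; the "Demo" CA names, file names and `demo.example` are constructed for the demo.

```shell
# Added example, not from the original cheat sheet: build a throwaway root -> intermediate -> leaf
# chain, reproduce "unable to get local issuer certificate", then apply the two fixes listed above
# (-untrusted for the intermediate, or a root+intermediate bundle via -CAfile). All CNs and files are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf; issuers need CA:TRUE.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

# Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -config "$CFG" -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 2 -extfile "$CFG" -extensions ca_ext -out "$WORK/inter.pem" 2>/dev/null
openssl req -config "$CFG" -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
  -days 2 -extfile "$CFG" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null

# Verify the leaf against the root only, like a server that forgot to send its intermediate.
# Extra arguments (e.g. -untrusted FILE) go straight to openssl verify; exit status is openssl's.
verify_leaf() { openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" >/dev/null 2>&1; }

# True when verify reports the sheet's headline error (issuer of the depth-0 cert not found).
missing_issuer() {
  openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" 2>&1 \
    | grep -q 'unable to get local issuer certificate'
}

# Fix 2: root + intermediate in one bundle, the way ca-bundle.crt carries them (fix 1 is -untrusted).
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
verify_with_bundle() { openssl verify -CAfile "$WORK/bundle.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }

# Walk the three cases when run directly.
missing_issuer && echo "leaf alone: unable to get local issuer certificate"
verify_leaf -untrusted "$WORK/inter.pem" && echo "leaf + -untrusted intermediate: OK"
verify_with_bundle && echo "leaf against root+intermediate bundle: OK"
```

Swap `$WORK/root.pem` for the system `ca-bundle.crt` and `leaf.pem` for the certificate you are debugging to run the same checks against a real chain.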
Commands to address application issues (e.g., `pip` SSL errors).
Use a custom CA file or proxy for `pip`.
pip install --cert /etc/pki/tls/certs/ca-bundle.crt some_package
export HTTPS_PROXY="http://proxy.example.com:port"
pip install --proxy http://proxy.example.com:port some_package
Temporarily trust a CA file without modifying the system.
export SSL_CERT_FILE=custom_ca.crt
openssl verify -CAfile custom_ca.crt cert.pem