OpenSSL Command-Line Cheat Sheet

Author: Swift Griggs
Date: October 9, 2025

This cheat sheet provides OpenSSL commands for inspecting, verifying, and managing SSL/TLS certificates and CA stores, with a focus on troubleshooting certificate verification issues (e.g., `unable to get local issuer certificate`) and configuring custom CA certificates on Oracle Linux (OEL) systems.

1. Inspecting Certificates

Commands to view certificate details, useful for checking subjects, issuers, validity, and extensions.

1.1 View Subject and Issuer

Display the subject and issuer of a certificate file.

openssl x509 -in cert.pem -noout -subject -issuer

1.2 View Full Certificate Details

Show all certificate details, including extensions (e.g., Basic Constraints, Key Usage).

openssl x509 -in cert.pem -noout -text

1.3 Check Certificate Validity Dates

Display the certificate's validity period.

openssl x509 -in cert.pem -noout -dates

1.4 Get Certificate Fingerprint

Show the certificate's fingerprint for comparison.

openssl x509 -in cert.pem -noout -fingerprint

1.5 Convert Certificate Format (DER to PEM)

Convert a DER certificate to PEM format.

openssl x509 -inform der -in cert.der -out cert.pem

2. Verifying Certificates

Commands to verify certificates against a CA store or specific CA file, including chain validation.

2.1 Verify Certificate Against System CA Store

Verify a certificate using the system’s CA store directory.

openssl verify -CApath /etc/pki/tls/certs/ -verbose -show_chain cert.pem

2.2 Verify Certificate with Specific CA File

Verify a certificate using a specific CA bundle file.

openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -verbose -show_chain cert.pem

2.3 Verify with Intermediate CA

Verify a certificate with an untrusted intermediate CA.

openssl verify -CApath /etc/pki/tls/certs/ -untrusted intermediate.pem -verbose -show_chain cert.pem

2.4 Verify with CRL Checking

Verify a certificate with Certificate Revocation List (CRL) checking.

openssl verify -CApath /etc/pki/tls/certs/ -crl_check -CRLfile crl.pem cert.pem

3. Managing CA Stores

Commands to locate and manage the system’s CA trust store, especially for adding custom CAs.

3.1 Find OpenSSL Configuration and CA Store

Show OpenSSL’s configuration directory and CA store location.

openssl version -a

3.2 List CA Store Contents

List certificates in the CA store directory.

ls -l /etc/pki/tls/certs/ | grep -i testco
ls -l /etc/ssl/certs/ | grep -i testco

3.3 Search for CA Certificate Files

Find certificate files containing a specific string (e.g., “TestCo”).

sudo find /etc -type f -name "*.crt" -exec grep -l "TestCo" {} \;
sudo find /etc -type f -name "*.pem" -exec grep -l "TestCo" {} \;

3.4 Check CA Bundle Contents

Inspect a CA bundle file for a specific CA.

openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep -i testco

3.5 Add Custom CA to Trust Store

Add a custom CA certificate to the system’s trust store (OEL10).

sudo cp custom_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

3.6 Manually Hash CA Store

Hash certificates in the CA store directory for OpenSSL.

sudo cp custom_ca.crt /etc/pki/tls/certs/
sudo c_rehash /etc/pki/tls/certs/
# c_rehash is a deprecated wrapper script in OpenSSL 3.x; "sudo openssl rehash /etc/pki/tls/certs/" does the same job

4. Troubleshooting Verification Issues

Commands to diagnose why certificate verification fails (e.g., `SSLCertVerificationError`).

4.1 Trace OpenSSL File Access

Identify which CA files OpenSSL reads during verification.

strace -e open,openat openssl verify -CApath /etc/pki/tls/certs/ -verbose cert.pem 2>&1 | grep -i cert

4.2 Check Environment Variables

Verify if custom CA paths are set.

echo $SSL_CERT_FILE
echo $SSL_CERT_DIR

4.3 Test Server Certificate Chain

Extract and inspect a server’s certificate chain (e.g., for proxy issues).

openssl s_client -connect <server>:443 -showcerts </dev/null > server_certs.pem
# openssl x509 only parses the first certificate in a file; unpack every certificate in the saved chain via PKCS#7 (same trick as 3.4)
openssl crl2pkcs7 -nocrl -certfile server_certs.pem | openssl pkcs7 -print_certs -text -noout | grep -i testco

4.4 Check OpenSSL Configuration

View the OpenSSL configuration file.

sudo cat /etc/pki/tls/openssl.cnf

4.5 Check Crypto Policies

Verify FIPS or crypto policy settings (OEL10).

cat /etc/crypto-policies/back-ends/opensslcnf.config

5. Application-Specific Fixes

Commands to address application issues (e.g., `pip` SSL errors).

5.1 Fix `pip` SSL Verification

Use a custom CA file or proxy for `pip`.

pip install --cert /etc/pki/tls/certs/ca-bundle.crt some_package
export HTTPS_PROXY="http://proxy.example.com:port"
pip install --proxy http://proxy.example.com:port some_package

5.2 Temporary Trust for Testing

Temporarily trust a CA file without modifying the system.

export SSL_CERT_FILE=custom_ca.crt
openssl verify -CAfile custom_ca.crt cert.pem

Notes