OpenSSL Command-Line Cheat Sheet
Author: Swift Griggs Date: October 9, 2025
This cheat sheet provides OpenSSL commands for inspecting, verifying, and managing SSL/TLS certificates and CA stores, with a focus on troubleshooting certificate verification issues (e.g., `unable to get local issuer certificate`) and configuring custom CA certificates on Oracle Linux (OEL) systems.
1. Inspecting Certificates
Commands to view certificate details, useful for checking subjects, issuers, validity, and extensions.
1.1 View Subject and Issuer
Display the subject and issuer of a certificate file.
openssl x509 -in cert.pem -noout -subject -issuer
- Example output: `subject=C=US, O=TestCo, OU=PKI, CN=TestCo Issuing CA`
1.2 View Full Certificate Details
Show all certificate details, including extensions (e.g., Basic Constraints, Key Usage).
openssl x509 -in cert.pem -noout -text
- Use to check if a certificate is a CA (`CA:TRUE`) or self-signed (`subject = issuer`).
1.3 Check Certificate Validity Dates
Display the certificate's validity period.
openssl x509 -in cert.pem -noout -dates
- Example output: `notBefore=Jun 5 19:02:35 2018 GMT`, followed by a `notAfter=` line giving the expiry.
1.4 Get Certificate Fingerprint
Show the certificate's fingerprint for comparison.
openssl x509 -in cert.pem -noout -fingerprint
- Useful for verifying whether two certificate files are identical. The default digest is SHA-1; add `-sha256` to compare SHA-256 fingerprints.
1.5 Convert Certificate Format (DER to PEM)
Convert a DER certificate to PEM format.
openssl x509 -inform der -in cert.der -out cert.pem
2. Verifying Certificates
Commands to verify certificates against a CA store or specific CA file, including chain validation.
2.1 Verify Certificate Against System CA Store
Verify a certificate using the system’s CA store directory.
openssl verify -CApath /etc/pki/tls/certs/ -verbose -show_chain cert.pem
- `-CApath`: Directory of CA certificates whose file names are subject-name hashes (see 3.6).
- `-show_chain`: Displays the certificate chain.
- Success: `cert.pem: OK`
- Failure: `error 20 at 0 depth lookup: unable to get local issuer certificate`
2.2 Verify Certificate with Specific CA File
Verify a certificate using a specific CA bundle file.
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -verbose -show_chain cert.pem
- Use when the CA store is a single file.
2.3 Verify with Intermediate CA
Verify a certificate with an untrusted intermediate CA.
openssl verify -CApath /etc/pki/tls/certs/ -untrusted intermediate.pem -verbose -show_chain cert.pem
- `-untrusted`: Specifies intermediate CA(s) not in the trusted store.
2.4 Verify with CRL Checking
Verify a certificate with Certificate Revocation List (CRL) checking.
openssl verify -CApath /etc/pki/tls/certs/ -crl_check -CRLfile crl.pem cert.pem
- Download the CRL: `curl -o crl.pem <CRL_URL>`. Many CDP URLs serve DER rather than PEM; if `-CRLfile` rejects the file, convert it with `openssl crl -inform der -in crl.der -out crl.pem`.
3. Managing CA Stores
Commands to locate and manage the system’s CA trust store, especially for adding custom CAs.
3.1 Find OpenSSL Configuration and CA Store
Show OpenSSL’s configuration directory and CA store location.
openssl version -a
- Look for `OPENSSLDIR` (e.g., `/etc/pki/tls`) and `SYSTEM_CIPHERS_FILE`.
3.2 List CA Store Contents
List certificates in the CA store directory.
ls -l /etc/pki/tls/certs/ | grep -i testco
ls -l /etc/ssl/certs/ | grep -i testco
- Replace `testco` with a string from the custom CA's file name.
3.3 Search for CA Certificate Files
Find certificate files containing a specific string (e.g., “TestCo”).
sudo find /etc -type f -name "*.crt" -exec grep -l "TestCo" {} \;
sudo find /etc -type f -name "*.pem" -exec grep -l "TestCo" {} \;
- PEM bodies are base64, so this only matches files that carry the subject in a text header or comment; to search by certificate subject, use 3.4.
3.4 Check CA Bundle Contents
Inspect a CA bundle file for a specific CA.
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep -i testco
- `-print_certs` prints each certificate's subject and issuer lines, which is what the `grep` matches; drop the `grep` to list every certificate in the bundle.
3.5 Add Custom CA to Trust Store
Add a custom CA certificate to the system’s trust store (OEL10).
sudo cp custom_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
- Ensure the `ca-certificates` package is installed: `sudo dnf install ca-certificates`
- `update-ca-trust` regenerates the consolidated bundles under `/etc/pki/ca-trust/extracted/` (which `/etc/pki/tls/certs/ca-bundle.crt` links to) from the anchors.
3.6 Manually Hash CA Store
Hash certificates in the CA store directory for OpenSSL.
sudo cp custom_ca.crt /etc/pki/tls/certs/
sudo c_rehash /etc/pki/tls/certs/
- Creates hashed symlinks (e.g., `6ed01128.0`) named after the subject-name hash, which is what `-CApath` lookups use; `openssl rehash <dir>` does the same on OpenSSL 1.1.0 and later.
- This does not change `ca-bundle.crt`, so tools that read the bundle file will not see the CA; prefer 3.5 for a persistent, system-wide change.
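As an added, self-contained example (not part of this cheat sheet): the script below builds a throw-away root/intermediate/leaf PKI with `openssl req` and `openssl x509`, reproduces the error-20 failure from 2.1 and 2.3 when the intermediate is missing, fixes it with `-untrusted`, and repeats the check against a directory hashed as in 3.6. The CA names, paths and serial numbers are made up; it assumes `openssl` 1.1.1 or later is on `PATH`.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: build a throw-away root -> intermediate
# -> leaf PKI, reproduce section 2's "unable to get local issuer certificate" error, fix it
# with -untrusted, and check the leaf via a hashed -CApath directory (section 3.6).
# Assumes `openssl` 1.1.1 or later is on PATH; every name below is made up.
# mk_pki DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
mk_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:false
EOF
  # Self-signed root CA (CA:TRUE, subject == issuer).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/pki.cnf" -extensions ca_ext \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root, then a leaf (CA:false) signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=Example Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 1 -days 2 \
    -sha256 -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=host.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 2 -days 2 \
    -sha256 -extfile "$d/pki.cnf" -extensions leaf_ext -out "$d/leaf.pem" 2>/dev/null
  # Trust directory holding only the root, hashed the way c_rehash / openssl rehash does it.
  mkdir -p "$d/store" && cp "$d/root.pem" "$d/store/" && openssl rehash "$d/store" 2>/dev/null
}
# verify_status LEAF [verify options...]: map openssl's output to OK, NO_LOCAL_ISSUER (error 20) or FAIL.
verify_status() {
  leaf=$1; shift
  out=$(openssl verify -show_chain "$@" "$leaf" 2>&1)
  case $out in
    *": OK"*)                                   echo OK ;;
    *"unable to get local issuer certificate"*) echo NO_LOCAL_ISSUER ;;
    *)                                          echo FAIL ;;
  esac
}
PKI_DIR=$(mktemp -d)
mk_pki "$PKI_DIR"
echo "root only:         $(verify_status "$PKI_DIR/leaf.pem" -CAfile "$PKI_DIR/root.pem")"
echo "root + -untrusted: $(verify_status "$PKI_DIR/leaf.pem" -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/int.pem")"
echo "hashed -CApath:    $(verify_status "$PKI_DIR/leaf.pem" -CApath "$PKI_DIR/store" -untrusted "$PKI_DIR/int.pem")"
```

The first line prints `NO_LOCAL_ISSUER` because only the root is trusted and nothing supplies the intermediate; the other two print `OK`.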
4. Troubleshooting Verification Issues
Commands to diagnose why certificate verification fails (e.g., `SSLCertVerificationError`).
4.1 Trace OpenSSL File Access
Identify which CA files OpenSSL reads during verification.
strace -e open,openat openssl verify -CApath /etc/pki/tls/certs/ -verbose cert.pem 2>&1 | grep -i cert
- Look for `openat` calls to files like `/etc/pki/tls/certs/ca-bundle.crt`.
4.2 Check Environment Variables
Verify if custom CA paths are set.
echo $SSL_CERT_FILE
echo $SSL_CERT_DIR
- If set, these override the default CA store.
4.3 Test Server Certificate Chain
Extract and inspect a server’s certificate chain (e.g., for proxy issues).
openssl s_client -connect <server>:443 -showcerts </dev/null > server_certs.pem
openssl x509 -in server_certs.pem -noout -text | grep -i testco
- Example: `openssl s_client -connect pki.testco.com:443 -showcerts`
- `openssl x509` reads only the first certificate in the file (the server's leaf); the `s:`/`i:` lines in the `-showcerts` output list the subject and issuer of every certificate the server sent. Add `-servername <server>` if the host serves several certificates (SNI).
4.4 Check OpenSSL Configuration
View the OpenSSL configuration file.
sudo cat /etc/pki/tls/openssl.cnf
- Check for CA paths (e.g., `dir = /etc/pki/CA`). Note that `dir` in `[ CA_default ]` is used by `openssl ca` when issuing certificates, not by `openssl verify` for trust lookups.
4.5 Check Crypto Policies
Verify FIPS or crypto policy settings (OEL10).
cat /etc/crypto-policies/back-ends/opensslcnf.config
- Adjust policy if needed: `sudo update-crypto-policies --set DEFAULT`
5. Application-Specific Fixes
Commands to address application issues (e.g., `pip` SSL errors).
5.1 Fix `pip` SSL Verification
Use a custom CA file or proxy for `pip`.
pip install --cert /etc/pki/tls/certs/ca-bundle.crt some_package
export HTTPS_PROXY="http://proxy.example.com:port"
pip install --proxy http://proxy.example.com:port some_package
5.2 Temporary Trust for Testing
Temporarily trust a CA file without modifying the system.
export SSL_CERT_FILE=custom_ca.crt
openssl verify -CAfile custom_ca.crt cert.pem
- Once exported, `SSL_CERT_FILE` replaces the default bundle file for OpenSSL-based tools that use the default trust paths (including `openssl verify` run without `-CAfile`); unset it afterwards so later checks use the system store again.
Notes
- OEL10 Specifics: Uses `p11-kit` and `ca-certificates` for CA trust management. Always use `sudo update-ca-trust` to update the trust store.
- FIPS Mode: Ensure certificates use FIPS-compliant algorithms (e.g., SHA-256, RSA ≥ 2048 bits).
- CRL Checking: If CRLs are required, download from URLs in certificate extensions (e.g., `http://pki.testco.com/cdp/TestCo%20Root%20CA.crl`).
- Permissions: Run CA store updates as root (`sudo`) to avoid permission errors.