Author: Swift Griggs Date: October 9, 2025

This cheat sheet provides OpenSSL commands for inspecting, verifying, and managing SSL/TLS certificates and CA stores, with a focus on troubleshooting certificate verification issues (e.g., `unable to get local issuer certificate`) and configuring custom CA certificates on Oracle Linux (OEL) systems.

Commands to view certificate details, useful for checking subjects, issuers, validity, and extensions.

Display the subject and issuer of a certificate file.

openssl x509 -in cert.pem -noout -subject -issuer

• Example output: `subject=C=US, O=TestCo, OU=PKI, CN=TestCo Issuing CA`

Show all certificate details, including extensions (e.g., Basic Constraints, Key Usage).

openssl x509 -in cert.pem -noout -text

• Use to check if a certificate is a CA (`CA:TRUE`) or self-signed (`subject = issuer`).

Display the certificate's validity period.

openssl x509 -in cert.pem -noout -dates

• Example output: `notBefore=Jun 5 19:02:35 2018 GMT`

Show the certificate's fingerprint for comparison.

openssl x509 -in cert.pem -noout -fingerprint

• Useful for verifying if two certificates are identical.

Convert a DER certificate to PEM format.

openssl x509 -inform der -in cert.der -out cert.pem

Commands to verify certificates against a CA store or specific CA file, including chain validation.

Verify a certificate using the system’s CA store directory.

openssl verify -CApath /etc/pki/tls/certs/ -verbose -show_chain cert.pem

• `-CApath`: Directory with hashed CA certificates.
• `-show_chain`: Displays the certificate chain.
• Success: `cert.pem: OK`
• Failure: `error 20 at 0 depth lookup: unable to get local issuer certificate`

Verify a certificate using a specific CA bundle file.

openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -verbose -show_chain cert.pem

• Use when the CA store is a single file.

Verify a certificate with an untrusted intermediate CA.

openssl verify -CApath /etc/pki/tls/certs/ -untrusted intermediate.pem -verbose -show_chain cert.pem

• `-untrusted`: Specifies intermediate CA(s) not in the trusted store.

Verify a certificate with Certificate Revocation List (CRL) checking.

openssl verify -CApath /etc/pki/tls/certs/ -crl_check -CRLfile crl.pem cert.pem

• Download CRL: `curl -o crl.pem <CRL_URL>`

Commands to locate and manage the system’s CA trust store, especially for adding custom CAs.

Show OpenSSL’s configuration directory and CA store location.

openssl version -a

• Look for `OPENSSLDIR` (e.g., `/etc/pki/tls`) and `SYSTEM_CIPHERS_FILE`.

List certificates in the CA store directory.

ls -l /etc/pki/tls/certs/ | grep -i testco
ls -l /etc/ssl/certs/ | grep -i testco

• Example: `ls -l /etc/pki/tls/certs/ | grep -i testco`

Find certificate files containing a specific string (e.g., “TestCo”).

sudo find /etc -type f -name "*.crt" -exec grep -l "TestCo" {} \;
sudo find /etc -type f -name "*.pem" -exec grep -l "TestCo" {} \;

Inspect a CA bundle file for a specific CA.

openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep -i testco

• Example: `grep -i testco`

Add a custom CA certificate to the system’s trust store (OEL10).

sudo cp custom_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

• Ensure `ca-certificates` package is installed: `sudo dnf install ca-certificates`

Hash certificates in the CA store directory for OpenSSL.

sudo cp custom_ca.crt /etc/pki/tls/certs/
sudo c_rehash /etc/pki/tls/certs/

• Creates hashed symlinks (e.g., `6ed01128.0`).

Commands to diagnose why certificate verification fails (e.g., `SSLCertVerificationError`).

Identify which CA files OpenSSL reads during verification.

strace -e open,openat openssl verify -CApath /etc/pki/tls/certs/ -verbose cert.pem 2>&1 | grep -i cert

• Look for `openat` calls to files like `/etc/pki/tls/certs/ca-bundle.crt`.

Verify if custom CA paths are set.

echo $SSL_CERT_FILE
echo $SSL_CERT_DIR

• If set, these override the default CA store.

Extract and inspect a server’s certificate chain (e.g., for proxy issues).

openssl s_client -connect <server>:443 -showcerts </dev/null > server_certs.pem
openssl x509 -in server_certs.pem -noout -text | grep -i testco

• Example: `openssl s_client -connect pki.testco.com:443 -showcerts`

View the OpenSSL configuration file.

sudo cat /etc/pki/tls/openssl.cnf

• Check for CA paths (e.g., `dir = /etc/pki/CA`).

Verify FIPS or crypto policy settings (OEL10).

cat /etc/crypto-policies/back-ends/opensslcnf.config

• Adjust policy if needed: `sudo update-crypto-policies –set DEFAULT`

Commands to address application issues (e.g., `pip` SSL errors).

Use a custom CA file or proxy for `pip`.

pip install --cert /etc/pki/tls/certs/ca-bundle.crt some_package
export HTTPS_PROXY="http://proxy.example.com:port"
pip install --proxy http://proxy.example.com:port some_package

Temporarily trust a CA file without modifying the system.

export SSL_CERT_FILE=custom_ca.crt
openssl verify -CAfile custom_ca.crt cert.pem

• OEL10 Specifics: Uses `p11-kit` and `ca-certificates` for CA trust management. Always use `sudo update-ca-trust` to update the trust store.
• FIPS Mode: Ensure certificates use FIPS-compliant algorithms (e.g., SHA-256, RSA ≥ 2048 bits).
• CRL Checking: If CRLs are required, download from URLs in certificate extensions (e.g., `http://pki.testco.com/cdp/TestCo%20Root%20CA.crl`).
• Permissions: Run CA store updates as root (`sudo`) to avoid permission errors.