= OpenSSL Command-Line Cheat Sheet
:author: Swift Griggs
:date: October 9, 2025
:icons: font
:toc: left
:toclevels: 3
:sectnums:
:sectnumlevels: 3
This cheat sheet provides OpenSSL commands for inspecting, verifying, and managing SSL/TLS certificates and CA stores, with a focus on troubleshooting certificate verification issues (e.g., `unable to get local issuer certificate`) and configuring custom CA certificates on Oracle Linux systems.
== 1. Inspecting Certificates
Commands to view certificate details, useful for checking subjects, issuers, validity, and extensions.
=== 1.1 View Subject and Issuer

Display the subject and issuer of a certificate file.

[source,bash]
----
openssl x509 -in cert.pem -noout -subject -issuer
----

* Example output: `subject=C=US, O=TestCo, OU=PKI, CN=TestCo Issuing CA`
=== 1.2 View Full Certificate Details

Show all certificate details, including extensions (e.g., Basic Constraints, Key Usage).

[source,bash]
----
openssl x509 -in cert.pem -noout -text
----

* Use to check whether a certificate is a CA (`CA:TRUE`) or self-signed (`subject = issuer`).
=== 1.3 Check Certificate Validity Dates

Display the certificate's validity period.

[source,bash]
----
openssl x509 -in cert.pem -noout -dates
----

* Example output: `notBefore=Jun 5 19:02:35 2018 GMT`
=== 1.4 Get Certificate Fingerprint

Show the certificate's fingerprint for comparison.

[source,bash]
----
openssl x509 -in cert.pem -noout -fingerprint
----

* Useful for verifying whether two certificates are identical.
=== 1.5 Convert Certificate Format (DER to PEM)

Convert a DER certificate to PEM format.

[source,bash]
----
openssl x509 -inform der -in cert.der -out cert.pem
----
== 2. Verifying Certificates
Commands to verify certificates against a CA store or specific CA file, including chain validation.
=== 2.1 Verify Certificate Against System CA Store

Verify a certificate using the system's CA store directory.

[source,bash]
----
openssl verify -CApath /etc/pki/tls/certs/ -verbose -show_chain cert.pem
----

* `-CApath`: Directory with hashed CA certificates.
* `-show_chain`: Displays the certificate chain.
* Success: `cert.pem: OK`
* Failure: `error 20 at 0 depth lookup: unable to get local issuer certificate`
=== 2.2 Verify Certificate with Specific CA File

Verify a certificate using a specific CA bundle file.

[source,bash]
----
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -verbose -show_chain cert.pem
----

* Use when the CA store is a single file.
=== 2.3 Verify with Intermediate CA

Verify a certificate with an untrusted intermediate CA.

[source,bash]
----
openssl verify -CApath /etc/pki/tls/certs/ -untrusted intermediate.pem -verbose -show_chain cert.pem
----

* `-untrusted`: Specifies intermediate CA(s) not in the trusted store.
=== 2.4 Verify with CRL Checking

Verify a certificate with Certificate Revocation List (CRL) checking.

[source,bash]
----
openssl verify -CApath /etc/pki/tls/certs/ -crl_check -CRLfile crl.pem cert.pem
----

* Download CRL: `curl -o crl.pem <CRL_URL>`
== 3. Managing CA Stores
Commands to locate and manage the system's CA trust store, especially for adding custom CAs.

=== 3.1 Find OpenSSL Configuration and CA Store

Show OpenSSL's configuration directory and CA store location.

[source,bash]
----
openssl version -a
----

* Look for `OPENSSLDIR` (e.g., `/etc/pki/tls`) and `SYSTEM_CIPHERS_FILE`.
=== 3.2 List CA Store Contents

List certificates in the CA store directory.

[source,bash]
----
ls -l /etc/pki/tls/certs/ | grep -i <name>
ls -l /etc/ssl/certs/ | grep -i <name>
----

* Example: `ls -l /etc/pki/tls/certs/ | grep -i testguys`
=== 3.3 Search for CA Certificate Files

Find certificate files containing a specific string (e.g., "TestCo").

[source,bash]
----
sudo find /etc -type f -name "*.crt" -exec grep -l "TestCo" {} \;
sudo find /etc -type f -name "*.pem" -exec grep -l "TestCo" {} \;
----
=== 3.4 Check CA Bundle Contents

Inspect a CA bundle file for a specific CA.

[source,bash]
----
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep -i <name>
----

* Example: `grep -i testco`
=== 3.5 Add Custom CA to Trust Store

Add a custom CA certificate to the system's trust store (OEL10/RHEL10).

[source,bash]
----
sudo cp custom_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
----

* Ensure the `ca-certificates` package is installed: `sudo dnf install ca-certificates`
=== 3.6 Manually Hash CA Store

Hash certificates in the CA store directory for OpenSSL.

[source,bash]
----
sudo cp custom_ca.crt /etc/pki/tls/certs/
sudo c_rehash /etc/pki/tls/certs/
----

* Creates hashed symlinks (e.g., `6ed01128.0`).
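The script below is an added example, not part of the original cheat sheet. It builds a throwaway three-level test PKI (constructed names: Test Root CA, Test Issuing CA, www.example.test) in a temp directory, reproduces the `unable to get local issuer certificate` failure from 2.1, and then applies the fixes from 2.3 (`-untrusted`), 3.6 (a hashed `-CApath` directory, using the built-in `openssl rehash` in place of `c_rehash`) and 5.2 (`SSL_CERT_FILE`). It needs only the `openssl` binary.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with a
# constructed PKI (Test Root CA -> Test Issuing CA -> www.example.test) and
# show the cheat sheet's fixes: -untrusted, a rehashed -CApath, SSL_CERT_FILE.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
# Extensions that make a certificate a CA; a v3 intermediate without CA:TRUE is rejected.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
GEN="openssl req -config req.cnf -newkey rsa:2048 -nodes"
# Self-signed root CA.
$GEN -x509 -days 2 -subj "/CN=Test Root CA" -addext "basicConstraints=critical,CA:TRUE" \
  -keyout root.key -out root.pem 2>/dev/null
# Issuing (intermediate) CA, signed by the root.
$GEN -new -subj "/CN=Test Issuing CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out int.pem 2>/dev/null
# Leaf certificate, signed by the issuing CA.
$GEN -new -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
  -out leaf.pem 2>/dev/null

# 2.1: only the root is trusted and nothing supplies the intermediate -> error 20 at depth 0.
verify_missing_issuer() {
  openssl verify -CAfile root.pem leaf.pem 2>&1 | grep -q "unable to get local issuer certificate"
}
# 2.3: hand the untrusted intermediate to the verifier; it now prints "leaf.pem: OK".
verify_with_untrusted() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem 2>&1 | grep -q "leaf.pem: OK"
}
# 3.6: a -CApath directory is useless until it is hashed (c_rehash / openssl rehash).
verify_with_capath() {
  mkdir -p certs && cp root.pem certs/
  # Unhashed directory: the root cannot be found by its subject-name hash, so this fails.
  openssl verify -CApath certs -untrusted int.pem leaf.pem >/dev/null 2>&1 && return 1
  openssl rehash certs 2>/dev/null   # creates <subject-hash>.0 symlinks
  openssl verify -CApath certs -untrusted int.pem leaf.pem 2>&1 | grep -q "leaf.pem: OK"
}
# 4.2/5.2: SSL_CERT_FILE replaces the default CA file without touching the system store.
verify_with_env() {
  SSL_CERT_FILE=root.pem openssl verify -untrusted int.pem leaf.pem 2>&1 | grep -q "leaf.pem: OK"
}
```

Each function returns 0 when the behaviour it documents is observed, so the script doubles as a quick self-check of a host's `openssl` verification path.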
== 4. Troubleshooting Verification Issues
Commands to diagnose why certificate verification fails (e.g., `SSLCertVerificationError`).
=== 4.1 Trace OpenSSL File Access

Identify which CA files OpenSSL reads during verification.

[source,bash]
----
strace -e open,openat openssl verify -CApath /etc/pki/tls/certs/ -verbose cert.pem 2>&1 | grep -i cert
----

* Look for `openat` calls to files like `/etc/pki/tls/certs/ca-bundle.crt`.
=== 4.2 Check Environment Variables

Verify whether custom CA paths are set.

[source,bash]
----
echo $SSL_CERT_FILE
echo $SSL_CERT_DIR
----

* If set, these override the default CA store.
=== 4.3 Test Server Certificate Chain

Extract and inspect a server's certificate chain (e.g., for proxy issues).

[source,bash]
----
openssl s_client -connect <server>:443 -showcerts </dev/null > server_certs.pem
# openssl x509 -in reads only the first (leaf) certificate; print every certificate in the chain
openssl crl2pkcs7 -nocrl -certfile server_certs.pem | openssl pkcs7 -print_certs -text | grep -i <name>
----

* Example: `openssl s_client -connect pki.testco.com:443 -showcerts`
=== 4.4 Check OpenSSL Configuration

View the OpenSSL configuration file.

[source,bash]
----
sudo cat /etc/pki/tls/openssl.cnf
----

* Check for CA paths (e.g., `dir = /etc/pki/CA`).
=== 4.5 Check Crypto Policies

Verify FIPS or crypto policy settings (OEL10/RHEL10).

[source,bash]
----
cat /etc/crypto-policies/back-ends/opensslcnf.config
----

* Adjust the policy if needed: `sudo update-crypto-policies --set DEFAULT`
== 5. Application-Specific Fixes
Commands to address application issues (e.g., `pip` SSL errors).
=== 5.1 Fix `pip` SSL Verification

Use a custom CA file or proxy for `pip`.

[source,bash]
----
pip install --cert /etc/pki/tls/certs/ca-bundle.crt some_package
export HTTPS_PROXY="http://proxy.example.com:port"
pip install --proxy http://proxy.example.com:port some_package
----
=== 5.2 Temporary Trust for Testing

Temporarily trust a CA file without modifying the system.

[source,bash]
----
export SSL_CERT_FILE=custom_ca.crt
openssl verify -CAfile custom_ca.crt cert.pem
----
== Notes

* OEL10/RHEL10 Specifics: Uses `p11-kit` and `ca-certificates` for CA trust management. Always use `sudo update-ca-trust` to update the trust store.
* FIPS Mode: Ensure certificates use FIPS-compliant algorithms (e.g., SHA-256, RSA ≥ 2048 bits).
* CRL Checking: If CRLs are required, download them from the URLs in the certificate extensions (e.g., `http://pki.testco.com/cdp/TestCo%20Root%20CA.crl`).
* Permissions: Run CA store updates as root (`sudo`) to avoid permission errors.