======OpenSSL======

[[http://apetec.com/support/GenerateSAN-CSR.htm|Configuring ssl requests with SubjectAltName with openssl]] \\

=====Commands=====
//Commands are used/tested on OpenBSD.//

Create new CSR and private key:
<code>
openssl req -keyout key.pem -new -newkey rsa:2048 -out server.pem 
</code>

Create new CSR with existing key:
<code>
openssl req -new -key key.pem -out server.pem 
</code>

Self-sign your certficate:
<code>
openssl req -in server.pem -key key.pem -x509 -out server.crt -days 1095
</code>

Combine the private key and the signed certificate into a pfx file for deployment on Microsoft computers:
<code>
openssl pkcs12 -export -in server.crt -inkey key.pem -out cert.pfx
</code>

Extract only public certificate chain from pfx:
<code>
openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
</code>

Extract only public client/server certificate from pfx:
<code>
openssl pkcs12 -in cert.pfx -out cert.pem -nokeys -clcerts
</code>

Extract only private key from pfx:
<code>
openssl pkcs12 -in cert.pfx -out priv.key -nocerts
</code>

Extract only private key from pfx without setting a password on private key:
<code>
openssl pkcs12 -in cert.pfx -out priv.key -nocerts -nodes
</code>

Remove password from private key:
<code>
openssl pkey -in key.pem -out server.key
</code>

Set password on private key:
<code>
openssl rsa -aes256 -in server.key -out key.pem
</code>

Show some certificate details:
<code>
openssl x509 -in server.crt -fingerprint -issuer -dates -noout -subject -sha256
</code>
// Replace -sha256 with the fingerprint to show, e.g.: -md5, -sha1, -sha384, -sha512. // 

Verify certificate details on SSL connection:
<code>
openssl s_client -connect server.domain.com:443 -CAfile /etc/ssl/cert.pem
</code>

Show certificate signing request details:
<code>
openssl req -noout -text -in server.pem
</code>
Source: [[http://www.tech-recipes.com/rx/447/view-the-details-of-a-certificate-signing-request-with-openssl/|Tech-Recipes - View the Details of a Certificate Signing Request with OpenSSL]] \\

Create a DER certificate from a PEM certificate:
<code>
openssl x509 -in server.pem -out server.der -outform DER
</code>

Test SMTP with STARTTLS:
<code>
openssl s_client -starttls smtp -connect MAILSERVER.DOMAIN.TLD:25
</code>
Source: [[https://stackoverflow.com/questions/14640560/openssl-to-negotiate-ssl-encryption-for-starttls|stackoverflow - openssl to negotiate SSL encryption for STARTTLS]]