OpenSSL
Commands
Commands are used/tested on OpenBSD.
Create new CSR and private key:
openssl req -keyout key.pem -new -newkey rsa:2048 -out server.pem
Create new CSR with existing key:
openssl req -new -key key.pem -out server.pem
Self-sign your certficate:
openssl req -in server.pem -key key.pem -x509 -out server.crt -days 1095
Combine the private key and the signed certificate into a pfx file for deployment on Microsoft computers:
openssl pkcs12 -export -in server.crt -inkey key.pem -out cert.pfx
Extract only public certificate chain from pfx:
openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
Extract only public client/server certificate from pfx:
openssl pkcs12 -in cert.pfx -out cert.pem -nokeys -clcerts
Extract only private key from pfx:
openssl pkcs12 -in cert.pfx -out priv.key -nocerts
Extract only private key from pfx without setting a password on private key:
openssl pkcs12 -in cert.pfx -out priv.key -nocerts -nodes
Remove password from private key:
openssl pkey -in key.pem -out server.key
Set password on private key:
openssl rsa -aes256 -in server.key -out key.pem
Show some certificate details:
openssl x509 -in server.crt -fingerprint -issuer -dates -noout -subject -sha256
Replace -sha256 with the fingerprint to show, e.g.: -md5, -sha1, -sha384, -sha512.
Verify certificate details on SSL connection:
openssl s_client -connect server.domain.com:443 -CAfile /etc/ssl/cert.pem
Show certificate signing request details:
openssl req -noout -text -in server.pem
Source: Tech-Recipes - View the Details of a Certificate Signing Request with OpenSSL
Create a DER certificate from a PEM certificate:
openssl x509 -in server.pem -out server.der -outform DER
Test SMTP with STARTTLS:
openssl s_client -starttls smtp -connect MAILSERVER.DOMAIN.TLD:25
Source: stackoverflow - openssl to negotiate SSL encryption for STARTTLS