OpenSSL

Commands

Commands are used/tested on OpenBSD.

Create new CSR and private key:

openssl req -keyout key.pem -new -newkey rsa:2048 -out server.pem 

Create new CSR with existing key:

openssl req -new -key key.pem -out server.pem 

Self-sign your certificate:

openssl req -in server.pem -key key.pem -x509 -out server.crt -days 1095

Combine the private key and the signed certificate into a pfx file for deployment on Microsoft computers:

openssl pkcs12 -export -in server.crt -inkey key.pem -out cert.pfx
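
A check worth running before the pfx step above, added here as an example and not part of the original page: it confirms that key.pem, server.pem (the CSR) and server.crt all carry the same public key by comparing SHA-256 hashes of the extracted public keys. The function names, the -nodes and -subj options and the /CN=test.example subject are assumptions made for a prompt-free demo.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page:
# key.pem = private key, server.pem = CSR, server.crt = certificate.

# pubkey_fp TYPE FILE: print the SHA-256 of the public key held in FILE.
# TYPE is key, csr or cert. Fails if FILE does not parse as that type,
# so two unreadable files never compare as equal.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)    echo "pubkey_fp: unknown type '$1'" >&2; return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair KEY CSR CERT: succeed only if all three carry one public key.
same_keypair() {
    k=$(pubkey_fp key "$1")  || return 1
    r=$(pubkey_fp csr "$2")  || return 1
    c=$(pubkey_fp cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# make_set DIR: build a constructed, throwaway key/CSR/cert set in DIR with
# the page's commands. -nodes and -subj are added only so nothing prompts.
make_set() {
    openssl req -keyout "$1/key.pem" -new -newkey rsa:2048 -nodes \
        -subj "/CN=test.example" -out "$1/server.pem" 2>/dev/null &&
    openssl req -in "$1/server.pem" -key "$1/key.pem" -x509 \
        -out "$1/server.crt" -days 1095 2>/dev/null
}

# Demo: a matching set passes; a key from another set is caught.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/a" "$d/b" && make_set "$d/a" && make_set "$d/b" ||
        { rm -rf "$d"; return 1; }
    same_keypair "$d/a/key.pem" "$d/a/server.pem" "$d/a/server.crt" && echo "set a: keys match"
    same_keypair "$d/b/key.pem" "$d/a/server.pem" "$d/a/server.crt" || echo "foreign key: mismatch detected"
    rm -rf "$d"
}
demo
```

A password-protected key.pem makes openssl pkey ask for the passphrase when the check runs.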

Extract only public certificate chain from pfx:

openssl pkcs12 -in cert.pfx -out cert.pem -nokeys

Extract only public client/server certificate from pfx:

openssl pkcs12 -in cert.pfx -out cert.pem -nokeys -clcerts

Extract only private key from pfx:

openssl pkcs12 -in cert.pfx -out priv.key -nocerts

Extract only private key from pfx without setting a password on private key:

openssl pkcs12 -in cert.pfx -out priv.key -nocerts -nodes

Remove password from private key:

openssl pkey -in key.pem -out server.key

Set password on private key:

openssl rsa -aes256 -in server.key -out key.pem

Show some certificate details:

openssl x509 -in server.crt -fingerprint -issuer -dates -noout -subject -sha256

Replace -sha256 with the digest to use for the fingerprint, e.g.: -md5, -sha1, -sha384, -sha512.

Verify certificate details on SSL connection:

openssl s_client -connect server.domain.com:443 -CAfile /etc/ssl/cert.pem

Show certificate signing request details:

openssl req -noout -text -in server.pem

Source: Tech-Recipes - View the Details of a Certificate Signing Request with OpenSSL

Create a DER certificate from a PEM certificate:

openssl x509 -in server.crt -out server.der -outform DER
openssl.txt · Last modified: 2021/12/10 14:21 by bas