OpenSSL + Letsencrypt Cheat Sheet

Local testing tools: – SSLyze – SSLscan – SSLtap (provided by package nss) – tlssled

Generate self signed certificate with 4096 key valid for 1095 days:

# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095

Generate diffie-hellman parameters with (at least) 2048-bit: (1/5)

# openssl dhparam -out dhparams.pem 2048

Generate key certificate with (at least) 2048-bit: (2/5)

# openssl genrsa -aes256 -out server.key.pem 2048

Generate certificate signature (3/5)

# openssl req -new -key server.key.pem -out server.csr

Remove key password, so the server won’t require it on each and every restart Resulting files: server.key.pem does not ask the password, server.key.pem.original does

# openssl rsa -in server.key.pem -out
# mv server.key.pem server.key.pem.original
# mv server.key.pem
# chmod 400 server.key.pem*

criacao do certificado (5/5)

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


# openssl ca -config /etc/ssl/CA/intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in server.csr -out server.crt.pem

Check if public and private keys match => (stdin output for both command should match):

# openssl rsa -noout -modulus -in server.key | openssl sha256
# openssl x509 -noout -modulus -in server.crt | openssl sha256

To view the certificate:

# openssl x509 -noout -text -in certfile

To view the key:

# openssl rsa -noout -text -in keyfile

To view the CSR:

# openssl req -text -noout -verify -in csrfile

To convert P7B to PEM:

# openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

# openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
# openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to a single PEM with decrypted key:

# openssl pkcs12 -in certificate.pfx -out certificate-fullbundle.pem -nodes

Convert PFX to a single PEM with encrypted key:

# openssl pkcs12 -in certificate.pfx -out certificate-fullbundle.pem -nodes

Change password of a PFX file:

# ????
# openssl pkcs12 -export -out certificate.pfx -in certificate.crt.pem -inkey certificate.key.pem -certfile ca-chain.pem

Snatch the remote certificate # openssl s_client -connect 2>&1 < /dev/null | sed -n ‘/—–BEGIN/,/—–END/p’ »

List installed certificates info:

# certbot certificates

List installed plugins:

# certbot plugins

To simulate the execution rather than performing it for real:

# certbot {long chain of commands} --dry-run

To renew a wildcard (replace / omit nginx if aplicable):

# certbot -i nginx --server --manual --preferred-challenges dns -d *.{DOMAIN} -d {DOMAIN}

There will be two challenges: deploy one TXT record, wait for replication, deploy the second TXT. It’s ok to press ‘c’ to avoid modifications on nginx config.

Debian/Ubuntu specific: how to verify the Certbot version actually in use

# apt-cache policy certbot
# apt install certbot