OpenSSL is a versatile command-line tool that allows you to work with SSL certificates, CSRs (Certificate Signing Requests), and private keys right from your terminal. In this post, we will show you how to check and verify the details of certificates, CSRs and private keys with OpenSSL.
Why Validate SSL Certificates, CSRs and Keys?
There are a few reasons why you may want to validate and inspect SSL certificates, CSRs and private keys using OpenSSL:
- Debugging SSL Issues: If you are facing “certificate not trusted” errors or issues with key mismatches, OpenSSL can help you debug by inspecting certificates and keys.
- Troubleshooting Renewals: When renewing SSL certificates, you can use OpenSSL to verify that the new CSR and private key match the existing certificate.
- Validating Chains: OpenSSL allows you to validate certificate chains to ensure your certificate chain is properly formed.
- Inspecting Certificates: OpenSSL makes it easy to view certificate contents such as the subject, issuer and validity period in order to verify certificate details.
- Checking Keys: Private keys can be checked for consistency to detect corruption or key mismatch issues.
How to Check an SSL Certificate?
To check the contents of an SSL certificate in CRT or PEM format, use the following OpenSSL command:
openssl x509 -in certificate.crt -text -noout
This will display all the certificate contents in a human-readable format including:
- Subject attributes such as common name and organization name
- Issuer attributes
- Public key type and parameters
- Signature algorithm
- Serial number
- Validity period (not before and not after dates)
- Key usage extensions
- Subject alternative names
- Authority key identifier
- Thumbprints/Fingerprints
Here’s a sample output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:57:eb:34:74:6d:59:eb:63:23:7b:47:9b:c3:1b:1e:66
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=SomeState, L=SomeCity, O=SomeOrg, OU=SomeOU, CN=SomeCN
        Validity
            Not Before: Dec 5 00:00:00 2019 GMT
            Not After : Dec 5 23:59:59 2020 GMT
        Subject: C=US, ST=SomeState, O=SomeOrg, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:5d:51:28:e7:6c:61:16:91:65:81:4e:ce:7e:
                    c9:0a:10:95:24:b2:09:b8:5c:21:b9:ef:69:a3:4a:
                    62:73:8a:c4:bc:4d:4d:14:36:d0:67:1c:9e:77:6a:
                    7b:08:e5:d4:22:e2:93:55:13:f3:c5:35:7f:94:b3:
                    34:73:4a:92:58:55:b1:07:6d:67:70:6b:13:f2:f9:
                    d9:b3:1f:2f:c7:0c:b6:ee:e9:f1:14:3f:24:bd:6f:
                    d3:8f:05:ab:bb:7f:62:1a:48:a8:7f:0c:44:93:f7:
                    f9:29:8b:12:2b:61:00:e9:0e:8f:1b:d6:d1:5a:85:
                    0e:dc:c3:7e:b2:f9:b3:35:34:e9:b1:91:bc:e9:58:
                    c2:4f:27:16:98:d4:36:04:ce:c8:d7:2f:92:50:c9:
                    84:5d:62:c4:77:9b:60:04:16:09:04:7d:b8:64:74:
                    55:05:39:42:6c:90:18:b6:66:f0:88:15:40:93:cc:
                    d7:e7:b3:cc:48:55:25:0c:f8:da:7e:f2:cd:4e:70:
                    21:f3:69:2a:9c:8b:77:6d:ee:21:46:2c:46:b5:15:
                    12:65:32:04:a8:6e:5a:04:2f:24:5b:8f:3c:6c:c8:
                    c7:3b:b7:bb:e9:03:5f:50:be:7a:f3:31:1b:13:c1:
                    b6:31:4e:04:6f:c2:df:f6:45:97:94:0f:47:72:df:
                    bb:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                B4:B0:5E:C9:45:77:A5:75:27:E1:F7:3D:28:D7:7E:49:4E:E2:99:89
            X509v3 Authority Key Identifier:
                keyid:86:28:8F:F6:F2:73:20:57:54:CF:95:57:0F:A7:C5:F1:2F:E2:61:D0
                DirName:/C=US/ST=SomeState/L=SomeCity/O=SomeOrg/OU=SomeOU/CN=SomeCN
                serial:AF:92:88:A0:DF:AA:59:5D
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption
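As an added example (not from the original post), the following POSIX shell script pulls the fields that usually matter out of a certificate with openssl x509 instead of reading the whole -text dump, computes the SHA-256 fingerprint (which -text itself does not print) and uses -checkend to flag upcoming expiry. It assumes the openssl binary is on PATH and inspects a constructed self-signed certificate; the helper function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): pull the fields that matter out
# of a certificate with openssl x509 instead of reading the whole -text dump.
# Assumes openssl is on PATH; the certificate below is constructed on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/certificate.crt"

# Constructed sample: self-signed leaf for example.com, valid for 30 days.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/private.key" -out "$CERT" \
    -subj "/C=US/ST=SomeState/O=SomeOrg/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
    >/dev/null 2>&1

# Each helper prints exactly one field so it can be scripted or tested.
cert_subject()  { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_issuer()   { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
cert_notafter() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }
# -ext prints one extension; drop its header line and the indentation.
cert_sans()     { openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' '; }
# The fingerprint is not part of the -text output; -fingerprint computes it.
cert_fpr()      { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }
# -checkend N exits 0 if the certificate is still valid N seconds from now.
cert_expires_within() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null && echo no || echo yes; }
# A self-signed certificate has identical subject and issuer.
cert_self_signed() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ] && echo yes || echo no; }

echo "Subject:      $(cert_subject "$CERT")"
echo "Issuer:       $(cert_issuer "$CERT")"
echo "Not After:    $(cert_notafter "$CERT")"
echo "SANs:         $(cert_sans "$CERT")"
echo "SHA-256:      $(cert_fpr "$CERT")"
echo "Self-signed:  $(cert_self_signed "$CERT")"
echo "Expires within 7 days:  $(cert_expires_within "$CERT" 604800)"
echo "Expires within 60 days: $(cert_expires_within "$CERT" 5184000)"
```

Point the helpers at a real certificate file to use them in a renewal or monitoring script; a non-zero exit from -checkend is the signal to act on.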
How to Check a CSR?
To verify and view the contents of a certificate signing request (CSR), you can use the following openssl command:
openssl req -text -noout -verify -in example.csr
This will display the details included in the CSR, such as the subject, public key and attributes.
Here’s some sample output:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=US, ST=SomeState, L=SomeCity, O=Example LLC, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cb:0c:0a:26:4d:8a:2a:35:ad:19:cd:7f:b2:fe:
                    54:ff:75:27:e7:62:66:12:8f:2b:6b:b3:0c:4f:05:
                    08:15:8a:5a:7b:54:17:ef:49:5f:5c:7a:65:4f:18:
                    e0:31:7a:7a:71:df:f5:96:a3:7c:b0:6c:a2:c0:78:
                    cc:5e:d3:4a:06:a3:40:29:0e:f5:09:dd:a6:a2:ee:
                    24:cc:4d:16:4c:e9:73:df:fe:41:81:7b:23:a9:32:
                    b7:94:9a:a9:88:7d:00:3a:1d:00:d6:ab:7f:1f:72:
                    8b:f8:5e:c8:f1:f9:21:29:e1:2b:4d:47:59:11:7b:
                    0d:8c:8e:3a:07:20:5c:12:bd:fe:15:54:d1:76:b7:
                    b5:01:54:99:22:72:32:cf:b0:19:f3:03:b6:1a:f2:
                    56:2e:94:2d:ad:63:3d:e6:66:3c:07:6c:46:44:36:
                    91:7d:7c:83:8c:9b:2d:8f:57:2d:dc:f0:31:05:2f:
                    99:64:3b:87:55:76:80:ea:7e:33:0c:85:68:95:69:
                    81:7f:81:c4:ac:b2:b0:27:8c:6b:70:81:5d:da:4d:
                    7d:f3:20:b3:1a:a4:a5:cd:7a:a0:21:45:43:59:42:
                    3a:86:0f:68:b2:ee:35:6c:00:e9:04:01:5f:31:ab:
                    a7:16:d8:65:70:02:9e:e8:b4:4d:b8:75:8b:bf:35:
                    1c:ce
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption
How to Check a Private Key?
Private keys can be checked with OpenSSL to detect inconsistencies or corruption. To check a private key in PEM/KEY format, use the following openssl command:
openssl rsa -in private.key -check
This runs an integrity check on the private key and reports whether the key is valid. If the key is encrypted (password protected), decrypt it first and then check the decrypted copy:
openssl rsa -in private.key -out decrypted.key
openssl rsa -in decrypted.key -check
This writes the decrypted key to a plaintext file, which can then be checked. On success, you will see the message ‘RSA key ok’; any error indicates a problem with the private key.
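The following script is an added example (not from the original post) that ties the CSR and private-key sections together: it runs the -check on a plain and on an encrypted key (passing the passphrase with -passin, so no plaintext copy has to be written to disk), verifies the CSR's self-signature with -verify, and then confirms that key, CSR and certificate all carry the same public key by comparing SHA-256 digests of the DER-encoded public keys, which is the mismatch check a renewal usually needs. It assumes openssl on PATH; every key, CSR and certificate it uses is constructed inside the script, and the passphrase and helper names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check a private key, verify a
# CSR's self-signature, and confirm that key, CSR and certificate carry the
# same public key. Assumes openssl on PATH; all material is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/private.key"; CSR="$WORK/example.csr"; CRT="$WORK/certificate.crt"
ENCKEY="$WORK/encrypted.key"; OTHERKEY="$WORK/other.key"

# Constructed sample material: key -> CSR -> self-signed certificate, plus an
# unrelated key and an AES-256 encrypted copy of the real key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
openssl req -new -key "$KEY" -out "$CSR" -subj "/C=US/O=Example LLC/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 -out "$CRT" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$OTHERKEY" 2>/dev/null
openssl rsa -in "$KEY" -aes256 -passout pass:constructed-passphrase -out "$ENCKEY" 2>/dev/null

# Integrity check. For an encrypted key, -passin hands over the passphrase so
# no plaintext copy has to be written to disk first.
key_ok() {
    openssl rsa -in "$1" -noout -check -passin "pass:${2:-}" 2>/dev/null \
        | grep -q 'RSA key ok' && echo ok || echo bad
}
# -verify checks the CSR's self-signature: whoever produced it held the key.
csr_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1 && echo ok || echo bad; }

# SHA-256 of the DER-encoded public key: equal digests mean the same key pair.
pub_id()     { openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'; }
key_pub_id() { openssl pkey -in "$1" -pubout | pub_id; }
csr_pub_id() { openssl req  -in "$1" -noout -pubkey | pub_id; }
crt_pub_id() { openssl x509 -in "$1" -noout -pubkey | pub_id; }
all_match() {
    k=$(key_pub_id "$1"); r=$(csr_pub_id "$2"); c=$(crt_pub_id "$3")
    [ "$k" = "$r" ] && [ "$r" = "$c" ] && echo match || echo MISMATCH
}

echo "key check (plain):     $(key_ok "$KEY")"
echo "key check (encrypted): $(key_ok "$ENCKEY" constructed-passphrase)"
echo "csr signature:         $(csr_ok "$CSR")"
echo "key/csr/cert:          $(all_match "$KEY" "$CSR" "$CRT")"
echo "other key/csr/cert:    $(all_match "$OTHERKEY" "$CSR" "$CRT")"
```

A MISMATCH from all_match is the "key mismatch" case mentioned at the top of the post: the certificate or CSR was produced from a different private key than the one on disk.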
Conclusion
OpenSSL provides a powerful command-line interface to validate and troubleshoot SSL certificates, CSRs and private keys right from your terminal. Knowing these basic OpenSSL commands helps you debug SSL issues, troubleshoot renewals, validate chains, and inspect keys and certificates. For more OpenSSL examples and tutorials, check out the Most Common OpenSSL Commands guide.