In-progress document on command-line usage of OpenSSL


Connecting to SSL/TLS Server
  1. Direct Connect to SSL Port

    For testing HTTPS, POP3S, etc

    openssl s_client [-crlf] -connect address:port

  2. Connect to SSL Port using SNI Servername

    HTTPS testing using SNI-based virtual hosts

    openssl s_client [-crlf] -servername hostname -connect address:port

  3. Connect to service using STARTTLS

    For testing SMTP w/ starttls, IMAP w/ starttls...

    openssl s_client [-crlf] -starttls service -connect address:port

    Service is one of: smtp pop3 imap ftp

  4. Connect with a specific version of SSL/TLS

    Useful for verifying that a specific version isn't supported: try connecting with that version and see if it fails.

    openssl s_client -connect server:port [-ssl2|-ssl3|-tls1|-no_ssl2|-no_ssl3|-no_tls1]

Note: -crlf translates a line feed from the terminal into CR+LF.
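
Item 4 above as a script, added here as an example and not part of the original document: it runs the three version flags against one server and separates a real rejection from a local openssl build that lacks the flag or a failed TCP connect. The function names, the HOST/PORT arguments and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: HOST, PORT and the function names are hypothetical.

# Constructed samples of s_client output (not captured from a real server).
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
---'
SAMPLE_REJECTED='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---'

# Read s_client output on stdin and print one verdict:
#   accepted    handshake completed, a cipher was negotiated
#   rejected    s_client connected but negotiated no cipher
#   unsupported the local openssl build does not know the flag, so the
#               failure says nothing about the server
#   error       no handshake summary at all (e.g. TCP connect failed)
classify_probe() {
    out=$(cat)
    case $out in
        # Assumption: wording of the bad-flag message varies by version.
        *"nknown option"*|*"nrecognized flag"*) echo unsupported; return ;;
        *"Cipher is (NONE)"*) echo rejected; return ;;
        *"Cipher is "*) echo accepted; return ;;
    esac
    echo error
}

# Try each version flag from item 4 against host:port.
probe_versions() {
    for flag in -ssl2 -ssl3 -tls1; do
        verdict=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>&1 |
            classify_probe)
        printf '%-6s %s\n' "$flag" "$verdict"
    done
}

# Usage: sh probe.sh HOST PORT
if [ "$#" -ge 2 ]; then
    probe_versions "$1" "$2"
fi
```

Only a "rejected" verdict shows that the server refused the version; "unsupported" and "error" mean the test itself did not run.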

WWW-SSL Key (Self Signed)
  1. Create private key and certificate request. The -nodes option leaves the private key unencrypted, so no passphrase is used.

    openssl req -new [-nodes] -keyout certname.key -out certname.csr

  2. Create the certificate from the request and the key. The signingkey can be either the key created above, or a different CA key.

    openssl x509 -in certname.csr -out certname.crt -req -signkey signingkey.key -days 365

TLS/SSL Keys for Email (POP, qmail smtp, imap)

    openssl req -new -x509 -nodes -days 366 -out servercert.pem -keyout servercert.pem

Removing Pass Phrase from private key

    openssl rsa -in signed.key -out unsigned.key

View Certificate information

    openssl x509 -noout -text -in pop3s.pem

View Information on Remote Certificate

    openssl s_client -connect www.server.domain:443 < /dev/null | openssl x509 -subject -noout -dates