OpenSSL
Useful commands
  update-ca-certificates --fresh                                                                   # refresh the CA certificates
  openssl x509 -in mail.example.com.pem -noout -text                                               # show the contents of a certificate file
  openssl s_client -connect mail.example.com:587 -starttls smtp                                    # check an SMTP STARTTLS certificate
  openssl s_client -connect mail.example.com:465                                                   # check an SMTP SSL certificate (implicit TLS)
  openssl s_client -connect mail.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates   # check the validity dates of the certificate on port 443 (HTTPS)
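The last command above prints the validity dates of one certificate for a human to read. The following script is an added example (not part of the original page) that turns this into an automated check over certificate files: it uses `openssl x509 -checkend`, which reports whether a certificate will still be valid a given number of seconds from now, so no platform-specific date arithmetic is needed. A certificate fetched with `openssl s_client ... </dev/null | openssl x509 > host.crt` can be checked the same way. The self-signed test certificates it generates are constructed fixtures; the only assumption is an installed openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original page: find certificates that expire within a
# given number of days using "openssl x509 -checkend", which works the same on every
# platform (no GNU date needed). Assumes the openssl CLI is installed; the test
# certificates generated below are constructed fixtures.
set -eu

# cert_expires_within FILE DAYS -> "yes" if FILE is expired, or will be DAYS days from now,
# otherwise "no" (the function itself always exits 0)
cert_expires_within() {
    seconds=$(( $2 * 86400 ))
    # -checkend exits 0 while the certificate is still valid SECONDS from now, 1 otherwise
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# cert_enddate FILE -> the notAfter date as OpenSSL prints it
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# make_test_cert FILE DAYS -> self-signed 2048-bit RSA certificate valid for DAYS days
# (constructed fixture; the key goes to FILE with .crt replaced by .key)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=expiry-test.example" -keyout "${1%.crt}.key" -out "$1" >/dev/null 2>&1
}

# Demo: report every certificate in a directory that expires within 30 days
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir/short.crt" 10
    make_test_cert "$dir/long.crt" 365
    for f in "$dir"/*.crt; do
        printf '%s: expires %s, within 30 days: %s\n' \
            "$f" "$(cert_enddate "$f")" "$(cert_expires_within "$f" 30)"
    done
    rm -rf "$dir"
fi
```

Run it as `sh check-expiry.sh demo` to see the two fixtures reported; in practice you would loop over your own certificate directory and alert on every "yes". The threshold should be larger than the time it takes to renew and deploy a certificate (30 days is a common choice).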
Create a CSR
Single domain / wildcard
Create a CSR with OpenSSL:
  openssl req -utf8 -nodes -new -newkey rsa:2048 -sha256 -keyout example.com.key -out example.com.csr   # with a new private key
  openssl req -utf8 -new -key example.com.key -out example.com.csr                                       # with an existing private key
Multi-domain (SAN)
Create the csr.conf file
  vi /etc/ssl/csr.conf
Contents:
  [req]
  distinguished_name = req_distinguished_name
  req_extensions = v3_req
  prompt = no

  [req_distinguished_name]
  C = DE
  ST = BW
  L = Karlsruhe
  O = XYZ IT GmbH
  OU = IT
  CN = www.xyz-it.de

  [v3_req]
  keyUsage = keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth
  subjectAltName = @alt_names

  [alt_names]
  DNS.1 = abc.xyz-it.de
  DNS.2 = www.xyz-it.de
  DNS.3 = xyz.de
  DNS.4 = mail.xyz.de
Create the private key
  openssl genrsa -out xyz-it.de.key 2048
Create the CSR
  openssl req -new -out xyz-it.de.csr -key xyz-it.de.key -config /etc/ssl/csr.conf
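The three steps above (config file, key, CSR) as one script, added here as an example and not part of the original page. It writes the config from a list of host names, generates the key and request, and then does the checks worth running before a CSR leaves your hands: the DNS names actually present in the request's subjectAltName, the request's self-signature, and whether the request really carries the public key of the key file you intend to keep. The host names are the page's; the temporary directory and the CN argument are constructed. One deliberate difference from the page's config: keyUsage also lists digitalSignature, because with forward-secrecy (ECDHE) cipher suites the server signs the handshake with this key (CAs normally set the final extensions themselves, but the request should not ask for less than the server needs).

```shell
#!/bin/sh
# Added example, not from the original page: generate a multi-domain (SAN) CSR from a
# generated config file and verify the request before handing it to the CA.
# Host names follow the page's csr.conf; the temporary directory and CN are constructed.
set -eu

# write_csr_conf OUTFILE CN HOST... -> OpenSSL req config with one DNS.n line per HOST.
# keyUsage also lists digitalSignature: with forward-secrecy (ECDHE) cipher suites the
# server signs the handshake with this key. (CAs normally set the final extensions anyway.)
write_csr_conf() {
    out=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n\n'
        printf '[req_distinguished_name]\nC = DE\nST = BW\nL = Karlsruhe\n'
        printf 'O = XYZ IT GmbH\nOU = IT\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for host in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$host"
            i=$((i + 1))
        done
    } > "$out"
}

# make_san_csr CONF KEYFILE CSRFILE -> new 2048-bit RSA key in KEYFILE, request in CSRFILE
make_san_csr() {
    openssl genrsa -out "$2" 2048 2>/dev/null
    openssl req -new -utf8 -sha256 -key "$2" -out "$3" -config "$1"
}

# csr_sans CSRFILE -> DNS names in the request's subjectAltName, one per line
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# csr_verify CSRFILE -> exit 0 when the request's self-signature is valid
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSRFILE KEYFILE -> "yes" if the request carries KEYFILE's public key
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    write_csr_conf "$dir/csr.conf" www.xyz-it.de abc.xyz-it.de www.xyz-it.de xyz.de mail.xyz.de
    make_san_csr "$dir/csr.conf" "$dir/xyz-it.de.key" "$dir/xyz-it.de.csr"
    echo "SANs in the request:"; csr_sans "$dir/xyz-it.de.csr"
    echo "key matches: $(csr_matches_key "$dir/xyz-it.de.csr" "$dir/xyz-it.de.key")"
    csr_verify "$dir/xyz-it.de.csr" && echo "CSR signature OK"
    rm -rf "$dir"
fi
```

`sh make-san-csr.sh demo` prints the four SAN entries and the key check. Note that the CN is repeated as a SAN entry on purpose: browsers ignore the CN and match the host name against subjectAltName only, so a name missing from `[alt_names]` will not validate even if it is the CN.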
Create the private key (S/MIME)
  openssl genrsa -out mail-smime.key 4096
Create the CSR (S/MIME)
  openssl req -utf8 -new -key mail-smime.key -out mail-smime.csr
Convert certificates
Order of a chain
Optimal:
  -----BEGIN CERTIFICATE-----
  [Server Certificate]
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  [Intermediate certificate L1]
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  [Intermediate certificate L2]
  -----END CERTIFICATE-----
Unnecessary, because the root certificate is already contained in the browser/OS certificate store:
  -----BEGIN CERTIFICATE-----
  [Server Certificate]
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  [Intermediate certificate L1]
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  [Intermediate certificate L2]
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  [Root Certificate]
  -----END CERTIFICATE-----
https://success.qualys.com/support/s/article/000005824
https://success.qualys.com/support/s/article/000003197
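A chain file in the wrong order is a common cause of "certificate not trusted" reports from some clients while others (which reorder certificates themselves) work fine. The script below is an added example, not part of the original page, that checks a PEM chain file against the ordering shown above: the server certificate must come first, and each following certificate must be the issuer of the one before it. It also flags a self-signed certificate at the end (the unnecessary root) and runs `openssl verify` with the chain as untrusted intermediates. The three-level test chain it builds is a constructed fixture with made-up names; an installed openssl CLI is assumed.

```shell
#!/bin/sh
# Added example, not from the original page: check that a chain file is in the order TLS
# expects (server certificate first, each following certificate the issuer of the one before
# it) and flag an unnecessary trailing root. A constructed three-level test chain serves as
# input; all names are made up and the openssl CLI is assumed to be installed.
set -eu

# cert_field FILE subject|issuer -> the DN without the "subject=" / "issuer=" prefix
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# split_chain CHAINFILE OUTDIR -> OUTDIR/cert-1.pem, cert-2.pem, ... in file order;
# prints the number of certificates found
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }' "$1"
}

# chain_order_ok CHAINFILE -> "ok", or "bad: ..." naming the first certificate whose
# issuer is not the next certificate in the file
chain_order_ok() {
    dir=$(mktemp -d)
    n=$(split_chain "$1" "$dir")
    result=ok
    i=1
    while [ "$i" -lt "$n" ]; do
        if [ "$(cert_field "$dir/cert-$i.pem" issuer)" != "$(cert_field "$dir/cert-$((i + 1)).pem" subject)" ]; then
            result="bad: certificate $i is not issued by certificate $((i + 1))"
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    echo "$result"
}

# chain_ends_with_root CHAINFILE -> "yes" if the last certificate is self-signed (the root,
# which browsers and operating systems already have and which need not be sent)
chain_ends_with_root() {
    dir=$(mktemp -d)
    n=$(split_chain "$1" "$dir")
    if [ "$(cert_field "$dir/cert-$n.pem" subject)" = "$(cert_field "$dir/cert-$n.pem" issuer)" ]; then
        echo yes
    else
        echo no
    fi
    rm -rf "$dir"
}

# chain_verifies ROOTFILE CHAINFILE -> exit 0 when the first certificate in CHAINFILE chains
# up to ROOTFILE, using the other certificates in CHAINFILE as untrusted intermediates
chain_verifies() {
    dir=$(mktemp -d)
    split_chain "$2" "$dir" >/dev/null
    if openssl verify -CAfile "$1" -untrusted "$2" "$dir/cert-1.pem" >/dev/null 2>&1; then
        status=0
    else
        status=1
    fi
    rm -rf "$dir"
    return "$status"
}

# make_test_chain DIR -> root.pem, intermediate.pem and server.pem (constructed test CA,
# 2048-bit RSA, 30 days validity)
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/intermediate.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/server.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_chain "$d"
    cat "$d/server.pem" "$d/intermediate.pem" > "$d/chain.pem"
    echo "order: $(chain_order_ok "$d/chain.pem"), trailing root: $(chain_ends_with_root "$d/chain.pem")"
    rm -rf "$d"
fi
```

For a real deployment, run `chain_order_ok` and `chain_ends_with_root` on the file your web or mail server actually loads; the subject/issuer comparison is the same check that the `openssl pkcs7 -print_certs -noout` listing further down lets you do by eye.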
Commands
P12 == PFX
PEM vs CRT
  openssl pkcs12 -export -in cert_bundle.pem -inkey privkey.key -out cert_bundle.p12   # PEM to P12
  cat cert.pem intermediate.pem > chain.pem                                            # certificate + intermediate as a bundle
  cat root.pem intermediate.pem > ocsp-chain.pem                                       # OCSP chain (root + intermediate) as a bundle
  openssl pkcs12 -in cert_bundle.p12 -chain -nokeys -out cert_bundle.pem               # P12 to PEM with the complete chain
  openssl pkcs12 -in cert_bundle.p12 -cacerts -nokeys -out cert_cacerts.pem            # P12 to PEM, CA certificates only
  openssl pkcs12 -in cert_bundle.p12 -clcerts -nokeys -out cert.pem                    # P12 to PEM without CA certificates
  openssl pkcs12 -in cert_bundle.p12 -nocerts -out privkey_encr.key                    # extract the private key (still encrypted)
  openssl rsa -in privkey_encr.key -out privkey.key                                    # decrypt the private key
  openssl x509 -inform der -in certificate.cer -out certificate.pem                    # DER to PEM
  openssl pkcs7 -inform der -in cacert.p7b -out cacert.pem                             # P7B to PEM
Show a summary of a certificate / create a bundle
  openssl crl2pkcs7 -nocrl -certfile cert_bundle.crt | openssl pkcs7 -print_certs -out bundle-certs.crt   # write all certificates of the bundle, each preceded by subject and issuer
  openssl crl2pkcs7 -nocrl -certfile cert_bundle.crt | openssl pkcs7 -print_certs -noout                  # only list subject and issuer of each certificate
Create a certificate
  openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out default.crt -keyout default.key   # self-signed SSL certificate
  openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048                                               # Diffie-Hellman parameters
linux/verschluesselung/openssl.txt · Last modified: 2025/03/19 19:41 by gsys