SSL Client


Diagnose an SSL/TLS connection

openssl s_client -connect [MY_HOST]:[MY_PORT]
Make an SSL/TLS client request.

Generate Keys


Generate RSA Key

openssl genrsa -out my-key.key 4096
Generate an RSA key (4096 bits is more robust than the default 2048 bits).

-aes256
Encrypt the generated private key with AES-256, protected by a passphrase.

Read Certificates


Read Local Certificates

openssl x509 -in cert.pem -text
Output certificate content as text.

openssl req -in cert.csr -text
Output certificate signing request content as text.

-noout
Do not output the raw PEM certificate at the end.


Read Remote Certificates

openssl s_client -showcerts -connect [MY_HOST]:[MY_PORT]
Return details about the SSL/TLS connection and the server's certificate chain.
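The -showcerts output interleaves handshake chatter with one PEM block per certificate, which is awkward to inspect by hand. The script below is an added example, not part of the original cheat sheet: it splits a saved -showcerts capture into one file per certificate and summarizes subject, issuer and expiry for each, flagging anything that expires within 30 days. It assumes OpenSSL 1.1.1 or later on PATH; the function names and the 30-day threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): split the chain printed by
# "openssl s_client -showcerts" into one PEM file per certificate and summarize
# each one. Assumes OpenSSL 1.1.1+ on PATH; function names are this example's own.

# chain_split INPUT OUTDIR
# Write cert-1.pem, cert-2.pem, ... into OUTDIR in the order the server sent them.
# Lines outside BEGIN/END CERTIFICATE markers (handshake chatter) are dropped.
chain_split() {
    input=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$input"
}

# chain_count OUTDIR
# Number of certificates extracted (0 if none were found).
chain_count() {
    ls "$1"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# chain_summary OUTDIR
# One line per certificate: file, subject, issuer, notAfter and an expiry flag.
# -checkend 2592000 exits non-zero if the cert expires within 30 days (2592000 s).
chain_summary() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject)
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        end=$(openssl x509 -in "$f" -noout -enddate)
        if openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null; then
            flag="ok"
        else
            flag="EXPIRES-SOON"
        fi
        printf '%s | %s | %s | %s | %s\n' "$(basename "$f")" "$subj" "$issuer" "$end" "$flag"
    done
}

# Remote usage: capture the chain once, then analyse the capture offline.
# openssl s_client -showcerts -connect [MY_HOST]:[MY_PORT] </dev/null 2>/dev/null > chain.txt
# chain_split chain.txt ./chain && chain_summary ./chain
```

Capturing to a file first means the handshake happens once and the same capture can be re-examined later; the EXPIRES-SOON flag is the check worth wiring into monitoring, since an expired intermediate breaks the whole chain.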

Generate Certificates


Generate CA Certificate

openssl genrsa -aes256 -out ca.key 4096
Generate an RSA key.

openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.pem
Generate the CA certificate with the given key (-x509 self-signs the request instead of writing out a CSR).


Generate Server Certificate

openssl genrsa -out cert.key 4096
Generate an RSA key.

openssl req -new -sha256 -key cert.key -out cert.csr
Generate a certificate signing request with the given key.

echo "subjectAltName=DNS:my-domain.tld,IP:10.0.0.1" > sans.txt
Create a config file for SANs.

openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca.key -out cert.pem -extfile sans.txt
Create a certificate signed by the CA, carrying the SAN extension from the config file.


Flags

-subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyOrg/OU=MyUnit/CN=my.domain"
Specify information for the certificate in the command.

-addext "subjectAltName=DNS:my.alt.domain"
Adding this to the req -new command does add the SAN to the request, but it does not seem to be added to the final certificate (openssl x509 -req ignores extensions carried in the CSR by default).
The workaround of passing <(printf "subjectAltName=DNS:my.alt.domain") as the -extfile argument of the signing command seems to work.

-CAcreateserial
No longer needed with OpenSSL 3, which generates random serial numbers by default.
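The CA and server certificate steps above, run end to end and followed by the checks a practitioner wants before deploying the result: chain verification, hostname and IP matching, and confirmation that the SAN actually made it into the certificate. This script is an added example, not from the original cheat sheet. It assumes OpenSSL 1.1.1 or later on PATH; the directory layout, subject names, the CA_PASS and KEY_BITS variables and the function names are this example's own. The last function reproduces the -addext caveat noted under Flags: a SAN placed only in the CSR is dropped at signing time, so the certificate fails hostname verification.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): CA + server certificate
# procedure as one non-interactive script, plus post-issuance checks. Assumes
# OpenSSL 1.1.1+ on PATH; CA_PASS, KEY_BITS and all names are this example's own.

# make_ca DIR: AES-256 passphrase-protected CA key and a 10-year self-signed CA cert.
# The passphrase is read from the CA_PASS environment variable (-passout/-passin env:)
# so the script can run unattended; without these flags OpenSSL prompts for it.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" "${KEY_BITS:-4096}"
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyOrg/OU=MyUnit/CN=MyOrg Test CA" \
        -out "$dir/ca.pem"
}

# make_server_cert DIR HOST IP: key, CSR and CA-signed certificate for HOST and IP.
# The SAN is supplied at signing time with -extfile, because openssl x509 -req
# does not copy extensions from the CSR by default (see sign_csr_only below).
make_server_cert() {
    dir=$1; host=$2; ip=$3
    openssl genrsa -out "$dir/cert.key" "${KEY_BITS:-4096}"
    openssl req -new -sha256 -key "$dir/cert.key" \
        -subj "/C=FR/O=MyOrg/CN=$host" -out "$dir/cert.csr"
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$dir/sans.txt"
    # -CAcreateserial is harmless on OpenSSL 3 (random serials by default) and
    # required on 1.1.1 the first time this CA signs, when no serial file exists.
    openssl x509 -req -sha256 -days 365 -in "$dir/cert.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/sans.txt" -out "$dir/cert.pem"
}

# verify_server_cert DIR HOST IP: chain, hostname and IP checks as a TLS client
# performs them. Returns 0 only if all three pass.
verify_server_cert() {
    dir=$1; host=$2; ip=$3
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null &&
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" "$dir/cert.pem" >/dev/null &&
    openssl verify -CAfile "$dir/ca.pem" -verify_ip "$ip" "$dir/cert.pem" >/dev/null
}

# cert_has_san FILE NAME: 0 if NAME (e.g. DNS:my-domain.tld) is in the SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "$2"
}

# sign_csr_only DIR HOST: put the SAN in the CSR with -addext and sign WITHOUT
# -extfile. The resulting addext.pem has no SAN, which is the caveat under Flags.
sign_csr_only() {
    dir=$1; host=$2
    openssl req -new -sha256 -key "$dir/cert.key" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" -out "$dir/addext.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/addext.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -out "$dir/addext.pem"
}

# Usage (constructed passphrase; in practice read it from a secret store):
# export CA_PASS='change-me'; make_ca ./pki; make_server_cert ./pki my-domain.tld 10.0.0.1
# verify_server_cert ./pki my-domain.tld 10.0.0.1 && echo "chain, hostname and IP OK"
```

The hostname and IP checks matter because modern TLS clients ignore the CN and match only against the SAN, so a certificate that passes plain chain verification can still be rejected by every browser. Running verify_server_cert against the addext.pem produced by sign_csr_only shows the failure directly.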