I needed a place to keep openssl commands for reference. See http://www.reppep.com/~pepper/writing/tidbits/ssl-article/ for much more depth.

Read a cert (I use this to build all my .crt files, so I can easily tell what I'm working with later):

openssl x509 -text -fingerprint -sha1 -in certificate.crt

Read a CSR (most fields should match the account with your CA, or your private CA cert):

openssl req -text -in request.csr


The classic, for testing availability of an SSL server, is:

openssl s_client -connect server:port

For example:

openssl s_client -connect www:443

For web sites, I generally use a browser to review the certificate, but for other protocols openssl is invaluable. Apple's /System/Library/CoreServices/Certificate\ Assistant.app/ (available from Keychain Access' Keychain menu) is also good for verifying SSL status of arbitrary SSL servers.


For traffic analysis, ssldump can (with the server's private key) decrypt tcpdump captures or live traffic.


From a Windows admin, requesting a cert for IIS (I have not tested):

I need for you to combine the crt with the key to make a pfx file.

openssl pkcs12 -export -out canonicalName.pfx -inkey canonicalName.key -in canonicalName.crt
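
Before handing over a .pfx it helps to confirm that the key and certificate belong together and that the bundle reads back. The script below is an added example, not part of the original notes: it runs the pkcs12 command above on a throwaway self-signed pair, and the function names, file names, CN values and the PFX_PASS variable are assumptions made for the demo.

```shell
# Added example. File names, CN values and the passphrase are constructed.

# Succeed only if the private key ($1) and certificate ($2) share a public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# make_pfx KEY CRT OUT: refuse mismatched pairs. The passphrase is read from
# the PFX_PASS environment variable so it never appears in the process list.
make_pfx() {
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout env:PFX_PASS
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the leaf certificate stored inside a .pfx.
pfx_fp() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Throwaway self-signed pair for the demo: new_pair BASENAME CN
new_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Round-trip a matching pair, then check that a mismatched key is rejected.
demo() {
    d=$(mktemp -d) || return 1
    export PFX_PASS='constructed-demo-passphrase'
    (
        new_pair "$d/a" a.example && new_pair "$d/b" b.example &&
        make_pfx "$d/a.key" "$d/a.crt" "$d/a.pfx" &&
        [ "$(cert_fp "$d/a.crt")" = "$(pfx_fp "$d/a.pfx")" ] &&
        ! make_pfx "$d/b.key" "$d/a.crt" "$d/bad.pfx" 2>/dev/null &&
        [ ! -e "$d/bad.pfx" ]
    ); rc=$?
    rm -rf "$d"    # the temporary directory holds private keys; always remove it
    return $rc
}
demo && echo "pfx round-trip ok; mismatched key rejected"
```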