tls

openssl x509 -text -noout -in certificate.crt

step-cli certificate inspect certificate.crt --short --bundle

openssl x509 -subject -noout -in certificate.crt

openssl x509 -enddate -noout -in certificate.crt

openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null

step-cli certificate inspect --bundle https://google.com

ncat -vvv --ssl-verify google.com 443

openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > certificate.crt

step-cli certificate inspect --bundle --format pem https://google.com > certificate.crt

openssl pkcs12 -in bundle.p12 [-nokeys] -info

openssl pkcs12 -in bundle.pfx -nodes

openssl pkcs12 -in bundle.pfx -clcerts -nokeys -out server.crt

openssl pkcs12 -in bundle.pfx -nocerts -nodes -out server.key

openssl pkcs12 -in bundle.pfx -cacerts -nokeys -out ca-chain.crt

cat request.http | ncat --ssl example.com 443

Definitions

• Certificate types:
  • X.509: Most common for TLS
  • OpenPGP
• File formats / Encodings:
  • PEM: Most common, text-based (-----BEGIN CERTIFICATE-----)
  • DER: Binary ASN.1 format
• Containers
  • PKCS#12: .p12 / .pfx, can contain certificates, private keys, and the CA chain
  • PKCS#7: .p7b / .p7c, does not contain private keys
  • JKS: Java Keystore

step-cli

--bundle is used to store the whole certificate chain. If you are only interested in the server certificate itself, you can omit the parameter.

HTTPS server

A HTTPS web server should send it’s server.crt and most likely a intermediate.crt in it’s responses. The Root CA should be installed on the client’s OS or browser and not be sent by the server.

cat server.crt intermediate.crt > server-and-intermediate.crt

Then for example your nginx config might look like this:

server {

listen 443 ssl;
ssl_certificate /etc/ssl/server-and-intermediate.crt;
ssl_certificate_key /etc/ssl/server.key;

[...]

Note: For nginx the order is important: The server.crt must come first.