# SSL / TLS cheatsheet

## openssl — test remote server

| Command | Description |
|---|---|
| `openssl s_client -connect example.com:443 -servername example.com` | Full TLS handshake and leaf cert with explicit SNI (OpenSSL 1.1.1+ also sends the `-connect` hostname as SNI by default; `-noservername` turns that off) |
| `openssl s_client -connect example.com:443 -showcerts` | Print every certificate the server sends (leaf plus intermediates) |
| `echo \| openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \| openssl x509 -noout -dates` | Quick expiry check of the leaf |
| `openssl s_client -connect example.com:443 -tls1_2` | Force TLS 1.2 (`-tls1_3` for 1.3); a failed handshake means the server does not offer that version |
| `openssl s_client -connect 127.0.0.1:443 -servername example.com` | Test a local vhost by SNI without touching DNS |

## openssl — inspect certificates

| Command | Description |
|---|---|
| `openssl x509 -in cert.pem -text -noout` | Human-readable cert details |
| `openssl x509 -in cert.pem -noout -dates` | notBefore / notAfter |
| `openssl x509 -in cert.pem -noout -subject -issuer` | Subject and issuer |
| `openssl x509 -in cert.pem -noout -ext subjectAltName` | List SAN hostnames (OpenSSL 1.1.1+) |
| `openssl x509 -in cert.pem -noout -fingerprint -sha256` | SHA-256 fingerprint |
| `openssl verify -CAfile chain.pem cert.pem` | Verify cert against a CA bundle. The chain must end in a self-signed root: put the root in `-CAfile` and intermediates in `-untrusted`, or add `-partial_chain` to anchor on an intermediate |
| `openssl x509 -noout -modulus -in cert.pem \| openssl md5` | Cert modulus hash (RSA only; compare with the key's) |

## openssl — inspect private keys

| Command | Description |
|---|---|
| `openssl rsa -in privkey.pem -check -noout` | Validate RSA private key |
| `openssl ec -in privkey.pem -check -noout` | Validate EC private key |
| `openssl rsa -noout -modulus -in privkey.pem \| openssl md5` | Key modulus hash (RSA only; must match the cert's) |
| `openssl pkey -in privkey.pem -pubout` | Derive public key from private key (works for any key type) |

## openssl — generate certs and CSRs

| Command | Description |
|---|---|
| `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes` | Self-signed cert (dev/test). Browsers ignore CN, so add a SAN with `-addext "subjectAltName=DNS:localhost"` (OpenSSL 1.1.1+) |
| `openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem` | Generate CSR for a CA (`-nodes` leaves the key unencrypted on disk; restrict its permissions) |
| `openssl req -in csr.pem -text -noout` | Inspect CSR contents before submitting it |
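
The rows above plus the `openssl verify` row and the "serve fullchain.pem" tip come together in the following script, which is an added example and not part of the original cheatsheet. It builds a throwaway root / intermediate / leaf chain with `req` and `x509 -req` (the CA names, `example.test` and the temp directory are made up for the demo), then runs `openssl verify` five ways to show exactly when a missing intermediate breaks trust and why `-partial_chain` is needed to anchor on a non-root CA:

```shell
#!/usr/bin/env sh
# Added example (not from the cheatsheet): throwaway root -> intermediate -> leaf chain,
# then openssl verify with and without the intermediate. All names are made up.
set -eu

# Generate a P-256 private key into $1.
newkey() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Build the chain in a fresh temp directory (left in place for inspection) and print its path.
build_demo_chain() {
  dir=$(mktemp -d)
  # Extensions come from this file at signing time; the CSRs carry none.
  cat >"$dir/ext.cnf" <<'EOF'
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
  newkey "$dir/root.key"; newkey "$dir/int.key"; newkey "$dir/leaf.key"
  openssl req -new -key "$dir/root.key" -subj "/CN=Demo Root CA" -out "$dir/root.csr" 2>/dev/null
  openssl req -new -key "$dir/int.key" -subj "/CN=Demo Intermediate CA" -out "$dir/int.csr" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=example.test" -out "$dir/leaf.csr" 2>/dev/null
  # Self-signed root.
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ext.cnf" -extensions ca -out "$dir/root.pem" 2>/dev/null
  # Intermediate signed by the root.
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 1825 -extfile "$dir/ext.cnf" -extensions ca -out "$dir/intermediate.pem" 2>/dev/null
  # Leaf signed by the intermediate.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -days 90 -extfile "$dir/ext.cnf" -extensions leaf -out "$dir/leaf.pem" 2>/dev/null
  # What a web server should serve: leaf first, then intermediates, never the root.
  cat "$dir/leaf.pem" "$dir/intermediate.pem" >"$dir/fullchain.pem"
  echo "$dir"
}

# Quiet wrapper around openssl verify; the exit status is the result.
quiet_verify() { openssl verify "$@" >/dev/null 2>&1; }

# Print PASS/FAIL for a labelled verify invocation.
show() {
  label=$1; shift
  if quiet_verify "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

D=$(build_demo_chain)
show "root anchor, intermediate via -untrusted"     -CAfile "$D/root.pem" -untrusted "$D/intermediate.pem" "$D/leaf.pem"
show "root anchor, fullchain.pem via -untrusted"    -CAfile "$D/root.pem" -untrusted "$D/fullchain.pem" "$D/leaf.pem"
show "root anchor, intermediate missing"            -CAfile "$D/root.pem" "$D/leaf.pem"
show "intermediate as anchor (not self-signed)"     -CAfile "$D/intermediate.pem" "$D/leaf.pem"
show "intermediate as anchor with -partial_chain"   -partial_chain -CAfile "$D/intermediate.pem" "$D/leaf.pem"
```

The third and fourth cases are the two ways `openssl verify -CAfile chain.pem cert.pem` from the table fails in practice: the intermediate is absent, or the bundle holds only intermediates and no self-signed root. A browser hitting a server that serves `cert.pem` instead of `fullchain.pem` is in the third situation.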

## Certbot — Let's Encrypt (Linux)

| Command | Description |
|---|---|
| `certbot certonly --nginx -d example.com -d www.example.com` | Obtain a cert only; the nginx plugin answers the challenge but does not edit server blocks (drop `certonly` to have it install the cert too) |
| `certbot certonly --webroot -w /var/www/html -d example.com` | HTTP-01 via webroot; the CA must reach `/.well-known/acme-challenge/` over port 80 |
| `certbot renew --dry-run` | Test renewal against the staging CA without touching live certs |
| `certbot renew` | Renew every cert within 30 days of expiry (normally run by the package's systemd timer or cron job) |
| `certbot certificates` | List managed certificates with their domains and expiry dates |
| `ls /etc/letsencrypt/live/example.com/` | `fullchain.pem`, `privkey.pem`, `cert.pem`, `chain.pem` (symlinks into `archive/`; `privkey.pem` is readable only by root by default) |

## cert-manager — Kubernetes

| Command / resource | Description |
|---|---|
| `kubectl get certificate -A` | List Certificate resources and whether each is Ready |
| `kubectl describe certificate my-tls -n myns` | Issuance status and events |
| `kubectl get certificaterequest,order,challenge -A` | ACME challenge progress; a Challenge stuck in pending usually means the solver is unreachable or DNS does not point at the cluster |
| `ClusterIssuer` / `Issuer` | Defines where certs come from, e.g. an ACME account for Let's Encrypt; `ClusterIssuer` is cluster-wide, `Issuer` is namespaced |
| Ingress annotation `cert-manager.io/cluster-issuer` | Names the ClusterIssuer so cert-manager provisions the TLS Secret referenced by the Ingress |

## Verify cert matches key

```bash
# RSA only: this compares the modulus, which EC and Ed25519 keys do not have.
cert_md5=$(openssl x509 -noout -modulus -in fullchain.pem | openssl md5)
key_md5=$(openssl rsa -noout -modulus -in privkey.pem | openssl md5)
[ "$cert_md5" = "$key_md5" ] && echo "match" || echo "MISMATCH"
```
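
The modulus comparison above only works for RSA. The script below is an added example, not part of the original cheatsheet: it compares a SHA-256 over the DER SubjectPublicKeyInfo instead, which is the same check for RSA, EC and Ed25519, and it also lists SAN DNS names and tests expiry with `openssl x509 -checkend` (the `-dates`, `-ext subjectAltName` and `s_client` rows from the tables). The throwaway EC cert, its two SANs and the hostname passed to `fetch_remote_leaf` are made up for the demo; everything except `fetch_remote_leaf` runs offline.

```shell
#!/usr/bin/env sh
# Added example (not from the cheatsheet): key-type-agnostic cert/key checks plus
# SAN listing and an expiry threshold. The generated cert and names are made up.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo inside a certificate.
spki_hash_of_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the SubjectPublicKeyInfo derived from a private key (RSA, EC or Ed25519).
spki_hash_of_key() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the cert's public key belongs to this private key, 1 otherwise.
cert_matches_key() {
  [ "$(spki_hash_of_cert "$1")" = "$(spki_hash_of_key "$2")" ]
}

# DNS names from subjectAltName, one per line (-ext needs OpenSSL 1.1.1+).
cert_dns_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Exit 0 if the cert is still valid $2 days from now, 1 if it expires before then.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Whole days until notAfter (GNU date); prints "?" where date -d is unavailable.
days_until_expiry() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end=$(date -d "$not_after" +%s 2>/dev/null) || { echo '?'; return 0; }
  echo $(( (end - $(date +%s)) / 86400 ))
}

# Fetch a remote server's leaf via SNI into $2 so the same checks apply (needs network).
fetch_remote_leaf() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -out "$2"
}

# Throwaway EC cert with two SANs, valid 30 days, plus an unrelated key for a negative test.
make_demo_cert() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/key.pem" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/other.pem" 2>/dev/null
  openssl req -x509 -key "$dir/key.pem" -out "$dir/cert.pem" -days 30 -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" 2>/dev/null
  echo "$dir"
}

D=$(make_demo_cert)
cert_matches_key "$D/cert.pem" "$D/key.pem"   && echo "key.pem matches cert.pem"
cert_matches_key "$D/cert.pem" "$D/other.pem" || echo "other.pem does NOT match cert.pem"
echo "SANs: $(cert_dns_sans "$D/cert.pem" | tr '\n' ' ')"
echo "days until expiry: $(days_until_expiry "$D/cert.pem")"
valid_for_days "$D/cert.pem" 7  && echo "still valid in 7 days"
valid_for_days "$D/cert.pem" 60 || echo "expires within 60 days: renew"
```

`-checkend` is the portable way to build a renewal alert: it takes seconds, needs no date parsing and exits non-zero when the cert will have expired by then, so `valid_for_days fullchain.pem 14 || notify` works as a cron line.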

## Pro tips

- Always use `-servername` with `openssl s_client` when testing named vhosts; without SNI a server returns its default cert, not the one for the name you care about.
- Serve `fullchain.pem` to clients; missing intermediates cause trust errors in every client that does not fetch them itself.
- Run `certbot renew --dry-run` after setup to confirm auto-renewal works.
- Check SANs, not just CN: `openssl x509 -noout -ext subjectAltName -in cert.pem`. Browsers ignore CN entirely.
- `openssl verify` needs a self-signed root as the trust anchor; pass intermediates with `-untrusted`.
- The modulus trick is RSA-only; for EC keys compare the public keys (`openssl pkey -pubout`) instead.