See details about a certificate:
openssl x509 -in server.crt -text
openssl s_client -connect example.com:443 -showcerts
# To use SNI: openssl s_client -connect example.com:443 -servername example.com -showcerts
openssl s_client -connect example.com:443 | openssl x509 -text
Download a remote certificate:
echo -n | openssl s_client -connect example.com:443 | sed -ne `/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.com.crt
Test that a key matches a certificate:
(openssl x509 -noout -modulus -in foo.crt ; openssl rsa -noout -modulus -in foo.key) | uniq
Create a self-signed certificate:
Generate a Private Key: openssl genrsa -des3 -out server.pass.key 2048
Remove passphrase from key: openssl rsa -in server.pass.key -out server.key
Generate a CSR: openssl req -new -key server.key -out server.csr
Generate self-signed cert: openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
Or in one line:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Upload a cert to AWS:
aws iam upload-server-certificate
-server-certificate-name STAR.example.com
-certificate-body file://STAR.example.com.crt -private-key file://STAR.example.com.key
-certificate-chain file://chain.crt