OpenSSL command usage (Windows/Linux)

Install

Download from Win32/Win64 OpenSSL.

Installing OpenSSL on Windows 10 and updating PATH

Command

Set “C:\OpenSSL” as the working folder.

cd C:\OpenSSL

Certificate loading (PEM file)

openssl x509 -text -in certificate_PEM_filename.cer
Command Result
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:64:96:26:af:5c:68:b9:ee:c5:66:e8:43:78:35:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
        Validity
            Not Before: Feb  2 00:00:00 2021 GMT
            Not After : Mar  3 23:59:59 2022 GMT
        Subject: CN = qiita.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:59:A4:66:06:52:A0:7B:95:92:3C:A3:94:07:27:96:74:5B:F9:3D:D0

            X509v3 Subject Key Identifier:
                CA:78:66:CD:09:C8:36:08:0B:8E:70:55:B1:C5:9A:36:11:45:0D:6B
            X509v3 Subject Alternative Name:
                DNS:qiita.com, DNS:*.qiita.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.sca1b.amazontrust.com/sca1b.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP - URI:http://ocsp.sca1b.amazontrust.com
                CA Issuers - URI:http://crt.sca1b.amazontrust.com/sca1b.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                    Timestamp : Feb  2 00:12:53.033 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:63:EE:E9:C7:A1:17:EA:C4:80:67:A3:88:
                                A6:82:B1:80:D4:22:30:39:93:A3:35:63:7B:24:6F:A2:
                                F6:E9:6D:54:02:20:43:87:08:50:4A:3E:3C:35:EC:6F:
                                DA:F4:30:D4:98:C4:82:82:38:D3:CE:9E:A5:10:26:D7:
                                14:80:34:D6:7D:D8
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86:
                                E0:23:26:63:AD:C0:4B:7F:5D:C6:83:5C:6E:E2:0F:02
                    Timestamp : Feb  2 00:12:53.100 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:61:39:B4:58:32:95:15:30:5A:F0:86:B3:
                                9E:1C:16:FA:FC:60:FF:6E:D4:4C:FF:8D:EB:11:57:1D:
                                9C:3C:1F:1E:02:21:00:BD:35:9A:7E:09:BE:20:FB:47:
                                19:CD:B7:7D:AD:89:F7:57:11:7D:BA:CA:E3:0A:7A:61:
                                E7:01:11:26:3D:5E:36
    Signature Algorithm: sha256WithRSAEncryption

Certificate loading (DER file)

openssl x509 -text -inform der -in certificate_DER_filename.cer

Certificate conversion (PEM to DER file)

openssl x509 -in certificate_PEM_filename.cer -outform der -out converted_certificate_DER_filename.cer

Certificate conversion (DER to PEM file)

openssl x509 -inform der -in certificate_DER_filename.cer -outform pem -out converted_certificate_PEM_filename.cer

Connect to the web server and obtain a certificate

When a root certificate is specified with “-CAfile”, “Verify return code: 20 (unable to get local issuer certificate)” is not displayed.

openssl s_client -connect www1.example.com:443 -showcerts
openssl s_client -connect www1.example.com:443 -showcerts -CAfile C:\OpenSSL\RCA-PEM.cer

depth=1 is the intermediate CA certificate.
depth=0 is the TLS server certificate.

openssl s_client -connect www1.example.com:443 -showcerts
CONNECTED(000001B0)
depth=1 C = JP, ST = Tokyo, O = CA, CN = SCA01
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1
---
Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
   i:C = JP, ST = Tokyo, O = CA, CN = SCA01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 02:00:39 2022 GMT; NotAfter: Aug 29 02:00:39 2024 GMT
 1 s:C = JP, ST = Tokyo, O = CA, CN = SCA01
   i:C = JP, ST = Tokyo, O = CA, CN = RCA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 01:57:18 2022 GMT; NotAfter: May 23 01:57:18 2037 GMT
---
Server certificate
subject=C = JP, ST = Tokyo, O = CA, CN = *.example.com
issuer=C = JP, ST = Tokyo, O = CA, CN = SCA01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3411 bytes and written 402 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7CCC1AE5343957964C9CF9E007A8755D488C8C9BF26F0E53B54B8E455DD07B34
    Session-ID-ctx:
    Resumption PSK: C61050CA4853E39F88DB182E706D814326C4C178A65563079B18E327E924A9F48CBA5F55E641B795338478B47E148D1D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1656361261
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 21E0B3BF719EE05469583A317F4FC290229033678C53B7CA6EFDE67B6964C2E7
    Session-ID-ctx:
    Resumption PSK: B0CB7D04EBA1FCD379B9362AC23D6442067CA36C63ACDC12EAB71DC2AC359DDBF95F3BAC77006D58F1E7A0130B815378
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1656361261
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/openssl-s_client.html
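
The verify return code and the depth=0/depth=1 chain entries can be checked by a script instead of by eye. The following is an added example, not part of the original page: it parses an excerpt of the s_client output shown above, and the function names (parse_ts, parse_s_client, audit) and the 30-day warning window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the s_client output shown above (PEM bodies omitted).
SAMPLE = """\
Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
   i:C = JP, ST = Tokyo, O = CA, CN = SCA01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 02:00:39 2022 GMT; NotAfter: Aug 29 02:00:39 2024 GMT
 1 s:C = JP, ST = Tokyo, O = CA, CN = SCA01
   i:C = JP, ST = Tokyo, O = CA, CN = RCA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 01:57:18 2022 GMT; NotAfter: May 23 01:57:18 2037 GMT
---
Verify return code: 20 (unable to get local issuer certificate)
"""


def parse_ts(value):
    """Parse an OpenSSL timestamp such as 'May 27 02:00:39 2022 GMT'."""
    value = " ".join(value.split())  # collapse padding before 1-digit days
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_s_client(text):
    """Return (chain, verify_code, verify_text) from -showcerts output."""
    chain, code, reason = [], None, None
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+) s:(.*)$", line)
        if m:  # " 0 s:<subject>" starts a new chain entry
            chain.append({"depth": int(m.group(1)),
                          "subject": m.group(2).strip()})
            continue
        m = re.match(r"^\s+i:(.*)$", line)
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
            continue
        m = re.match(r"^\s+v:NotBefore: (.*?); NotAfter: (.*)$", line)
        if m and chain:
            chain[-1]["not_before"] = parse_ts(m.group(1))
            chain[-1]["not_after"] = parse_ts(m.group(2))
            continue
        m = re.match(r"^\s*Verify return code: (\d+) \((.*)\)\s*$", line)
        if m and code is None:  # the line repeats in every session block
            code, reason = int(m.group(1)), m.group(2)
    return chain, code, reason


def audit(text, now, warn_days=30):
    """Return a list of findings; an empty list means nothing to report."""
    chain, code, reason = parse_s_client(text)
    findings = []
    if code is None:
        findings.append("no verify return code found")
    elif code != 0:
        findings.append(f"verify return code {code}: {reason}")
    # Each certificate must be issued by the next one up the chain.
    for lower, upper in zip(chain, chain[1:]):
        if lower.get("issuer") != upper["subject"]:
            findings.append(
                f"chain break between depth {lower['depth']} "
                f"and {upper['depth']}")
    for cert in chain:
        end = cert.get("not_after")  # absent if the output has no v: lines
        if end and end < now:
            findings.append(f"depth {cert['depth']} expired")
        elif end and end - now < timedelta(days=warn_days):
            findings.append(
                f"depth {cert['depth']} expires within {warn_days} days")
    # Code 20: the issuer of the top certificate sent is not trusted locally.
    if code == 20 and chain:
        findings.append(
            f"trust anchor to supply via -CAfile: {chain[-1].get('issuer')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime(2022, 6, 27, tzinfo=timezone.utc)):
        print(finding)
```

s_client completes the handshake even when verification fails, so a script has to read the return code as done here, or run s_client with -verify_return_error so that the connection is aborted instead.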

Key pair generation

RSA-2048, RSA-3072, RSA-4096, prime256v1, secp256k1, secp384r1

openssl genrsa 2048 > cert2048.key
openssl genrsa 3072 > cert3072.key
openssl genrsa 4096 > cert4096.key
openssl ecparam -name prime256v1 -genkey -out certprime256v1.key
openssl ecparam -name secp256k1 -genkey -out certecc256.key
openssl ecparam -name secp384r1 -genkey -out certecc384.key

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/openssl-genrsa.html
OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/ecparam.html

Key pair display

openssl rsa -noout -text -in cert2048.key
openssl rsa -noout -text -in cert3072.key
openssl rsa -noout -text -in cert4096.key
openssl ec -text -in certprime256v1.key
openssl ec -text -in certecc256.key
openssl ec -text -in certecc384.key

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/rsa.html
OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/ec.html

RSA key pair display command result

Name             Description                                                Type
modulus          modulus n (n=pq)                                           Public Key
publicExponent   publicExponent e=65537                                     Public Key
privateExponent  privateExponent d=e^(-1) mod (p-1)(q-1)                    Private Key
prime1           The prime factor of n, p                                   Private Key
prime2           The prime factor of n, q                                   Private Key
exponent1        d mod (p-1)
exponent2        d mod (q-1)
coefficient      Coefficient of the Chinese remainder theorem q^(-1) mod p

RSA Private-Key: (2048 bit, 2 primes)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
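
The relations listed in the table above can be checked against the fields that "openssl rsa -noout -text" prints. The following is an added example, not part of the original page: parse_rsa_text and check_rsa_key are illustrative names, and the sample is a constructed toy key (p=251, q=241) laid out in the same format, not a real key.

```python
import math
import re

# Constructed toy key (p=251, q=241), formatted like `openssl rsa -noout -text`
# output. Far too small for real use; it only exercises the parser and checks.
SAMPLE = """\
RSA Private-Key: (16 bit, 2 primes)
modulus:
    00:ec:4b
publicExponent: 65537 (0x10001)
privateExponent:
    00:82:c1
prime1:
    00:fb
prime2:
    00:f1
exponent1:
    00:df
exponent2:
    71
coefficient:
    19
"""

FIELD = re.compile(r"^(\w+):\s*(.*)$")


def parse_rsa_text(text):
    """Return {field name: int} from `openssl rsa -text` style output."""
    fields, name, hexbuf = {}, None, []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last field
        if line[:1].isspace():
            # Indented continuation line: colon-separated hex bytes.
            if name is not None:
                hexbuf.append(line.strip().replace(":", ""))
            continue
        if name is not None and hexbuf:
            fields[name] = int("".join(hexbuf), 16)
        name, hexbuf = None, []
        m = FIELD.match(line)
        if m and m.group(2)[:1].isdigit():
            # Inline form, e.g. "publicExponent: 65537 (0x10001)".
            fields[m.group(1)] = int(m.group(2).split()[0])
        elif m and not m.group(2):
            name = m.group(1)
    return fields


def check_rsa_key(k):
    """Return the names of fields that break the relations in the table."""
    n, e, d = k["modulus"], k["publicExponent"], k["privateExponent"]
    p, q = k["prime1"], k["prime2"]
    bad = []
    if n != p * q:
        bad.append("modulus")
    # e*d must be 1 modulo both p-1 and q-1. That holds whether d was derived
    # modulo (p-1)(q-1), as in the table, or modulo lcm(p-1, q-1).
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        bad.append("privateExponent")
    if k["exponent1"] != d % (p - 1):
        bad.append("exponent1")
    if k["exponent2"] != d % (q - 1):
        bad.append("exponent2")
    if (k["coefficient"] * q) % p != 1:
        bad.append("coefficient")
    return bad


if __name__ == "__main__":
    print(check_rsa_key(parse_rsa_text(SAMPLE)) or "all relations hold")
```

OpenSSL runs a comparable consistency check itself with "openssl rsa -check -noout -in cert2048.key".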

CSR generation

openssl req -new -key cert2048.key -sha256 -out cert2048.csr
openssl req -new -key cert3072.key -sha256 -out cert3072.csr
openssl req -new -key cert4096.key -sha256 -out cert4096.csr
openssl req -new -key certecc256.key -sha256 -out certecc256.csr
openssl req -new -key certecc384.key -sha256 -out certecc384.csr

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/req.html

CSR Display

openssl req -text -noout -in cert2048.csr
openssl req -text -noout -in cert3072.csr
openssl req -text -noout -in cert4096.csr
openssl req -text -noout -in certecc256.csr
openssl req -text -noout -in certecc384.csr

Issuance of self-signed certificates

Validity period: 10 years (365 days x 10 years + 2 days [leap year])

openssl x509 -days 3652 -in cert2048.csr -req -signkey cert2048.key -out cert2048.cer
openssl x509 -days 3652 -in cert3072.csr -req -signkey cert3072.key -out cert3072.cer
openssl x509 -days 3652 -in cert4096.csr -req -signkey cert4096.key -out cert4096.cer
openssl x509 -days 3652 -in certecc256.csr -req -signkey certecc256.key -out certecc256.cer
openssl x509 -days 3652 -in certecc384.csr -req -signkey certecc384.key -out certecc384.cer

CRL Display

openssl crl -inform der -in fullcrl.crl -text -noout

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/crl.html

P12 file generation

openssl pkcs12 -export -in cert2048.cer -inkey cert2048.key -out cert2048.p12

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html

P12 file generation (including intermediate CA certificate)

openssl pkcs12 -export -in cert2048.cer -inkey cert2048.key -certfile SubordinateCA.cer -out cert2048.p12

Extract private keys, certificates, and intermediate CA certificates from P12 files

#Extract certificates and intermediate CA certificates (output file can be opened as a text file to display hierarchy)
openssl pkcs12 -in cert2048.p12 -nokeys -out cert2048-allout.cer
#Extract only certificates
openssl pkcs12 -in cert2048.p12 -clcerts -nokeys -out cert2048-out.cer
#Extract only Subordinate CA certificates
openssl pkcs12 -in cert2048.p12 -cacerts -nokeys -out SubordinateCA-out.cer
#Extract private keys only (-nodes writes the key to the output file unencrypted)
openssl pkcs12 -in cert2048.p12 -nocerts -nodes -out cert2048-out.key

Certificate validation

RootAndSubordinateCA.cer: PEM file that combines the root and intermediate CA certificates

#Certificate validation
openssl verify -CAfile RootAndSubordinateCA.cer cert2048.cer

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/openssl-verify.html

Contact OCSP Responders

OpenSSL:https://www.openssl.org/docs/man1.1.1/man1/ocsp.html

Reference
OCSP Status Checker
Paste the PEM file and the OCSP results will be displayed.

Query from certificate file

openssl ocsp -sha1 -no_nonce -CAfile [root certificate PEM filename.cer] -issuer [intermediate CA certificate PEM filename.cer] -cert [TLS server certificate PEM filename.cer] -url [OCSP responder URL starting with HTTP]

If “-sha1” is changed to “-sha256”, the Hash Algorithm of Certificate ID becomes SHA256.

Command Result
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
          Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
          Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = JP, ST = Tokyo, O = CA, CN = SCA01
    Produced At: Jun  9 22:50:29 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
      Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
      Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
    Cert Status: revoked
    Revocation Time: May 27 23:26:27 2022 GMT
    Revocation Reason: superseded (0x4)
    This Update: Jun  9 22:50:29 2022 GMT
    Next Update: Jun 16 22:50:29 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:5a:5a:dc:0f:03:a5:dc:3a:54:30:1f:14:39:c5:de:e9:18:c3:2d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=CA, CN=RCA
        Validity
            Not Before: May 27 01:57:18 2022 GMT
            Not After : May 23 01:57:18 2037 GMT
        Subject: C=JP, ST=Tokyo, O=CA, CN=SCA01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                99:45:18:55:A2:DE:5A:1D:D5:A4:76:25:B4:C3:3D:56:71:FD:9D:3E
            X509v3 Authority Key Identifier: 
                keyid:37:3E:1B:49:3C:AE:71:72:21:3E:0F:57:A9:72:B9:36:7D:00:EE:BE

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www1.example.com/RCAcrl.crl

            Authority Information Access: 
                CA Issuers - URI:http://www1.example.com/RCA.crt

    Signature Algorithm: sha256WithRSAEncryption
Response verify OK
0x73ff7b6e99e146f8674bdb72c65319e5f43a4085: revoked
	This Update: Jun  9 22:50:29 2022 GMT
	Next Update: Jun 16 22:50:29 2022 GMT
	Reason: superseded
	Revocation Time: May 27 23:26:27 2022 GMT
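
Because the query is sent with -no_nonce, the response is not bound to the request, so the only freshness evidence is the This Update / Next Update window, alongside the "Response verify OK" line. The following is an added example, not part of the original page: it parses the summary lines of the command result above and turns them into a decision; the function names (parse_ts, parse_ocsp_summary, evaluate) are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timezone

# Summary lines copied from the command result above.
SAMPLE = (
    "Response verify OK\n"
    "0x73ff7b6e99e146f8674bdb72c65319e5f43a4085: revoked\n"
    "\tThis Update: Jun  9 22:50:29 2022 GMT\n"
    "\tNext Update: Jun 16 22:50:29 2022 GMT\n"
    "\tReason: superseded\n"
    "\tRevocation Time: May 27 23:26:27 2022 GMT\n"
)

STATUS = re.compile(r"^(.+): (good|revoked|unknown)$")
TIME_FIELDS = ("This Update", "Next Update", "Revocation Time")


def parse_ts(value):
    """Parse an OpenSSL timestamp such as 'Jun  9 22:50:29 2022 GMT'."""
    value = " ".join(value.split())  # collapse padding before 1-digit days
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_ocsp_summary(text):
    """Extract verification result, status and timestamps from the output."""
    result = {"verified": False, "status": None}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(": ")
        if line == "Response verify OK":
            result["verified"] = True
        elif sep and key in TIME_FIELDS:
            result[key] = parse_ts(value)
        elif sep and key == "Reason":
            result["Reason"] = value
        elif STATUS.match(line) and key != "Cert Status":
            # "<serial or file name>: good|revoked|unknown"
            result["cert"], result["status"] = key, value
    return result


def evaluate(result, now):
    """Return 'good', 'revoked' or 'unknown', or a 'reject: ...' string."""
    if not result["verified"]:
        return "reject: response signature not verified"
    if result["status"] is None or "This Update" not in result:
        return "reject: no certificate status in response"
    if now < result["This Update"]:
        return "reject: thisUpdate is in the future"
    # Without a nonce, a response that has no Next Update, or is past it,
    # cannot be shown to be fresh, so it is treated as stale.
    if "Next Update" not in result or now > result["Next Update"]:
        return "reject: response is stale"
    return result["status"]


if __name__ == "__main__":
    parsed = parse_ocsp_summary(SAMPLE)
    print(evaluate(parsed, datetime(2022, 6, 10, tzinfo=timezone.utc)))
```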

Query by serial number

openssl ocsp -sha1 -no_nonce -CAfile [root certificate PEM filename.cer] -issuer [intermediate CA certificate PEM filename.cer] -serial [serial number] -url [OCSP responder URL starting with HTTP]

The [serial number] is given in hexadecimal notation, as follows:

0x73ff7b6e99e146f8674bdb72c65319e5f43a4085
