Extract SAN list openssl
Show only SAN entries; modern browsers ignore CN, so SAN is what matters
openssl x509 -in cert.pem -noout -ext subjectAltName
more openssl
all 27 commands →
Verify cert against CA chain
openssl verify -CAfile ca-chain.pem cert.pem
Match cert and private key
diff <(openssl x509 -in cert.pem -noout -modulus | md5sum) <(openssl rsa -in key.pem -noout -modulus | md5sum)
CSR + key in one shot
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.csr -subj "/CN=<host>" -addext "subjectAltName=DNS:<host>"
Self-signed cert with SAN
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=<host>" -addext "subjectAltName=DNS:<host>"
PEM to PKCS12 bundle
openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca-chain.pem -out bundle.p12 -name <name>