This is one of the most annoying programs I know of. Why? Because its command-line interface sucks! This is one of those programs where you find people claiming “This is fairly easy to do with openssl”, only to then present you with a long command-line script full of pipes, parameters and even useless stuff nobody needs.

generate self-signed certificates

openssl req -newkey rsa:4096 -x509 -nodes -keyout lighttpd.pem -out lighttpd.pem

You can also choose two different file names and cat them together afterwards. This may be needed for some web servers. The -keyout file is the private key, and -nodes leaves it unencrypted, so take care with it.

fingerprint look up

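# replace HOST:PORT with the server to query; </dev/null makes s_client exit after the handshake
openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | openssl x509 -sha256 -noout -fingerprint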

use as password generator

openssl rand -base64 20

For .htaccess

openssl passwd

check expiration date

# e.g. for a mail server with STARTTLS (replace HOST:PORT)
openssl s_client -connect HOST:PORT -starttls smtp </dev/null 2>/dev/null | openssl x509 -noout -dates
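
The two-file variant from the self-signed section and a local version of the expiration check, as an added example that is not part of the original notes. The function names, the file names server.key, server.crt and server.pem, the -subj value and the 365-day validity are assumptions.

```shell
# Added example: hypothetical helpers, not from the original page.

# Create key and certificate as separate files, then a combined PEM.
# usage: make_selfsigned DIR COMMON_NAME [RSA_BITS]
make_selfsigned() {
    dir=$1; cn=$2; bits=${3:-4096}
    (
        # -nodes writes the key unencrypted, so create every file mode 0600
        umask 077
        # -subj avoids the interactive prompts, -days sets the validity
        openssl req -newkey "rsa:$bits" -x509 -nodes -days 365 \
            -subj "/CN=$cn" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null &&
        cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    )
}

# Succeed only if the private key and the certificate in a combined
# PEM file belong together (their public keys are identical).
pem_is_consistent() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate in FILE expires within SECONDS from now.
# -checkend exits 0 when the certificate is still valid at that point.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a local certificate file
cert_fingerprint() {
    openssl x509 -in "$1" -sha256 -noout -fingerprint
}
```

`expires_within cert.pem 2592000` is the form to put in a cron job to get warned 30 days ahead.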