SSL
Create a self-signed certificate
# openssl req -newkey rsa:4096 -sha512 -x509 -days 3650 -nodes -out /etc/ssl/certs/server-example-com.pem -keyout /etc/ssl/private/server-example-com.pem
# chown root:ssl-cert /etc/ssl/private/server-example-com.pem
# chmod 640 /etc/ssl/private/server-example-com.pem
# chmod 644 /etc/ssl/certs/server-example-com.pem
Create a CAcert signed certificate
Join the CAcert community: https://www.cacert.org.
Generate a Certificate Signing Request (CSR):
# openssl req -new -newkey rsa:4096 -sha512 -nodes -keyout /etc/ssl/private/www-example-com.pem -out www-example-com.csr
Store the signed certificate:
# vi /etc/ssl/certs/www-example-com.pem
Fix ownership and permissions:
# chown root:ssl-cert /etc/ssl/private/www-example-com.pem
# chmod 640 /etc/ssl/private/www-example-com.pem
# chmod 644 /etc/ssl/certs/www-example-com.pem
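Added example (not part of the original page): a check to run after storing the signed certificate and fixing permissions. It confirms that the certificate's public key matches the private key and that the key file is not accessible to other users. The function names are hypothetical, and the SHA-256 fingerprint it prints goes beyond the SHA-1 and MD5 fingerprints used elsewhere on this page.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original page.

# Succeeds (0) if the certificate's public key equals the one derived from
# the private key; returns 1 on mismatch, 2 if either file cannot be parsed.
# Assumes an unencrypted key, as produced by the -nodes option on this page.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the key file has no read/write/execute bit set for "other",
# which holds for the mode 640 used on this page.
key_not_world_accessible() {
    [ -f "$1" ] || return 2
    hits=$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$hits" ]
}

# Run both checks, then print the SHA-256 fingerprint of the certificate.
check_pair() {
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: $1 does not match $2" >&2; return 1; }
    key_not_world_accessible "$2" ||
        { echo "FAIL: $2 is accessible to other users" >&2; return 1; }
    openssl x509 -fingerprint -sha256 -noout -in "$1"
}

# Usage (paths from this page):
#   check_pair /etc/ssl/certs/www-example-com.pem \
#              /etc/ssl/private/www-example-com.pem
```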
Print certificate as text
$ openssl x509 -text -in /etc/ssl/certs/server-example-com.pem
Get fingerprints
$ openssl x509 -fingerprint -sha1 -noout -in /etc/ssl/certs/server-example-com.pem
$ openssl x509 -fingerprint -md5 -noout -in /etc/ssl/certs/server-example-com.pem
Show certificates of a service
$ openssl s_client -connect server.example.com:25 -showcerts -starttls smtp
$ openssl s_client -connect server.example.com:443 -showcerts