General Information
OpenSSL is a tool for many certificate-related tasks, such as creating a CSR, verifying that a cert and key match, and converting between formats.
Checklist
PEM-encoded files are recognisable by their header and footer lines: -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- for a certificate, or -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- for a key.
Generating certificate signing requests to send to a certificate authority.
Generate a new private key and a CSR in one step
openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
Generate a CSR from an existing private key (SHA-256 signature)
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
Generate a CSR from an existing certificate and its private key (e.g. for renewal)
openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
Self-signed certificates are for development/home use. They encrypt traffic just fine, but end users will see a warning message since the cert is not signed by a valid certificate authority.
Generate a self-signed cert and private key from scratch
openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt
Generate a self-signed cert from an existing private key
openssl req -key MYSITE.key -new -x509 -days 365 -out MYSITE.crt
Generate a self-signed cert from an existing private key and existing CSR
openssl x509 -signkey MYSITE.key -in MYSITE.csr -req -days 365 -out MYSITE.crt
Converting certificates from one type to another.
Extract the unencrypted private key from a PKCS#12 (.pfx) bundle
openssl pkcs12 -in mycertpack.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > mykey.key
Extract only the end-entity (client/server) certificate
openssl pkcs12 -in mycertpack.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.crt
Extract only the CA certificates
openssl pkcs12 -in mycertpack.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myCA.crt
Convert DER (.cer) to PEM
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
Convert PEM to DER
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
Convert a PKCS#12 keystore to a single PEM file containing the key and certificates
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
Extract the key (passphrase-protected), strip the passphrase, then extract the certificate
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
openssl rsa -in mysite.key.pem -out mysite.key
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
Convert p7b to PEM combined, then convert to bundle of certs
openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem
openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle
View the “mysite.p7b.bundle” file:
OpenSSL can be used to verify that a certificate and key match.
Compare the Modulus fields in the two outputs to ensure they match
openssl x509 -noout -text -in mysite.crt
openssl rsa -noout -text -in mysite.key
Similar method, but hashing only the modulus for a shorter comparison; the two hashes must be identical. (Hashing the full -text output would never match, because a certificate and a key print differently.)
openssl x509 -noout -modulus -in mysite.crt | openssl md5
openssl rsa -noout -modulus -in mysite.key | openssl md5
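The modulus trick above only works for RSA. Below is an added script (not from the original notes) that does the same cert/key match by hashing the public key each file carries, so it also works for EC keys; it generates constructed throw-away key pairs in a temp directory to demonstrate a match and a mismatch.

```shell
#!/bin/sh
# Added example (not part of the original notes): confirm that a certificate and a
# private key belong together by comparing the public key each carries. Works for
# RSA and EC keys, unlike hashing "-text" output, which never matches.
set -eu

# SHA-256 of the DER-encoded public key inside a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate and key match, 1 otherwise.
cert_matches_key() {
    c=$(cert_pubkey_digest "$1")
    k=$(key_pubkey_digest "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed throw-away material: an RSA pair and an EC pair, each with a
# self-signed certificate. Prints the temporary directory that holds them.
make_demo_material() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-rsa" \
        -keyout "$d/rsa.key" -out "$d/rsa.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key"
    openssl req -x509 -new -key "$d/ec.key" -days 1 -subj "/CN=demo-ec" \
        -out "$d/ec.crt" 2>/dev/null
    echo "$d"
}

# Stand-alone run: report each pairing, including a deliberate mismatch.
main() {
    d=$(make_demo_material)
    for pair in "rsa.crt rsa.key" "ec.crt ec.key" "rsa.crt ec.key"; do
        set -- $pair
        cert_matches_key "$d/$1" "$d/$2" && echo "MATCH    $1 <-> $2" \
            || echo "MISMATCH $1 <-> $2"
    done
    rm -rf "$d"
}
main
```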
Display Certificate Contents
openssl x509 -in mysite.crt -text
Display CSR Contents
openssl req -in mysite.csr -text
To verify that a certificate was issued by a given intermediate (chain of authority test). Note that openssl verify normally insists on reaching a self-signed root, so an intermediate alone in -CAfile fails with "unable to get issuer certificate"; -partial_chain (OpenSSL 1.0.2 and later) accepts the intermediate as the trust anchor. When the root is available, put the root in -CAfile and pass the intermediate with -untrusted instead.
openssl verify -partial_chain -CAfile mysites_intermediate.crt mysite.crt
Remotely check a site's certificate and fingerprint it (-servername sends SNI so the correct certificate is served; redirecting stdin from /dev/null makes s_client exit instead of waiting for input)
openssl s_client -connect <domain>:443 -servername <domain> -showcerts </dev/null 2>/dev/null | openssl x509 -noout -text -fingerprint