OpenSSL
General Information
Openssl is a tool that performs many certificate-related tasks, such as creating a CSR, verifying that a certificate and key match, and converting between encodings.
Checklist
- Distros: All
Certificate Encoding
- Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Or
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
- PKCS #7 B (P7B) - Represents a set of certificates (e.g. a certificate chain).
- PKCS #12/PFX/P12 - Lets you put a private key and certificate into a single file.
- Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates.
Common Extensions
- .crt - Used for certificates, commonly on *nix systems.
- .cer - Used for certificates, commonly on Windows.
- .key - Public or private PKCS keys, encoded as binary DER or ASCII PEM.
Generate Certificate Signing Requests
New Private Key and CSR
openssl req -out MYSITE.csr -new -newkey rsa:2048 -nodes -keyout MYSITE.key
New CSR for an Existing Private Key
openssl req -out MYSITE.csr -key MYSITE.key -new
CSR Based On Existing Certificate
openssl x509 -x509toreq -in MYSITE.crt -out MYSITE.csr -signkey MYSITE.key
Certificate Conversions
Convert binary DER to PEM
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
Convert PEM to DER
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
Convert a PKCS#12 file (.pfx, .p12) that contains a private key and certificates to PEM
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
Create crt/key from a PFX file
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
openssl rsa -in mysite.key.pem -out mysite.key
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
Cert+Key Matching
Openssl can be used to verify that a certificate and key match.
Display both and compare the modulus values in the two outputs to ensure they match
openssl x509 -noout -text -in mysite.crt
openssl rsa -noout -text -in mysite.key
Similar method, but printing only the modulus and running it through an md5 hash for a shorter comparison (the full -text dumps differ between a certificate and a key, so only the modulus hashes are comparable)
openssl x509 -noout -modulus -in mysite.crt | openssl md5
openssl rsa -noout -modulus -in mysite.key | openssl md5
Displaying Certificate Contents
Display Certificate Contents
openssl x509 -in mysite.crt -text
Display CSR Contents
openssl req -in mysite.csr -text
Verification
To verify that an intermediate cert and client certificate pass a chain of authority test:
openssl verify -CAfile mysites_intermediate.crt mysite.crt
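The following script is an added example, not part of the original page: it builds a throwaway CA and CA-signed leaf certificate, then runs the cert+key matching check and the chain verification from the sections above on them. Note that openssl verify by default only succeeds when the chain ends in a self-signed certificate present in the -CAfile (unless -partial_chain is given), so the trust file here is the root CA; all names (Example Test CA, mysite.example) and file paths are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original page): throwaway PKI plus the page's
# matching and verification checks. Names and paths are constructed for the demo.
set -u

# Create a self-signed CA and a CA-signed leaf cert/key pair in directory $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # New private key and CSR for the site (same form as the page's first CSR command)
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mysite.example" \
        -keyout "$dir/mysite.key" -out "$dir/mysite.csr" 2>/dev/null
    # Sign the CSR with the CA so the leaf has a real issuer to chain to
    openssl x509 -req -days 1 -in "$dir/mysite.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/mysite.crt" 2>/dev/null
}

# Exit 0 if certificate $1 and RSA private key $2 carry the same modulus.
# The page pipes each modulus through "openssl md5" only to shorten it for
# eyeballing; comparing the Modulus= lines directly is equivalent.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Exit 0 if leaf $2 chains to a self-signed certificate in trust file $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo: build the PKI in a temp dir and report each check.
tmp=$(mktemp -d)
make_test_pki "$tmp"
cert_key_match "$tmp/mysite.crt" "$tmp/mysite.key" && echo "mysite.crt / mysite.key: match"
cert_key_match "$tmp/mysite.crt" "$tmp/ca.key"     || echo "mysite.crt / ca.key: mismatch (expected)"
verify_chain "$tmp/ca.crt" "$tmp/mysite.crt"       && echo "mysite.crt chains to ca.crt: OK"
rm -rf "$tmp"
```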