This post describes the most used commands from OpenSSL tool.
General OpenSSL Commands
These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.
- Generate a new private key and Certificate Signing Request:
- openssl req -out CSR.csr -pubkey -new -keyout privateKey.key
- openssl req -nodes -newkey rsa:2048 -keyout privateKey.key -out CSR.csr (this generates a 2048 bits certificate request)
- Generate a certificate signing request (CSR) for an existing private key: openssl req -out CSR.csr -key privateKey.key -new
- Generate a certificate signing request based on an existing certificate: openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
- Generate a self-signed certificate: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privateKey.key -out certificate.crt
- Remove a passphrase from a private key: openssl rsa -in privateKey.pem -out newPrivateKey.pem
Checking Using OpenSSL
If you need to check the information within a Certificate, CSR or Private Key, use these commands.
- Check a Certificate Signing Request (CSR): openssl req -text -noout -verify -in CSR.csr
- Check a private key: openssl rsa -in privateKey.key -check
- Check a certificate: openssl x509 -in certificate.crt -text -noout
- Check a PKCS#12 file (.pfx or .p12): openssl pkcs12 -info -in keyStore.p12
Converting Using OpenSSL
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.
- Convert a DER file (.crt .cer .der) to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem
- Convert a PEM file to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
- Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodesYou can add -nocerts to only output the private key or add -nokeys to only output the certificates.
- Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12): openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Check whether a private key / CSR matches a certificate
These commands allow you to compare the modulus of the private key, the modulus of a certificate and the modulus of a CSR. If the results are the same, you have a match:
- Modulus of a Certificate: openssl x509 -noout -modulus -in certificate.crt | openssl md5
- Modulus of a private key (may require password): openssl rsa -noout -modulus -in privateKey.key | openssl md5
- Modulus of a CSR: openssl req -noout -modulus -in CSR.csr | openssl md5
The site that describes OpenSSL tool and much more, can be found here.