openssl utils commands

This post describes the most used commands  from OpenSSL tool.

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request:
    • openssl req -out CSR.csr -pubkey -new -keyout privateKey.key
    • openssl req -nodes -newkey rsa:2048 -keyout privateKey.key -out CSR.csr (this generates a 2048 bits certificate request)
  • Generate a certificate signing request (CSR) for an existing private key: openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate: openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Generate a self-signed certificate: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privateKey.key -out certificate.crt
  • Remove a passphrase from a private key: openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands.

  • Check a Certificate Signing Request (CSR): openssl req -text -noout -verify -in CSR.csr
  • Check a private key: openssl rsa -in privateKey.key -check
  • Check a certificate: openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12): openssl pkcs12 -info -in keyStore.p12

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.

  • Convert a DER file (.crt .cer .der) to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodesYou can add -nocerts to only output the private key or add -nokeys to only output the certificates.
  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12): openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Check whether a private key / CSR matches a certificate

These commands allow you to compare the modulus of the private key, the modulus of a certificate and the modulus of a CSR. If the results are the same, you have a match:

  • Modulus of a Certificate: openssl x509 -noout -modulus -in certificate.crt | openssl md5
  • Modulus of a private key (may require password): openssl rsa -noout -modulus -in privateKey.key | openssl md5
  • Modulus of a CSR: openssl req -noout -modulus -in CSR.csr | openssl md5


The site that describes OpenSSL tool and much more, can be found here.

4 thoughts on “openssl utils commands”

  1. Podes verificar da seguinte forma:

    # verify signature
    openssl req -in myreq.pem -noout -verify -key mykey.pem

    E a informação completa do certificado com o comando:

    # check info
    openssl req -in myreq.pem -noout -text


  2. Olá fapg! Parabéns pelo seu artigo.
    Necessitava de ajuda para o seguinte:
    Criei um certificado Auto-Assinado para usar no meu NAS QNAP TS-110 através do comando: req -x509 -nodes -days 365 -newkey rsa:1024 -keyout apaxe.key -out apaxe.crt .
    Como o meu NAS só permite que se importe certificados no formato X.509PEM usei o comando: x509 -inform der -in apaxe.crt -out certificate.pem , sem sucesso pois após este comando recebo a seguinte mensagem de erro:
    unable to load certificate
    3540:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\as
    3540:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\
    error in x509

    Pode ajudar-me a explicar porque não consigo exportar o ficheiro DER em PEM?
    Eu estou a usar o Windows XP.

Leave a Reply

Your email address will not be published. Required fields are marked *