The Blog

Common OpenSSL Commands

These are some common commands that can be used with OpenSSL. Much of this information can be found in the related blog: Katholieke Universiteit Leuven. In addition, some good documentation can be found at

Certificate Generation and Signing

Generate a new private key and matching Certificate Signing Request (eg to send to a commercial CA)

openssl req -out MYCSR.csr -pubkey -new -keyout MYKEY.key -newkey rsa:2048 

This will generate 2048-bit, key file. As soon as you issue the command, you will be prompted to enter some basic information about the entity being certified. The “Private Key” file generated, using the above command, won’t have secret pass-phrase associated with it (good when using with Apache server).

  • the -newkey rsa:2048 allows you to set the size of the key (2^10 or greater)
  • add -nodes to create an unencrypted private key
  • add -config <openssl.cnf> if your config file has not been set in the environment
  • to create a wildcard certificate (applies to multiple sub-domains), enter * when prompted form “Common Name”

Removing the “-nodes” option from the above mentioned openssl command will ask for a pass-phrase and encrypt the private key. This can increase security, but the pass-phrase will be required each time Apache is started. To get a unsecure private key for your Windows-based Apache setup, you can use the following command:

Decrypt private key

openssl rsa -in MYKEY.key >> MYKEY-NOCRYPT.key 

Generate a certificate siging request for an existing private key

openssl req -new -sha1 -days 3650 -key MYKEY.key -out MYCSR.csr 

If you have an existing private key for some certificate, you can use this command to generate the certificate signing request (CSR) to send to the certificate authority (CA). If you are using your own CA, you can use one of the commands below to validate the CSR and convert it into a certificate (CRT).

Generate a certificate signing request based on an existing x509 certificate

openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key 

Create self-signed certificate (can be used to sign other certificates)

openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 3650 

Sign a Certificate Signing Request

openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365

If you have the private key of the certificate authority (CA), you can sign certificates with it. This is the command to use for that purpose.

  • -days has to be less than the validity of the CA certificate

Conversion Commands

Convert DER (.crt .cer .der) to PEM

openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

Convert PEM to DER

openssl x509 -outform der -in MYCERT.pem -out MYCERT.der

Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes 
  • add -nocerts for private key only
  • add -nokeys for certificates only

Convert (add) a seperate key and certificate to a new keystore of type PKCS#12

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" 

Convert (add) a seperate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain
  • you can repeat the combination of “-CAfile” and “-caname” for each intermediate certificate

Verification and Debugging Commands

Check a private key

openssl rsa -in MYKEY.key -check
  • add -noout to not disclose the key

Check a Certificate Signing Request

openssl req -text -noout -verify -in MYCSR.csr 

Check a certificate

openssl x509 -in MYCERT.crt -text -noout 

Check a PKCS#12 keystore

openssl pkcs12 -info -in KEYSTORE.p12

Check a trust chain of a certificate

openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt
  • trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
  • to check for server usage: -purpose sslserver
  • to check for client usage: -purpose sslient

Debug an SSL connection (server doesn’t require certificate authentication)

openssl s_client -connect

Debug an SSL connection with mutual certificate authentication

openssl s_client -connect -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key
  • trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
  • send the starttls command (smtp or pop3 style): -starttls smtp or -starttls pop3

Tags: , , ,

No comments yet.

Leave a Comment

Remember to play nicely folks, nobody likes a troll.

You must be logged in to post a comment.