These are some common commands that can be used with OpenSSL. Much of this information can be found in the related blog: Katholieke Universiteit Leuven. In addition, some good documentation can be found at madboa.com/geek/openssl/.
Certificate Generation and Signing
Generate a new private key and matching Certificate Signing Request (e.g. to send to a commercial CA)
openssl req -out MYCSR.csr -new -keyout MYKEY.key -newkey rsa:2048 -nodes
This generates a 2048-bit RSA key file and a CSR. As soon as you issue the command, you will be prompted for some basic information about the entity being certified. The private key file generated by the above command won't have a pass-phrase associated with it (convenient when used with an Apache server).
- -newkey rsa:2048 sets the size of the key (2^10 bits or greater)
- -nodes creates an unencrypted private key (omit it to be prompted for a pass-phrase)
- add -config <openssl.cnf> if the location of your config file has not been set in the environment
- to create a wildcard certificate (valid for multiple sub-domains), enter *.mydomain.com when prompted for the Common Name
Omitting the -nodes option from the above command will prompt for a pass-phrase and encrypt the private key. This increases security, but the pass-phrase will be required each time Apache is started. To obtain an unencrypted private key for your Windows-based Apache setup, you can use the following command:
Decrypt a private key
openssl rsa -in MYKEY.key -out MYKEY-NOCRYPT.key
Generate a certificate signing request for an existing private key
openssl req -new -sha256 -key MYKEY.key -out MYCSR.csr
If you have an existing private key for some certificate, you can use this command to generate the certificate signing request (CSR) to send to the certificate authority (CA). If you are using your own CA, you can use one of the commands below to validate the CSR and convert it into a certificate (CRT).
Generate a certificate signing request based on an existing x509 certificate
openssl x509 -x509toreq -in MYCERT.crt -out MYCSR.csr -signkey MYKEY.key
Create a self-signed certificate (can also be used as a CA to sign other certificates)
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 3650
Sign a Certificate Signing Request
openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365
If you have the private key of the certificate authority (CA), you can sign certificates with it. This is the command to use for that purpose.
- -days must not exceed the remaining validity of the CA certificate
Conversion Commands
Convert DER (.crt .cer .der) to PEM
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
Convert PEM to DER
openssl x509 -outform der -in MYCERT.pem -out MYCERT.der
Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates
openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes
- add -nocerts for private key only
- add -nokeys for certificates only
Combine a separate key and certificate into a new keystore of type PKCS#12
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat"
Combine a separate key and certificate into a new keystore of type PKCS#12 for use with a server that should send the chain too (e.g. Tomcat)
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain
- repeat the -CAfile/-caname pair for each intermediate certificate
Verification and Debugging Commands
Check a private key
openssl rsa -in MYKEY.key -check
- add -noout to avoid printing the key components
Check a Certificate Signing Request
openssl req -text -noout -verify -in MYCSR.csr
Check a certificate
openssl x509 -in MYCERT.crt -text -noout
Check a PKCS#12 keystore
openssl pkcs12 -info -in KEYSTORE.p12
Check the trust chain of a certificate
openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt
- if the trust chain is in a directory (hashed layout): replace -CAfile with -CApath /path/to/CAchainDir/
- to check for server usage: -purpose sslserver
- to check for client usage: -purpose sslclient
Debug an SSL connection (server does not require client certificate authentication)
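The signing and verification commands above, chained into a small private PKI as an added example (not part of the original page): a self-signed CA, an unencrypted server key and CSR, a CSR signed with an extension section that restricts it to server use, and the checks that show -CAfile and -purpose doing their job. All file names, the "Example Test CA" and www.example.test subjects, and the ext.cnf section are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Names (ca.key, server.crt,
# www.example.test, the v3_srv section) are constructed for the demo.
set -e
# Builds CA + leaf in a scratch directory and runs the checks.
# Prints "OK" and returns 0 when every check behaves as expected.
demo_pki() {
  d=$(mktemp -d) || return 1
  cd "$d" || return 1
  # 1. Self-signed CA certificate, as in "Create a self-signed certificate".
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 3650 -subj "/CN=Example Test CA" 2>/dev/null
  # 2. Unencrypted server key plus CSR (the -nodes variant of the first command).
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=www.example.test" 2>/dev/null
  # 3. Sign the CSR with the CA. Without -extfile, "x509 -req" emits a v1
  #    certificate with no extensions; this section limits it to TLS server use.
  cat > ext.cnf <<'EOF'
[ v3_srv ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 365 -extfile ext.cnf -extensions v3_srv 2>/dev/null
  # 4a. The CSR is self-consistent (its signature matches the embedded key).
  openssl req -noout -verify -in server.csr >/dev/null 2>&1 || return 1
  # 4b. The chain verifies and the leaf is acceptable as a TLS server.
  openssl verify -CAfile ca.crt -purpose sslserver server.crt >/dev/null 2>&1 || return 1
  # 4c. The same leaf is rejected as a TLS client: its EKU names only serverAuth.
  if openssl verify -CAfile ca.crt -purpose sslclient server.crt >/dev/null 2>&1; then
    return 1
  fi
  # 4d. An unrelated CA is not a trust anchor for it (issuer lookup fails).
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
    -days 30 -subj "/CN=Unrelated CA" 2>/dev/null
  if openssl verify -CAfile other.crt server.crt >/dev/null 2>&1; then
    return 1
  fi
  cd / && rm -rf "$d"
  echo OK
}
demo_pki
```

Running the failing checks without the redirections shows the diagnostics to expect: "unsupported certificate purpose" for 4c and "unable to get local issuer certificate" for 4d.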
openssl s_client -connect www.mytestserver.com:443
Debug an SSL connection with mutual certificate authentication
openssl s_client -connect idp.example.be:8443 -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key
- if the trust chain is in a directory (hashed layout): replace -CAfile with -CApath /path/to/CAchainDir/
- to issue the STARTTLS command first (SMTP or POP3 style): -starttls smtp or -starttls pop3