The Most Common OpenSSL Commands

One of the most versatile SSL tools is OpenSSL, an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. It also has hundreds of other functions that let you view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR)
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key
    openssl rsa -in privateKey.key -check
  • Check a certificate
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private key doesn't match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed
    openssl s_client -connect www.paypal.com:443
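
The modulus commands above only settle a mismatch once their digests are compared side by side. The script below is an added example, not part of the original page: it generates a constructed key, CSR and self-signed certificate in a temporary directory and reports whether they share one key. It assumes RSA keys and uses SHA-256 rather than MD5 for the digest.

```sh
#!/bin/sh
# Added example: confirm that a certificate, private key and CSR share one RSA key.
# File names and the CN are constructed sample values; RSA only (uses -modulus).

# Print a SHA-256 digest of the RSA modulus found in a cert, key or CSR.
modulus_digest() {  # kind file
    case "$1" in
        cert) m=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || m= ;;
        key)  m=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || m= ;;
        csr)  m=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) || m= ;;
        *)    m= ;;
    esac
    # An unreadable file yields no modulus: fail rather than hash empty input,
    # otherwise two broken files would appear to "match".
    [ -n "$m" ] || return 1
    printf '%s\n' "$m" | openssl sha256 | awk '{print $NF}'
}

# Return 0 when all three digests agree, 1 on mismatch, 2 on a parse failure.
same_keypair() {  # cert key csr
    cert_d=$(modulus_digest cert "$1") || return 2
    key_d=$(modulus_digest key "$2")   || return 2
    csr_d=$(modulus_digest csr "$3")   || return 2
    [ "$cert_d" = "$key_d" ] && [ "$key_d" = "$csr_d" ]
}

# Constructed sample material: one matching set plus an unrelated key.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$tmp/privateKey.key" -out "$tmp/CSR.csr" 2>/dev/null
openssl req -x509 -new -key "$tmp/privateKey.key" -subj "/CN=example.test" \
    -days 1 -out "$tmp/certificate.crt" 2>/dev/null
openssl genrsa -out "$tmp/otherKey.key" 2048 2>/dev/null

same_keypair "$tmp/certificate.crt" "$tmp/privateKey.key" "$tmp/CSR.csr" \
    && echo "certificate, key and CSR match"
same_keypair "$tmp/certificate.crt" "$tmp/otherKey.key" "$tmp/CSR.csr" \
    || echo "otherKey.key does not belong to this certificate"
```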

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
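
The PKCS#12 commands above prompt for a password, which stalls them when they are run from a script. The following is an added example, not part of the original page: it converts PEM to PKCS#12 and back unattended and checks that the extracted key still belongs to the extracted certificate. The PFX_PASS variable, the file names and the CN are constructed sample values.

```sh
#!/bin/sh
# Added example: scripted PEM -> PKCS#12 -> PEM round trip with no prompts.
# PFX_PASS, the temp directory and the CN are constructed sample values.
umask 077                      # new key and keystore files are owner-only
PFX_PASS='constructed-sample-passphrase'; export PFX_PASS

# Bundle a PEM key and certificate into a PKCS#12 file. The password is read
# from the environment, so it does not appear in the process argument list.
pem_to_pfx() {  # key cert out.pfx
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# Extract only the private key (unencrypted, as with -nodes on the page).
pfx_key() {     # in.pfx out.key
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS -out "$2" 2>/dev/null
}

# Extract only the certificates.
pfx_certs() {   # in.pfx out.pem
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS -out "$2" 2>/dev/null
}

# True when the key's public half equals the certificate's public key.
key_matches_cert() {  # key cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
    -keyout "$work/privateKey.key" -out "$work/certificate.crt" 2>/dev/null

pem_to_pfx "$work/privateKey.key" "$work/certificate.crt" "$work/certificate.pfx"
pfx_key   "$work/certificate.pfx" "$work/roundtrip.key"
pfx_certs "$work/certificate.pfx" "$work/roundtrip.crt"
key_matches_cert "$work/roundtrip.key" "$work/roundtrip.crt" && echo "round trip OK"
```

Because `-nodes` writes the extracted key unencrypted, the `umask 077` line is what keeps it unreadable to other local users.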

Posted on January 11, 2008
bryant
Posts: 26
Comment
in reply to #39
Reply #40 on : Thu January 26, 2012, 12:36:36
use the -batch option to suppress the command line interaction
Adam
Posts: 26
Comment
Convert from crt to pfx
Reply #39 on : Fri December 02, 2011, 22:46:16
I'm using openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
and it works perfectly,
but when I want to run it from PHP like this

system("openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt");

my output file is always 0 bytes.
I tried

system('echo "Password" | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt');

with password, with no password ... when I run it from PHP it doesn't work.
I think it's because I can't seem to be able to send parameters when it asks me to input the export password.

Any suggestions?
El-Shazli
Posts: 26
Comment
convert to apk
Reply #38 on : Sun October 16, 2011, 05:26:00
How could I convert SSL certificate from CER and P7B to apk to be able to set up on mobile Samsung Galaxy Tap p1000.
JayOdom
Posts: 26
Comment
convert pfx to pem
Reply #37 on : Fri September 16, 2011, 14:08:06
Solution to Reply to #22:

Move the '-nodes' option from this:
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -out cag.pem -nodes

To This:
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -nodes -out cag.pem
JayOdom
Posts: 26
Comment
convert pfx to pem
Reply #36 on : Fri September 16, 2011, 13:43:24
I am having the same issue Heinz is having in the post below mine.

Anyone know what could be wrong?
Heinz
Posts: 26
Comment
convert pfx to pem
Reply #35 on : Tue September 06, 2011, 08:29:18
Hello,

running on a win2008 r2 as an administrator:

What could be the reason that the following error occurs:

C:\>cd C:\OpenSSL\bin

C:\OpenSSL\bin>dir C:\OpenSSL\bin\cert.pfx
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7CD4-6EAD

Verzeichnis von C:\OpenSSL\bin

06.09.2011 14:53 2.709 cert.pfx
1 Datei(en), 2.709 Bytes
0 Verzeichnis(se), 92.737.318.912 Bytes frei

C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -out cag.pem -nodes
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-idea encrypt private keys with idea
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-maciter use MAC iteration
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file;file;...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key

C:\OpenSSL\bin>


It would be very helpful if you could help me to solve this issue.

Thanks a lot

Regards

Heinz
Robert
Posts: 10
Comment
Re: convert RSA private key to X509
Reply #34 on : Wed August 24, 2011, 18:38:39
Hi Madan,

The key may already be in X509 format if you can read it in a text editor. If you cannot, it is probably in binary format (der). In that case you can convert it to x509 using the converter or running the OpenSSL command.
Madan
Posts: 26
Comment
convert RSA private key to X509
Reply #33 on : Wed August 24, 2011, 07:09:13
Hi,

Is it possible to convert the private key in RSA format to X509 format... Kindly advise on the possibility.
sara sat
Posts: 26
Comment
cross certification
Reply #32 on : Mon May 09, 2011, 06:08:52
Hi all,
how can I cross-certify 2 self-signed certificates?
SafeTinspector
Posts: 26
Comment
Good, concise, just what I needed. Thanks
Reply #31 on : Thu April 28, 2011, 14:04:02
Had need to get a cert into eDirectory and it only wanted PKCS#12 while all I had was CER and KEY from when I got a cert for their SMTP daemon.
Problem solved and I didn't need to do a bunch of reading to get there from here.
siteadmin
Posts: 3
Comment
Re: CSR to Key
Reply #30 on : Wed April 27, 2011, 21:31:31
Hi Will,

There is no way to restore the .key file. You will need to create a new one and then reissue your certificate.
Will
Posts: 26
Comment
CSR to Key
Reply #29 on : Wed April 27, 2011, 17:24:56
In the effort of restoring a client's crashed server, we have the cert and the .CSR but not the .key

Is there a way to recreate the .key from the csr?

Thank you in Advance
Shanker
Posts: 26
Comment
How to convert pfx and pem files into .cer and .key file
Reply #28 on : Fri April 15, 2011, 13:17:57
I have two files, a pfx and a pem file. Can you please let me know what command I need to use to convert them into .cer and .key files? I want to install these certificates in SQL Server, and SQL Server understands only .cer and .key files. So please let me know the command to convert.
Robert
Posts: 10
Comment
Re: From CER to PKCS12
Reply #27 on : Tue March 29, 2011, 21:21:45
Hi Nomad,

The private key was created when you created the CSR. If you don't know where it is, you will need to generate a new one and have VeriSign re-key your certificate.
Nomad
Posts: 26
Comment
From CER to PKCS12
Reply #26 on : Tue March 29, 2011, 18:36:38
Hi,

I have a CER from VeriSign and I need to export it as a PKCS12 format to import it to a web server application.

Where is the private key created in this process? Basically I guess I need the steps from the CER to getting it to PKCS12.

Thanks much!

Nomad
siteadmin
Posts: 3
Comment
Re: Failed: no such file or directory.
Reply #25 on : Thu December 30, 2010, 08:38:44
Hey Karl,

It looks like your OpenSSL installation may be messed up. I would try to install a newer version and see if that helps.
Karl
Posts: 26
Comment
Failed: no such file or directory.
Reply #24 on : Wed December 29, 2010, 13:07:20
openssl req -newkey rsa:1024 -keyout server.pf.key -out req.pem
ld.so.1: openssl: fatal: libssl.so.0.9.7: open failed: No such file or directory
Killed

Any ideas?
siteadmin
Posts: 3
Comment
Re: .cer and .crt
Reply #23 on : Sat October 16, 2010, 10:03:58
Hi Lantic,

A .cer and a .crt file are usually the same. Sometimes they are different because a CA can use whatever file extension they want but you can just use the .cer just like you would a .crt.
lantic
Posts: 26
Comment
.cer and .crt
Reply #22 on : Sat October 16, 2010, 07:10:33
Hi guys,
I generated a csr file and I sent it to the CA, then they sent me a .cer file when I expected a .crt. Could anybody tell me what the difference is between .crt and .cer? Obviously I have the private key .key as well.
Thanks in advance!
Robert
Posts: 10
Comment
Answers
Reply #21 on : Thu June 04, 2009, 19:39:23
Hi Bryan,

See this page on setting up Apache to use client certificates: http://www.vanemery.com/Linux/Apache/apache-SSL.html

You will want to include a CA file in a .p12 file whenever there is an intermediate certificate that needs to be installed.

suite,

The private key is generated on your server/computer. If you don't have it you will need to generate it again and create a new certificate. Contact your certificate provider for details of how to do this with them.
Last Edit: September 27, 2009, 12:41:28 by Robert  