Most Popular

Login:

Your Login Details


Forget Your Password?

Create an account

The Most Common OpenSSL Commands

One of the most versatile SSL tools is OpenSSL which is an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request 
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate 
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key 
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate 
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key 
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR) 
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key 
    openssl rsa -in privateKey.key -check
  • Check a certificate 
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12) 
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key 
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed 
    openssl s_client -connect www.paypal.com:443

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM 
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER 
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM 
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12) 
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Digg Slashdot del.icio.us Reddit furl

Posted on January 11, 2008
Showing comments 1 to 20 of 21 | Next | Last
Robert
Posts: 8
Comment
Answers
Reply #21 on : Thu June 04, 2009, 19:39:23
Hi Bryan,

See this page on setting up Apache to use client certificates: http://www.vanemery.com/Linux/Apache/apache-SSL.html

You will want to include a CA file in a .p12 file whenever there is an intermediate certificate that needs to be installed.

suite,

The private key is generated on your server/computer. If you don't have it you will need to generate it again and create a new certificate. Contact your certificate provider for details of how to do this with them.
Last Edit: September 27, 2009, 12:41:28 by Robert  
Bryan
Posts: 12
Comment
When do you need to include a CA file in a .p12 client certificate
Reply #20 on : Wed June 03, 2009, 13:12:02
When do you need to include a CA file in a .p12 client certificate
suite
Posts: 12
Comment
convert .cer so can be imported into Firefox, pkcs#12? Note: No private key avail
Reply #19 on : Tue June 02, 2009, 20:25:13
I received a developers .cer file and would like Firefox to be able to import it so that I can use their web services from their server. Im assuming I have to convert it to some other format first but my .cer file did not come with a private key. Can I "add on" a private key of my own or get a format that Firefox can use without having a private key? Thank you for your time.
Bryan
Posts: 12
Comment
Issues with client authentication
Reply #18 on : Tue June 02, 2009, 19:48:50
I receive a "ssl_error_handshake_failure_alert" for client authentication. I am attempting to secure the admin area of a site.

Error logs read Re-negotiation handshake failed: Not accepted by client!?
Gajendra Gaikwad
Posts: 12
Comment
TLS implement
Reply #17 on : Mon June 01, 2009, 03:20:58
Iam having a sendmail server 8.13and i want to use tls i have a CA Signed cert (root,interca and mail.cer) certificates, how can i use this to implement tls
Robert
Posts: 8
Comment
Re: The Most Common OpenSSL Commands
Reply #16 on : Tue April 07, 2009, 08:00:51
Ct,

You need to add the following to your OpenSSL command:

-config "C:\OpenSSL\bin\openssl.cnf"

Change the path to match where your openssl.cnf file is in your OpenSSL folder.

Alternatively, you could add an Environment variable in Windows so you don't have to add that to every OpenSSL command. You can do this by right-clicking My Computer and selecting properties. Then navigate to the advanced tab (first click Advanced System Settings in Vista) and click the Environmental Variables button. Create a variable called OPENSSL_CONF and map this to the OpenSSL configuration file in C:\OpenSSL\bin\openssl.cnf or wherever your openssl.cnf file is.
ct
Posts: 12
Comment
Re: The Most Common OpenSSL Commands
Reply #15 on : Tue April 07, 2009, 03:37:00
When I run
openssl req -out CSR.csr -pubkey -new -keyout privateKey.key

I get the following error
'unable to load config info from usr local ssl openssl.cnf'

How to solve this ?
Robert
Posts: 8
Comment
Re: CER to DER
Reply #14 on : Thu November 06, 2008, 16:52:21
You don't need to rename it. Just run the command.
Buba
Posts: 12
Comment
CER to DER
Reply #13 on : Thu November 06, 2008, 08:16:08
>>>>The .cer file is actually a pem file so you can just use the command above to convert it from pem to DER format.<<<<

Do I need to rename certificate.cer to certificate.pem and then run commant to convert to DER, or just run:

openssl x509 -outform der -in certificate.cer -out certificate.der
Robert
Posts: 8
Comment
Re: .CER to .DER
Reply #12 on : Tue November 04, 2008, 16:54:19
The .cer file is actually a pem file so you can just use the command above to convert it from pem to DER format.
Buba
Posts: 12
Comment
.CER to .DER
Reply #11 on : Tue November 04, 2008, 11:51:06
I need to convert .cer certificate (generated by MS IIS) to .der file to be used on WebLogic (Sun Solaris), so both systems can use same Public key.

Is it 2 stages process as above:

1. Convert a DER file (.crt .cer .der) to PEM
and then
2. Convert a PEM file to DER

or can I directly convert .cer file to .der?
Robert
Posts: 8
Comment
Re: CER to PEM
Reply #10 on : Tue October 07, 2008, 20:49:12
If you need to renew a certificate, you will need to use a CSR file and not a CER file. A CER file typically contains the site certificate and any other certificates in the chain but it does not contain the private key. You will need to create a new CSR and private key, renew the certificate with your certificate authority using the CSR, and then install the new certificate that is issued.
Prabu
Posts: 12
Comment
CER to PEM
Reply #9 on : Mon October 06, 2008, 22:08:41
HI,

One of our clients are reneving their certificates on their side as it is due to expire and would be rolling over to a new certificate.They have provided a .cer file.Actually we decrypt the messages from them.I understand that I need to generate a .pem file from this .cer file.Can anyone help me in achieveing this.

Thanks in Advance.
Robert
Posts: 8
Comment
Re: .cer to .pem with private key
Reply #8 on : Mon September 22, 2008, 15:57:43
buddhika,

.cer files usually do not contain the private key so you will need to use the very last command to convert the .cer and the private key file into one .pfx file. (You can name it .pem instead of .pfx if you want).

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crt

You may also be able to just paste the contents of the private key below the contents of the .cer files in a text editor. See the documentation for your device/server to find out if that is what it wants.
buddhika
Posts: 12
Comment
.cer to .pem with private key
Reply #7 on : Mon September 22, 2008, 04:34:10
I tried with "openssl x509 -inform der -in certificate.cer -out certificate.pem". But I want to convert it with the private key. Can any body help me...
Robert
Posts: 8
Comment
Re: need to convert .cer to .pkcs format
Reply #6 on : Sat July 26, 2008, 14:38:13
Ravi,

A .cer file is usually in pem format so you can use the following command to convert a .cer to a pkcs12 format file but you will also need to have the private key available:

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodesopenssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crtpkcs
ravi
Posts: 12
Comment
need to convert .cer to pkcs format
Reply #5 on : Sat July 26, 2008, 06:43:50
how to convert .cer file format to a .pkcs file format using openssl on windows
swapna
Posts: 1
Comment
Get locale specific x509 attributes
Reply #4 on : Tue June 17, 2008, 23:04:11
how to get locale specific x509 attributes( country name, locality name, etc...)or user defined attributes whithout prompting for entry, when generating self signed key and certificate.
alert
Posts: 12
Comment
error
Reply #3 on : Thu June 05, 2008, 01:39:03
There's an error in this step:

Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout certificate.crt -out privateKey.key

it should be:

Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout certificate.key -out privateKey.crt

Admin update: Thanks for pointing this out. It has now been updated.
Robert
Posts: 8
Comment
CSR to DER
Reply #2 on : Tue March 25, 2008, 21:26:30
Tom,

A CSR is a file that is created on the server with a private key. You don't convert it to a CER (certificate file) but you can use it to create a certificate that will work with the private key that you generated. To do this you will need to get a certificate from a Certificate Authority listed on this site. You could also try creating a self-signed certificate depending on your needs.
Showing comments 1 to 20 of 21 | Next | Last

Write a comment


If you have trouble reading the code, click on the code itself to generate a new random code.
Security Code:
 
Post Comment