The Most Common OpenSSL Commands

One of the most versatile SSL tools is OpenSSL, which is an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:


General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR)
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key
    openssl rsa -in privateKey.key -check
  • Check a certificate
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private key doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed
    openssl s_client -connect <host>:<port>
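The match check above as a script. This is an added example, not part of the original article, and it goes beyond the page's commands: it fingerprints the public key itself with SHA-256 rather than hashing the RSA modulus with MD5, so it also works for EC keys. The function names `pubkey_fp` and `same_key`, the `example.test` subject and the throwaway keys are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that a private key,
# CSR and certificate all carry the same public key.

# Print a SHA-256 fingerprint of the public key in FILE; TYPE is key, csr or cert.
pubkey_fp() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    # An empty result must never compare equal to another empty result.
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# same_key TYPE FILE TYPE FILE ...: 0 = all match, 1 = mismatch, 2 = unreadable input.
same_key() {
    ref=$(pubkey_fp "$1" "$2") || return 2
    shift 2
    while [ $# -ge 2 ]; do
        fp=$(pubkey_fp "$1" "$2") || return 2
        [ "$fp" = "$ref" ] || return 1
        shift 2
    done
    return 0
}

# Constructed test data: a throwaway RSA key with CSR and self-signed
# certificate, plus an unrelated EC key and CSR (EC keys have no modulus).
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
    -keyout "$d/privateKey.key" -out "$d/certificate.crt" 2>/dev/null
openssl req -new -key "$d/privateKey.key" -subj "/CN=example.test" \
    -out "$d/CSR.csr" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
openssl req -new -key "$d/ec.key" -subj "/CN=example.test" -out "$d/ec.csr" 2>/dev/null

same_key key "$d/privateKey.key" csr "$d/CSR.csr" cert "$d/certificate.crt" \
    && echo "RSA key, CSR and certificate match"
same_key key "$d/ec.key" csr "$d/ec.csr" && echo "EC key and CSR match"
same_key key "$d/ec.key" cert "$d/certificate.crt" \
    || echo "EC key does not belong to the certificate"
```

A return code of 2 means a file could not be parsed as the stated type, which is kept distinct from a genuine mismatch (1).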

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

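    You can add -nocerts to only output the private key or add -nokeys to only output the certificates. The -nodes option writes the private key to keyStore.pem unencrypted, so restrict access to that file.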

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
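File extensions such as .crt and .cer do not say whether a certificate is DER or PEM encoded, and passing the wrong -inform value produces an ASN.1 "wrong tag" error. The following added example (not part of the original article) detects the encoding before converting to PEM and confirms that the SHA-256 fingerprint is unchanged. The function names `cert_encoding`, `to_pem` and `cert_fp` and the throwaway certificate are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): convert a certificate of
# unknown encoding to PEM and confirm the certificate itself is unchanged.

# Print "pem" or "der" for FILE, or fail if it is not a certificate at all.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        enc=pem
    else
        enc=der
    fi
    openssl x509 -inform "$enc" -in "$1" -noout 2>/dev/null || return 1
    echo "$enc"
}

# to_pem IN OUT: write IN as PEM regardless of its original encoding.
to_pem() {
    enc=$(cert_encoding "$1") || return 1
    openssl x509 -inform "$enc" -in "$1" -out "$2"
}

# SHA-256 fingerprint of a PEM certificate (hash of its DER encoding).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Constructed test data: one throwaway certificate stored three ways.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
    -keyout "$d/privateKey.key" -out "$d/certificate.crt" 2>/dev/null
openssl x509 -outform der -in "$d/certificate.crt" -out "$d/certificate.der"
cp "$d/certificate.crt" "$d/base64.cer"   # Base64 (PEM) data behind a .cer name

to_pem "$d/certificate.der" "$d/from_der.pem"
to_pem "$d/base64.cer" "$d/from_cer.pem"
[ "$(cert_fp "$d/from_der.pem")" = "$(cert_fp "$d/certificate.crt")" ] \
    && echo "DER input converted, fingerprint unchanged"
[ "$(cert_fp "$d/from_cer.pem")" = "$(cert_fp "$d/certificate.crt")" ] \
    && echo "Base64 .cer input converted, fingerprint unchanged"
cert_encoding "$d/privateKey.key" >/dev/null \
    || echo "private key file rejected: not a certificate"
```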


Posted on January 11, 2008
Showing comments 1 to 20 of 66 | Next | Last
Posts: 49
Of course, for this
Reply #66 on : Fri May 30, 2014, 12:28:25
Of course, for this to work, you'll need virtual hosts on ports 80 and 443 for your blog. Also, you'll need an SSL certificate for your blog. You can snag one from a reputable provider or make your own.
Posts: 49
Reply on #63 (Manish, Nov 2013)
Reply #65 on : Thu April 17, 2014, 03:03:55
I am no expert, but the version depends on cert extensions. A v1 cert has no extensions at all. So you will have to recreate your cert and supply some extensions.
Posts: 49
error converting to pkcs #12
Reply #64 on : Mon January 27, 2014, 10:16:17
I'm using the following command:

openssl pkcs12 -export -in < CAfilename1.cer > -out < CAfilename.cer2.p12> -name < “alias name”>
/nhin/nss-3.12.4/bin/pk12util -i < CAfilename.cer2.p12> -n < alias name> -d $AS_HOME/domains/nssdomain/config

replacing with correct info in brackets, yet command does nothing... it just lists the options... any help here would be appreciated
Posts: 49
Setting Version in Certificate Information
Reply #63 on : Mon November 18, 2013, 03:47:05
I have created a CA certificate using openssl commands.
After successful generation, the certificate information has version V1, which I want to change to V2 or V3, but I didn't find any command to change it. Kindly let me know whether we have a command for this also.
Posts: 49
How to do i dump the keys generated by OpenSSL
Reply #62 on : Fri October 18, 2013, 23:48:21
Hi experts,
I'm debugging OpenSSL code to root-cause a BAD_RECORD_MAC error by ssl. By looking at the error, it is a digest failure. I just want to know what are the crypto algorithms and keys generated for the current session? Are there any APIs to fetch this info???

Posts: 49
first of all i got t
Reply #61 on : Mon September 30, 2013, 13:54:12
First of all I got the same thing you can not access the server cause you do not own it 404 error is connection time out means well your ip does not allowed access to server
Posts: 49
Unable to convert to PEM format.
Reply #60 on : Thu September 19, 2013, 12:28:36
I tried exporting my certificate to below format.
DER enabled X.509(cer)
Base64 encoded X.509(cer)
Option to export private key is disabled for me in IE.
I was trying to convert the above files to PEM format using openSSL to be used in load runner Vugen for playback.
Any help would be appreciated.
I am getting some error

OpenSSL> pkcs12 -in M:/scripts/IBDFocus/WF01/cert/jossyB64.cer -out M:/scripts/IBDFocus/WF01/cert/jossy.pem
10272:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
10272:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=PKCS12
error in pkcs12
OpenSSL> x509 -inform der -in M:/scripts/IBDFocus/WF01/cert/jossyB64.cer -out M:/scripts/IBDFocus/WF01/cert/jossy.pem
unable to load certificate
10272:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
10272:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509
error in x509

Thank you,
Posts: 16
Re: How to generate .crt and .key files
Reply #59 on : Thu August 22, 2013, 08:40:31
You can't generate a .key file if you only have the CSR. You will need to generate a new CSR and Key and have your certificate provider sign the new key (by reissuing or rekeying the certificate).
Posts: 49
How to generate .crt and .key files
Reply #58 on : Wed August 21, 2013, 11:33:41
May I know what is the procedure to generate .crt and .key files for an existing .csr file. When I requested the Cybertrust Public SureServer Standard SSL Certificate they issued me two .pem files (cert.pem and chainp7.pem). Is there any possibility to create .crt and .key files using those .pem files?
Posts: 49
CSR with multiple State name
Reply #57 on : Fri June 21, 2013, 00:55:29
Hi All,

Can anyone help me in generating a CSR that has multiple State names. I am basically looking to get this for a Validation point. Please help if anyone is aware of how to achieve this.
Posts: 49
RE: PKCS12 Export Password
Reply #56 on : Mon May 13, 2013, 15:32:58
You make it up. The passphrase is used to protect the private key. When any application attempts to use the private key (or you import it into a keystore), the user will be prompted to supply the passphrase.
Posts: 49
PKCS12 Export Password
Reply #55 on : Thu May 02, 2013, 08:39:32
Hi everyone. Hope you are great. Can you please help with this question? When converting a pem certificate to pkcs12 I'm asked for an export password. What is it?

Thanks and Regards
Posts: 49
I want to open my certificate to check SAN names
Reply #54 on : Mon April 08, 2013, 14:24:31
For a Cisco Device I require a certificate which must include SAN (alternative subject names) so my Web authentication can work. I tried to open the certificate that I created using the following command but I am getting an error:

OpenSSL> x509 -text -in c:\openssl\MYCertificate.pem

I am running Openssl in a Win7 64bits laptop and created certificates in the past which are working fine.


Error opening Certificate :\openssl\MYCertificate.pem
4292:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:352:fopen('c:\openssl\MYCertificate.pem','rb')
4292:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:354:
unable to load certificate
error in x509
Posts: 49
concatenate 3 .pem file into 1 .pem file
Reply #53 on : Thu February 21, 2013, 01:33:51
Is it possible to concatenate 3 pem files into 1? If so, what is the command in pkcs12?

Desc: we have 3 web servers above these 3 we have a load balancer, we need to give the keys of these 3 web servers to the load balancer site. As the site is accessible with the common URL we need to give all the 3 keys in a single pem file and upload.

Posts: 49
DSA Algorithm
Reply #52 on : Wed December 12, 2012, 06:22:10
How to generate a new private key and Certificate Signing Request using DSA Algorithm from open SSL command
Posts: 49
Reply #51 on : Thu December 06, 2012, 03:45:37
how to verify the CRL certificate? and
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none. any one get solution for this?
Rohit Sijwali
Posts: 49
Re: The Most Common OpenSSL Commands
Reply #50 on : Tue October 23, 2012, 01:33:51
I want to know how the passphrase is stored in the private key file and how openssl or another utility can verify the password.
Posts: 49
FireFox Cert Backup
Reply #49 on : Wed August 29, 2012, 11:45:01
I have a user cert (.cer) that I've imported onto my Windows machine. I use FireFox to Backup (not export) the cert as pkcs12, and it asks for a certificate backup password to be entered.

If I then run the openssl command on the resulting pkcs12 file:

openssl pkcs12 -in cert.p12

And it has a private key section.

Where did the private key come from?
Posts: 49
Re: The Most Common OpenSSL Commands
Reply #48 on : Sat August 11, 2012, 09:55:53
Awesome article been trying to work out how to get my SAN SSL working on a unix box other servers are windows apps and this little number gave me what I had been searching for for almost 2 weeks never had to use openssl before.

pfx converted and got me my priv key generated on II6 so I could get it onto the unix box.
Might be an old article but it works for me.

Melbourne, Australia
Posts: 16
Re:.crt to .key
Reply #47 on : Fri July 27, 2012, 10:16:27
Hi Nick,

There is no way to convert a .crt to a .key file. If you can't locate the .key file you will need to generate a new key and CSR and re-key your certificate.