Most Popular

Login:

Your Login Details


Forget Your Password?

Create an account

The Most Common OpenSSL Commands

One of the most versatile SSL tools is OpenSSL which is an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request 
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate 
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key 
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate 
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key 
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR) 
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key 
    openssl rsa -in privateKey.key -check
  • Check a certificate 
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12) 
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key 
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed 
    openssl s_client -connect www.paypal.com:443

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM 
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER 
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM 
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12) 
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Digg Slashdot del.icio.us Reddit furl

Posted on January 11, 2008
Showing comments 1 to 10 of 21 | Next | Last
Robert
Posts: 8
Comment
Answers
Reply #21 on : Thu June 04, 2009, 19:39:23
Hi Bryan,

See this page on setting up Apache to use client certificates: http://www.vanemery.com/Linux/Apache/apache-SSL.html

You will want to include a CA file in a .p12 file whenever there is an intermediate certificate that needs to be installed.

suite,

The private key is generated on your server/computer. If you don't have it you will need to generate it again and create a new certificate. Contact your certificate provider for details of how to do this with them.
Last Edit: September 27, 2009, 12:41:28 by Robert  
Bryan
Posts: 12
Comment
When do you need to include a CA file in a .p12 client certificate
Reply #20 on : Wed June 03, 2009, 13:12:02
When do you need to include a CA file in a .p12 client certificate
suite
Posts: 12
Comment
convert .cer so can be imported into Firefox, pkcs#12? Note: No private key avail
Reply #19 on : Tue June 02, 2009, 20:25:13
I received a developers .cer file and would like Firefox to be able to import it so that I can use their web services from their server. Im assuming I have to convert it to some other format first but my .cer file did not come with a private key. Can I "add on" a private key of my own or get a format that Firefox can use without having a private key? Thank you for your time.
Bryan
Posts: 12
Comment
Issues with client authentication
Reply #18 on : Tue June 02, 2009, 19:48:50
I receive a "ssl_error_handshake_failure_alert" for client authentication. I am attempting to secure the admin area of a site.

Error logs read Re-negotiation handshake failed: Not accepted by client!?
Gajendra Gaikwad
Posts: 12
Comment
TLS implement
Reply #17 on : Mon June 01, 2009, 03:20:58
Iam having a sendmail server 8.13and i want to use tls i have a CA Signed cert (root,interca and mail.cer) certificates, how can i use this to implement tls
Robert
Posts: 8
Comment
Re: The Most Common OpenSSL Commands
Reply #16 on : Tue April 07, 2009, 08:00:51
Ct,

You need to add the following to your OpenSSL command:

-config "C:\OpenSSL\bin\openssl.cnf"

Change the path to match where your openssl.cnf file is in your OpenSSL folder.

Alternatively, you could add an Environment variable in Windows so you don't have to add that to every OpenSSL command. You can do this by right-clicking My Computer and selecting properties. Then navigate to the advanced tab (first click Advanced System Settings in Vista) and click the Environmental Variables button. Create a variable called OPENSSL_CONF and map this to the OpenSSL configuration file in C:\OpenSSL\bin\openssl.cnf or wherever your openssl.cnf file is.
ct
Posts: 12
Comment
Re: The Most Common OpenSSL Commands
Reply #15 on : Tue April 07, 2009, 03:37:00
When I run
openssl req -out CSR.csr -pubkey -new -keyout privateKey.key

I get the following error
'unable to load config info from usr local ssl openssl.cnf'

How to solve this ?
Robert
Posts: 8
Comment
Re: CER to DER
Reply #14 on : Thu November 06, 2008, 16:52:21
You don't need to rename it. Just run the command.
Buba
Posts: 12
Comment
CER to DER
Reply #13 on : Thu November 06, 2008, 08:16:08
>>>>The .cer file is actually a pem file so you can just use the command above to convert it from pem to DER format.<<<<

Do I need to rename certificate.cer to certificate.pem and then run commant to convert to DER, or just run:

openssl x509 -outform der -in certificate.cer -out certificate.der
Robert
Posts: 8
Comment
Re: .CER to .DER
Reply #12 on : Tue November 04, 2008, 16:54:19
The .cer file is actually a pem file so you can just use the command above to convert it from pem to DER format.
Showing comments 1 to 10 of 21 | Next | Last

Write a comment


If you have trouble reading the code, click on the code itself to generate a new random code.
Security Code:
 
Post Comment