The Most Common OpenSSL Commands

One of the most versatile SSL tools is OpenSSL, an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR)
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key
    openssl rsa -in privateKey.key -check
  • Check a certificate
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private key doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed
    openssl s_client -connect www.paypal.com:443
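
The modulus commands above apply to RSA keys. As an added example (not from the original page), the script below compares the full public key held in a certificate, a CSR and a private key, which also covers EC keys, and uses SHA-256 in place of MD5. The function names, file names and the /CN=example.test subject are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names and the /CN=example.test subject are constructed.

# Emit the PEM public key held in a certificate, CSR or private key.
pubkey_pem() {   # $1 = cert|csr|key   $2 = file
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac
}

# SHA-256 of the DER-encoded public key; fails instead of hashing empty
# input when the file is missing or cannot be parsed.
pubkey_digest() {
    pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 = same key, 1 = different keys, 2 = an input could not be read.
same_key() {     # $1 kind  $2 file  $3 kind  $4 file
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Build constructed samples in directory $1: RSA key + certificate + CSR,
# and an unrelated EC key that must not match.
make_samples() {
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
        -keyout "$1/privateKey.key" -out "$1/certificate.crt" 2>/dev/null &&
    openssl req -new -key "$1/privateKey.key" -subj "/CN=example.test" \
        -out "$1/CSR.csr" 2>/dev/null &&
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/other.key" 2>/dev/null
}

report() {       # print the verdict for one pair
    if same_key "$@"; then echo "match:    $2 <-> $4"
    else echo "MISMATCH: $2 <-> $4"; fi
}

dir=$(mktemp -d) && make_samples "$dir" && {
    report cert "$dir/certificate.crt" key "$dir/privateKey.key"
    report csr  "$dir/CSR.csr"         key "$dir/privateKey.key"
    report cert "$dir/certificate.crt" key "$dir/other.key"
}
```

A return code of 2 from same_key means a file could not be read or parsed, which is kept separate from a real mismatch so that two unreadable files are never reported as matching.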

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
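
As an added example (not from the original page), this script runs the PKCS#12 export and extraction above without interactive prompts by passing the password through an environment variable with -passout/-passin, then confirms that the key extracted from the .pfx is the key that went in. The variable name P12_PASS, the function names, file names, subject and sample password are constructed.

```shell
#!/bin/sh
# Added example. P12_PASS, the file names, the subject and the sample
# password are constructed; the password never appears on a command line.

# PEM key + certificate -> PKCS#12, protected with the password in $P12_PASS.
p12_export() {          # $1 = key  $2 = certificate  $3 = output .pfx
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS
}

# PKCS#12 -> private key only. -nodes writes the key unencrypted, so the
# file is created under umask 077 (owner read/write only).
p12_extract_key() {     # $1 = .pfx  $2 = output key
    ( umask 077 && openssl pkcs12 -in "$1" -nocerts -nodes \
          -passin env:P12_PASS -out "$2" )
}

# PKCS#12 -> certificates only; fails if $P12_PASS is wrong.
p12_extract_certs() {   # $1 = .pfx  $2 = output PEM
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS -out "$2"
}

# PEM public key of a private key file, used to compare two key files.
pub_of_key() { openssl pkey -in "$1" -pubout; }

# Round trip on a throwaway self-signed certificate: returns 0 when the key
# that comes out of the .pfx is the key that went in.
p12_roundtrip_demo() {
    d=$(mktemp -d) || return 1
    P12_PASS='constructed-sample-passphrase'; export P12_PASS
    if openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
           -keyout "$d/privateKey.key" -out "$d/certificate.crt" 2>/dev/null &&
       p12_export "$d/privateKey.key" "$d/certificate.crt" "$d/certificate.pfx" &&
       p12_extract_key "$d/certificate.pfx" "$d/extracted.key" 2>/dev/null &&
       [ "$(pub_of_key "$d/privateKey.key")" = "$(pub_of_key "$d/extracted.key")" ]
    then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

if p12_roundtrip_demo; then echo "round trip OK: extracted key matches"
else echo "round trip FAILED"; fi
```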

Posted on January 11, 2008
Showing comments 1 to 20 of 56 | Next | Last
JRJ
Posts: 40
Comment
RE: PKCS12 Export Password
Reply #56 on : Mon May 13, 2013, 15:32:58
You make it up. The passphrase is used to protect the private key. When any application attempts to use the private key (or you import it into a keystore), the user will be prompted to supply the passphrase.
Vlion
Posts: 40
Comment
PKCS12 Export Password
Reply #55 on : Thu May 02, 2013, 08:39:32
Hi everyone. Hope you are great. Can you please help with this question? When converting a pem certificate to pkcs12 I'm asked for a export password. What is it?

Thanks and Regards
abraham
Posts: 40
Comment
I want to open my certificate to check SAN names
Reply #54 on : Mon April 08, 2013, 14:24:31
For a Cisco Device I require a certificate which must include SAN (alternative subject names) so my Web authentication can work. I tried to open the certificate that I created using the following command but I am getting an error:

OpenSSL> x509 -text -in c:\openssl\MYCertificate.pem

I am running Openssl in a Win7 64bits laptop and created certificates in the past which are working fine.

ERROR:

Error opening Certificate :\openssl\MYCertificate.pem
4292:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:352:fopen('c:\openssl\MYCertificate.pem','rb')
4292:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:354:
unable to load certificate
error in x509
OpenSSL>
Murthy
Posts: 40
Comment
concatenate 3 .pem files into 1 .pem file
Reply #53 on : Thu February 21, 2013, 01:33:51
Hi,
Is it possible to concatenate 3 pem files into 1? If so, what is the command in pkcs12?

Desc: we have 3 web servers above these 3 we have a load balancer, we need to give the keys of these 3 web servers to the load balancer site. As the site is accessible with the common URL we need to give all the 3 keys in a single pem file and upload.

Regards,
Murthy.
Mahean
Posts: 40
Comment
DSA Algorithm
Reply #52 on : Wed December 12, 2012, 06:22:10
How to generate a new private key and Certificate Signing Request using DSA Algorithm from open SSL command
mahesh
Posts: 40
Comment
UEC
Reply #51 on : Thu December 06, 2012, 03:45:37
how to verify the CRL certificate? and
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none. any one get solution for this?
Rohit Sijwali
Posts: 40
Comment
Re: The Most Common OpenSSL Commands
Reply #50 on : Tue October 23, 2012, 01:33:51
Hi,
I want to know how the passphrase is stored in the Private key file and how openssl or other utility can verify the password.
Alan
Posts: 40
Comment
FireFox Cert Backup
Reply #49 on : Wed August 29, 2012, 11:45:01
I have a user cert (.cer) that I've imported onto my Windows machine. I use FireFox to Backup (not export) the cert as pkcs12, and it asks for a certificate backup password to be entered.

If I then run the openssl command on the resulting pkcs12 file:

openssl pkcs12 -in cert.p12

And it has a private key section.

Where did the private key come from?
Mikhail
Posts: 40
Comment
Re: The Most Common OpenSSL Commands
Reply #48 on : Sat August 11, 2012, 09:55:53
Awesome article been trying to work out how to get my SAN SSL working on a unix box other servers are windows apps and this little number gave me what I had been searching for for almost 2 weeks never had to use openssl before.

pfx converted and got me my priv key generated on II6 so I could get it onto the unix box.
Might be an old article but it works for me.


Mikhail
Melbourne, Australia
www.hostingworx.com.au
Robert
Posts: 15
Comment
Re:.crt to .key
Reply #47 on : Fri July 27, 2012, 10:16:27
Hi Nick,

There is no way to convert a .crt to a .key file. If you can't locate the .key file you will need to generate a new key and CSR and re-key your certificate.
Nick
Posts: 40
Comment
.crt to .key
Reply #46 on : Fri July 27, 2012, 02:13:44
Hi All.

Would like to know how to convert .crt file to .key file.
snow6oy
Posts: 40
Comment
Re: The Most Common OpenSSL Commands
Reply #45 on : Mon July 09, 2012, 15:06:50
Very handy reference. The command to sign a certificate using your own CA might help too.

openssl ca -in x.csr -out x.crt -config openssl.conf
Robert
Posts: 15
Comment
Re: How to convert .PEM to PFX or .Cer to .PFX don't have key for certificate
Reply #44 on : Fri June 15, 2012, 09:57:16
Hi Prasad,

If you don't have the private key, you won't be able to convert it to a pfx file. You will need to generate a new certificate.
Prasad
Posts: 40
Comment
How to convert .PEM to PFX or .Cer to .PFX don't have key for certificate
Reply #43 on : Thu June 14, 2012, 10:35:56
Hi
would like to do following
convert .PEM to PFX or .Cer to .PFX
however don't have key for certificate, only .pem and .cer file is available

Help appreciated
Jana
Posts: 40
Comment
Verify Certificate against a CA bundle file using openssl
Reply #42 on : Fri March 02, 2012, 03:02:13
openssl verify -CAfile <CA-bundle.crt> <Certificate.crt>
Ramesh
Posts: 40
Comment
How to import the certificate
Reply #41 on : Tue February 21, 2012, 08:55:10
I would like to know how to import the received .cer file into the already existing .crt file.
bryant
Posts: 40
Comment
in reply to #39
Reply #40 on : Thu January 26, 2012, 13:36:36
use the -batch option to suppress the command line interaction
Adam
Posts: 40
Comment
Convert from crt to pfx
Reply #39 on : Fri December 02, 2011, 23:46:16
I'm using openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
and it works perfectly
but when I want to run it from PHP like this

system("openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt");

My output file is always 0 bytes.
I tried

system('echo "Password" | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt');

with password, with no password ... when I run it from PHP it doesn't work
I think it's because I can't seem to be able to send parameters when it asks me to input export password

Any Suggestions ?
El-Shazli
Posts: 40
Comment
convert to apk
Reply #38 on : Sun October 16, 2011, 06:26:00
How could I convert SSL certificate from CER and P7B to apk to be able to set up on mobile Samsung Galaxy Tap p1000.
JayOdom
Posts: 40
Comment
convert pfx to pem
Reply #37 on : Fri September 16, 2011, 15:08:06
Solution to Reply to #22:

Move the '-nodes' option from this:
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -out cag.pem -nodes

To This:
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -nodes -out cag.pem