
# The Most Common OpenSSL Commands

One of the most versatile SSL tools is OpenSSL, an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:

## General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

• Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
• Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
• Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
• Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
• Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem

## Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

• Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
• Check a private key
openssl rsa -in privateKey.key -check
• Check a certificate
openssl x509 -in certificate.crt -text -noout
• Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12

## Debugging Using OpenSSL

If you are receiving an error that the private key doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

• Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
• Check an SSL connection. All the certificates (including Intermediates) should be displayed
openssl s_client -connect www.paypal.com:443
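
The modulus comparison above only works for RSA keys. The script below is an added example, not part of the original article: it hashes the whole public key with SHA-256 instead, which also covers non-RSA keys, and runs the check against a throwaway key, CSR and self-signed certificate. The function names, the `/CN=example.test` subject and the `other.key` file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: confirm that a certificate, private key and CSR carry the
# same public key before installing them. All file names are constructed.

# Print the PEM public key held in a certificate, private key or CSR.
extract_pubkey() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac
}

# Print the SHA-256 digest of that public key; fail if the file cannot be read,
# so an unreadable input is never mistaken for the digest of empty data.
pubkey_fp() {
    pem=$(extract_pubkey "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match CERT KEY CSR
# Prints "match" (returns 0), "mismatch" (returns 1) or "unreadable: FILE" (returns 2).
check_match() {
    c=$(pubkey_fp cert "$1") || { echo "unreadable: $1"; return 2; }
    k=$(pubkey_fp key  "$2") || { echo "unreadable: $2"; return 2; }
    r=$(pubkey_fp csr  "$3") || { echo "unreadable: $3"; return 2; }
    if [ "$c" = "$k" ] && [ "$k" = "$r" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Build sample material in a temporary directory and run both cases.
run_demo() {
    d=$(mktemp -d) || return 1
    subj="/CN=example.test"   # constructed subject; -subj skips the prompts

    # Private key and CSR, as in "Generate a new private key and CSR"
    openssl req -out "$d/CSR.csr" -new -newkey rsa:2048 -nodes \
        -keyout "$d/privateKey.key" -subj "$subj" 2>/dev/null
    # Self-signed certificate over the same key
    openssl req -x509 -sha256 -new -days 365 -key "$d/privateKey.key" \
        -out "$d/certificate.crt" -subj "$subj" 2>/dev/null
    # Unrelated key, standing in for the wrong file picked up during a renewal
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null

    good=$(check_match "$d/certificate.crt" "$d/privateKey.key" "$d/CSR.csr") || true
    bad=$(check_match "$d/certificate.crt" "$d/other.key" "$d/CSR.csr") || true
    rm -rf "$d"
    echo "$good $bad"
}

run_demo
```
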

## Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

• Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
• Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
• Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

• Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
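
An added example, not part of the original article, that runs the PKCS#12 round trip without prompts and shows what `-nodes` changes: with it the extracted private key is written in the clear, without it the key stays passphrase-protected, and `-nokeys` leaves the key out entirely. The function names, the `PFX_PASS` environment variable, the sample passphrase and the `/CN=example.test` subject are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: PEM -> PKCS#12 -> PEM, checking how the private key is stored
# in each output file. All names and the passphrase are constructed samples.

# Report how a PEM file stores its private key: encrypted, cleartext or no-key.
key_protection() {
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q 'BEGIN .*PRIVATE KEY' "$1"; then
        echo cleartext
    else
        echo no-key
    fi
}

pfx_roundtrip() {
    d=$(mktemp -d) || return 1
    # Passphrase handed over through the environment (env:NAME) so that it
    # does not appear in the process list the way pass:secret would.
    PFX_PASS='constructed-sample-passphrase'
    export PFX_PASS

    # Throwaway key and self-signed certificate to convert
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$d/privateKey.key" -out "$d/certificate.crt" \
        -subj "/CN=example.test" 2>/dev/null

    # PEM certificate + key -> PKCS#12
    openssl pkcs12 -export -out "$d/certificate.pfx" \
        -inkey "$d/privateKey.key" -in "$d/certificate.crt" \
        -passout env:PFX_PASS 2>/dev/null

    # PKCS#12 -> PEM with -nodes: the private key is written unencrypted
    openssl pkcs12 -in "$d/certificate.pfx" -out "$d/clear.pem" -nodes \
        -passin env:PFX_PASS 2>/dev/null

    # PKCS#12 -> PEM without -nodes: the key is re-encrypted under -passout
    openssl pkcs12 -in "$d/certificate.pfx" -out "$d/protected.pem" \
        -passin env:PFX_PASS -passout env:PFX_PASS 2>/dev/null

    # PKCS#12 -> PEM with -nokeys: certificates only
    openssl pkcs12 -in "$d/certificate.pfx" -out "$d/certsOnly.pem" -nokeys \
        -passin env:PFX_PASS 2>/dev/null

    result="$(key_protection "$d/clear.pem")"
    result="$result $(key_protection "$d/protected.pem")"
    result="$result $(key_protection "$d/certsOnly.pem")"
    rm -rf "$d"
    unset PFX_PASS
    echo "$result"
}

pfx_roundtrip
```
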

Originally posted on Sun Jan 13, 2008

## Comments

Robert (2014-12-13): Tom, A CSR is a file that is created on the server with a private key. You don't convert it to a CER (certificate file) but you can use it to create a certificate that will work with the private key that you generated. To do this you will need to get a certificate from a Certificate Authority listed on this site. You could also try creating a self-signed certificate depending on your needs.

ravi (2014-12-13): how to convert .cer file format to a .pkcs file format using openssl on windows

Robert (2014-12-13): Ravi, A .cer file is usually in pem format so you can use the following command to convert a .cer to a pkcs12 format file but you will also need to have the private key available:
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crt

pkcs alert (2014-12-13): There's an error in this step:
Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout certificate.crt -out privateKey.key
it should be:
Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout certificate.key -out privateKey.crt
Admin update: Thanks for pointing this out. It has now been updated.

Robert (2014-12-13): how to get locale specific x509 attributes (country name, locality name, etc...) or user defined attributes without prompting for entry, when generating self signed key and certificate.

Prabu (2014-12-13): Hi, One of our clients is renewing their certificates on their side as it is due to expire and would be rolling over to a new certificate. They have provided a .cer file. Actually we decrypt the messages from them. I understand that I need to generate a .pem file from this .cer file. Can anyone help me in achieving this. Thanks in Advance.

buddhika (2014-12-13): I tried with "openssl x509 -inform der -in certificate.cer -out certificate.pem". But I want to convert it with the private key. Can anybody help me...

Robert (2014-12-13): If you need to renew a certificate, you will need to use a CSR file and not a CER file. A CER file typically contains the site certificate and any other certificates in the chain but it does not contain the private key. You will need to create a new CSR and private key, renew the certificate with your certificate authority using the CSR, and then install the new certificate that is issued.

Gajendra Gaikwad (2014-12-13): I am having a sendmail server 8.13 and i want to use tls i have a CA Signed cert (root, interca and mail.cer) certificates, how can i use this to implement tls

tom (2014-12-13): i'd like to convert csr to cer

lantic (2014-12-13): hi guys, I generated a csr file and I sent it to CA, then they sent me a .cer file when I expected a .crt. Anybody could tell me what is the difference between .crt and .cer? obviously I have the private key .key as well. thanks in advance!

Robert (2014-12-13): Ct, You need to add the following to your OpenSSL command:
-config "C:\OpenSSL\bin\openssl.cnf"
Change the path to match where your openssl.cnf file is in your OpenSSL folder. Alternatively, you could add an Environment variable in Windows so you don't have to add that to every OpenSSL command. You can do this by right-clicking My Computer and selecting properties. Then navigate to the advanced tab (first click Advanced System Settings in Vista) and click the Environmental Variables button. Create a variable called OPENSSL_CONF and map this to the OpenSSL configuration file in C:\OpenSSL\bin\openssl.cnf or wherever your openssl.cnf file is.

Robert (2014-12-13): Hi Lantic, A .cer and a .crt file are usually the same. Sometimes they are different because a CA can use whatever file extension they want but you can just use the .cer just like you would a .crt.

Buba (2014-12-13): >>>>The .cer file is actually a pem file so you can just use the command above to convert it from pem to DER format.<<<
openssl pkcs12 -in cert.pfx -out cag.pem -nodes
To This:
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -nodes -out cag.pem

Madan (2014-12-13): Hi, Is it possible to convert the private key in RSA format to X509 format... Kindly advise on the possibility.

Heinz (2014-12-13): Hello, running on a win2008 r2 as an administrator: What could be the reason that the following error occurs:
C:\>cd C:\OpenSSL\bin
C:\OpenSSL\bin>dir C:\OpenSSL\bin\cert.pfx
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7CD4-6EAD
Verzeichnis von C:\OpenSSL\bin
06.09.2011 14:53 2.709 cert.pfx
1 Datei(en), 2.709 Bytes
0 Verzeichnis(se), 92.737.318.912 Bytes frei
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -out cag.pem -nodes
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-idea encrypt private keys with idea
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-maciter use MAC iteration
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file;file;...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
C:\OpenSSL\bin>
It would be very helpful, when you could help me to solve this issue. Thanks a lot. Regards, Heinz

JayOdom (2014-12-13): I am having the same issue Heinz is having in the post below mine. Anyone know what could be wrong?

El-Shazli (2014-12-13): How could I convert SSL certificate from CER and P7B to apk to be able to set up on mobile Samsung Galaxy Tap p1000.

Adam (2014-12-13): i'm using
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
and it works perfectly but when i want to run it from php like this
system("openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt");
my output file is always 0 bytes. i tried
system('echo "Password" | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt');
with password, with no password ... when i run it from php it doesn't work. i think its because i can't seem to be able to send parameters when it asks me to input export password. Any Suggestions ?

powerhdeleon (2016-01-22): you solved this?

Kem Jones (2016-08-09): try using the "-password pass:secret" parameter (where "secret" is your actual password).

bryant (2014-12-13): use the -batch option to suppress the command line interaction

Ramesh (2014-12-13): I would like to know how to import the received .cer file into the already existing .crt file.

Robert (2014-12-13): Hi Nick, There is no way to convert a .crt to a .key file. If you can't locate the .key file you will need to generate a new key and CSR and re-key your certificate.

Robert (2014-12-13): Hi Prasad, If you don't have the private key, you won't be able to convert it to a pfx file. You will need to generate a new certificate.

Prasad (2014-12-13): Hi, would like to do following: convert .PEM to PFX or .Cer to .PFX, however don't have key for certificate, only .pem and .cer file is available. Help appreciated

Jana (2014-12-13): openssl verify -CAfile

Nick (2014-12-13): Hi All. Would like to know how to convert .crt file to .key file.

David Spector (2017-10-19): (My answer already appears below.)

snow6oy (2014-12-13): Very handy reference. The command to sign a certificate using your own CA might help too.
openssl ca -in x.csr -out x.crt -config openssl.conf

Alan (2014-12-13): I have a user cert (.cer) that I've imported onto my Windows machine. I use FireFox to Backup (not export) the cert as pkcs12, and it asks for a certificate backup password to be entered. If I then run the openssl command on the resulting pkcs12 file:
openssl pkcs12 -in cert.p12
And it has a private key section. Where did the private key come from?

Mikhail (2014-12-13): Awesome article been trying to work out how to get my SAN SSL working on a unix box other servers are windows apps and this little number gave me what I had been searching for for almost 2 weeks never had to use openssl before. pfx converted and got me my priv key generated on II6 so I could get it onto the unix box. Might be an old article but it works for me. Mikhail, Melbourne, Australia, www.hostingworx.com.au

Rohit Sijwali (2014-12-13): Hi, I want to know how the passphrase is stored in the Private key file and how openssl or other utility can verify the password.

Mahean (2014-12-13): How to generate a new private key and Certificate Signing Request using DSA Algorithm from open SSL command

mahesh (2014-12-13): how to verify the CRL certificate? and
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none.
any one get solution for this?

abraham (2014-12-13): For a Cisco Device I require a certificate which must include SAN (alternative subject names) so my Web authentication can work. I tried to open the certificate that I created using the following command but I am getting an error:
OpenSSL> x509 -text -in c:\openssl\MYCertificate.pem
I am running Openssl in a Win7 64bits laptop and created certificates in the past which are working fine.
ERROR:
Error opening Certificate :\openssl\MYCertificate.pem
4292:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:352:fopen('c:\openssl\MYCertificate.pem','rb')
4292:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:354:
unable to load certificate
error in x509
OpenSSL>

Ginny McLeoad (2017-04-26): That's a windows issue. You are supposed to have a folder on the same drive you're running it from named "openssl" at the top level and inside that, MYCertificate.pem. Maybe you can use command line options to specify an alternate location or create that folder. (I know it's been 2 years but somebody else probably has the same issue)

Shubham Mittal (2017-06-20): Hi Ginny, I have same issue. How to resolve that?
OpenSSL> x509 -req -days 365 -in C:\CSR\PM.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\pm.crt
Signature ok
subject=/C=IN/ST=Maharashtra/L=Pune/O=Column Technologies/OU=Cloud Computing/CN=CLMPUNVP08
Error opening CA Certificate C:\Certificates\RootCA.crt
4624:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:406:fopen('C:\Certificates\RootCA.crt','rb')
4624:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:408:
unable to load certificate
error in x509

Murthy (2014-12-13): Hi, Is it possible to concatenate 3 pem files into 1, if so what is the command in pkcs12. Desc: we have 3 web servers, above these 3 we have a load balancer, we need to give the keys of these 3 web servers to the load balancer site. As the site is accessible with the common URL we need to give all the 3 keys in a single pem file and upload. Regards, Murthy.

JRJ (2014-12-13): You make it up. The passphrase is used to protect the private key. When any application attempts to use the private key (or you import it into a keystore), the user will be prompted to supply the passphrase.

Ankit (2014-12-13): Hi All, Can anyone help me in generating a CSR that has multiple State names. I am basically looking to get this for a Validation point. Please help if anyone is aware of how to achieve this.

Vlion (2014-12-13): Hi everyone. Hope you are great. Can you please help with this question? When converting a pem certificate to pkcs12 I'm asked for an export password. What is it? Thanks and Regards

John Lin (2015-08-25): you can try to leave it blank. just ignore the request and return twice.

jossy (2014-12-13): Hi, I tried exporting my certificate to below format.
DER enabled X.509(cer)
Base64 encoded X.509(cer)
PKCS7(p7b)
Option to export private key is disabled for me in IE. I was trying to convert the above files to PEM format using openSSL to be used in load runner Vugen for playback. Any help would be appreciated. I am getting some error
OpenSSL> pkcs12 -in M:/scripts/IBDFocus/WF01/cert/jossyB64.cer -out M:/scripts/IBDFocus/WF01/cert/jossy.pem
10272:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
10272:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=PKCS12
error in pkcs12
OpenSSL> x509 -inform der -in M:/scripts/IBDFocus/WF01/cert/jossyB64.cer -out M:/scripts/IBDFocus/WF01/cert/jossy.pem
unable to load certificate
10272:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
10272:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509
error in x509
Thank you, Jossy

Robert (2014-12-13): You can't generate a .key file if you only have the CSR. You will need to generate a new CSR and Key and have your certificate provider sign the new key (by reissuing or rekeying the certificate).

Timothy (2014-12-13): Hi experts, I'm debugging OpenSSL code to root-cause BAD_RECORD_MAC error by ssl. By looking at the error it is digest failure. I just want to know what are the crypto algorithms and keys generated for the current session? Any API's are there to fetch this info??? Thanks, Timothy

Matt (2014-12-13): im using the following command:
openssl pkcs12 -export -in < CAfilename1.cer > -out < CAfilename.cer2.p12> -name < “alias name”>
/nhin/nss-3.12.4/bin/pk12util -i < CAfilename.cer2.p12> -n < alias name> -d $AS_HOME/domains/nssdomain/config
replacing with correct info in brackets, yet command does nothing... it just lists the options... any help here would be appreciated

Alexandr (2014-12-13): first of all i got the same thing you can not access the server cause you do not own it 404 error is connection time out means well your ip does not allowed access to server

Merk (2014-12-13): I am no expert, but the version depends on cert extensions. A v1 cert has no extensions at all. So you will have to recreate your cert and supply some extensions.

Sreedhar (2014-12-13): May i know what is the procedure to generate .crt and .key files for an existing .csr file. When i requested the Cybertrust Public SureServer Standard SSL Certificate they issued me two .pem files (cert.pem and chainp7.pem). Is there any possibility to create .crt and .key files using those .pem files?

Manish (2014-12-13): I have created CA certificate using openssl commands. After successful generation, Certificate information has version V1 which i want to change to V2 or V3 but i didn't find any command to change it. Kindly let me know do we have command for this also

Nisha (2014-12-13): Of course, for this to work, you'll need virtual hosts on ports 80 and 443 for your blog. Also, you'll need an SSL certificate for your blog. You can snag one from a reputable provider or make your own.

Ginny McLeoad (2017-04-26): Let me push "Lets encrypt" which is a free EFF certificate method. It's not for everybody, but if you're nerdy, it is pretty nice. It does require some technical knowledge. https://letsencrypt.org/

ewert59 (2014-12-13): There is also a "Check connection via SMTP" - STARTTLS or not - possible:
openssl s_client -starttls smtp [ -cipher 'ALL:!RC4' ] -connect alt1.gmail-smtp-in.l.google...:25
Here, openssl uses a connection to the mail server of google.com and checks the starttls option. With the switch -cipher, you can select between cipher algorithms, here, "all without RC4". Don't use the brackets. That means, you can use this switch or not.

antoniok.spb (2015-03-12): DH parameter generation:
openssl dhparam -out dhparam.pem 2048

Jim (2016-06-18): If you wanted 4096, add the -dsaparam so you're not waiting for 2 days for the command to complete.
openssl dhparam -dsaparam -out dhparam.pem 4096

NoelTheOne (2015-04-24): At this point, I strongly recommend adding '-sha256' when creating a new csr, to get a SHA256 certificate rather than an outdated SHA1 certificate.

SSL Shopper (2015-04-24): Thanks. I added that to the self-signed certificate CSR command. I didn't add it to the others because certificate providers almost always ignore what is in the CSR and use whatever algorithm they want to sign the actual certificate when it is issued (and all certificate providers should be issuing SHA2 by default now because SHA1 certificates will soon stop working in web browsers).

NoelTheOne (2015-04-25): Sadly, "should" isn't necessarily "will." A number of providers are still issuing SHA1 certificates by default. Hopefully recent browser changes will force the change, but it hasn't happened yet.

Ginny McLeoad (2017-04-26): It is now forbidden to issue SHA1 and I had to hunt long and hard in 2016 to get one that worked with our ancient gear. Now, there should be no chance of SHA1 from a commercial provider, thank goodness.

NoelTheOne (2017-04-27): Yes, good riddance.

Sally Vuong (2015-09-22): Hi what does -des3 mean in openssl?

SSL Shopper (2015-09-22): Using the -des3 option will encrypt private keys with triple DES which is the default so you don't need to specify it.

Swaroop (2015-11-16): I'm getting this issue, when i'm trying to connect to server through .pem file
curl: (58) unable to set private key file: '/tmp/.pem' type PEM

Ye Wang (2015-11-16): Use this to check Diffie-Hellman primes via: openssl dhparam -in dhparams.pem -text -noout and dhparams.pem can be generated by openssl dhparam -out dhparams.pem 2048

Franck Dakia (2015-11-18): Thank You!

David Valladares (2016-01-04): Nice post. Thank You!!!

Drummer Ubuntu (2016-06-27): This is pretty awesome, thank you!

Deryck Henson (2016-08-06): 8 years later and still relevant. I love it. Spent hours on this and now all of a sudden I'm finished.

Jan Lund (2018-02-21): 10 years - and counting... Excellent stuff :-)

Shade1982 (2018-03-22): Same here.

Yannick Majoros (2019-12-10): 2067 here. I still use these commands to convert my 2^32 bit keys to authenticate to the time portal. Cheertaz!

Benedict Tesha (2019-02-17): 11 years and counting. Cool stuff

Michael P. (2019-03-21): 11 years 2 months 1 week 1 day and counting....

Dinesh verma (2019-06-03): 11 years, 4 months, 22 days Still relevant.

Alex (2019-10-10): 11 years, 8 months and Still relevant.

Luke (2019-11-10): 4319 days or 11 years, 9 months, 28 days. Still relevant.

Jason Mathew (2020-01-06): 11 Years, 11 Months, 3 Weeks, 5 Days. Still relevant

Humberto Martinez (2020-03-10): 12 years, still relevant !

Nameless (2020-04-28): 12 years, 2 months, Quarantine time but this is still relevant!

Ahmed Andaloes (2020-06-11): 12 years, 3 months, this is still relevant!

Leonardo Rodrigues (2020-07-06): 12 years, 4 months, still relevant!

Scott (2020-07-28): This thread has so much reddit in it. 2020 - the year sysadmins went full retard

Leonardo Felicetti (2021-05-26): 2021 Still relevant :D

AhmedM (2022-02-08): 2022 still relevant

Coderhehe (2022-09-25): RIP Her Majesty Queen Elizabeth II, openssl still relevant

Akos Korsos (2020-01-17): 12 years and 5 days, still relevant

Faruk Ca (2020-05-04): 12 years a few month and not even corona can stop it :) AND still relevant!

John King (2020-01-24): 15 years 3 months and counting...

GregInFla60 (2020-02-19): 12 years one month and six days

Caio César (2021-10-27): 13 years 9 months 14 day and counting..

Lego (2020-07-17): 12 years and 4 month, in isolation without much to do and this info is still relevant.

Sai Phanindra Tummidi (2020-10-14): 12 years 7 months... still not able to find proper definition or example what PEM pile is for and how to create it ......

Anton Sokolov (2021-04-05): 13 years and 3 months. Still relevant

ATrober (2016-08-31): This doesn't export the private key:
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
Per openssl, https://www.openssl.org/doc...
-nodes
don't encrypt the private keys at all.

SSL Shopper (2016-09-01): Thanks. It will export the private key, but you are correct that it won't be encrypted. This is often necessary when using a PEM file but it is important to be very careful with the PEM at that point.

EM (2016-09-14): What would the command be to read the values that were set when the .csr file was created? We need to know what the former SA had set in our old .csr files on our servers. The command used to create the csr was openssl req -new -key filename.key -out filename.csr

SSL Shopper (2016-09-15): Hi Elijah! You can use the CSR Decoder tool at https://www.sslshopper.com/... or an OpenSSL command like: openssl req -in mycsr.csr -noout -text

Sverre Rakkenes (2016-09-29): I have used this page as my SSL anything page for years, and I love it.. so just wanted to say thanks! this is still useful.

pratik (2016-09-29): hello, what openssl commands should I use in cygwin to convert .cer files (Root.cer, IntermediateCA.cer and Actualcert.cer) and xyz.key file into .pfx file? Thank you in advance.

SSL Shopper (2016-09-29): You'll want to use something like this:
openssl pkcs12 -export -out certificate.pfx -inkey xyz.key -in Actualcert.cer -certfile IntermediateCA.cer
The root cert really isn't necessary. You can view the OpenSSL documentation at https://www.openssl.org/doc...

Michael Andreas Purwoadi (2016-10-16): Hi folks, I have 2 questions here:
1. How to include the additional Aggregat Variable Assertion in CN using openssl, when we create a new certificate for client?
2. Is it possible to include more than one GeneralName in the SubjectAltName, how can we do it?
Regards, Michael A. Purwoadi

ruwanindika (2016-10-22): Cheers, I come to this page every time I need to use openssl :-)

Souvik Chanda (2017-03-28): What is the use of -nodes in the command to convert .pfx to .pem??? Please let me know if I can use openssl pkcs12 -in keyStore.pfx -out keyStore.key -nodes

SSL Shopper (2017-03-29): The -nodes option just tells OpenSSL not to encrypt the .key file so a password doesn't have to be entered. You can omit it and provide a password to keep the file more secure if the file will be moved around at all.

Souvik Chanda (2017-03-29): I want my .pfx ssl certificate to be converted into .key format with password protection. kindly help me with the command... Thanks :)

SSL Shopper (2017-03-30):
openssl pkcs12 -in keyStore.pfx -out keyStore.key -nocerts
That command should work.

Sam Mingolelli (2018-03-05): That option can be confusing because you think it's the word nodes but it actually means "no" des. From the pkcs12 man page: -nodes don't encrypt the private keys at all.

umashankardas (2017-05-17): Hi, This is a great resource. Just that, It does not solve my problem. I'm implementing safari support for push notifications. The APN server module needs 2 files 1) cert.pem 2) key.pem. My inputs for this are a) *.p12 file b) *.cer file. Both of them are binary. I have worked very hard to generate this. But for some reason my key.pem validation fails. My command for generating key.pem is
openssl x509 -in ~/certificate/website_aps_production-3.cer -inform DER -outform PEM -out key.pem
And my command for generating cert.pem is
openssl x509 -inform DER -outform PEM -in ~/certificate/Certificates.p12 -out cert.pem
For some reason when I validate the key.pem it fails. It gives an error even if I replace x509 with rsa also. Do you have any thoughts on this?

Paramasivan Palanisamy (2017-07-07): how do i convert .pem to .cer

SSL Shopper (2017-07-07): Generally speaking, those are just file extensions so you might be able to just rename the file depending on what you are using the certificate with.

Priya (2017-10-03): So useful for parsing Google API private keys. Thank you!

David Spector (2017-10-19): Doesn't show how to create a trusted local (localhost) certificate given that the local machine has a trusted CA certificate.

disqus_saHiVqVQmw (2017-10-27): Excellent just discovered this.

Josh Enders (2017-11-30): The fact that there aren't ads on this page is a tragedy

your_mom_knows_what_i_mean (2018-03-02): Or a blessing... depending on the teat you suckle.

SS (2018-02-08): this is the best and most compact information I ever found.... kudos to the author!!

Luke Handsfree (2018-02-15): Dear friends at SSL Shopper. Thanks ever so for this page; many years ago it was an educator, and now it's a great sanity check for muscle memory! Much gratitude to you :)

Ali (2018-03-09): nice and helpful article

Harrison Tao (2018-04-01): How do I convert .cer to .crt. I don't need .pem!

[ 班 ]Ben Channel (2018-04-18): Let say your .cer file is in DER format and you want your .crt file to be in PEM format.
openssl x509 -in xxx.cer -inform DER -out xxx.crt -outform PEM

Pranesh (2018-06-29): Can someone post the example of generating .csr file with passing the arguments in non interactive mode like how to pass in shell script. Below example throwing an error using "-subj"
openssl req -new -key dummy.com.key -out dummy.com.csr -passin pass:yyyyyy -subj “/C=US/ST=CA/L=Washington/O=fffff/OU=ggggg/emailAddress=s@y.in”
unknown option “/C=US/ST=CA/L=Washington/O=fffff/OU=ggggg/emailAddress=s@y.in”

Karim Boudart (2018-07-20): Still very relevant 10 years later, thanks. just to add, here's how to get the certificate fingerprint
openssl x509 -fingerprint -noout -in *certificate.crt*

Nan Li (2020-06-19): Is there any way to pass in the content of the certificate instead of the path?

David Spector (2018-10-31): How about viewing various files?

SSL Shopper (2018-10-31): Most files can be viewed with a text editor. If they are encoded, you will need to use the OpenSSL commands under "Checking Using OpenSSL" to decode them.

click funnels (2019-01-13): This is my go through page whenever I need help with openssl. Truly speaking, it's a cheatsheet.

jorge (2020-11-30): I visit about twice a month :]

Hoshimatsu( ͡° ͜ʖ ͡°) (2019-02-19): 11 years and continuing... wonder I should be a cyber security expert in future?

Lyas Spiehler (2019-05-02): OpenSSL is a great, powerful tool, but using it from the CLI can be slow and complicated. https://certificatetools.com/ is an awesome site that streamlines the creation of CSRs, self-signed certificates and even a root CA. It also shows the OpenSSL commands used so everything can be done securely offline.

Leandro Takeda (2019-09-16): More than 11 years, and actual... :)

REM (2019-10-20): Create a new certificate to update the expired one with the existing private key and CSR.
openssl x509 -req -in CSR.csr -days 3650 -signkey private.key -out certificate.crt

Mateus Caruccio (2019-10-24): Verify certificate from remote server:
With SNI:
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443
Ref: https://stackoverflow.com/a/7886248/1006369

Avijit Dutta (2019-11-02): What 'random state' means

Carl Lee (2019-11-04): sorry for the noob question. but if I want to renew my certificate, do I create a csr with existing private key or existing certificate? then when I go to replace the old cert with the new, can i just place the new cert (with the same name) in the old location so i dont have to change any code for the website?

SSL Shopper (2019-11-06): Hi Carl, It is best practice to create a new private key when you renew a certificate. Once you've received the new certificate, you can place it in the same location with the same filename as the old one so you don't have to change any code. Let your certificate provider know if you need help with any part of renewing the certificate.

Carl Lee (2019-11-06): so I would do the first command
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
and use same name and file location like you said?

SSL Shopper (2019-11-06): Correct. That should work for renewing a certificate.

Carl Lee (2019-11-14): Cool. Do I change to a directory where the current cert is not? Then run the syntax with the same privatekey name as the current one? or Do i change to the directory where the certs are and use a different privateKey name. Or neither? the question is based on possible disruption. I dont want to overwrite something that is in use. Or to rename the privatekey and have the cert not know that the name was changed.

SSL Shopper (2019-11-15): To avoid disruption, I would create the key in a different directory and then replace the key and cert file when it is issued. You can rename the old cert and key and move the new ones into the same directory with the same names.

Carl Lee (2019-12-05): alright. I have the cert. everything has the same name but in a different directory. just rename the old ones and place the new files in the original directory? do I need to restart anything? Sorry. Just super paranoid that I will do it wrong. And thank you for all your help.

SSL Shopper (2019-12-06): Yes, that should work. You will need to restart the web server before the new certificates become active. Make sure to contact your certificate provider if you run into any problems.

Carl Lee (2019-12-06): ok. i lied. one last question/verification. To restart the webserver (Ubuntu), I run?:
sudo service apache2 restart

SSL Shopper (2019-12-07): That should do it!

Binh Thanh Nguyen (2020-02-21): Thanks, nice post

Anton Kuznecov (2020-03-30): ok I have trouble understanding this. How can I convert jks to p12 in openssl?

SSL Shopper (2020-03-31): Hi Anton, I believe you can just use keytool to do that conversion. See https://stackoverflow.com/q...

Massimiliano Adamo (2020-05-04): 12 years later, it's still relevant, but it lacks the commands to deal with ECC keys :-)

Karthick p (2020-05-22): Hi Guys, Anyone can help me to generate SHA512 Certificate? Please share the working link or contact for it. Thanks, Karthick

Suprabha Hajare (2020-05-27): Hey anyone can help me, How can i convert .crt file into Pem file with extracted private key.....

SSL Shopper (2020-05-27): Hi Suprabha, A .crt file doesn't include a private key so you'll need to export the private key first to get it into a .pem file. This varies by platform so you'll need to search for instructions to do this for your platform (IIS, Apache, nginx, etc.)

Nan Li (2020-06-19): Hello here, Is there any command I can use to generate the fingerprint with the content of the certificate instead of the path? Thanks in advance!

JunYoung Oh (2020-07-09): 2020.07.09 Still alive

Gang (2020-07-16): This will last ever until quantum computing is everyday life.

Andres Fernando Leon (2020-09-30): Thanks for this wonderful great post. This is useful very useful indeed. Thanks a lot.

kk (2021-06-11): I want to get the certificate thumbprint of my crt file. How do I do that?

C-3PO (2021-09-08): Thanks a lot for your instructions! Cool stuff

Sandip Mohite (2021-12-15):
verify error:num=18:self signed certificate
verify return:1
I am getting above error, Can any one provide any solution