Buy from the highest-rated provider   Buy DigiCert Certificate x

The Most Common OpenSSL Commands

One of the most versatile SSL tools is OpenSSL which is an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

Compare SSL Certificates

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR)
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key
    openssl rsa -in privateKey.key -check
  • Check a certificate
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed
    openssl s_client -connect

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Compare SSL Certificates

Originally posted on Sun Jan 13, 2008




A CSR is a file that is created on the server with a private key. You don't convert it to a CER (certificate file) but you can use it to create a certificate that will work with the private key that you generated. To do this you will need to get a certificate from a Certificate Authority listed on this site. You could also try creating a self-signed certificate depending on your needs.


how to convert .cer file format to a .pkcs file format using openssl on windows



A .cer file is usually in pem format so you can use the following command to convert a .cer to a pkcs12 format file but you will also need to have the private key available:

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodesopenssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crtpkcs


There's an error in this step:

Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout certificate.crt -out privateKey.key

it should be:

Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout certificate.key -out privateKey.crt

Admin update: Thanks for pointing this out. It has now been updated.


how to get locale specific x509 attributes( country name, locality name, etc...)or user defined attributes whithout prompting for entry, when generating self signed key and certificate.



One of our clients are reneving their certificates on their side as it is due to expire and would be rolling over to a new certificate.They have provided a .cer file.Actually we decrypt the messages from them.I understand that I need to generate a .pem file from this .cer file.Can anyone help me in achieveing this.

Thanks in Advance.


I tried with "openssl x509 -inform der -in certificate.cer -out certificate.pem". But I want to convert it with the private key. Can any body help me...


If you need to renew a certificate, you will need to use a CSR file and not a CER file. A CER file typically contains the site certificate and any other certificates in the chain but it does not contain the private key. You will need to create a new CSR and private key, renew the certificate with your certificate authority using the CSR, and then install the new certificate that is issued.

Gajendra Gaikwad(2014-12-13)

Iam having a sendmail server 8.13and i want to use tls i have a CA Signed cert (root,interca and mail.cer) certificates, how can i use this to implement tls


i'd like to convert csr to cer


hi guys,
I generated a csr file and I sent it to CA, then they sent me a .cer file when I expected a .crt. Anybody could tell me what is the difference between .crt and .cer? obviously I have the private key .key as well.
thanks in advance !



You need to add the following to your OpenSSL command:

-config "C:\OpenSSL\bin\openssl.cnf"

Change the path to match where your openssl.cnf file is in your OpenSSL folder.

Alternatively, you could add an Environment variable in Windows so you don't have to add that to every OpenSSL command. You can do this by right-clicking My Computer and selecting properties. Then navigate to the advanced tab (first click Advanced System Settings in Vista) and click the Environmental Variables button. Create a variable called OPENSSL_CONF and map this to the OpenSSL configuration file in C:\OpenSSL\bin\openssl.cnf or wherever your openssl.cnf file is.


Hi Lantic,

A .cer and a .crt file are usually the same. Sometimes they are different because a CA can use whatever file extension they want but you can just use the .cer just like you would a .crt.


>>>>The .cer file is actually a pem file so you can just use the command above to convert it from pem to DER format.<<<<

Do I need to rename certificate.cer to certificate.pem and then run commant to convert to DER, or just run:

openssl x509 -outform der -in certificate.cer -out certificate.der


You don't need to rename it. Just run the command.


The .cer file is actually a pem file so you can just use the command above to convert it from pem to DER format.


Hi Bryan,

See this page on setting up Apache to use client certificates:

You will want to include a CA file in a .p12 file whenever there is an intermediate certificate that needs to be installed.


The private key is generated on your server/computer. If you don't have it you will need to generate it again and create a new certificate. Contact your certificate provider for details of how to do this with them.


openssl req -newkey rsa:1024 -keyout -out req.pem openssl: fatal: open failed: No such file or directory

Any ideas?


I receive a "ssl_error_handshake_failure_alert" for client authentication. I am attempting to secure the admin area of a site.

Error logs read Re-negotiation handshake failed: Not accepted by client!?


I need to convert .cer certificate (generated by MS IIS) to .der file to be used on WebLogic (Sun Solaris), so both systems can use same Public key.

Is it 2 stages process as above:

1. Convert a DER file (.crt .cer .der) to PEM
and then
2. Convert a PEM file to DER

or can I directly convert .cer file to .der?


I received a developers .cer file and would like Firefox to be able to import it so that I can use their web services from their server. Im assuming I have to convert it to some other format first but my .cer file did not come with a private key. Can I "add on" a private key of my own or get a format that Firefox can use without having a private key? Thank you for your time.


When do you need to include a CA file in a .p12 client certificate



.cer files usually do not contain the private key so you will need to use the very last command to convert the .cer and the private key file into one .pfx file. (You can name it .pem instead of .pfx if you want).

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crt

You may also be able to just paste the contents of the private key below the contents of the .cer files in a text editor. See the documentation for your device/server to find out if that is what it wants.


When I run
openssl req -out CSR.csr -pubkey -new -keyout privateKey.key

I get the following error
'unable to load config info from usr local ssl openssl.cnf'

How to solve this ?


Hey Karl,

It looks like you OpenSSL installation may be messed up. I would try to install a newer version and see if that helps.


Hi Nomad,

The private key was created when you created the CSR. If you don't know where it is, you will need to generate a new one and have VeriSign re-key your certificate.



I have a CER from VeriSign and I need to export it as a PKCS12 format to import it to a web server application.

Where is the private key created in this process? Basically I guess I need the steps from the CER to getting it to PKCS12.

Thanks much!



Had need to get a cert into eDirectory and it only wanted PKCS#12 while all I had was CER and KEY from when I got a cert for their SMTP daemon.
Problem solved and I didn't need to do a bunch of reading to get there from here.


In the effort of restoring a clients crashed server, we have the cert and the .CSR but not the .key

Is there a way to recreate the .key from the csr?

Thank you in Advance

sara sat(2014-12-13)

hi all
how can i cross certify 2 self sign certificates


I have two files pfx and pem file. Can you please let me know what command do i need to use to convert into .cer and .key file. I want to install these certficates in sql server and sql server understands only .cer and .key file. So please let me know command to convert?


Hi Will,

There is no way to restore the .key file. You will need to create a new one and then reissue your certificate.


Hi Madan,

The key may already be in X509 format if you can read it in a text editor. If you cannot, it is probably in binary format (der). In that case you can convert it to x509 using the converter or running the OpenSSL command.


Solution to Reply to #22:

Move the '-nodes' option from this:
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -out cag.pem -nodes

To This:
C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -nodes -out cag.pem



Is it possible to convert key the private key in RSA format to X509 format... Kindly advise on the possibility.



running on a win2008 r2 as an administrator:

What could be the reason that the following error occurs:

C:\>cd C:\OpenSSL\bin

C:\OpenSSL\bin>dir C:\OpenSSL\bin\cert.pfx
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7CD4-6EAD

Verzeichnis von C:\OpenSSL\bin

06.09.2011 14:53 2.709 cert.pfx
1 Datei(en), 2.709 Bytes
0 Verzeichnis(se), 92.737.318.912 Bytes frei

C:\OpenSSL\bin>openssl pkcs12 -in cert.pfx -out cag.pem -nodes
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-idea encrypt private keys with idea
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-maciter use MAC iteration
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file;file;...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key


It would be very helpful, when you could help me to solve this issue.

Thanks a lot




I am having the same issue Heinz is having in the post below mine.

Anyone know what could be wrong?


How could I convert SSL certificate from CER and P7B to apk to be able to set up on mobile Samsung Galaxy Tap p1000.


i'm using openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
and it works perfectly
but when i want to run it from php like this

system("openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt");

my output file is always 0 bytes.
i tried

system('echo "Password" | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt');

with password, with no password ... when i run it from php it doenst work
i think its because i can't seem to be able to send parameters when it asks me to input export password

Any Suggestions ?


you solved this?

Kem Jones(2016-08-09)

try using the "-password pass:secret" parameter (where "secret" is your actual password).


use the -batch option to suppress the command line interaction


I would like to know how to import the received .cer file into the already existing .crt file.


Hi Nick,

There is no way to convert a .crt to a .key file. If you can't locate the .key file you will need to generate a new key and CSR and re-key your certificate.


Hi Prasad,

If you don't have the private key, you won't be able to covert it to a pfx file. You will need to generate a new certificate.


would like to do following
convert .PEM to PFX or .Cer to .PFX
however dont have key for certificate only .pem and .cer file is available

Help appriciated


openssl verify -CAfile <ca-bundle.crt> <certificate.crt>


Hi All.

Would like to know how to convert .crt file to .key file.

David Spector(2017-10-19)

(My answer already appears below.)


Very handy reference. The command to sign a certificate using your own CA might help too.

openssl ca -in x.csr -out x.crt -config openssl.conf


I have a user cert (.cer) that I've imported onto my Windows machine. I use FireFox to Backup (not export) the cert as pkcs12, and it asks for a certificate backup password to be entered.

If I then run the openssl command on the resulting pkcs12 file:

openssl pkcs12 -in cert.p12

And it has a private key section.

Where did the private key come from?


Awesome article been trying to work out how to get my SAN SSL working on a unix box other servers are windows apps and this little number gave me what I had been searching for for almost 2 weeks never had to use openssl before.

pfx converted and got me my priv key generated on II6 so I could get it onto the unix box.
Might be an old article but it works for me.

Melbourne, Australia

Rohit Sijwali(2014-12-13)

I want to know that how the passphrase is stored in the Private key file and how openssl or other utility can erify the password.


How to generate a new private key and Certificate Signing Request using DSA Algorithm from open SSL command


how to verify the CRL certificate? and
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none. any one get solution for this?


For a Cisco Device I require a certificate which must include SAN (alternative subject names) so my Web authentication can work. I tried to open the certificate that I created using the following command but I am getting an error:

OpenSSL> x509 -text -in c:\openssl\MYCertificate.pem

I am running Openssl in a Win7 64bits laptop and created certificates in the past which are working fine.


Error opening Certificate :\openssl\MYCertificate.pem
4292:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:352:fopen('c:\openssl\MYCertificate.pem','rb')
4292:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:354:
unable to load certificate
error in x509

Ginny McLeoad(2017-04-26)

That's a windows issue. You are supposed to have a folder on the same drive you're running it from named "openssl" at the top level and inside that, MYCertificate.pem. Maybe you can use command line options to specify an alternate location or create that folder. (I know its been 2 years but somebody else probably has the same issue)

Shubham Mittal(2017-06-20)

Hi Ginny,

I have same issue. How to resolve that?

OpenSSL> x509 -req -days 365 -in C:\CSR\PM.csr -CA C:\Certificates\RootCA.crt -C
Akey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\pm.crt
Signature ok
subject=/C=IN/ST=Maharashtra/L=Pune/O=Column Technologies/OU=Cloud Computing/CN=
Error opening CA Certificate C:\Certificates\RootCA.crt
4624:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
4624:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:40
unable to load certificate
error in x509


Is it possible to concatinate 3 pem files into 1 if so what is the command in pksc12.

Desc: we have 3 web servers above these 3 we have a load balancer, we need to give the keys of these 3 web servers to the load balancer site. As the site is accessible with the common URL we need to give all the 3 keys in a single pem file and upload.



You make it up. The passphrase is used to protect the private key. When any application attempts to use the private key (or you import it into a keystore), the user will be prompted to supply the passphrase.


Hi All,

Can anyone help me in generating a CSR that has multiple State names. I am basically looking to get this for a Validation point. Please help if anyone is aware of how to achieve this.


Hi everyone. Hope you are great. Can you please help with this question? When converting a pem certificate to pkcs12 I'm asked for a export password. What is it?

Thanks and Regards

John Lin(2015-08-25)

you can try to leave it blank. just ignore the request and return twice.


I tried exporting my certificate to below format.
DER enabled X.509(cer)
Base64 encoded X.509(cer)
Option to export private key is disabled for me in IE.
I was trying to convert the above files to PEM format using openSSL to be used in load runner Vugen for playback.
Any help would be appreciated.
I am getting some error

OpenSSL> pkcs12 -in M:/scripts/IBDFocus/WF01/cert/jossyB64.cer -out M:/scripts/IBDFocus/WF01/cert/jossy.pem
10272:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
10272:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=PKCS12
error in pkcs12
OpenSSL> x509 -inform der -in M:/scripts/IBDFocus/WF01/cert/jossyB64.cer -out M:/scripts/IBDFocus/WF01/cert/jossy.pem
unable to load certificate
10272:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
10272:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509
error in x509

Thank you,


You can't generate a .key file if you only have the CSR. You will need to generate a new CSR and Key and have your certificate provider sign the new key (by reissuing or rekeying the certificate).


Hi experts,
Im debugging OpenSSL code to rootcause BAD_RECORD_MAC error by ssl. by looking at the error it is digest failure. I just want to know what are the crypro algorithms and keys generated for the current session? Any API's are there to fetch this info???



im using the following command:

openssl pkcs12 -export -in < CAfilename1.cer > -out < CAfilename.cer2.p12> -name < “alias name”> /nhin/nss-3.12.4/bin/pk12util -i < CAfilename.cer2.p12> -n < alias name> -d $AS_HOME/domains/nssdomain/config replacing with correct info in brackets, yet command does nothing... it just lists the options... any help here would be appreciated


first of all i got the same thing you can not access the sevrer cause you do not own it 404 error is connection time outmeans well your ip does not alowed acces to sevrer


I am no expert, but the version depends on cert extensions. A v1 cert has no extensions at all. So you will have to recreate your cert and supply some extensions.


May i know what is the procedure to generate .crt and .key files for an existing .csr file. When i requested the Cybertrust Public SureServer Standard SSL Certificate they issued me two .pem files(cert.pem and chainp7.pem). Is there any possibility to create .crt and .key files using those .pem files?


I have created CA certificate using openssl commands
After successful generation, Certificate information has version V1 which i want to change to V2 or V3 but i didn't find any command to change it. Kindly let me know do we have command for this also


Of course, for this to work, you'll need viartul hosts on ports 80 and 443 for your blog. Also, you'll need an SSL certificate for your blog. You can snag one from a reputable provider or make your own.

Ginny McLeoad(2017-04-26)

Let me push "Lets encrypt" which is a free EFF certificate method. Its not for everybody, but if you're nerdy, it is pretty nice. It does require some technical knowledge.


There is also a "Check connection via SMTP" - STARTTLS or not - possible:

openssl s_client -starttls smtp &#91 -cipher 'ALL:!RC4' &#93 -connect

Here, openssl uses a connection to the mail server of and checks the starttls option. With the switch -cipher, you can select between cipher algorithms, here, "all without RC4". Don't use the brackets. That means, you can use this switch or not.


DH parameter generation:

openssl dhparam -out dhparam.pem 2048


If you wanted 4096, add the -dsaparam so you're not waiting for 2 days for the command to complete.

openssl dhparam -dsaparam -out dhparam.pem 4096


At this point, I strongly recommend adding '-sha256' when creating a new csr, to get a SHA256 certificate rather than an outdated SHA1 certificate.

SSL Shopper(2015-04-24)

Thanks. I added that to the self-signed certificate CSR command. I didn't add it to the others because certificate providers almost always ignore what is in the CSR and use whatever algorithm they want to sign the actual certificate when it is issued (and all certificate providers should be issuing SHA2 by default now because SHA1 certificates will soon stop working in web browsers).


Sadly, "should" isn't necessarily "will." A number of providers are still issuing SHA1 certificates by default. Hopefully recent browser changes will force the change, but it hasn't happened yet.

Ginny McLeoad(2017-04-26)

It is now forbidden to issue SHA1 and I had to hunt long and hard in 2016 to get one that worked with our ancient gear. Now, there should be no chance of SHA1 from a commercial provider, thank goodness.


Yes, good riddance.

Sally Vuong(2015-09-22)

Hi what does -des3 mean in openssl?

SSL Shopper(2015-09-22)

Using the -des3 option will encrypt private keys with triple DES which is the default so you don't need to specify it.


I'm getting this issue, when i'm trying to connect to server through .pem file

curl: (58) unable to set private key file: '/tmp/.pem' type PEM

Ye Wang(2015-11-16)

Use this to check Diffie-Hellman primes via: `openssl dhparam -in dhparams.pem -text -noout` and `dhparams.pem` can be generated by `openssl dhparam -out dhparams.pem 2048`

Franck Dakia(2015-11-18)

Thank You!

David Valladares(2016-01-04)

Nice post. Thank You!!!

Drummer Ubuntu(2016-06-27)

This is pretty awesome, thank you!

Deryck Henson(2016-08-06)

8 years later and still relevant. I love it. Spent hours on this and now all of a sudden I'm finished.

Jan Lund(2018-02-21)

10 years - and counting...
Excellent stuff :-)


Same here.

Yannick Majoros(2019-12-10)

2067 here. I still use these commands to convert my 2^32 bit keys to authenticate to the time portal. Cheertaz!

Benedict Tesha(2019-02-17)

11 years and counting. Cool stuff

Michael P.(2019-03-21)

11 years 2 months 1 week 1 day and counting....

Dinesh verma(2019-06-03)

11 years, 4 months, 22 days Still relevant.


11 years, 8 months and Still relevant.


4319 days or 11 years, 9 months, 28 days. Still relevant.

Jason Mathew(2020-01-06)

11 Years, 11 Months, 3 Weeks, 5 Days. Still relevant

Humberto Martinez(2020-03-10)

12 years, still relevant !


12 years, 2 months, Quarantine time but this is still relevant!

Ahmed Andaloes(2020-06-11)

12 years, 3 months, this is still relevant!

Leonardo Rodrigues(2020-07-06)

12 years, 4 months, still relevant!


This thread has so much reddit in it.

2020 - the year sysadmins went full retard

Leonardo Felicetti(2021-05-26)

2021 Still relevant :D


2022 still relevant


RIP Her Majesty Queen Elizabeth II, openssl still relevant

Akos Korsos(2020-01-17)

12 years and 5 days, still relevant

Faruk Ca(2020-05-04)

12 years a few month and not even corona can stop it :) AND still relevant!

John King(2020-01-24)

15 years 3 months and counting...


12 years one month and six days

Caio César(2021-10-27)

13 years 9 months 14 day and counting..


12 years and 4 month, in isolation without much to do and this info is still relevant.

Sai Phanindra Tummidi(2020-10-14)

12 years 7 months... still not able to find proper definition or example what PEM pile is for and how to create it ......

Anton Sokolov(2021-04-05)

13 years and 3 months. Still relevant


This doesn't export the private key:

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Per openssl,

don't encrypt the private keys at all.

SSL Shopper(2016-09-01)

Thanks. It will export the private key, but you are correct that it won't be encrypted. This is often necessary when using a PEM file but it is important to be very careful with the PEM at that point.


What would the command be to read the values that were set when the .csr file was created? We need to know what the former SA had set in our old .csr files on our servers.
The command used to create the csr was
openssl req -new -key filename.key -out filename.csr

SSL Shopper(2016-09-15)

Hi Elijah! You can use the CSR Decoder tool at or an OpenSSL command like: openssl req -in mycsr.csr -noout -text

Sverre Rakkenes(2016-09-29)

I have used this page as my SSL anything page for years, and I love it.. so just wanted to say thanks! this is still useful.



what openssl commands should I use in cygwin to convert .cer files (Root.cer, IntermediateCA.cer and Actualcert.cer) and xyz.key file into .pfx file?

Thank you in advance.

SSL Shopper(2016-09-29)

You'll want to use something like this:

openssl pkcs12 -export -out certificate.pfx -inkey xyz.key -in Actualcert.cer -certfile IntermediateCA.cer

The root cert really isn't necessary. You can view the OpenSSL documentation at

Michael Andreas Purwoadi(2016-10-16)

Hi folks,

I have 2 questions here :

1. How to include the additional Aggregat Variable Assertion in CN using openssl, when we create a new certificate for client ?
2. Is it possible to include more than one GeneralName in the SubjectAltName, how can we do it ?

Michael A. Purwoadi


Cheers, I come to this page every time I need to use openssl :-)

Souvik Chanda(2017-03-28)

What is the use of -nodes in the command to convert .pfx to .pem???
Please let me know if I can use openssl pkcs12 -in keyStore.pfx -out keyStore.key -nodes

SSL Shopper(2017-03-29)

The -nodes option just tells OpenSSL not to encrypt the .key file so a password doesn't have to be entered. You can omit it and provide a password to keep the file more secure if the file will be moved around at all.

Souvik Chanda(2017-03-29)

I want my .pfx ssl certificate to be converted into .key format with password protection. kindly help me with the command...
Thanks :)

SSL Shopper(2017-03-30)

openssl pkcs12 -in keyStore.pfx -out keyStore.key -nocerts

That command should work.

Sam Mingolelli(2018-03-05)

That option can be confusing because you think it's the word nodes but it's actually means "no" des. From the pkcs12 man page:

don't encrypt the private keys at all.

Hi, This is a great resource. Just that, It does not solve my problem. I'm implementing safari support for push notifications. The APN server module needs 2 files
1) cert.pem 2) key.pem .

My inputs for this are
a) *.p12 file
b) *.cer file.

Both of them are binary..

I have worked very hard to generate this. But for some reason my key.pem validation fails.

My command for generating key.pem is openssl x509 -in ~/certificate/website_aps_production-3.cer -inform DER -outform PEM -out key.pem

And my command for generating cert.pem is
openssl x509 -inform DER -outform PEM -in ~/certificate/Certificates.p12 -out cert.pem

For some reason when I validate the key.pem it fails. It gives an error even if I replace x509 with rsa also.

Do you have any thoughts on this?

Paramasivan Palanisamy(2017-07-07)

how do i convert .pem to .cer

SSL Shopper(2017-07-07)

Generally speaking, those are just file extensions so you might be able to just rename the file depending on what you are using the certificate with.


So useful for parsing Google API private keys. Thank you!

David Spector(2017-10-19)

Doesn't show how to create a trusted local (localhost) certificate given that the local machine has a trusted CA certificate.


Excellent just discovered this.

Josh Enders(2017-11-30)

The fact that there aren't ads on this page is a tragedy


Or a blessing... depending on the teat you suckle.


this is the best and most compact information I ever found.... kudos to the author!!

Luke Handsfree(2018-02-15)

Dear friends at SSL Shopper. Thanks ever so for this page; many years ago it was an educator, and now it's a great sanity check for muscle memory! Much gratitude to you :)


nice and helpful article

Harrison Tao(2018-04-01)

How do I convert .cer to .crt

I don't need .pem!

[ 班 ]Ben Channel(2018-04-18)

Let say your .cer file is in DER format and you want your .crt file to be in PEM format.
openssl x509 -in xxx.cer -inform DER -out xxx.crt -outform PEM


Can someone post the example of generating .csr file with passing the arguments in non interactive mode like how to pass in shell script. Below example throwing an error using "-subj"

openssl req -new -key -out -passin pass:yyyyyy -subj “/C=US/ST=CA/L=Washington/O=fffff/OU=ggggg/”

unknown option “/C=US/ST=CA/L=Washington/O=fffff/OU=ggggg/”

Karim Boudart(2018-07-20)

Still very relevant 10 years later, thanks
just to add, here's how to get the certificate fingerprint
openssl x509 -fingerprint -noout -in *certificate.crt*

Nan Li(2020-06-19)

Is there any way to pass in the content of the certificate instead of the path?

David Spector(2018-10-31)

How about viewing various files?

SSL Shopper(2018-10-31)

Most files can be viewed with a text editor. If they are encoded, you will need to use the OpenSSL commands under "Checking Using OpenSSL" to decode them.

click funnels(2019-01-13)

This is my go through page whenever I need help with openssl. Truly speaking, it's a cheatsheet.


I visit about twice a month :]

Hoshimatsu( ͡° ͜ʖ ͡°)(2019-02-19)

11 years and continuing... wonder I should be a cyber security expert in future?

Lyas Spiehler(2019-05-02)

OpenSSL is a great, powerful tool, but using it from the CLI can be slow and complicated. is an awesome site that streamlines the creation of CSRs, self-signed certificates and even a root CA. It also shows the OpenSSL commands used so everything can be done securely offline.

Leandro Takeda(2019-09-16)

More than 11 years, and actual... :)


Create a new certificate to update the expired one with the existing private key and CSR.
openssl x509 -req -in CSR.csr -days 3650 -signkey private.key -out certificate.crt

Mateus Caruccio(2019-10-24)

Verify certificate from remote server:

With SNI:

openssl s_client -showcerts -servername -connect </dev/null

Without SNI:

openssl s_client -showcerts -connect </dev>


Avijit Dutta(2019-11-02)

What 'random state' means

Carl Lee(2019-11-04)

sorry for the noob question. but is if I want to renew my certficate, do create a csr with existing private key or existing certificate? then when I go to replace the odl cert with the new, can i just place the new cert (with the same name) in the old location so i dont have to change any code for the website?

SSL Shopper(2019-11-06)

Hi Carl,

It is best practice to create a new private key when you renew a certificate. Once you've received the new certificate, you can place it in the same location with the same filename as the old one so you don't have to change any code. Let your certificate provider know if you need help with any part of renewing the certificate.

Carl Lee(2019-11-06)

so I would do the first command

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

and use same name and file location like you said?

SSL Shopper(2019-11-06)

Correct. That should work for renewing a certificate.

Carl Lee(2019-11-14)

Cool. Do I change to a directory where the current cert is not? Then run the syntax with the same privatekey name as the current one? or Do i change to the directory where the certs are and use a different privateKey name. Or neither?
the question is based on possible disruption. I dont want to overwrite something that is in use. Or to rename the privatekey and have the cert not know that the name was changed.

SSL Shopper(2019-11-15)

To avoid disruption, I would create the key in a different directory and then replace the key and cert file when it is issued. You can rename the old cert and key and move the new ones into the same directory with the same names.

Carl Lee(2019-12-05)

alright. I have the cert. everything has the same name but in a different directory.
just rename the old ones and place the new files in the original directory? do I need to restart anything?
Sorry. Just super paranoid that I will do it wrong.

And thank you for all your help.

SSL Shopper(2019-12-06)

Yes, that should work. You will need to restart the web server before the new certificates become active. Make sure to contact your certificate provider if you run into any problems.

Carl Lee(2019-12-06)

ok. i lied. one last question/verification. To restart the webserver (Ubuntu), I run?:

sudo service apache2 restart

SSL Shopper(2019-12-07)

That should do it!

Binh Thanh Nguyen(2020-02-21)

Thanks, nice post

Anton Kuznecov(2020-03-30)

ok I have trouble understanding this. How can I convert jks to p12 in openssl?

SSL Shopper(2020-03-31)

Hi Anton,

I believe you can just use keytool to do that conversion. See

Massimiliano Adamo(2020-05-04)

12 year later, it's still relevant, but it lack the commands to deal with ECC keys :-)

Karthick p(2020-05-22)

Hi Guys,

Anyone can help me to generate SHA512 Certificate ? Please share the working link or contact for it.


Suprabha Hajare(2020-05-27)

Hey anyone can help me , How can i convert .crt file into Pem file with extracted private key.....

SSL Shopper(2020-05-27)

Hi Suprabha,

A .crt file doesn't include a private key so you'll need to export the private key first to get it int a .pem file. This varies by platform so you'll need to search for instructions to do this for your platform (IIS, Apache, nginx, etc.)

Nan Li(2020-06-19)

Hello here,

Is there any command I can use to generate the fingerprint with the content of the certificate instead of the path?

Thanks in advance!

JunYoung Oh(2020-07-09)

2020.07.09 Still alive


This will last ever until quantum computing is everyday life.

Andres Fernando Leon(2020-09-30)

Thanks for this wonderful great post. This is useful very useful indeed. Thanks a lot.


I want to get the certificate thumbprint of my crt file. How do I do that?


Thanks a lot for your instructions! Cool stuff

Sandip Mohite(2021-12-15)

verify error:num=18:self signed certificate
verify return:1

I am getting above error, Can any one provide any solution