These are some common commands that can be used with OpenSSL. Much of this information can be found in the related blog: Katholieke Universiteit Leuven. In addition, some good documentation can be found at madboa.com/geek/openssl/.

Certificate Generation and Signing

Generate a new private key and matching Certificate Signing Request (e.g. to send to a commercial CA)

openssl req -out MYCSR.csr -new -keyout MYKEY.key -newkey rsa:2048 -nodes

This will generate a 2048-bit RSA key file. As soon as you issue the command, you will be prompted for some basic information about the entity being certified. The private key file generated by the above command will not have a pass-phrase associated with it (convenient when used with an Apache server).

Removing the “-nodes” option from the above command will prompt for a pass-phrase and encrypt the private key. This increases security, but the pass-phrase will then be required each time Apache is started. To get an unencrypted private key for your Windows-based Apache setup, you can use the following command:

Decrypt private key

openssl rsa -in MYKEY.key -out MYKEY-NOCRYPT.key

Generate a certificate signing request for an existing private key

openssl req -new -sha256 -key MYKEY.key -out MYCSR.csr

If you have an existing private key for some certificate, you can use this command to generate the certificate signing request (CSR) to send to the certificate authority (CA). The “-days” option only applies when a certificate is produced, so it is omitted here. If you run your own CA, you can use one of the commands below to validate the CSR and convert it into a certificate (CRT).

Generate a certificate signing request based on an existing x509 certificate

openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key

Create self-signed certificate (can be used to sign other certificates)

openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 3650

Sign a Certificate Signing Request

openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365

If you have the private key of the certificate authority (CA), you can sign certificates with it. This is the command to use for that purpose.

Conversion Commands

Convert DER (.crt .cer .der) to PEM

openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

Convert PEM to DER

openssl x509 -outform der -in MYCERT.pem -out MYCERT.der

Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes

Convert (add) a separate key and certificate to a new keystore of type PKCS#12

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat"

Convert (add) a separate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (e.g. Tomcat)

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain
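The conversions above are lossless, and that can be checked rather than assumed. The following script is an added example (not part of the original post) that round-trips a throw-away certificate through DER and PKCS#12 and compares SHA-256 fingerprints at every step. All file names, the subject and the export password are invented for this script.

```shell
#!/bin/sh
# Added example, not from the original post: round-trips one certificate
# through DER and PKCS#12 and checks that nothing changed on the way.
# File names, the subject and the export password are invented for this script.
set -eu

# SHA-256 fingerprint of the (first) certificate found in a PEM file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Performs the round trip in a fresh temp dir; prints the dir name on success.
convert_roundtrip() {
    dir=$(mktemp -d)
    pass="pass:example-export-password"   # constructed; use file: or env: for a real one

    # Throw-away key and self-signed certificate (no prompts, no key pass-phrase).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=roundtrip.example.test" \
        -keyout "$dir/my.key" -out "$dir/my.pem" 2>/dev/null

    # PEM -> DER -> PEM. The fingerprint is computed over the DER bytes, so an
    # unchanged fingerprint means an unchanged certificate.
    openssl x509 -in "$dir/my.pem" -outform der -out "$dir/my.der"
    openssl x509 -inform der -in "$dir/my.der" -out "$dir/back.pem"
    [ "$(fingerprint "$dir/my.pem")" = "$(fingerprint "$dir/back.pem")" ]

    # key + cert -> PKCS#12 (protected by the export password) -> PEM again.
    openssl pkcs12 -export -in "$dir/my.pem" -inkey "$dir/my.key" -name "tomcat" \
        -out "$dir/keystore.p12" -passout "$pass"
    # -nodes leaves the private key unencrypted in the output file, so treat
    # unpacked.pem with the same care as the original key file.
    openssl pkcs12 -in "$dir/keystore.p12" -passin "$pass" -nodes \
        -out "$dir/unpacked.pem" 2>/dev/null

    # Both halves must be present, and the certificate must be the same one.
    grep -q "BEGIN CERTIFICATE" "$dir/unpacked.pem"
    grep -q "PRIVATE KEY" "$dir/unpacked.pem"
    [ "$(fingerprint "$dir/unpacked.pem")" = "$(fingerprint "$dir/my.pem")" ]

    printf '%s\n' "$dir"
}
```

Running `convert_roundtrip` prints the temporary directory holding my.pem, my.der, keystore.p12 and unpacked.pem; any mismatch aborts the script because of `set -e`. Every fingerprint comparison is done with `openssl x509 -fingerprint -sha256`, the same command used to check a certificate by hand.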

Verification and Debugging Commands

Check a private key

openssl rsa -in MYKEY.key -check

Check a Certificate Signing Request

openssl req -text -noout -verify -in MYCSR.csr

Check a certificate

openssl x509 -in MYCERT.crt -text -noout

Check a PKCS#12 keystore

openssl pkcs12 -info -in KEYSTORE.p12

Check a trust chain of a certificate

openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt

Debug an SSL connection (server doesn’t require certificate authentication)

openssl s_client -connect www.mytestserver.com:443

Debug an SSL connection with mutual certificate authentication

openssl s_client -connect idp.example.be:8443 -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key
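The commands from the “Certificate Generation and Signing” section and the checks from this “Verification and Debugging” section fit together into one workflow: build a CA, issue a server certificate from a CSR, then verify the result before deploying it. The script below is an added example (not part of the original post) that does exactly that in a temporary directory, without the interactive prompts. The directory layout, file names, subjects and the 30-day expiry window are invented for this script.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away PKI built with the
# commands from "Certificate Generation and Signing", then checked with the
# commands from "Verification and Debugging". Directory layout, file names,
# subjects and the 30-day expiry window are invented for this script.
set -eu

# Builds CA + server key/CSR/cert in a fresh temp dir; prints the dir name.
build_pki() {
    dir=$(mktemp -d)

    # CA key and self-signed CA certificate. -nodes: no pass-phrase on the key;
    # -subj answers the prompts so the script runs unattended.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server key and CSR in one step (same form as the first command of the post).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # Check the CSR's self-signature before the CA signs it.
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1

    # CA signs the CSR; -CAcreateserial creates ca.srl on first use.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$dir/server.crt" 2>/dev/null

    printf '%s\n' "$dir"
}

# 0 when the certificate ($2) chains to the CA file ($1), non-zero otherwise.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the private key ($1) and the certificate ($2) carry the same public key.
# Comparing the DER-encoded public keys catches a key/cert mix-up that is easy
# to miss when reading -text output by eye.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# 0 when the certificate ($1) is still valid $2 seconds from now (-checkend).
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Build everything and print a one-line verdict per check.
main() {
    dir=$(build_pki)
    chain_ok "$dir/ca.crt" "$dir/server.crt"             && echo "chain: OK"
    key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "key/cert: match"
    not_expiring_within "$dir/server.crt" 2592000        && echo "expiry: more than 30 days left"
    openssl x509 -in "$dir/server.crt" -noout -subject -issuer -dates
    echo "files left in $dir for inspection"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `sh pki-check.sh --run` (any file name will do). The three check functions return a shell exit status rather than printing, so they can be reused in deployment scripts: `chain_ok` wraps `openssl verify -CAfile`, `key_matches_cert` is the reliable replacement for comparing modulus values by eye, and `not_expiring_within` uses `-checkend` to fail before a certificate silently expires in production.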
