
OpenSSL Certificate Commands

OpenSSL is a robust toolkit used for managing SSL/TLS certificates and private keys. It supports various cryptographic operations, including generating CSRs, converting file formats, and verifying secure connections.

Common Certificate Formats

Certificates and keys can be stored in several distinct formats, each serving different use cases.

PEM Format (Privacy-Enhanced Mail) is the most common format used for certificates.^[600-developer-tools-security-security-file-extension-name.md]
  • Encoding: Base64-encoded ASCII files.
  • Extensions: .pem, .crt, .cer, .key.
  • Usage: Most servers (e.g., Apache) expect certificates and private keys to be in separate PEM files.^[600-developer-tools-security-security-file-extension-name.md]

DER Format (Distinguished Encoding Rules) is the binary form of a certificate.^[600-developer-tools-security-security-file-extension-name.md]
  • Encoding: Binary.
  • Extensions: .der, .cer.
  • Usage: Typically used on Java platforms. Unlike PEM, a DER file does not contain "BEGIN/END CERTIFICATE" lines.^[600-developer-tools-security-security-file-extension-name.md]

PKCS#7 Format (.P7B) stores certificates and chain certificates (intermediate CAs) but excludes the private key.^[600-developer-tools-security-security-file-extension-name.md]
  • Encoding: Base64 ASCII.
  • Usage: Commonly supported by Microsoft Windows and Java Tomcat.^[600-developer-tools-security-security-file-extension-name.md]

PKCS#12 Format (.PFX / .P12) is a binary format used to store the server certificate, intermediate certificates, and the private key in a single, encryptable file.^[600-developer-tools-security-security-file-extension-name.md]
  • Extensions: .pfx, .p12.
  • Usage: Typically used on Windows machines to import and export certificates.^[600-developer-tools-security-security-file-extension-name.md]

Generating a Certificate Signing Request (CSR)

A CSR (Certificate Signing Request) is required when applying for an SSL certificate from a vendor.^[600-developer-tools-security-security-file-extension-name.md] It contains information such as the Common Name (domain), Organization, and Country.^[600-developer-tools-security-security-file-extension-name.md]

To generate a 2048-bit RSA private key and a CSR simultaneously (without a private key password):

```bash
openssl req -new -newkey rsa:2048 -nodes -out xxxx.csr -keyout xxxx.key -subj "/C=tw/ST=xxxx/L=xxxx/O=xxxx/OU=xxxx/CN=xxx.xxx.xxx"
```
  • xxxx.csr: The CSR file to provide to the Certificate Authority (CA).
  • xxxx.key: The private key, which must be kept secure.^[600-developer-tools-security-security-file-extension-name.md]

Converting Certificate Formats

OpenSSL is frequently used to convert certificates between formats (e.g., for Windows compatibility).

PKCS#12 to PEM (Public Key)

To extract the certificate (which carries the public key but not the private key) from a .pfx file (PKCS#12) and save it as a .crt file (PEM), use the pkcs12 command with the -nokeys flag:^[600-developer-tools-security-security-file-extension-name.md] (-nodes only controls whether exported private keys are encrypted, so it has no effect here once -nokeys is given.)

```bash
openssl pkcs12 -in localhost.pfx -out localhost.crt -nokeys -nodes
```

PEM to PKCS#12 (Key + Certificate)

To combine a private key (server.key) and a certificate (server.crt) into a single .pfx file (PKCS#12), use the pkcs12 command with the -export option.^[600-developer-tools-security-security-file-extension-name.md] You will be prompted to set an export password:^[600-developer-tools-security-security-file-extension-name.md]

```bash
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
```
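The CSR, PEM-to-PKCS#12 and PKCS#12-to-PEM steps above, chained into one script as an added example (not code from the original page): it generates a key and CSR, self-signs the CSR so there is a certificate to convert, bundles key and certificate into a .pfx, extracts the certificate back with -nokeys, and confirms the recovered certificate still belongs to the private key by comparing SHA-256 digests of their public keys. It assumes the openssl CLI is on PATH; the file names, subject and export password are constructed for the demo.

```shell
# Added example, not from the page. Needs the openssl CLI; names and password are constructed.
set -eu
WORK="$(mktemp -d)"
PASS="changeit"   # demo export password for the .pfx

# 1. 2048-bit RSA private key and CSR in one step (-nodes: the key is written unencrypted).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/C=TW/O=Demo/CN=demo.example" 2>/dev/null
}

# 2. Self-sign the CSR so there is a certificate to convert. In real use the CSR
#    goes to a CA instead, and the CA returns server.crt.
self_sign() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 1 -out "$WORK/server.crt" 2>/dev/null
}

# 3. PEM -> PKCS#12: key and certificate in one file, protected by the export password.
to_pkcs12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -out "$WORK/server.pfx" -passout "pass:$PASS"
}

# 4. PKCS#12 -> PEM, certificate only (-nokeys); the private key stays inside the .pfx.
from_pkcs12() {
  openssl pkcs12 -in "$WORK/server.pfx" -nokeys -out "$WORK/recovered.crt" \
    -passin "pass:$PASS" 2>/dev/null
}

# SHA-256 of the public key inside a certificate, and of the public half of a
# private key. Equal digests mean the certificate and the key belong together.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }

# Number of certificate blocks in a PEM file (a -nokeys export of a full chain yields several).
count_certs() { grep -c '^-----BEGIN CERT' "$1"; }

# Runs the whole round trip; succeeds only if the recovered certificate still matches the key.
roundtrip_ok() {
  make_csr && self_sign && to_pkcs12 && from_pkcs12 || return 1
  c="$(cert_pubkey_hash "$WORK/recovered.crt")"
  k="$(key_pubkey_hash "$WORK/server.key")"
  [ -n "$c" ] && [ "$c" = "$k" ]
}

roundtrip_ok || { echo "round-trip FAILED: recovered certificate does not match server.key" >&2; exit 1; }
echo "round-trip OK: $(count_certs "$WORK/recovered.crt") certificate(s) recovered, key matches"
```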

Verifying and Saving Remote Certificates

You can retrieve the certificate served by a remote host and save it to a file using s_client:^[600-developer-tools-security-security-file-extension-name.md]

```bash
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | sed -n '/^-----BEGIN CERT/,/^-----END CERT/p' > example.crt
```

This command connects to example.com on port 443 (sending the host name via SNI with -servername), suppresses the interactive input and extra output, and uses sed to keep only the certificate blocks in example.crt.^[600-developer-tools-security-security-file-extension-name.md] Because -showcerts prints every certificate the server presents, example.crt holds the whole chain as sent, leaf first; the command records those certificates but does not validate them.

Sources

^[600-developer-tools-security-security-file-extension-name.md]