A brief guide to some useful features of OpenSSL, specifically related to SSL certificates.
- OpenSSL Commands
- Generate a CSR from a key and CRT file
- Checking out the details of keys, certs and CSRs
- Check validity of certificate
- Convert key and cert to Windows pkcs/p12/pfx format
- Working with PKCS7 certificates
Generate a CSR from a key and CRT file
openssl x509 -in NAME_crt -x509toreq -signkey NAME_key -out NAME_csr
Checking out the details of keys, certs and CSRs
Certificate:
openssl x509 -text -noout -in NAME_crt
RSA key (shows the modulus, exponent, etc.):
openssl rsa -text -noout -in NAME_key
CSR:
openssl req -text -noout -in NAME_csr
Adding a passphrase
Using the pp password (piped in on stdin, which is what -passout fd:0 reads):
pp | openssl rsa -des3 -passout fd:0 -in NAME_key.nopass -out NAME_key
Or, prompting for the passphrase interactively:
openssl rsa -des3 -in NAME_key.nopass -out NAME_key
Removing a passphrase
Using the pp password (piped in on stdin, which is what -passin fd:0 reads):
pp | openssl rsa -in NAME_key -out NAME_key.nopass -passin fd:0
Or, prompting for the passphrase interactively:
openssl rsa -in NAME_key -out NAME_key.nopass
Check validity of certificate
This checks the certificate against the system's trusted CA store (pass -CAfile with the intermediate chain if the issuer is not in that store):
openssl verify NAME_crt
Visual inspection of output of key and cert (compare the modulus in both to confirm the key belongs to the cert)
openssl rsa -in NAME_key -text -noout
openssl x509 -in NAME_crt -text -noout
Convert key and cert to Windows pkcs/p12/pfx format
You can leave off the password and just use -passout pass: (an empty password), but Windows might forcefully ask for a password when you import. I don't think the -name specifier matters much.
openssl pkcs12 -export -in "domain_crt" -inkey "domain_key" -out "domain.p12" -name "domain" -passout pass:test123
Working with PKCS7 certificates
Depending on what you ask for, SSL providers can give you a signed certificate in a variety of formats. To clarify, you have to deal with formats and encodings.
The format is a container for the signed data, while the encoding is how it's transmitted or attached to an email. PEM and DER are common encodings, being plaintext and binary respectively. We pretty much only ever have to deal with PEM data (which is the base64 representation of the DER bytes, wrapped in BEGIN/END header lines).
The most common format is x509, a single self-contained certificate. x509 does not include the private key material, so you must transport two files (certificate and key) if dealing with x509. Multiple x509 files will be present if you have a full chain of trust to a root.
PKCS7 is another format used to transport certificates. It can encapsulate a full chain of trust, which is useful if a server wishes to provide the chain to a client.
PKCS12 is used to store private keys along with the associated certificate/s, protected by a password.
What to do
When asked, it's usually easiest/best to say that the certificate request relates to an apache server. You're pretty much assured of getting a PEM-encoded x509 cert, which is the easiest to deal with and most widely accepted.
If you get a PKCS7 certificate, you can either throw it directly to IIS/Windows (which should just work), or manually split out the x509 certificate(s) you actually want.
- Get the file saved somewhere, e.g. example.com_pkcs7
- Print the certificates it contains (add -inform DER if the file is binary rather than PEM; -noout stops the PKCS7 blob itself being printed after the certificates):
openssl pkcs7 -in example.com_pkcs7 -print_certs -noout
- Scroll through the output and copy the certificate you need. Chances are it'll be the first in the file (pkcs7 probably goes along the chain of trust from the "leaf" to the "root")
- Dump the data to a new file somewhere, e.g. example.com_crt
- Do whatever you need to do, the certificate is in a usable format now
- Remember to get the key as well
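The split-and-check steps above, scripted rather than done by hand. This is an added example, not part of the original guide: split_certs writes one file per certificate from a -print_certs style bundle, and key_matches_cert replaces eyeballing the modulus by comparing the public key in the key file with the one in the certificate. File names (bundle.pem, a.key, a.crt) and the placeholder certificate bodies are constructed for the demo.

```shell
#!/bin/sh
# split_certs <bundle.pem> <output_prefix>
# Writes <prefix>1.pem, <prefix>2.pem, ... (first block = first certificate
# in the bundle, normally the leaf) and prints how many were written.
# "subject=" / "issuer=" lines between blocks are skipped.
split_certs() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = prefix n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----$/   { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# key_matches_cert <private_key.pem> <cert.pem>
# Returns 0 when both carry the same public key (SubjectPublicKeyInfo PEM),
# 1 when they differ, 2 when either file cannot be parsed. RSA and EC alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Demo on constructed data: the certificate bodies are placeholders, not
# real certificates; they only exercise the splitter.
demo() {
    work=$(mktemp -d)
    printf '%s\n' 'subject=CN=leaf' 'issuer=CN=root' \
        '-----BEGIN CERTIFICATE-----' 'LEAFPLACEHOLDER' '-----END CERTIFICATE-----' \
        '' 'subject=CN=root' 'issuer=CN=root' \
        '-----BEGIN CERTIFICATE-----' 'ROOTPLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$work/bundle.pem"
    echo "certificates found: $(split_certs "$work/bundle.pem" "$work/cert")"
    # With openssl present, make two throwaway self-signed pairs and show the
    # key check accepting the matching key and rejecting the other one.
    if command -v openssl >/dev/null 2>&1; then
        openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo.test -days 1 \
            -keyout "$work/a.key" -out "$work/a.crt" 2>/dev/null
        openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=other.test -days 1 \
            -keyout "$work/b.key" -out "$work/b.crt" 2>/dev/null
        key_matches_cert "$work/a.key" "$work/a.crt" && echo "a.key matches a.crt"
        key_matches_cert "$work/b.key" "$work/a.crt" || echo "b.key does not match a.crt"
    fi
    rm -rf "$work"
}

demo
```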