OpenSSL Commands

A brief guide to some useful features of OpenSSL, specifically for working with TLS/SSL certificates, private keys and CSRs.

Generate a CSR from a key and CRT file

Handy at renewal time when all you have is the current certificate and its key: the new CSR takes its subject from the existing certificate and is signed with NAME_key. Extensions such as subjectAltName are not carried over by default (OpenSSL 3.x can copy them with -copy_extensions copy), so check the result with the req command below before sending it off.

openssl x509 -in NAME_crt -x509toreq -signkey NAME_key -out NAME_csr

Checking out the details of keys, certs and CSRs

  • x509 cert

    openssl x509 -text -noout -in NAME_crt
  • rsa key (seeing the modulus, etc; for EC keys, or any key type, substitute pkey for rsa. Either way the output includes the private exponent and primes, so don't paste it into tickets or chat)

    openssl rsa -text -noout -in NAME_key
  • csr

    openssl req -text -noout -in NAME_csr

Passphrases

Adding a passphrase

Using pp (anything that prints the passphrase on stdout will do; -passout fd:0 reads it from stdin, so it never appears in the process list or your shell history):

pp | openssl rsa -des3 -passout fd:0 -in NAME_key.nopass -out NAME_key

Generic (prompts interactively):

openssl rsa -des3 -in NAME_key.nopass -out NAME_key

-des3 is what older tools expect; for anything modern prefer -aes256, which openssl rsa accepts in the same position.

Removing a passphrase

Using pp:

pp | openssl rsa -in NAME_key -out NAME_key.nopass -passin fd:0

Generic (prompts interactively):

openssl rsa -in NAME_key -out NAME_key.nopass

The result is the key in the clear, so give it restrictive permissions (mode 600, owned by the user the service runs as) and keep it off anything shared.

Check validity of certificate

Simple verify

openssl verify NAME_crt

This succeeds only if openssl can build a chain from NAME_crt to a root in the system trust store, so a certificate whose intermediates are not installed will fail here even though it is perfectly good; pass the CA bundle the provider gave you with -CAfile. Also note that verify says nothing about whether NAME_key actually belongs to NAME_crt.

Visual inspection of output of key and cert

openssl rsa -in NAME_key -text -noout
openssl x509 -in NAME_crt -text -noout
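The two commands above show you the numbers, but the check you actually want before deploying is that the key, the certificate and the CSR all carry the same public key. The following is an added example, not a command from the original page: a small sh script that extracts the public key from each with openssl and compares them. NAME_key / NAME_crt / NAME_csr are the page's placeholders; pubkey_pem, same_pubkey and make_demo_material are names chosen here, and the material they operate on is throwaway, generated in a temp directory.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a private key, a
# certificate and a CSR all carry the same public key before deploying them.
# NAME_key / NAME_crt / NAME_csr are the page's placeholders; the demo material
# at the bottom is throwaway, generated in a temp dir.
set -eu

# Print the public key held in a key, cert or CSR as PEM (SubjectPublicKeyInfo).
# Comparing this rather than the RSA -modulus output also works for EC keys.
pubkey_pem() {  # $1 = key|crt|csr, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -pubkey -noout ;;
        csr) openssl req  -in "$2" -pubkey -noout ;;
        *)   echo "pubkey_pem: unknown kind '$1'" >&2; return 2 ;;
    esac
}

# Exit 0 when both files hold the same public key, 1 when they differ,
# 2 when either file could not be read (an unreadable pair must not "match").
same_pubkey() {  # $1 = kind, $2 = file, $3 = kind, $4 = file
    a=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 2
    b=$(pubkey_pem "$3" "$4" 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo material: key A with a cert and CSR made from it, plus an unrelated key B.
make_demo_material() {  # $1 = dir
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.crt" \
        -subj /CN=example.com -days 1 >/dev/null 2>&1
    # the page's own recipe: regenerate a CSR from an existing cert + key
    openssl x509 -in "$1/a.crt" -x509toreq -signkey "$1/a.key" -out "$1/a.csr" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/b.key" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_material "$demo"
for pair in "key a.key crt a.crt" "key a.key csr a.csr" "key b.key crt a.crt"; do
    set -- $pair
    if same_pubkey "$1" "$demo/$2" "$3" "$demo/$4"; then
        echo "$2 / $4: match"
    else
        echo "$2 / $4: MISMATCH"
    fi
done
rm -rf "$demo"
```

Comparing the PEM public key rather than the RSA modulus is deliberate: it costs nothing extra and keeps the same check working for EC keys, which have no modulus. The exit code 2 path matters too; two files that openssl cannot read must not compare equal just because both produced nothing.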

Convert key and cert to Windows pkcs/p12/pfx format

You can leave off the password and just have pass: (an empty password), but Windows may insist on one when you import. The -name value is only the "friendly name" Windows shows for the entry in the certificate store, so it is cosmetic. Two things worth knowing: pass:test123 puts the password in the process list and your shell history (use -passout fd:0 with a pipe, as in the passphrase section, for anything real), and if the intermediates are needed on the Windows side add them with -certfile. With OpenSSL 3.x the file is written with AES-256 and a SHA-256 MAC by default; if an older Windows refuses to import it, re-export with -legacy.

openssl pkcs12 -export -in "domain_crt" -inkey "domain_key" -out "domain.p12" -name "domain" -passout pass:test123
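An added example (not from the page) of the same export with the password read from stdin rather than the command line, followed by a read-back check that the certificate inside the .p12 is the one you put in. domain_key and domain_crt mirror the page's placeholders; make_p12, p12_cert_fp, cert_fp and make_demo_pair are names chosen here, and the key and certificate are generated on the fly.

```shell
#!/bin/sh
# Added example (not from the original page): export key + cert to PKCS12 with the
# password read from stdin instead of the command line, then read it back to
# confirm the .p12 holds the certificate you think it does. domain_key and
# domain_crt mirror the page's placeholders; the demo pair is generated on the fly.
set -eu

# Build DIR/domain.p12 from DIR/domain_key and DIR/domain_crt. The export
# password comes from stdin (-passout fd:0), so it never shows up in ps output
# or shell history the way -passout pass:... does.
make_p12() {  # $1 = dir, $2 = friendly name shown by Windows; password on stdin
    openssl pkcs12 -export -in "$1/domain_crt" -inkey "$1/domain_key" \
        -name "$2" -out "$1/domain.p12" -passout fd:0
}

# SHA-256 fingerprint of the end-entity certificate inside a .p12, password on
# stdin. Fails (exit 1, no output) if the password is wrong or the file is bad.
p12_cert_fp() {  # $1 = p12 file
    pem=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin fd:0) || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of a PEM certificate, for comparison with p12_cert_fp.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Throwaway self-signed pair standing in for the real domain_key / domain_crt.
make_demo_pair() {  # $1 = dir
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/domain_key" -out "$1/domain_crt" \
        -subj /CN=example.com -days 1 >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pair "$demo"
printf '%s\n' 'test123' | make_p12 "$demo" domain
echo "original cert: $(cert_fp "$demo/domain_crt")"
echo "cert in p12:   $(printf '%s\n' 'test123' | p12_cert_fp "$demo/domain.p12")"
rm -rf "$demo"
```

In real use the printf would be replaced by whatever hands out the password (pp, in this wiki's terms); the point is that the secret travels over a pipe, not as an argument.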

Working with PKCS7 certificates

Background

Depending on what you ask for, a certificate authority (SSL provider) can hand you a signed certificate in any of several formats. Two separate things are in play: the format and the encoding.

The format is the container for the signed data; the encoding is how those bytes are written down for transport or for attaching to an email. DER is the binary encoding and PEM is the base64 rendering of the same DER bytes, wrapped in -----BEGIN ...----- and -----END ...----- lines. We pretty much only ever have to deal with PEM.

The most common format is a single x509 certificate. It is self-contained but holds no private key material, so you always have two files to move around: the certificate and its key. A full chain of trust to a root is simply several x509 certificates, often concatenated into one PEM file.

PKCS7 is another container for certificates. It holds one or more certificates (typically a whole chain) and never a private key, which is why CAs use it to deliver a certificate together with its intermediates as a single file.

PKCS12 stores private keys together with the associated certificate(s), protected by a password; this is what Windows expects as a .pfx/.p12 file.

What to do

When asked, it's usually easiest/best to say that the certificate request relates to an Apache server. You're pretty much assured of getting a PEM-encoded x509 cert, which is the easiest to deal with and the most widely accepted.

If you get a PKCS7 certificate, you can either feed it straight to IIS/Windows (which should just work), or manually split out the x509 certificate(s) you actually want.

  1. Get the file saved somewhere, example.com_pkcs7

  2. openssl pkcs7 -in example.com_pkcs7 -print_certs

     (add -inform DER if the file is binary rather than starting with -----BEGIN PKCS7-----)

  3. Scroll through the output and copy the certificate you need. Each one is preceded by subject= and issuer= lines, so pick by subject rather than by position: PKCS7 does not guarantee leaf-to-root order, and the leaf may well not be first.
  4. Dump the data to a new file somewhere, example.com_crt

  5. Do whatever you need to do, the certificate is in a usable format now
  6. Remember to get the key as well; PKCS7 never carries it
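The steps above done as a script, added here rather than taken from the original page: it splits the bundle with openssl pkcs7 -print_certs, writes one PEM file per certificate, and picks the leaf by the absence of basicConstraints CA:TRUE instead of trusting the order. example.com_pkcs7 is the page's placeholder; split_pkcs7, find_leaf and make_demo_bundle are names chosen for this example, and the demo bundle is built from throwaway keys with crl2pkcs7, deliberately listing the CA first.

```shell
#!/bin/sh
# Added example (not from the original page): split a PKCS7 bundle into one PEM
# file per certificate and pick the leaf by its basicConstraints rather than by
# position, because the order inside the bundle is not something to rely on.
# example.com_pkcs7 is the page's placeholder; the demo bundle at the bottom is
# built from throwaway keys.
set -eu

# Write each certificate in a PKCS7 bundle (PEM or DER) to DIR/cert-N.pem in
# the order -print_certs emits them, and print how many were written.
split_pkcs7() {  # $1 = pkcs7 file, $2 = output dir
    mkdir -p "$2"
    inform=PEM
    grep -q 'BEGIN PKCS7' "$1" || inform=DER   # no PEM header: assume binary DER
    openssl pkcs7 -in "$1" -inform "$inform" -print_certs |
        awk -v dir="$2" '
            /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
            out != ""                      { print > out }
            /^-----END CERTIFICATE-----/   { close(out); out = "" }
            END                            { print n + 0 }'
}

# Print the path of every certificate in DIR that is not a CA, i.e. the
# end-entity cert(s) you actually want to hand to the server.
find_leaf() {  # $1 = dir written by split_pkcs7
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || echo "$f"
    done
}

# Demo bundle: a throwaway root CA and one leaf it signs, CA listed first on
# purpose so that "take the first cert" would hand you the wrong one.
make_demo_bundle() {  # $1 = dir; writes $1/bundle.p7b
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=Demo Root CA" -days 1 -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        -subj /CN=leaf.example.com >/dev/null 2>&1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -set_serial 1 \
        -days 1 -out "$1/leaf.crt" >/dev/null 2>&1
    openssl crl2pkcs7 -nocrl -certfile "$1/ca.crt" -certfile "$1/leaf.crt" -out "$1/bundle.p7b"
}

demo=$(mktemp -d)
make_demo_bundle "$demo"
echo "certificates in bundle: $(split_pkcs7 "$demo/bundle.p7b" "$demo/out")"
for f in "$demo"/out/cert-*.pem; do
    printf '%s  ' "$f"; openssl x509 -in "$f" -noout -subject
done
echo "leaf: $(find_leaf "$demo/out")"
rm -rf "$demo"
```

For a real bundle, point split_pkcs7 at example.com_pkcs7 and a scratch directory, copy the file find_leaf names to example.com_crt, and keep the CA:TRUE ones as the chain for the server config. If find_leaf prints more than one path the bundle holds several end-entity certs and you pick by subject.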

