Some of the most common OpenSSL commands
Generally useful OpenSSL commands
These commands allow you to generate Certificate Signing Requests (CSRs), Certificates, Private Keys and do other miscellaneous tasks.
Generate a new private key and CSR
openssl req -new -newkey rsa:<number of bits> -out <filename for csr> -keyout <filename for key>
Generate a new CSR using an existing private key
openssl req -new -key <filename for existing key> -out <filename for csr>
Generate a new CSR based on an existing X509 (PEM) certificate and private key
openssl x509 -x509toreq -in <filename for existing crt> -signkey <filename for existing key> -out <filename for csr>
Generate a new CSR with Subject Alternative Names (SANs) (see config file information below)
openssl req -config <filename of config file> -new -newkey rsa:<number of bits> -out <filename for csr> -keyout <filename for key>
Generate a self-signed certificate
openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -keyout <filename for new key> -out <filename for certificate>
Generate a certificate signing request (CSR) for an existing private key
openssl req -new -key <filename for existing key> -out <filename for csr>
Remove a passphrase from a private key
openssl rsa -in <filename for existing key> -out <filename for unencrypted key>
Add or change a passphrase for a private key
openssl rsa -aes256 -in <filename for existing key> -out <filename for encrypted key>
Checking Using OpenSSL
If you need to check the information within a Certificate, CSR or Private Key, use these commands.
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in <filename of CSR>
Check a private key
openssl rsa -check -in <filename of private key>
Check a certificate
openssl x509 -text -noout -in <filename of PEM certificate>
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in <filename of PKCS12 certificate>
Debugging Using OpenSSL
If you are receiving an error that the private doesn’t match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands.
Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
Check an SSL connection. All the certificates (including Intermediates) should be displayed
openssl s_client -connect www.paypal.com:443
Converting Using OpenSSL
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -aes256
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Creating a config file for ease and Subject Alternative Names (SANs)
SANs (subject alternative names) allow a single CRT to refer to multiple FQDNs. This differs from a wildcard certificate, which refers to all sub-domains of a given domain. The SANs can refer to wildly different domains, like www.example.com and www.example.net.
Generating a CSR with SANs requires using a separate configuration file to list the SANs. The file contains the following default openssl template, plus an additional section for subjectAltNames:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
ST = State or Province Name (full name)
L = Locality Name (eg, city)
O = Organization Name (eg, company)
OU = Organizational Unit Name (eg, section)
CN = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = host.domain.com
DNS.2 = host1.domain.com
The first SAN entry should match the commonName (Subject) of the certificate.
Using ECDSA certificates
Elliptic Curve (EC) certificates offer some strong advantages over RSA certificates. With ECDSA you can get the same level of security as RSA but with smaller keys. Smaller keys are better than larger keys for several reasons. Smaller keys have faster algorithms for generating signatures because the math involves smaller numbers. Smaller public keys mean smaller certificates and less data to pass around to establish a TLS connection. This means quicker connections and faster loading times on websites.
openssl ecparam -list_curves
This will list all the curves available to choose from. We will generally only be interested in the following as these are widely supported in browsers.
prime256v1: X9.62/SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
Generating an EC private key
openssl ecparam -name <curve-name> -genkey -noout -out <filename of new private key>
Encrypting the private key (for importing into ClearPass, etc.)
openssl pkcs8 -topk8 -in <filename for existing key> -out <filename for encrypted key>
Generating an EC based CSR
This is done using the same method outlined above for RSA certs.
Checking an EC cert using openssl
This is done using the same method above for RSA certs. To check the private key though use the below.
openssl pkey -text -noout -in <filename for existing key>
Debugging EC certs using openssl
To check that a given private key belongs to an ECDSA certificate we need to extract the public key from both and compare.
openssl pkey -in <filename of private key> -pubout
openssl x509 -in <filename of PEM certificate> -pubkey