Skip to main content

OpenSSL is an open-source software library designed to secure digital communications and certificates. It is used by many websites and organizations worldwide to encrypt information in transit, such as emails, web traffic, and other data exchanged over the internet or computer networks. OpenSSL also provides a way for trusted entities to sign documents or digital certificates in order to verify the authenticity and integrity of the data. OpenSSL provides an invaluable security layer that helps to protect online transactions from malicious actors.

This article provides an overview of commonly used OpenSSL commands to work with SSL certificates. It covers various operations such as generating a new certificate, checking the details of an existing certificate, converting the certificate into different format, debugging when there is an error occurs, and pretty much everything that you need to know about OpenSSL.

The commands we have provided here can be more useful for creating, managing, and troubleshooting SSL certificates on various platforms. All this content made this article a valuable resource for system administrators and security professionals. The article also provides examples of how to use these commands in real-world scenarios with screenshots to give you a practical solution, helping readers to quickly and efficiently work with SSL certificates using OpenSSL.

What is OpenSSL?

OpenSSL is an open-source software library that provides cryptographic protocols and security algorithms for implementing secure communications over computer networks. It can be used to protect data from eavesdropping, and encryption of email messages, payment transactions other sensitive information. OpenSSL supports a wide range of cryptographic functions, including digital signature, key exchange, and public-key encryption schemes. It is widely used for web-based applications and can be integrated into a variety of software programs.

The OpenSSL library is available on Linux, macOS, and Windows, making it a popular choice amongst developers who need secure communication protocols. By leveraging the functions of OpenSSL, developers can create highly secure applications that protect user data from malicious actors.

What is OpenSSL Used For?

OpenSSL is a powerful and versatile tool that can be used for a wide range of tasks. Some of the things that can be done using OpenSSL include the following:

  1. Creating and managing SSL certificates: OpenSSL allows users to easily create and manage SSL certificates, which can be used to prove the identity of the entity.
  2. Creating and verifying digital signatures: OpenSSL’s libraries can be used to create digital signatures, which can be used to authenticate the identity of the sender and the integrity of the message.
  3. Generating private keys and certificate signing requests: OpenSSL can be used to generate private keys and CSRs, which are used in the process of obtaining an SSL certificate from a certificate authority.
  4. Creating and managing Certificate Authorities and Certificate Revocation Lists: OpenSSL can be used to create and manage CAs and CRLs, which are used to issue and revoke SSL certificates that have been compromised or are no longer needed.
  5. Converting certificate formats: OpenSSL can be used to convert certificates between different formats, such as CRT, CER, PEM, DER, CRT, PKCS7, and PKCS#12.
  6. Inspecting SSL Certificates: OpenSSL can be used to check the details of existing certificates, such as the validity period, the subject and issuer, and other details.
  7. SSL/TLS Testing: OpenSSL can be used to test the SSL/TLS configurations of servers and clients.

Please read these posts to learn more about OpenSSL and Digital Certificate:

    How Do You Check That OpenSSL is Installed on Your Machine?

    This verification procedure depends on the type of operating system platform. The different operating systems will have different procedures.

    1. Windows: On Windows, you can check if OpenSSL is installed by going to the Add/Remove Programs underneath Control Panel and searching for “OpenSSL”. If it’s installed, it will appear in the list of installed programs.
    2. macOS: you can check by searching for OpenSSL in the Applications folder.
    3. Linux: Open a terminal window and type “openssl version” (without quotes). If OpenSSL is installed, it will display the version number of your installed version.

    Generally, you can use the Linux method on Windows and mac. It works on all the operating systems. Check the OpenSSL documentation: If you are not sure where OpenSSL is installed, you can check the OpenSSL documentation. This usually contains information on how to install OpenSSL  on various platforms.

    Commands to Check the Version of OpenSSL

    Run this command on the terminal to check the version of OpenSSL.

    $ openssl version
    Commands to Check the Version of OpenSSL

    Important Abbreviations Related to the Digital Certificates:

    Here are some important abbreviations related to certificates:

    1. SSL: Secure Sockets Layer, a protocol used to establish secure connections over the internet.
    2. TLS: Transport Layer Security, a successor to SSL, which is used to establish secure connections over the internet.
    3. CA: Certificate Authority, an organization that issues digital certificates used to establish trust in SSL/TLS connections.
    4. CSR: Certificate Signing Request, a file that contains information about the certificate holder and the public key. It is used to apply for a certificate from a CA.
    5. CRT: Certificate, a digital certificate issued by a CA that contains information about the certificate holder and the public key.
    6. PEM: Privacy-enhanced Electronic Mail, a Base64 encoded file format that is used to store SSL/TLS certificates, private keys, and other cryptographic objects.
    7. DER: Distinguished Encoding Rules, a binary format used to store SSL/TLS certificates, private keys, and other cryptographic objects.
    8. PKCS: Public-Key Cryptography Standards, a set of standards for public-key cryptography, which includes formats for storing certificates and keys.
    9. X.509: A standard that defines the format of digital certificates used in SSL/TLS connections.
    10. CRL: Certificate Revocation List, a list of revoked certificates that is used to revoke SSL/TLS certificates that have been compromised or are no longer needed.
    11. SAN: Subject Alternative Name, a field in an SSL/TLS certificate that allows multiple hostnames or IP addresses to be associated with a single certificate.
    12. OV: Organization Validation, a type of SSL/TLS certificate that requires additional validation of the organization’s identity before the certificate is issued.
    13. EV: Extended Validation, a type of SSL/TLS certificate that requires the highest level of validation of the organization’s identity before the certificate is issued.
    14. OCSP: Online Certificate Status Protocol, a protocol used to check the revocation status of a certificate in real time.
    15. CAA: Certificate Authority Authorization, a DNS record that specifies which CAs are authorized to issue certificates for a domain.
    16. ECC: Elliptic Curve Cryptography, a type of public-key cryptography that uses elliptic curve mathematics to provide the same level of security as traditional methods with smaller key sizes.
    17. RSA: Rivest–Shamir–Adleman, a widely used public-key encryption algorithm that is based on the mathematical properties of large prime numbers.
    18. DH: Diffie-Hellman, a key-agreement protocol that allows two parties to establish a shared secret over an insecure communication channel.
    19. AES: Advanced Encryption Standard, a widely used symmetric encryption algorithm that can be used to encrypt and decrypt data.
    20. SHA: Secure Hash Algorithm, a widely used cryptographic hash function that can be used to create a unique digital fingerprint of a message or data.
    21. HSM: Hardware Security Module, a physical device that can store and manage cryptographic keys, and perform cryptographic operations.
    22. PKI: Public Key Infrastructure, a set of policies, procedures, and technologies used to manage digital certificates and public-key encryption.
    23. DSA: Digital Signature Algorithm, a standard for digital signatures, based on the mathematical properties of modular arithmetic and the discrete logarithm problem.
    24. DH: Diffie-Hellman, a key-agreement protocol that allows two parties to establish a shared secret over an insecure communication channel.
    25. ECDSA: Elliptic Curve Digital Signature Algorithm, a digital signature algorithm based on elliptic curve cryptography, that can be used to create digital signatures.

    How to Generate A Self-Signed Certificate Using OpenSSL?

    Generating a self-signed certificate using OpenSSL is a relatively simple process. The first step is to generate the key pair, which has a private key as well as a public key. This will be used to sign the certificate in Step 4. The second step is to extract the public key from the key pair. The third step is to generate a Certificate Signing Request (CSR). This will be used by the certificate authority (CA) to create the self-signed certificate. You will be prompted to enter a variety of information, such as the common name, organization name, organization unit, country code, email address, and many more. Finally, generate the self-signed certificate using the private key and CSR. Simple, Isn’t it?

    Time needed: 15 minutes.

    How to Generate A Self-Signed Certificate Using OpenSSL?

    1. Generate Key pair using OpenSSLTo create the key pair, run this command in your terminal:

      $ openssl genrsa -out private.key 2048

      This command will generate an RSA key pair with a length of 2048.


      OpenSSL Command to Generate a Private Key or Key Pair
    2. Extract the public key from the key pairRun this command to extract the public key from the key pair generated in step 1.

      $ openssl rsa -in private.key -pubout -out public.key


      OpenSSL Command to Extract the Pubic Key from the Key pair
    3. Generate a Certificate Signing Request (CSR)The next step is to generate a Certificate Signing Request (CSR). This will be used by the certificate authority (CA) to create the self-signed certificate. To generate the CSR, run this command in your terminal:

      You will be prompted to enter a variety of information, such as the common name, organization name, organization unit, country code, email address, optional password, and many more. Enter the valid input it asks to generate the CSR. For example, the country name should be two char country codes. The common name should be the FQDN or IP to which you are going to get the certificate. The CSR is now ready for the CA to generate a self-signed certificate.

      $ openssl req -new -key private.key -out certificate.csr

      We suggest verifying the CSR generated before you submit it to the Certificate Authority. Run this command to verify the details of your CSR.

      $ openssl req -text -in certificate.csr -noout -verify


      OpenSSL Commands to a Generate CSR
    4. Generate the self-signed certificateFinally, generate the self-signed certificate using the private key and CSR. Run this command to generate the self-signed certificate on the terminal:

      $ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365


      OpenSSL Command to Generate a self-signed Certificate

     

    See Also How To Fix CVE-2022-27511(2), Security Bypass Vulnerability In Citrix ADM

    Most Useful OpenSSL Commands to Work With SSL Certificates

    Before we head toward the most useful OpenSSL commands to work with SSL certificates, let’s see the structure of OpenSSL commands.

    Structure of a typical OpenSSL command:

    The structure of a simple OpenSSL command typically looks like this:

    openssl <command> <options>

    The main command is ‘openssl’ which is followed by a subcommand <command> and <options>. It is allowed to use multiple subcommands and options in a single line so that multiple things can be performed in a single command.

    The subcommand can be any of the cryptographic functions supported by the OpenSSL library. Some examples of subcommands include genpkey, req, x509, pkcs12, rsa, verify, etc. These subcommands are used to perform specific cryptographic operations.

    Options <options> are any additional arguments required to work the command. Typically options are used to give input or get the output of the comment. Examples: -req, -days, -in, -out, etc.

    If you struggle to identify the ‘subcommands’ over ‘options’ in lengthy OpenSSL commands, here is the tip. The key identifier that differentiates ‘subcommands’ from ‘options’ is the ‘-‘ symbol.

    Example for a simple OpenSSL command:

    $ openssl genrsa -out private.key 2048

    In the above command, ‘genrsa’ is the subcommand, ‘-out’ is an option, ‘private.key’ specifies the output file name, and ‘2048’ is the key pair length.

    Example of an OpenSSL with multiple subcommands and options:

    $ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365

    OpenSSL Commands to Generate SSL Certificates and Keys

    In this section, we are going to see the Most Useful OpenSSL Commands to Work With SSL Certificates.

    #1. OpenSSL Command to Generate a Private Key or Key Pair

    $ openssl genrsa -out private.key 2048

    This command generates a new RSA key pair and saves it in a file named “private.key” in the current directory.

    Terminal screenshot with the command to generate a new RSA key pair and saves it

    #2. OpenSSL Command to Extract the Pubic Key from the Key pair

    $ openssl rsa -in private.key -pubout -out public.key

    This command extracts the public key from the ‘private.key’ key pair and saves it in ‘public.key’ file.

    Terminal screenshot with the command to extract the public key from 'private.key' key pair and saves it

    #3. OpenSSL Commands to a Generate CSR

    $ openssl req -new -key private.key -out certificate.csr 

    This command will prompt you to enter a variety of information, such as the common name, organization name, organization unit, country code, email address, optional password, and many more. Enter the valid input it asks to generate the CSR. This command generates a CSR and saves it in a file named ‘certificate.csr.’

    Terminal screenshot with the command to generate a CSR and saves it

    #4. OpenSSL Command to Generate a self-signed Certificate

    $ openssl x509 -in certificate.csr -out certificate.crt -req -signkey private.key -days 365

    This command generates a self-signed certificate and saves it in a file named ‘certificate.crt.’

    Terminal screenshot with the command to generate a self-signed certificate and save it

    #5. OpenSSL Command to Generate a new Private Key and Certificate Signing Request in a Single Command

    openssl req -out certificate.csr -new -newkey rsa:2048 -nodes -keyout private.key

    This command generates a new private key and CSR and saves them in a file named ‘certificate.csr’ and ‘private.key.’

    Terminal screenshot with the command to generate a new private key and CSR and save them

    #6. OpenSSL Command to Generate a Certificate Signing Request (CSR) for an existing Private Key

    openssl req -out newcsr.csr -key private.key -new

    This command generates a new CSR and saves it in a file named ‘newcsr.csr’ for  the existing private key.

    Terminal screenshot with the command to generate a new CSR and save it

    #7. OpenSSL Command to Generate a Certificate Signing Request (CSR) based on an existing Certificate

    openssl x509 -x509toreq -in certificate.crt -out newcsr2.csr -signkey private.key

    This command generates a new Certificate Signing Request (CSR) and save it in a file named ‘newcsr2.csr.’

    #8. OpenSSL Command to Encrypt or add Passphrase to a Private Key

    openssl rsa -aes256 -in private.key -out private_secure.pem

    OR

    openssl rsa -aes256 -in private.key -out private_secure.key

    You can keep the encrypted key pair in .key or .pem format. Both are valid.

    Terminal screenshot with the OpenSSL Command to Encrypt or add Passphrase to a Private Key

    #9. OpenSSL Command to Decrypt or Remove a Passphrase from a Private Key

    openssl rsa -in private_secure.pem -out newprivate.pem

    OR

    openssl rsa -in private_secure.key -out newprivate.key

    This command removes the passphrase and decrypts the private key, and saves it in a file named newprivate.key.

    Terminal screenshot with the command to remove the passphrase and decrypts the private key, and save it

    OpenSSL Commands to Convert SSL Certificates

    There could be several reasons why you may need to convert SSL certificates from one format to another. The main reason would be compatibility. Different systems and applications may require certificates to be in a specific format. Some systems or applications may not be able to handle certain file formats. In such cases, it is necessary to convert the certificate to a different format that the system or application can understand. For example, some web servers may require certificates to be in PEM format, while others may require them to be in PKCS#12 format.

    OpenSSL can be used to convert SSL certificates between different formats. Let’s see how to convert from one file format to another.

    #1. OpenSSL Commands to Convert a Certificate from CRT to PEM

    openssl x509 -inform der -in certificate.crt -out certificate.pem

    This command will convert the certificate in CRT format named “certificate.crt” to PEM format and save it in a file named “certificate.pem” in the current directory. Note: this command can be used to convert .cer certificates.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from CRT to PEM

    PEM Certificate vs PEM Key file

    Both the PEM Certificate and PEM Key file are different entities and made for different purpose. They can’t be interchangeable. Don’t be confused between them.

    PEM stands for Privacy Enhanced Mail. PEM Certificate is a file that is used to store X.509 certificates. Where as PEM Key file is a file used to store private and publick key pair.

    A PEM certificate typically contains the public key of a certificate and not the private key.

    A PEM certificate file typically contains the following information:

    • The X.509 certificate in base64 encoded format
    • The certificate’s public key
    • Optionally, any intermediate CA certificates

    Use ‘cat’ command to differentiate the PEM Key file from the PEM Certificate. A PEM Key file contains a private key would typically have a header that says “BEGIN RSA PRIVATE KEY” or “BEGIN PRIVATE KEY”.

    #2. OpenSSL Commands to Convert a Certificate from CRT to PKCS7

    openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b

    This command will convert the certificate in CRT format named “certificate.crt” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from CRT to PKCS7

    #3. OpenSSL Commands to Convert a Certificate from CRT to PKCS#12

    PKCS#12 and PFX are both file formats that are used to store X.509 certificates and private keys. The main difference between them is the file extension, PKCS#12 uses the file extension .p12 or .pfx, and PFX uses the file extension .pfx. Both formats are used for the same purpose, which is to provide a secure way to store and transport digital certificates and private keys. PKCS#12 is the standard for storing the certificate and private key developed by RSA Laboratories, while PFX is Microsoft’s variant of the PKCS#12 standard.

    openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12

    OR

    openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.pfx

    This command will convert the certificate in CRT format named “certificate.crt” and private key named “private.key” to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from CRT to PKCS#12

    It’s important to note that PKCS#12 format is also known as P12 format, and it is used to store one or more certificates and private key. It’s encrypted by default and can’t be decoded in base64, and It will prompt you to enter a password to protect the certificate and key.

    It’s important to note that PKCS#12 format is also known as P12 format, and it is used to store one or more certificates and private key. It’s encrypted by default and can’t be decoded in base64, and It will prompt you to enter a password to protect the certificate and key.

    #4. OpenSSL Commands to Convert a Certificate from CRT to DER

    openssl x509 -in certificate.crt -outform DER -out certificate.der

    This command will convert the certificate in CRT format named “certificate.crt” to DER format and save it in a file named “certificate.der” in the current directory.

     

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from CRT to DER

    It’s important to note that DER is a binary format and can’t be decoded in base64, and it is typically used to store X.509 certificates and CRLs (Certificate Revocation Lists) in a compact and efficient way.

    #5. OpenSSL Commands to Convert a Certificate from DER to PEM

    openssl x509 -inform DER -in certificate.der -out certificate.pem

    This command will convert the certificate in DER format named “certificate.der” to PEM format and save it in a file named “certificate.pem” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from DER to PEM

    #6. OpenSSL Commands to Convert a Certificate from DER to CRT

    openssl x509 -inform DER -in certificate.der -out certificate.crt

    This command will convert the certificate in DER format named “certificate.der” to CRT format and save it in a file named “certificate.crt” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from DER to CRT

    It’s important to note that the CRT file format is just a container format, and the data inside it can be encoded in various ways, and it is commonly used to store X.509 certificates.

    #7. OpenSSL Commands to Convert a Certificate from DER to PKCS7

    openssl crl2pkcs7 -nocrl -certfile certificate.der -out certificate.p7b

    This command will convert the certificate in DER format named “certificate.der” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from DER to PKCS7

    It’s important to note that PKCS7 format is also known as P7B format, and it is used to store one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key.

    #8. OpenSSL Commands to Convert a Certificate from DER to PKCS#12

    Practically, it is not possible to convert DER to PKCS#12, since DER is an unreadable binary file. The Certificate should be in either CRT or CER to convert to PKCS#12 or P12. Please refer to the #3 command for more information.

    #9. OpenSSL Commands to Convert a Certificate from PKCS7 to CRT

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

    This command will convert the certificate in PKCS7 format named “certificate.p7b” to CRT format and save it in a file named “certificate.crt” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PKCS7 to CRT

    #10. OpenSSL Commands to Convert a Certificate from PKCS7 to PEM

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

    This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format and save it in a file named “certificate.pem” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PKCS7 to PEM

    #11. OpenSSL Commands to Convert a Certificate from PKCS7 to PKCS#12

    It is not possible to directly convert a certificate from PKCS7 format to PKCS#12 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. At the same time, PKCS#12 format is used to store one or more certificates and a private key.

    In order to convert a certificate from PKCS7 format to PKCS#12 format, you will need to first extract the private key and the certificate in PEM format and then use the OpenSSL command to create a PKCS#12 file which includes both the certificate and the private key.

    Here is an example command:

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
    openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12

    This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format using the first command and then using the second command. It will convert the PEM format certificate and private key to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PKCS7 to PKCS#12

    #12. OpenSSL Commands to Convert a Certificate from PKCS7 to DER

    It is not possible to directly convert a certificate from PKCS7 format to DER format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. While DER format is a binary format, and it is typically used to store X.509 certificates and CRLs (Certificate Revocation Lists) in a compact and efficient way.

    In order to convert a certificate from PKCS7 format to DER format, you will need to first extract the certificate in PEM format and then use the OpenSSL command to convert PEM to DER format.

    Here is an example command:

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
    openssl x509 -in certificate.pem -outform DER -out certificate.der

    This command will convert the certificate in PKCS7 format named “certificate.p7b” to PEM format using the first command, and then using the second command, it will convert the PEM format certificate to DER format and save it in a file named “certificate.der” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PKCS7 to DER

    #13. OpenSSL Commands to Convert a Certificate from PEM to CRT

    The PEM format and CRT format are both base64 container formats that are used to store X.509 certificates. PEM is used to store public certificates or the entire certificate chain (private key, public key, root certificates). So, a certificate in the PEM format can be used as it is in a CRT format because it’s the same format, and it just depends on the file extension. PEM can be used where ever CRT is being used. No conversion is required.

    #14. OpenSSL Commands to Convert a Certificate from PEM to PKCS#12

    openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12

    This command will convert the certificate in PEM format named “certificate.pem” and the private key named “private.key” to PKCS#12 format and save it in a file named “certificate.p12” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PEM to PKCS#12

    #15. OpenSSL Commands to Convert a Certificate from PEM to PKCS7

    It is not possible to directly convert a certificate from PEM format to PKCS7 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. While PEM format can include just the public certificate or the entire certificate chain (private key, public key, root certificates), and it is base64 encoded.

    In order to convert a certificate from PEM format to PKCS7 format, you will need to first extract the public certificate and any intermediate CA certificates from the PEM file, then use the OpenSSL command to create a PKCS7 file.

    #16. OpenSSL Commands to Convert a Certificate from PEM to DER

    openssl x509 -in certificate.pem -outform DER -out certificate.der

    This command will convert the certificate in PEM format named “certificate.pem” to DER format and save it in a file named “certificate.der” in the current directory.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PEM to DER

    #17. OpenSSL Commands to Convert a Certificate from PKCS#12 to PEM

    openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes

    This command will convert the certificate in PKCS#12 format named “certificate.p12” to PEM format and save it in a file named “certificate.pem” in the current directory. It will prompt you to enter the password that was used to encrypt the certificate in PKCS#12 format. If the certificate was not encrypted, you don’t have to use the -nocerts option.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PKCS#12 to PEM

    #18. OpenSSL Commands to Convert a Certificate from PKCS#12 to CRT

    The CRT format and PKCS#12 format are both container formats that are used to store X.509 certificates. The CRT file format is used to store X.509 certificates, While PKCS#12 format is used to store one or more certificates and private key. It’s also encrypted by default.

    It’s important to note that a certificate in the PKCS#12 format can be used as it is in a CRT format because it’s the same format, and it just depends on the file extension.

    #19. OpenSSL Commands to Convert a Certificate from PKCS#12 to DER

    openssl pkcs12 -in certificate.p12 -out certificate.der -nodes -nokeys

    This command will convert the certificate in PKCS#12 format named “certificate.p12” to DER format and save it in a file named “certificate.der” in the current directory. It will prompt you to enter the password that was used to encrypt the certificate in PKCS#12 format.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PKCS#12 to DER

    #20. OpenSSL Commands to Convert a Certificate from PKCS#12 to PKCS7

    It is not possible to directly convert a certificate from PKCS#12 format to PKCS7 format. Because PKCS7 format is used for storing one or more certificates, typically including the end-user certificate and any intermediate CA certificates, but it doesn’t contain the private key. At the same time, PKCS#12 format is used to store one or more certificates and private key. It’s also encrypted by default.

    In order to convert a certificate from PKCS#12 format to PKCS7 format, you will need to first extract the public certificate and any intermediate CA certificates from the PKCS#12 file using OpenSSL, then use the OpenSSL command to create a PKCS7 file.

    Here is an example command:

    openssl pkcs12 -in certificate.p12 -out certificate.p7b -nokeys -nodes

    This command will convert the certificate in PKCS#12 format named “certificate.p12” to PKCS7 format and save it in a file named “certificate.p7b” in the current directory. It will prompt you to enter the password that was used to encrypt the certificate in PKCS#12 format.

    Terminal screenshot with the OpenSSL Commands to Convert a Certificate from PKCS#12 to PKCS7

    OpenSSL Commands to Debug SSL Certificates and Keys

    OpenSSL is a powerful tool that can be used to debug SSL certificates and keys. In this section, we tried showing a few important commands that you can try when you are ended up in some trouble.

    #1. OpenSSL Command to Verify the Certificate

    openssl x509 -in certificate.crt -text -noout

    This command will display the details of the certificate, including the subject, issuer, and the public key.

     

    See Also How To Fix CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis

    Terminal screenshot with OpenSSL Command to Verify the Certificate

    #2. OpenSSL Commands to Check the Expiration date of a Certificate

    openssl x509 -in certificate.crt -enddate -noout

    This command will display the expiration date of the certificate.

    Terminal screenshot with the OpenSSL Commands to Check the Expiration date of a Certificate

    #3. OpenSSL Command to Check a Private key

    openssl rsa -in private.key -check

    This command will check the private key and display any errors or warnings.

    Terminal screenshot with the OpenSSL Command to Check a Private key

    #4. OpenSSL Command to Verify the Certificate Signing Request (CSR)

    openssl req -text -in certificate.csr -noout -verify

    This command will display the details of the certificate signing request (CSR), including the subject, issuer, and public key.

    Terminal screenshot with the OpenSSL Command to Verify the Certificate Signing Request (CSR)

    #5. OpenSSL Commands to Check the Hash Value of A Certificate

    OpenSSL can be used to calculate the hash value of an X.509 certificate. A hash value is a unique value that is calculated based on the content of the certificate. It can be used to check the integrity of the certificate and to verify that it has not been tampered with. Here are some common OpenSSL commands that can be used to check the hash value of a certificate:

    openssl x509 -noout -fingerprint -md5 -inform pem -in certificate.crt
    openssl x509 -noout -fingerprint -sha1 -inform pem -in certificate.crt
    openssl x509 -noout -fingerprint -sha256 -inform pem -in certificate.crt
    openssl x509 -noout -fingerprint -sha512 -inform pem -in certificate.crt

    Note: It’s important to note that the above command will work only if the certificate is in PEM format. If you have a certificate in DER format, you need to use the -inform DER option.

    openssl x509 -noout -fingerprint -sha1 -inform der -in certificate.crt
    Terminal screenshot with OpenSSL Commands to Check the Hash Value of A Certificate

    #6. OpenSSL Command to Verify the SSL/TLS version Accepted by a Site

    openssl s_client -connect host:port

    This command will initiate an SSL connection to the specified host and port and display the details of the SSL connection, including the certificate chain and the cipher suite.

    openssl s_client -connect host:port -ssl2

    This command will initiate an SSL connection to the specified host and port using SSL2 and display the details of the SSL connection.

    openssl s_client -connect host:port -ssl2

    This command will initiate an SSL connection to the specified host and port using SSL3 and display the details of the SSL connection.

    openssl s_client -connect host:port -tls1_1

    This command will initiate an SSL connection to the specified host and port using TLS 1.1 and display the details of the SSL connection.

    openssl s_client -connect host:port -tls1_2

    This command will initiate an SSL connection to the specified host and port using TLS 1.2 and display the details of the SSL connection.

    openssl s_client -connect host:port -tls1_3

    This command will initiate an SSL connection to the specified host and port using TLS 1.3 and display the details of the SSL connection.

    #7. OpenSSL Commands to Check the Certificate Expiry of a Site

    echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate

    Where “example.com” is the URL you want to check the SSL certificate for and “443” is the port number for HTTPS connections.

    This command uses the openssl s_client command to initiate an SSL connection to the specified URL and port and the openssl x509 command to extract the expiration date of the certificate.

    Terminal screenshot with the OpenSSL Commands to Check the Certificate Expiry of a Site

    #8. OpenSSL Commands to Check A Particular Cipher is Accepted by a Site

    openssl s_client -connect example.com:443 -cipher ECDHE-RSA-AES256-GCM-SHA384

    Where “example.com” is the URL you want to check the SSL certificate for, “443” is the port number for HTTPS connections, and “ECDHE-RSA-AES256-GCM-SHA384” is the cipher you want to check for.

    #9. OpenSSL Commands to List all the Cipher Supported by a Server

    openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep -i -o -w -E 'TLS_.*'

    It’s important to note that this command will only check the ciphers that are supported by the server and not the client.

    #10. OpenSSL Command to Verify the Certificate Chain

    openssl verify -verbose -CAfile ca-bundle.crt certificate.crt

    Where “ca-bundle.crt” is the file that contains the root and intermediate CA certificates, and “certificate.crt” is the end-entity certificate file. This command uses the openssl verify command to verify the certificate chain, using the CA certificates from the file “ca-bundle.crt”. It will display the result of the verification process and indicate whether the certificate chain is valid or not.

    Terminal screenshot with the OpenSSL Command to Verify the Certificate Chain

    #11. OpenSSL Commands to Retrieve or Download the Certificate of a Site

    openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > certificate.pem

    This command uses the openssl s_client command to initiate an SSL connection to the specified URL and port and the -showcerts option to display the entire certificate chain. The openssl x509 command is used to convert the certificate from DER format to PEM format and the > symbol is used to redirect the output to a file named “certificate.pem”

    Terminal screenshot with the OpenSSL Commands to Retrieve or Download the Certificate of a Site

    #12. OpenSSL Commands to Verify the Same Public Key File in Key Pair, CSR, and Certificate

    It is important to verify that the public key and the certificate match to ensure the security of the SSL/TLS connection. OpenSSL can be used to verify that the public key and the certificate match.

    openssl pkey -pubout -in private.key | openssl sha256

    This command extracts the public key from the ‘private.key’ key pair and generates the sha256 hash of the public key.

    openssl req -pubkey -in certificate.csr -noout | openssl sha256

    This command extracts the public key from the ‘certificate.csr’ CSR and generates the sha256 hash of the public key.

    openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

    This command extracts the public key from the ‘certificate.crt’ certificate and generates the sha256 hash of the public key.

    Terminal screenshot with the command to extract the public key from the 'certificate.crt'

    #13. OpenSSL Commands to Verify the Same Private Key File in Key Pair, CSR, and Certificate

    It is important to verify that the private key and the certificate match to ensure the security of the SSL/TLS connection. OpenSSL can be used to verify that the private key and the certificate match.

    openssl rsa -noout -modulus -in private.key | openssl sha256

    This command extracts the private key from the ‘private.key’ key pair and generates the sha256 hash of the private key.

    openssl req -noout -modulus -in certificate.csr | openssl sha256

    This command extracts the private key from the ‘certificate.csr’ CSR and generates the sha256 hash of the private key.

    openssl x509 -noout -modulus -in certificate.crt | openssl sha256

    This command extracts the private key from the ‘certificate.crt’ certificate and generates the sha256 hash of the private key.

    Terminal screenshot with the command to extract the private key from the 'certificate.crt'

    What is the difference between SSL and OpenSSL?

    SSL is a protocol that was widely used to establish secure connections over the internet until it was replaced by its successor, TLS (Transport Layer Security). SSL provides a secure communication channel between a client and a server by encrypting the data that is transmitted. It is designed to ensure the confidentiality, integrity, and authenticity of data exchanged over the internet.

    OpenSSL, on the other hand, is an open-source implementation of the SSL and TLS protocols. It provides a collection of libraries and tools that can be used to secure internet communication, protect sensitive data, and perform other cryptographic operations. OpenSSL is designed to be a versatile tool that can be used in many different scenarios and environments.

    In summary, SSL is a protocol used to establish secure connections over the internet, while OpenSSL is an open-source implementation of the SSL and TLS protocols that provides a collection of libraries and tools for cryptographic operations.

    Is OpenSSL free to use?

    Yes, OpenSSL is free and open-source software. It can be downloaded and used without any costs. It is available under a dual-license model, consisting of the OpenSSL License and the SSLeay License. For the OpenSSL 3.0 release and later releases derived from that, the Apache License v2 applies. For any release made before OpenSSL 3.0 (namely the 1.1.1, 1.1.0, 1.0.2, and all prior releases, including those not currently supported), the dual OpenSSL and SSLeay license applies. It is important to consult the OpenSSL license and legal advice before using it in a commercial or production environment.

    Is OpenSSL available for Windows?

    OpenSSL has no pre-compelled OpenSSL libraries for any platform. It has released only binary source code. It’s the Linux distributions that released a pre-compelled version for their distributions. However, Some third-party services have offered to provide pre-compelled OpenSSL libraries for Win32/64. One such service offering a pre-compelled OpenSSL library for Microsoft Windows is slproweb.com/products/Win32OpenSSL.html

    Leave a Reply