Most commonly used OpenSSL commands

Here's a list of the most commonly used openssl commands:

1. Create key + CSR (-nodes leaves the private key unencrypted):

$> openssl req -new -nodes -keyout server.key -out server.csr -newkey rsa:4096

2. Create key only (-des3 encrypts it with a passphrase):

$> openssl genrsa -des3 -out server.key.crypted 4096

3. Remove password from key:

$> openssl rsa -in server.key.crypted -out server.key

4. Generate CSR

$> openssl req -new -key server.key -out server.csr

5. Self-signed certificate

$> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

6. View the details of CSR

$> openssl req -noout -text -in server.csr

7. Check a Certificate Signing Request (CSR)

$> openssl req -text -noout -verify -in CSR.csr

8. Check a private key

$> openssl rsa -in privateKey.key -check

9. Check a certificate

$> openssl x509 -in certificate.crt -text -noout

10. Check a PKCS#12 file (.pfx or .p12)

$> openssl pkcs12 -info -in keyStore.p12

11. Convert .crt to .pfx for IIS server

$> openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
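The check commands in items 7 to 9 inspect each file on its own. The script below is an added example, not part of the original post: it confirms that a key, CSR and certificate actually belong together by comparing their public keys, and tests the remaining validity with -checkend. The function names, the /CN=example.test subject and the rsa:2048 key size are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: check that a key, CSR and certificate belong together.

# Print the SHA-256 digest of the public key inside a file.
# $1 = key|csr|crt, $2 = path. Fails on unreadable or non-PEM input.
pub_digest() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if key ($1), CSR ($2) and certificate ($3) share one public key.
same_keypair() {
    k=$(pub_digest key "$1") || return 1
    r=$(pub_digest csr "$2") || return 1
    c=$(pub_digest crt "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Succeed if certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample: key + CSR (command 1) and self-signed cert (command 5)
# written to directory $1. -subj skips the prompts; rsa:2048 keeps it fast.
make_sample() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

demo=$(mktemp -d) && make_sample "$demo" &&
    same_keypair "$demo/server.key" "$demo/server.csr" "$demo/server.crt" &&
    valid_for_days "$demo/server.crt" 30 &&
    echo "key, CSR and certificate match; certificate valid for 30+ days"
rm -rf "$demo"
```

A mismatch here is the usual cause of a web server refusing to start after a certificate renewal, so it is worth running before installing a CA-issued certificate.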

How do I extract information from a certificate? (from: )

An SSL certificate contains a wide range of information: issuer, valid dates, subject, and some hardcore crypto stuff. The x509 subcommand is the entry point for retrieving this information. The examples below all assume that the certificate you want to examine is stored in a file named cert.pem.

Using the -text option will give you the full breadth of information.

$> openssl x509 -text -in cert.pem

Other options will provide more targeted sets of data.

# who issued the cert?
$> openssl x509 -noout -in cert.pem -issuer

# to whom was it issued?
$> openssl x509 -noout -in cert.pem -subject

# for what dates is it valid?
$> openssl x509 -noout -in cert.pem -dates

# the above, all at once
$> openssl x509 -noout -in cert.pem -issuer -subject -dates

# what is its subject name hash value?
$> openssl x509 -noout -in cert.pem -hash

# what is its serial number?
$> openssl x509 -noout -in cert.pem -serial

# what is its MD5 fingerprint?
$> openssl x509 -noout -in cert.pem -fingerprint -md5

# what is its SHA1 fingerprint?
$> openssl x509 -noout -in cert.pem -fingerprint -sha1

