Useful OpenSSL Commands
12 May, 2023
Recently I was looking over my notes and found a list of OpenSSL commands I often use when working with TLS certificates. I thought it would be convenient to have them publicly available, so here they are.
Convert SSL certificate from DER to PEM
Many web servers (e.g. NGINX) require the certificate to be in plain-text (PEM) form.
Convert DER (binary) encoded certificate to PEM (Base64 ASCII) format:
$ openssl x509 -in der_encoded.crt -inform der -out pem_encoded.crt
Check SSL certificate and private key match
To check whether a given certificate matches a private key, one can compare the modulus value of both.
An MD5 hash of each modulus is calculated to make the values easier to compare. If the two hashes match, you know you have a working certificate-key pair:
$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
<hashed certificate modulus output>
$ openssl rsa -noout -modulus -in rsa.key | openssl md5
<hashed key modulus output>
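The modulus comparison above applies to RSA keys only. The script below is an added example, not part of the original post: it goes beyond the RSA case and compares a SHA-256 digest of the public key, so it also works for EC and other non-RSA keys, and it reports an unreadable file instead of a false match. The function names, the example.test subject and the throwaway pairs built by make_pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): match a certificate to a private
# key by public key rather than RSA modulus, so EC keys are covered too.

# spki_sha256: read a PEM public key on stdin, print the SHA-256 of its DER form.
spki_sha256() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_fp CERT: fingerprint of the public key inside a PEM certificate.
cert_fp() {
    # Capture first: inside a pipeline a parse failure would be hidden, and two
    # failed inputs would both hash as "empty" and look like a match.
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pem" | spki_sha256
}

# key_fp KEY: fingerprint of the public half of a PEM private key.
key_fp() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    printf '%s\n' "$pem" | spki_sha256
}

# cert_matches_key CERT KEY: 0 = match, 1 = mismatch, 2 = unreadable input.
cert_matches_key() {
    c=$(cert_fp "$1") || return 2
    k=$(key_fp "$2") || return 2
    [ "$c" = "$k" ]
}

# make_pair DIR NAME ALG: constructed throwaway self-signed pair for trying it out.
make_pair() {
    case "$3" in
        rsa) openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ;;
        ec)  openssl ecparam -name prime256v1 -genkey -noout \
                 -out "$1/$2.key" 2>/dev/null ;;
    esac
    openssl req -x509 -new -key "$1/$2.key" -subj "/CN=example.test" \
        -days 1 -out "$1/$2.crt" 2>/dev/null
}

# Usage: sh check_pair.sh certificate.crt rsa.key
if [ "$#" -eq 2 ]; then
    rc=0; cert_matches_key "$1" "$2" || rc=$?
    case "$rc" in 0) echo "match" ;; 1) echo "MISMATCH" ;; *) echo "unreadable" ;; esac
    exit "$rc"
fi
```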
Extract pfx file contents
Extract both the certificate and the corresponding private key from a pkcs12 (pfx) file:
# certificate file
$ openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
# private key
$ openssl pkcs12 -in certificate.pfx -nocerts -out extracted.key
You’ll probably need to decrypt the key as well (the resulting file holds the private key unencrypted, so restrict access to it):
$ openssl rsa -in extracted.key -out decrypted.key
Create a pfx file
Sometimes services (e.g. Azure) demand the certificate be in pkcs12 (pfx) format.
This can be achieved by combining the certificate file and key into a pkcs12 file:
$ openssl pkcs12 -inkey rsa.key -in cert.crt -export -out cert.pfx