Useful OpenSSL Commands

Below are listed (in no particular order) a handful of useful OpenSSL commands I find myself using often.

Convert SSL certificate from DER to PEM

Sometimes certificate files are encoded in binary (DER) format. Many web servers (e.g. Nginx) can only handle the PEM (Base64-encoded text) format, so converting is often necessary:

$ openssl x509 -in der_encoded.crt -inform der -out pem_encoded.crt

Check SSL certificate and private key match

Sometimes it’s useful to make sure a given certificate matches a private key.
For RSA keys this can be done by comparing the modulus value of both files. An MD5 hash is calculated to make the values easier to compare; the two outputs should be identical:

$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
<hashed certificate modulus output>

$ openssl rsa -noout -modulus -in rsa.key | openssl md5
<hashed key modulus output>
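
The same check, as an added example that is not part of the original post: it goes beyond the RSA modulus comparison by comparing the full public key, so it also works for EC and Ed25519 keys. The function names (`pubkey_digest`, `cert_matches_key`, `selftest`) and the throwaway keys generated in `selftest` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the public key in a certificate with the one derived
# from a private key. Works for RSA, EC and Ed25519, unlike the modulus check.

# Print a SHA-256 digest of the DER-encoded public key read from stdin (PEM).
pubkey_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}

# cert_matches_key CERT KEY
# Returns 0 on match, 1 on mismatch, 2 if either file could not be parsed.
# An encrypted key makes openssl ask for its passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    cert_fp=$(printf '%s\n' "$cert_pub" | pubkey_digest)
    key_fp=$(printf '%s\n' "$key_pub" | pubkey_digest)
    [ "$cert_fp" = "$key_fp" ]
}

# Self-test on constructed, throwaway keys (generated locally, not from the post).
# Prints the three exit codes: matching key, unrelated key, missing key file.
selftest() {
    d=$(mktemp -d) || return 2
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/ec.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/rsa.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ec.key" -subj "/CN=example.test" \
        -days 1 -out "$d/ec.crt" 2>/dev/null
    match=0; cert_matches_key "$d/ec.crt" "$d/ec.key" || match=$?
    other=0; cert_matches_key "$d/ec.crt" "$d/rsa.key" || other=$?
    bad=0; cert_matches_key "$d/ec.crt" "$d/missing.key" || bad=$?
    rm -rf "$d"
    echo "$match $other $bad"
}
```

Run `cert_matches_key certificate.crt rsa.key` and check the exit status before deploying the pair.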

Extract pfx file contents

Oftentimes I receive certificates in pkcs12 (pfx) format, and need to extract the SSL certificate and private key from them:

# certificate file
$ openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

# private key
$ openssl pkcs12 -in certificate.pfx -nocerts -out extracted.key

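The extracted key is written passphrase-encrypted, so you’ll probably need to decrypt it as well. The decrypted file holds the private key unprotected, so restrict access to it: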

$ openssl rsa -in extracted.key -out decrypted.key

Create pfx file

Sometimes services (Azure in particular) demand the certificate be in pkcs12 (pfx) format, which means the certificate and key need to be combined into a single file:

$ openssl pkcs12 -inkey rsa.key -in cert.crt -export -out cert.pfx