Below are listed (in no particular order) a handful of useful OpenSSL commands I find myself using often.
Sometimes the certificate files are encoded in binary (DER) format. Many webservers (e.g. Nginx) can only handle PEM (plaintext) format, so converting is often necessary:
$ openssl x509 -in der_encoded.crt -inform der -out pem_encoded.crt
Sometimes it’s useful to make sure a given certificate matches a private key.
For an RSA key pair this can be done by comparing the modulus value of both files. An MD5 hash of each modulus is calculated to make the values easier to compare; the two outputs must be identical:
$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
<hashed certificate modulus output>
$ openssl rsa -noout -modulus -in rsa.key | openssl md5
<hashed key modulus output>
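The modulus comparison above applies to RSA keys only. As an added example (not from the original post), the script below compares the public key in the certificate with the one derived from the private key, which also covers EC keys. The function names and the throwaway sample pair it can generate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that a certificate and a
# private key belong together by comparing their public keys.

# Print the SHA-256 fingerprint of a PEM public key read from stdin.
pubkey_fingerprint() {
    openssl pkey -pubin -outform der | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches_key CERT KEY
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    # Capture each public key separately so a parse failure is detected
    # instead of being hidden inside a pipeline (two empty outputs would
    # otherwise compare as equal).
    cmk_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cmk_key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cmk_cert_pub" ] || return 2
    [ "$cmk_cert_pub" = "$cmk_key_pub" ]
}

# make_sample_pair TYPE PREFIX
# Constructed sample input: writes a throwaway key to PREFIX.key and a
# self-signed certificate to PREFIX.crt (TYPE is "rsa" or "ec").
make_sample_pair() {
    case "$1" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$2.key" 2>/dev/null ;;
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$2.key" ;;
        *)   return 2 ;;
    esac || return 2
    openssl req -x509 -new -key "$2.key" -subj "/CN=example.test" -days 1 \
        -out "$2.crt" 2>/dev/null
}

# Usage: sh check_pair.sh certificate.crt private.key
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "match: $(openssl x509 -in "$1" -noout -pubkey | pubkey_fingerprint)"
    else
        echo "no match (or unreadable input)" >&2
        exit 1
    fi
fi
```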
Oftentimes I receive certificates in pkcs12 (pfx) format, and need to extract the SSL certificate and private key from them:
# certificate file
$ openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
# private key
$ openssl pkcs12 -in certificate.pfx -nocerts -out extracted.key
You’ll probably need to decrypt the key as well (the output file then holds the private key unencrypted, so keep its permissions tight):
$ openssl rsa -in extracted.key -out decrypted.key
Sometimes services (Azure in particular) demand that the certificate be in pkcs12 (pfx) format, which means the certificate and key need to be combined into a single file:
$ openssl pkcs12 -inkey rsa.key -in cert.crt -export -out cert.pfx