Useful OpenSSL Commands

Convert SSL certificate from DER to PEM

Sometimes the certificate files are encoded in a binary (DER) format. Many webservers (e.g. Nginx) can only handle plaintext (PEM) format.

$ openssl x509 -in der_encoded.crt -inform der -out pem_encoded.crt

Check SSL certificate and private key match

To check if a certificate matches a key, one can comapre the modulus value of both files. MD5 hash is calculated to make it easier to compare the values.

$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
<hashed certificate modulus output>

$ openssl rsa -noout -modulus -in rsa.key | openssl md5
<hashed key modulus output>

Extract pfx file contents

Here we extract both the certificate and the corresponding key from a pcks12 (pfx) file.

// certificate file
$ openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

// private key
$ openssl pkcs12 -in certificate.pfx -nocerts -out extracted.key

You’ll probably need to decrypt the key as well:

$ openssl rsa -in extracted.key -out decrypted.key

Create pfx file

Sometimes services (Azure is particular) demand the certificate be in pkcs12 (pfx) format. This can be achieved by combining the certificate file and key.

$ openssl pkcs12 -inkey rsa.key -in cert.crt -export -out cert.pfx