Useful OpenSSL Commands
12 May, 2023
Convert SSL certificate from DER to PEM
Sometimes certificate files are encoded in the binary DER format. Many web servers (e.g. Nginx) can only handle the text-based PEM format.
$ openssl x509 -in der_encoded.crt -inform der -out pem_encoded.crt
Check SSL certificate and private key match
To check whether a certificate matches a key, one can compare the modulus values of both files. An MD5 hash is calculated to make the values easier to compare; it only shortens the long modulus for comparison by eye and is not used here for security.
$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
<hashed certificate modulus output>
$ openssl rsa -noout -modulus -in rsa.key | openssl md5
<hashed key modulus output>
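The modulus comparison above applies only to RSA keys. As an added example (not from the original post), the script below compares the public key of each file instead, which also covers EC keys; the function names and the throwaway sample keys it generates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: match a certificate to a private key by comparing public keys.
# Function names are illustrative; sample keys are generated as throwaway data.

# Read a PEM public key on stdin, print the SHA-256 of its DER encoding.
pubkey_sha256() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return non-zero if the file cannot be parsed, so two unreadable inputs
# never produce equal hashes of empty input.
cert_pubkey_hash() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | pubkey_sha256
}

key_pubkey_hash() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | pubkey_sha256
}

# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be read.
cert_matches_key() {
    cert_hash=$(cert_pubkey_hash "$1") || return 2
    key_hash=$(key_pubkey_hash "$2") || return 2
    [ "$cert_hash" = "$key_hash" ]
}

# Constructed sample data: throwaway key and self-signed cert in directory $1.
# $2 is the file stem; the remaining arguments are passed to genpkey.
make_sample_pair() {
    dir=$1; stem=$2; shift 2
    openssl genpkey "$@" -out "$dir/$stem.key" 2>/dev/null &&
    openssl req -new -x509 -key "$dir/$stem.key" -subj "/CN=$stem.example.test" \
        -days 1 -out "$dir/$stem.crt" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_pair "$tmp" rsa -algorithm RSA -pkeyopt rsa_keygen_bits:2048 || return 1
    make_sample_pair "$tmp" ec -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 || return 1
    for pair in "rsa rsa" "ec ec" "rsa ec"; do
        set -- $pair
        if cert_matches_key "$tmp/$1.crt" "$tmp/$2.key"; then r=match; else r="NO MATCH"; fi
        echo "$1.crt vs $2.key: $r"
    done
    rm -rf "$tmp"
}
demo
```

A passphrase-protected key makes `openssl pkey` prompt for the passphrase before the comparison runs.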
Extract pfx file contents
Here we extract both the certificate and the corresponding key from a pkcs12 (pfx) file.
# certificate file
$ openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
# private key
$ openssl pkcs12 -in certificate.pfx -nocerts -out extracted.key
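You’ll probably need to decrypt the key as well. Note that decrypted.key then holds the private key in unencrypted form, so keep its file permissions tight.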
$ openssl rsa -in extracted.key -out decrypted.key
Create pfx file
Sometimes services (Azure in particular) demand that the certificate be in pkcs12 (pfx) format. This can be achieved by combining the certificate file and the key.
$ openssl pkcs12 -inkey rsa.key -in cert.crt -export -out cert.pfx