Useful OpenSSL Commands

12 May, 2023

Recently I was looking over my notes, and found a list of OpenSSL commands I often use when working with TLS certificates. I thought it would be convenient to have them publicly available, so here they are.

Convert SSL certificate from DER to PEM

Many webservers (e.g. NGINX) require the certificate to be plain text.
Convert DER (binary) encoded certificate to PEM (Base64 ASCII) format:

$ openssl x509 -in der_encoded.crt -inform der -out pem_encoded.crt

Check SSL certificate and private key match

To check whether a given certificate matches a private key, one can compare the modulus value of both. The modulus is specific to RSA, so this check applies to RSA certificates and keys.

An MD5 hash of each modulus is calculated only to make the values easier to compare. If the values match, you know you have a working certificate/key pair:

$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
<hashed certificate modulus output>

$ openssl rsa -noout -modulus -in rsa.key | openssl md5
<hashed key modulus output>
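
The same check can be done by comparing public keys rather than the modulus, which also works for EC and Ed25519 keys. This is an added example, not part of the original notes; the function names (`cert_key_match`, `make_samples`, `check`), the file names and the `example.test` subject are made up for the demo, which generates throwaway certificates as constructed sample input:

```shell
#!/bin/sh
# Added example (not from the original post). Compares the public key embedded
# in a certificate with the one derived from a private key. Unlike the modulus
# comparison, this is not limited to RSA keys.
# Returns 0 = match, 1 = mismatch, 2 = a file could not be read or parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Both commands emit the same PEM SubjectPublicKeyInfo for the same key.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: throwaway self-signed certificates generated into
# the given directory (file names and CN are made up for this demo).
make_samples() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/rsa.key" -out "$dir/rsa.crt" 2>/dev/null &&
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ec.key" 2>/dev/null &&
    openssl req -x509 -new -key "$dir/ec.key" -days 1 -subj "/CN=example.test" \
        -out "$dir/ec.crt" 2>/dev/null
}

# Report the result for one certificate/key pair.
check() {
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH     $1 $2" ;;
        1) echo "MISMATCH  $1 $2" ;;
        *) echo "ERROR     $1 $2" ;;
    esac
    return "$rc"
}

tmp=$(mktemp -d) && make_samples "$tmp"
check "$tmp/rsa.crt" "$tmp/rsa.key" || true
check "$tmp/ec.crt" "$tmp/ec.key" || true
check "$tmp/rsa.crt" "$tmp/ec.key" || true   # deliberately mismatched pair
rm -rf "$tmp"
```

If the private key is passphrase-protected, `openssl pkey` prompts for the passphrase before the comparison runs.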

Extract pfx file contents

Extract both the certificate and the corresponding private key from a pkcs12 (pfx) file:

# certificate file
$ openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

# private key
$ openssl pkcs12 -in certificate.pfx -nocerts -out extracted.key

You’ll probably need to decrypt the key as well:

$ openssl rsa -in extracted.key -out decrypted.key

Create a pfx file

Sometimes services (e.g. Azure) demand the certificate be in pkcs12 (pfx) format.
This can be achieved by combining the certificate file and key into a pkcs12 file:

$ openssl pkcs12 -inkey rsa.key -in cert.crt -export -out cert.pfx