OpenSSL Certificate Cheat Sheet
These commands cover the basics of OpenSSL and are valid on either Windows or Linux, except that paths may need to be corrected for the respective platform.
For Windows, binaries are listed at http://www.openssl.org/related/binaries.html
For Linux (apt-based distributions):
sudo apt-get install openssl
Create Private Key
The last argument in the below line is the key length in bits. This can be changed to 2048 or 4096 for a stronger key; 1024-bit RSA is below the 2048-bit minimum that public certificate authorities accept.
openssl genrsa -des3 -out server.key 1024
Generate a CSR (Certificate Signing Request)
You will be asked for the details of the certificate such as domain name and address when running this command.
openssl req -new -key server.key -out server.csr
Remove Passphrase from Key
Some applications do not allow the private key to have a passphrase. The below command will remove the passphrase. Be careful: the key will no longer be protected and can be read by anyone with read access to the file.
openssl rsa -in server-with-passphrase.key -out server.key
Generating a Self-Signed Certificate
Once you have generated a key and CSR you will need to sign the request and generate the public certificate. If you do not have a certificate authority you can sign the certificate yourself. The below will generate a certificate which is valid for one year.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Convert x509 (DER) to pem
openssl x509 -inform der -in server.crt -out server.pem
pkcs12 to pem – key only
Use the below command to extract only the key from a pkcs12 file.
openssl pkcs12 -nocerts -in c:\server.pfx -out c:\server-key.key
pkcs12 to pem – certificate only
Use the below command to extract only the public certificate from a pkcs12 file.
openssl pkcs12 -nokeys -in server.pfx -out server-cert.cer
Check a private key
You can check a private key with the below command.
openssl rsa -in privateKey.key -check
Check a certificate
Use the below command to check a certificate.
openssl x509 -in certificate.crt -text -noout
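The two check commands above print details for a person to read. The script below is an added example, not part of the original cheat sheet: it confirms that a key, CSR and certificate carry the same public key, that the key meets a minimum length, and that the certificate is not about to expire. The function names, the 2048-bit floor and the 30-day window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: checks on the files produced by the steps above.
# Function names, the 2048-bit floor and the 30-day window are assumptions.
MIN_BITS=${MIN_BITS:-2048}

# Print a SHA-256 digest of the public key inside a PEM file.
# $1 = key | csr | crt, $2 = path. An encrypted key prompts for its passphrase.
pubkey_digest() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)   return 2 ;;
    esac || return 1
    # Refuse empty output so two unreadable files never "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Succeed only if key ($1), CSR ($2) and certificate ($3) share one public key.
keys_match() {
    k=$(pubkey_digest key "$1") || return 1
    r=$(pubkey_digest csr "$2") || return 1
    c=$(pubkey_digest crt "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Print the public key length in bits as reported by "x509 -text".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Run every check; returns 0 only if all of them pass.
audit_cert() {
    keys_match "$1" "$2" "$3" ||
        { echo "FAIL: key, CSR and certificate do not share a public key"; return 1; }
    bits=$(cert_key_bits "$3")
    [ "${bits:-0}" -ge "$MIN_BITS" ] ||
        { echo "FAIL: ${bits:-unknown}-bit key is below $MIN_BITS"; return 1; }
    openssl x509 -in "$3" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK: $bits-bit key matches CSR and certificate"
}

# Direct use: sh check.sh server.key server.csr server.crt
if [ "$#" -eq 3 ]; then audit_cert "$1" "$2" "$3"; fi
```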