1. Extract Certificates from PEM and PKCS12 Files
Extract a certificate from a PEM file (e.g., .crt
, .cer
, .pem
):
openssl x509 -in input.pem -out output.crt
- The -in option specifies the input PEM file.
- openssl x509 reads and outputs the X.509 certificate.
- -out specifies the output file format (output.crt in this case).
- This command can convert a PEM file to a .crt file.
Extract a certificate from a PKCS#12 file (e.g., .pfx
or .p12
):
openssl pkcs12 -in input.pfx -nokeys -out output.crt
- openssl pkcs12 handles PKCS#12 files (.pfx or .p12), which can contain both the certificate and private key.
- -nokeys tells OpenSSL to extract only the certificate, not the private key.
- -out specifies the output file containing the extracted certificate.
Extract the private key from a PKCS#12 file:
openssl pkcs12 -in input.pfx -nocerts -out output.key
-
openssl pkcs12
: Invokes the OpenSSL tool and specifies the PKCS#12 command, which works with PKCS#12 files.
-in input.pfx
: Specifies the input file (in this case,input.pfx
). This file is in PKCS#12 format and typically contains a private key and a public certificate (or chain of certificates).
-
-nocerts
: Tells OpenSSL to exclude certificates in the output, extracting only the private key. Without this, the output could include certificates if they’re part of the.pfx
file.
-out output.key
: Specifies the output file where the extracted private key will be saved (here,output.key
).
Extract the CA certificate chain from a PKCS#12 file:
openssl pkcs12 -in input.pfx -cacerts -nokeys -out ca-chain.crt
openssl pkcs12
: Invokes OpenSSL with thepkcs12
command, which is designed to work with PKCS#12 files (usually with.pfx
or.p12
extensions). PKCS#12 files typically bundle together certificates and private keys.
-in input.pfx
: Specifies the input PKCS#12 file (input.pfx
) that contains the CA certificates, user certificates, and/or private keys.
-cacerts
: This instructs OpenSSL to extract only the CA certificates from the PKCS#12 file, ignoring other certificates that may be present, such as user or server certificates.
-nokeys
: Ensures private keys are not extracted, so only the CA certificates are saved to the output file.
-out ca-chain.crt
: Specifies the output file (ca-chain.crt
) where the extracted CA certificates will be saved.
2. Convert Between Different Certificate Formats
PEM to DER:
openssl x509 -in input.pem -outform der -out output.der
-outform der
Specifies the output format as DER (binary format).DER is a binary format often used in Java environments, while PEM is a Base64-encoded text format.
PEM to PKCS#12 (PFX):
openssl pkcs12 -export -in input.pem -inkey private.key -out output.pfx -certfile ca.crt
-export
tells OpenSSL to create a PKCS#12 file.-in
specifies the certificate file (in PEM format).-inkey
specifies the private key associated with the certificate.-certfile
allows you to include a CA certificate, often part of a certificate chain.This command bundles the certificate, private key, and optional CA certificates into a PKCS#12 file.
PKCS#12 (PFX) to PEM:
openssl pkcs12 -in input.pfx -out output.pem -nodes
- -nodes stands for “no DES,” meaning the private key will not be encrypted. This makes the output PEM file easier to use but less secure since the private key is unprotected.
- Useful for converting .pfx files into separate PEM-encoded certificates and key files.
3. Encrypt and Decrypt Private Keys
Encrypt a private key using AES256:
openssl rsa -in private.key -out encrypted.key -aes256
- openssl rsa is used to handle RSA private keys.
- -aes256 applies AES-256 encryption, which will prompt for a passphrase.
- Encrypting a private key adds extra protection, especially if you’re storing it in a shared environment.
Remove the passphrase from an encrypted private key:
openssl rsa -in encrypted.key -out decrypted.key
- This command removes the passphrase from a private key file, making it easier to use in automated environments where manual passphrase entry isn’t feasible.
- Useful if you need to remove encryption from a key for application use.
4. Display and Verify Certificates
View certificate details:
openssl x509 -in certificate.crt -text -noout
- -text displays the certificate’s detailed information, like issuer, subject, and validity period.
- -noout prevents the raw certificate from being printed, so only the decoded text is shown.
- This helps confirm details about a certificate, like expiration or issuer.
Verify a certificate against a CA:
openssl verify -CAfile ca.crt certificate.crt
- -CAfile specifies the CA certificate file used to verify the certificate.
- openssl verify will check if certificate.crt is signed by the CA certificate specified.
- It is helpful in confirming trust in a certificate by verifying it against a known trusted CA.
5. Generate Keys and Certificates
Generate a private key:
openssl genpkey -algorithm RSA -out private.key -aes256
- openssl genpkey generates a new private key.
- -algorithm RSA specifies the key algorithm.
- -aes256 encrypts the private key using AES-256 and prompts for a passphrase.
- This command is commonly used to generate a new RSA private key for certificate requests.
Generate a self-signed certificate:
openssl req -new -x509 -key private.key -out selfsigned.crt -days 365
- -new creates a new certificate request.
- -x509 tells OpenSSL to create a self-signed certificate rather than a CSR.
- -key specifies the private key to use for signing.
- -days 365 sets the certificate’s validity period to 365 days.
- Self-signed certificates are typically used for testing or internal applications without external validation.
6. Display MD5, SHA-1, or SHA-256 Fingerprints of a Certificate
To verify a certificate’s fingerprint (a unique identifier):
MD5 Fingerprint:
openssl x509 -in certificate.crt -noout -fingerprint -md5
SHA-1 Fingerprint:
openssl x509 -in certificate.crt -noout -fingerprint -sha1
SHA-256 Fingerprint:
openssl x509 -in certificate.crt -noout -fingerprint -sha256
7. Check Certificate Expiration Date
To see when a certificate expires:
openssl x509 -in certificate.crt -noout -enddate
- This displays the expiration date in UTC format, which helps monitor certificate validity.
8. Show the Serial Number of a Certificate
openssl x509 -in certificate.crt -noout -serial
9. Convert Certificates to Base64 or Hex Encoding
- This can be helpful if you need to store or transmit certificates in a specific format.
Convert to Base64:
openssl base64 -in certificate.crt -out certificate_base64.txt
A Base64 certificate refers to a certificate encoded in Base64 format, often using the PEM (Privacy-Enhanced Mail) encoding standard. Base64 encoding represents binary data in an ASCII string format, making it more readable and easier to share across systems that only support text (e.g., emails or configuration files).
Convert to Hex:
openssl x509 -in certificate.crt -outform der | xxd -p > certificate_hex.txt
A “hex certificate” generally refers to an SSL/TLS certificate represented in hexadecimal (hex) format. Typically, certificates are encoded in Base64 within PEM or DER formats. However, they can also be displayed in hex format, often for inspection or troubleshooting.
When converted to hex, the certificate’s binary (or DER) contents are represented as a series of hexadecimal values. Two hexadecimal characters represent each byte, making it easier to copy or share as text without losing any binary information.
Uses of Hex Certificates:
- Debugging: Hex representation allows easier debugging, inspection, and comparison of certificate data.
- Embedded Systems: In some applications (e.g., IoT devices), certificates are stored or transmitted in hex format for compatibility.
- Certificate Pinning: Hex representations are sometimes used in certificate pinning, where a hash of the certificate or public key in hex format is pinned to verify authenticity.
10. Generate a Certificate Signing Request (CSR) with Subject Alternative Names (SANs)
You can create a configuration template if your CSR needs multiple domain names (SANs).
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = Common Name
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
Use this configuration to generate a CSR:
openssl req -new -key private.key -out request.csr -config san.cnf
11. Verify Key and Certificate Match
To confirm that a private key and certificate match (useful if you have many certificates and keys):
- Check if a private key matches a certificate:
openssl x509 -noout -modulus -in certificate.crt | openssl sha256
openssl rsa -noout -modulus -in private.key | openssl sha256
Example:
ls -lthr
total 40K
-rw------- 1 lab lab 1.7K Nov 2 11:05 server01.securewlanmsp-private.key
-rw-rw-r-- 1 lab lab 1.1K Nov 2 11:08 server01.securewlanmsp-csr.csr
-rw------- 1 lab lab 3.2K Nov 2 11:44 LABROOTCA-Private.key
-rw-rw-r-- 1 lab lab 2.1K Nov 2 11:47 LABROOTCA-CSR.cert
-rw-rw-r-- 1 lab lab 1005 Nov 2 11:59 RootCA.conf
-rw-rw-r-- 1 lab lab 5.9K Nov 2 12:00 server01.securewlanmsp.crt
-rw-r--r-- 1 lab lab 2.9K Nov 4 07:54 LABROOTCA-BASE64.txt
openssl x509 -noout -modulus -in LABROOTCA-CSR.cert | openssl sha256
SHA2-256(stdin)= 174a04bb8e29fe1d5610723939fd0e965b644b2670bf631b366b8fff27911d44
openssl rsa -noout -modulus -in LABROOTCA-Private.key | openssl sha256
SHA2-256(stdin)= 174a04bb8e29fe1d5610723939fd0e965b644b2670bf631b366b8fff27911d44
12. Debugging SSL/TLS Connections
You can use OpenSSL to diagnose SSL/TLS connections to ensure certificates are properly configured.
Test a connection to an HTTPS server:
openssl s_client -connect example.com:443
Verify that the certificate chain is correct:
openssl s_client -connect example.com:443 -showcerts