Handy OpenSSL command-line combinations I've used - they might've been hard to find or come up with, so capturing them here.
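@echo off
rem Usage: script-name password-for-private-key
if _%1_==__ goto USAGE
rem Self-signed certificate with a 2048-bit RSA key (1024-bit RSA is too short to rely on).
rem -nodes leaves the private key unencrypted; key and certificate share mycert.pem.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem -subj "/CN=My Cert Name"
rem PKCS #12 bundle of key and certificate, protected by the password argument.
openssl pkcs12 -export -out mycert.pfx -inkey mycert.pem -in mycert.pem -passout pass:%1
rem DER-encoded certificate without the private key.
openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer
rem The thumbprint read from the .pfx and from the .pem should be identical.
openssl pkcs12 -in mycert.pfx -nodes -passin pass:%1 | openssl x509 -noout -fingerprint
openssl x509 -in mycert.pem -noout -fingerprint
rem Subject of the certificate.
openssl x509 -in mycert.pem -noout -subject
rem Key length; the label reads "RSA Public Key", "RSA Public-Key" or "Public-Key" depending on the OpenSSL version.
openssl x509 -in mycert.pem -noout -text | grep "Public[- ]Key"
goto END
:USAGE
echo %0 password-for-private-key
:END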
## create certificates with same key set in PKCS #12 (.pfx), X.509 (.pem), and CER (.cer) formats.
## PKCS #12 (.pfx) and X.509 (.pem) certificates will have private keys.
## show thumbprints and subjects.
# 2048-bit RSA key; -nodes leaves the private key unencrypted in mycert.pem
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem -subj "/CN=My Cert Name"
openssl pkcs12 -export -out mycert.pfx -inkey mycert.pem -in mycert.pem
openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer
# show thumbprint (perhaps to match it with Windows Azure portal)
openssl x509 -in mycert.pem -noout -fingerprint
# credit: http://stackoverflow.com/a/15520543/306430
openssl pkcs12 -in mycert.pfx -nodes | openssl x509 -noout -fingerprint
# show CN Subject (perhaps to match it with NAME displayed in Windows Azure Portal)
openssl x509 -in mycert.pem -noout -subject
# show key length (1024, 2048, etc.); 1024-bit RSA is no longer strong enough, use 2048 or more
# (the label reads "RSA Public Key", "RSA Public-Key" or "Public-Key" depending on the OpenSSL version)
openssl x509 -in mycert.pem -noout -text | grep "Public[- ]Key"
## create Windows Azure Management Certificate
# - create pem file for use on Mac or Linux
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.key -out mycert.pem
# - same as above, but also assign the Subject Name, which is used as cert name in Windows Azure Portal
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.key -out mycert.pem -subj "/O=My Cert Name"
# - same as above, except set Common Name rather than Organization
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.key -out mycert.pem -subj "/CN=My Cert Name"
# - same as above, but BOTH -keyout and -out are directed at same file
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem -subj "/O=My Cert Name"
# - derive cer file for upload to Windows Azure
openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer
## credit: http://stackoverflow.com/questions/15413646/converting-pfx-to-pem-using-openssl
# PEM => PFX
openssl pkcs12 -export -out mycert.pfx -inkey mycert.pem -in mycert.pem
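# PFX => PEM (keep cert chain); -nodes writes the private key to file.pem unencrypted
openssl pkcs12 -in file.pfx -out file.pem -nodes
## SSL
# -clcerts: output the client certificate, not the CA certificates
openssl pkcs12 -in client_ssl.pfx -out client_ssl.pem -clcerts
# -cacerts: output the CA certificates, not the client certificate
openssl pkcs12 -in client_ssl.pfx -out root.pem -cacerts
# - or - (via Tim L - save private key to text file with .key extension)
openssl pkcs12 -export -in foo.crt -inkey foo.key -out foo.pfx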
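
The commands above produce one certificate in three encodings. The following added example (not part of the original gist) rebuilds them in a scratch directory and confirms that the .pem, .cer and .pfx all report the same SHA-1 thumbprint and that the key is at least 2048 bits. File names follow the gist; the passphrase file pass.txt, the helper function names and the scratch directory are assumptions.

```sh
#!/bin/sh
# Added example: file names, subject and passphrase below are constructed.
set -eu

# SHA-1 thumbprint (the digest Windows shows) of a certificate file.
cert_fp() {   # $1 = file, $2 = PEM or DER
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Thumbprint of the certificate inside a PKCS #12 bundle.
# -nokeys keeps the private key out of the pipe.
pfx_fp() {    # $1 = .pfx file, $2 = file holding its passphrase
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | cut -d= -f2
}

# RSA modulus size in bits; the label differs between OpenSSL versions.
key_bits() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Build the three formats in directory $1, then succeed only if every
# format yields the same thumbprint and the key is at least 2048 bits.
check_formats() {
    (
        cd "$1" || exit 1
        umask 077                      # key material readable by owner only
        printf '%s\n' 'constructed-passphrase' > pass.txt
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout mycert.key -out mycert.pem -subj "/CN=My Cert Name" 2>/dev/null
        openssl pkcs12 -export -out mycert.pfx -inkey mycert.key \
            -in mycert.pem -passout file:pass.txt
        openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer
        pem=$(cert_fp mycert.pem PEM)
        der=$(cert_fp mycert.cer DER)
        pfx=$(pfx_fp mycert.pfx pass.txt)
        printf 'pem %s\ncer %s\npfx %s\n' "$pem" "$der" "$pfx"
        [ -n "$pem" ] && [ "$pem" = "$der" ] && [ "$pem" = "$pfx" ] &&
            [ "$(key_bits mycert.pem)" -ge 2048 ]
    )
}

work=$(mktemp -d)
if check_formats "$work"; then echo "thumbprints match"; else echo "MISMATCH"; fi
rm -rf "$work"
```

Reading the passphrase from a file keeps it out of the process list, unlike `pass:` on the command line.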

@4c74356b41 4c74356b41 commented Aug 6, 2017

thanks, a life saver!

@jimsander jimsander commented Jan 11, 2018

Very good stuff. Helps when having to work with Windows services from a *nix env
