@jdnichollsc
Last active April 24, 2018 03:18
Playing with Certificates and OpenSSL

Convert .PEM to .PFX

openssl pkcs12 -export -out myCert.pfx -inkey myPrivateKey.key -in certificate.crt -certfile CACert.crt

Convert .PFX to .PEM

openssl pkcs12 -in myCert.pfx -out myCert.pem -nodes

Convert .CER to .PEM

openssl x509 -inform der -in myCert.cer -out myCert.pem

Check an SSL connection

openssl s_client -connect www.paypal.com:443

Check a Certificate Signing Request

openssl req -text -noout -verify -in myCSR.csr

Check a private key

openssl rsa -in myPrivateKey.key -check

Check a certificate

openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12

Getting the serial number of a certificate stored in a .p12 file

openssl pkcs12 -in <container>.p12 -clcerts -passout pass:"" | openssl x509 -serial -noout

Getting the fingerprint of a certificate stored in a .p12 file

openssl pkcs12 -in <container>.p12 -clcerts -passout pass:"" | openssl x509 -fingerprint -noout

INTRO

OpenSSL is a free and open-source cryptographic library that provides several command-line tools for handling digital certificates. A certificate authority (CA) is an entity that signs digital certificates. Many websites need to let their customers know that the connection is secure, so they pay an internationally trusted CA (e.g., VeriSign, DigiCert) to sign a certificate for their domain.

Generate a key

openssl genrsa -des3 -out myPrivateKey.key 2048

Create a Certificate Authority (CA)

openssl req -x509 -sha256 -new -key myPrivateKey.key -out myCA.cer -days 730 -subj "/CN=My CA"

Create a .CER Certificate

openssl req -new -out myCert.req -key myPrivateKey.key -subj "/CN=*.mydomain.com"
openssl x509 -req -sha256 -in myCert.req -out myCert.cer -CAkey myPrivateKey.key -CA myCA.cer -days 365 -CAcreateserial -CAserial serial

Create a .PFX

openssl pkcs12 -export -out myCert.pfx -inkey myPrivateKey.key -in myCert.cer
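
The CA, certificate and .PFX steps above, run end to end and then checked (key matches certificate, certificate chains to the CA, serial survives the PKCS#12 round trip), as an added example that is not part of the original gist. It uses separate keys for the CA and the leaf certificate; the file names, the demo.cnf config, the "Demo CA" and "*.example.test" subjects, the demo-only password and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist. Every file name, subject and
# password below is constructed for illustration.

# Build a throwaway CA, a leaf certificate signed by it, and a .pfx bundle.
# Keys are unencrypted so the script runs unattended; demo.cnf is a minimal
# config (an assumption) so the run does not depend on the system openssl.cnf.
build_chain() {  # $1 = empty working directory
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf" &&
  openssl genrsa -out "$d/ca.key" 2048 &&
  openssl genrsa -out "$d/leaf.key" 2048 &&
  openssl req -x509 -sha256 -new -config "$d/demo.cnf" -key "$d/ca.key" \
    -out "$d/ca.cer" -days 730 -subj "/CN=Demo CA" &&
  openssl req -new -config "$d/demo.cnf" -key "$d/leaf.key" \
    -out "$d/leaf.req" -subj "/CN=*.example.test" &&
  openssl x509 -req -sha256 -in "$d/leaf.req" -out "$d/leaf.cer" -days 365 \
    -CA "$d/ca.cer" -CAkey "$d/ca.key" -CAcreateserial -CAserial "$d/serial" &&
  openssl pkcs12 -export -out "$d/leaf.pfx" -inkey "$d/leaf.key" \
    -in "$d/leaf.cer" -certfile "$d/ca.cer" -passout pass:demo-only
}

# Digest of the public key held in a private key (-k), certificate (-c) or CSR (-r).
pubkey_hash() {
  case $1 in
    -k) openssl pkey -in "$2" -pubout ;;
    -c) openssl x509 -in "$2" -noout -pubkey ;;
    -r) openssl req -in "$2" -noout -pubkey ;;
  esac | openssl sha256
}

# True when the private key ($1) belongs to the certificate ($2).
key_matches_cert() { [ "$(pubkey_hash -k "$1")" = "$(pubkey_hash -c "$2")" ]; }
# True when the certificate ($2) verifies against the CA certificate ($1).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Serial of the client certificate inside a .pfx ($1, password $2); no key is exported.
pfx_serial() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" | openssl x509 -serial -noout
}

d=$(mktemp -d) && build_chain "$d" &&
  key_matches_cert "$d/leaf.key" "$d/leaf.cer" && echo "leaf key matches leaf cert" &&
  chain_ok "$d/ca.cer" "$d/leaf.cer" && echo "leaf cert chains to demo CA" &&
  pfx_serial "$d/leaf.pfx" demo-only
rm -rf "$d"
```
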

Generate a certificate signing request (CSR)

openssl req -out myCSR.csr -key myPrivateKey.key -new

Generate a new private key and Certificate Signing Request at the same time

openssl req -out myCSR.csr -new -newkey rsa:2048 -nodes -keyout myPrivateKey.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myPrivateKey.key -out myCert.crt

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in myCert.crt -out myCSR.csr -signkey myPrivateKey.key

Extracting the private key and the certificate (public key) from a .p12 file

openssl pkcs12 -in my.p12 -nocerts -out myPrivateKey.key
openssl pkcs12 -in my.p12 -clcerts -nokeys -out myCert.crt