.pem => Privacy Enhanced Mail certificate
.key => a PEM file containing just the private key
.pkcs | .pfx | .p12 => a fully encrypted, passworded container format that holds both the public certificate and the private key
.cert | .cer | .crt => a public .pem formatted file under the extensions Windows uses (the same extensions also appear on DER-encoded certificates, hence the DER to PEM conversions below)
*.private.pem = *.key.pem = *.key
*.public.pem = *.crt.pem = *.crt = *.cer.pem = *.cer
passworded( *.key + *.cer ) = *.pkcs | *.pfx | *.p12
*.key.pem + *.crt.pem in one file => *.keycer.pem
Start Script
REM Wildcard name; the substitutions below derive the bare domain, techiesonapps.net, and a file-safe name, star_techiesonapps_net, from it
SET "domainname=*.techiesonapps.net"
SET "domain=%domainname:**.=%"
SET "crtname=%domainname:.=_%"
SET "crtname=%crtname:**=star%"
SET dirc=\usr\d\%crtname%\
mkdir %dirc%
REM Write the OpenSSL config: no prompts, SHA-256, SANs for the wildcard, the bare domain and localhost
(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo x509_extensions = v3_req
echo distinguished_name = dn
echo:
echo [dn]
echo C = AE
echo ST = DUBAI
echo L = Dubai
echo O = TechiesOn
echo OU = IT
echo CN = %domainname%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo:
echo [alt_names]
echo DNS.1=%domainname%
echo DNS.2=%domain%
echo DNS.3=localhost
) > %dirc%%crtname%.cnf
Run after 5 sec so that the certificate is created
openssl req ^
-new -x509 ^
-newkey rsa:2048 -sha256 ^
-nodes -days 3560 ^
-keyout %dirc%%crtname%.key ^
-out %dirc%%crtname%.crt ^
-config %dirc%%crtname%.cnf
Run after 5 sec so that the certificate is created
openssl pkcs12 ^
-name %crtname% ^
-inkey %dirc%%crtname%.key ^
-in %dirc%%crtname%.crt ^
-export -out %dirc%%crtname%.pfx ^
-password pass:Pa$$w0rd
End Script
- Server / Primary Certificate = your_domain_com.crt
- Intermediate Certificate = CA.crt
- Root Certificate = /RootCA.crt
# PEM key + certificate -> passworded PKCS#12 (.pfx)
openssl pkcs12 ^
-inkey your_domain_local.key.pem ^
-in your_domain_local.crt ^
-export -out your_domain_local.pfx
# .pfx -> one PEM file holding the unencrypted key and the client certificate
openssl pkcs12 ^
-in your_domain_local.pfx ^
-nodes -clcerts ^
-out your_domain_local.keycer.pem
# certificate from the combined PEM -> DER (.crt)
openssl x509 ^
-outform der ^
-in your_domain_local.keycer.pem ^
-out your_domain_local.crt
# DER -> PEM certificate
openssl x509 ^
-inform DER ^
-outform PEM ^
-in your_domain_local.crt ^
-out your_domain_local.crt.pem
# private key out of a combined key+cert PEM (-text also prints the key components)
openssl rsa ^
-in your_domain_local.privatepublic.pem ^
-text > your_domain_local.key.pem
# certificate and key back into one PEM file
cat your_domain_local.crt.pem your_domain_local.key.pem > your_domain_local.keycer.pem
-
Convert PEM to CRT (.CRT file)
openssl x509 -outform der -in certificate.pem -out certificate.crt
-
-
-
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
-
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
-
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
-
-
-
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
-
-
-
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
-
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
-
-
-
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
-
-
General OpenSSL Commands
These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.
-
Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
-
Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
-
Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
-
Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
-
Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
-
-
Checking Using OpenSSL
If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
-
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
-
Check a private key
openssl rsa -in privateKey.key -check
-
Check a certificate
openssl x509 -in certificate.crt -text -noout
-
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
-
-
Debugging Using OpenSSL
If you are receiving an error that the private key doesn't match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
-
Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
-
Check an SSL connection. All the certificates (including Intermediates) should be displayed
openssl s_client -connect www.paypal.com:443
-
-
Converting Using OpenSSL
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.
-
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
-
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
-
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
-
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
-
Generating a New CSR and Key
When generating (or regenerating) an SSL certificate, the first step is to create a new CSR (certificate signing request) with a new public/private key pair:
openssl req ^
-nodes -new ^
-newkey rsa:4096 ^
-out www.example.com.csr ^
-keyout www.example.com.key
-
Generating a New CSR from Existing Key
If the private key already exists, it can be used to generate a new CSR also:
openssl req -nodes -new -key www.example.com.old.key -out www.example.com.new.csr
-
Generating a New CSR from Existing CRT and Key
If there is an existing certificate and an existing key, a new CSR with the same information (organizational information, FQDN, etc.) can be easily generated:
openssl x509 -x509toreq -in www.example.com.old.crt -signkey www.example.com.key -out www.example.com.csr
-
Generating a CSR with SANs
SANs (subject alternative names) allow a single CRT to refer to multiple FQDNs. This differs from a wildcard certificate, which refers to all sub-domains of a given domain. The SANs can refer to wildly different domains, like www.example.com and www.example.net.
Generating a CSR with SANs requires using a separate configuration file to list the SANs. The file contains the following default openssl template, plus an additional section for subjectAltNames:
#
# your_domain_local.cnf
#
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.net
DNS.2 = www.example.org
This file is then passed to the openssl command with -config. The two variants below go one step further than a CSR and use -x509 to emit a self-signed certificate directly, either from an existing key or with a freshly generated one:
# Existing Key (-key, not -in: -in would be read as a CSR)
openssl req ^
-x509 ^
-sha256 ^
-nodes ^
-days 365 ^
-new ^
-config \usr\d\6\openssl6.conf ^
-key \usr\d\6\www.example.com.key ^
-out \usr\d\6\www.example.com.1.crt
or
# New Key
openssl req ^
-x509 ^
-sha256 ^
-nodes ^
-days 365 ^
-new -newkey rsa:4096 ^
-config \usr\d\6\openssl6.conf ^
-keyout \usr\d\6\www.example.com.3.key ^
-out \usr\d\6\www.example.com.3.crt
-
Reading a CSR
Sometimes, it’s helpful to examine an existing CSR to determine what information it contains (such as organizational information, FQDN, etc.):
openssl req -text -noout -in www.example.com.csr
-
Generate a Self-Signed Certificate from an Existing Private Key and CSR
Use this method if you already have a private key and CSR, and you want to generate a self-signed certificate with them.
This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key) and CSR (domain.csr):
The -days 365 option specifies that the certificate will be valid for 365 days.
openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt
-
Reading a CRT
After a CSR has been sent to the CA (certificate authority) to be digitally signed, a certificate is issued and returned. It is often helpful to examine a certificate to verify dates of validity, and match it with organizational information.
openssl x509 -text -noout -in www.example.com.crt
-
Verifying a CRT Matches a Private Key
Updating the private keys and certificates on a server can get confusing, especially if poorly named files from previous years exist. If the private key and certificate do not match, web servers usually fail to start, or will not start with SSL. This can lead to all sorts of bad things (like outages). Fortunately, it is easy to sanity check that a key and certificate are matched by comparing their moduli. (The modulus is a component shared between the public key in the CRT and the private key.) If the modulus from the CRT and the private key match, it is likely that the public and private key are paired.
openssl rsa -noout -modulus -in www.example.com.key
openssl x509 -noout -modulus -in www.example.com.crt
The moduli can be visually compared, or can be compared programmatically:
#!/bin/bash
# Usage: ./match.sh www.example.com   (expects www.example.com.key and www.example.com.crt)
if [ "$(openssl rsa -noout -modulus -in "$1.key")" = \
     "$(openssl x509 -noout -modulus -in "$1.crt")" ]
then
echo "Match!"
else
echo "Not a match!"
fi
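The batch script's workflow from the top of the page (config with SANs, key plus self-signed certificate, export to .pfx, extraction back to PEM) followed by this modulus check, as an added bash example for Linux/macOS that is not part of the original notes; the host name demo.example.test, the temporary work directory and the export password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the batch script's workflow redone for a
# Linux/macOS shell, ending with the notes' modulus check. Host name, work dir and
# export password are constructed placeholders.
set -eu
WORK="$(mktemp -d)"
DOMAIN="demo.example.test"   # constructed, not a real host
PFX_PASS="example-only"      # constructed; a real export should read it from a file
write_cnf() {  # same [req]/[dn]/[v3_req]/[alt_names] layout as the batch script
  cat > "$WORK/$DOMAIN.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
CN = $DOMAIN
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = localhost
EOF
}
make_cert() {  # unencrypted key (-nodes) plus a short-lived self-signed certificate
  openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.crt" \
    -config "$WORK/$DOMAIN.cnf" 2>/dev/null
}
pfx_round_trip() {  # PEM pair -> passworded PKCS#12 -> separate PEM key and cert again
  openssl pkcs12 -export -name "$DOMAIN" -inkey "$WORK/$DOMAIN.key" \
    -in "$WORK/$DOMAIN.crt" -out "$WORK/$DOMAIN.pfx" -password "pass:$PFX_PASS"
  openssl pkcs12 -in "$WORK/$DOMAIN.pfx" -password "pass:$PFX_PASS" \
    -nodes -nocerts -out "$WORK/$DOMAIN.rt.key"
  openssl pkcs12 -in "$WORK/$DOMAIN.pfx" -password "pass:$PFX_PASS" \
    -nokeys -clcerts -out "$WORK/$DOMAIN.rt.crt"
}
modulus_matches() {  # prints Match when RSA key $1 and certificate $2 share a modulus
  [ "$(openssl rsa -noout -modulus -in "$1")" = \
    "$(openssl x509 -noout -modulus -in "$2")" ] && echo Match || echo Mismatch
}
has_san() {  # prints yes when certificate $1 carries a DNS SAN for name $2
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2" && echo yes || echo no
}
write_cnf; make_cert; pfx_round_trip
echo "modulus after round trip: $(modulus_matches "$WORK/$DOMAIN.rt.key" "$WORK/$DOMAIN.crt")"
echo "SAN kept for $DOMAIN: $(has_san "$WORK/$DOMAIN.rt.crt" "$DOMAIN")"
```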
-
Fingerprinting a CRT
It can be helpful to compare a certificate’s digital fingerprint with what it is expected to be (either from records, or published statements). For instance, if a new SSL certificate is added to a server, a client might receive a message about an unrecognized or untrusted certificate, along with the certificate’s fingerprint. The user can independently verify the validity of the certificate by comparing the provided fingerprint with the known fingerprint (which should be determined and published beforehand).
openssl x509 -fingerprint -noout -in www.example.com.crt
The digest algorithm for the fingerprint can be specified as well:
openssl x509 -noout -fingerprint -in www.example.com.crt -md5
openssl x509 -noout -fingerprint -in www.example.com.crt -sha1
-
Making it Automated
It is possible to add all necessary information for a CSR to a configuration file so that it can be read in by openssl instead of using prompts. The following is an example of a file that contains all the necessary information to generate a new CSR:
[ req ]
prompt = no
default_bits = 2048
default_keyfile = www.example.com.key
encrypt_key = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
O=Internet Widgits Pty Ltd
L=Grand Rapids
ST=Michigan
C=US
CN=www.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Now, a new CSR can be created with: openssl req -new -config <filename of config file> -out <filename of csr>
openssl req -new -config openssl.conf -out www.example.com.csr