Here is a list of openssl commands to create, convert and manage SSL certificates.
* Create new Private Key and Certificate Signing Request
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout sslcert.key
The above command generates a CSR and a 2048-bit RSA key file. If you intend to use this certificate in Apache or Nginx, send the CSR file to the certificate authority; they will return a signed certificate, usually in DER or PEM format, which you then configure in the Apache or Nginx web server.
* Create a Self-Signed Certificate
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout selfsigned.key -out sslcert.pem
The above command generates a self-signed certificate and a 2048-bit RSA key file. I have also included sha256, as it's considered the most secure option at the moment.
Tip: by default, the self-signed certificate is valid for only one month, so consider adding the -days parameter to extend the validity.
Ex: to create a self-signed certificate valid for two years:
openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout selfsigned.key -out sslcert.pem
* Verify CSR file
openssl req -noout -text -in sslcert.csr
Verification is essential to ensure you are sending the CSR to the certificate authority with the required details.
* Create RSA Private Key
openssl genrsa -out private.key 2048
If you just need to generate an RSA private key, use the above command. I have included 2048 for stronger encryption.
* Remove Passphrase from Key
openssl rsa -in certkey.key -out nopassphrase.key
If your key file has a passphrase and you use it with Apache, you have to enter the password every time the server starts. If entering the password annoys you, use the above command to remove the passphrase from an existing key.
* Verify Private Key
openssl rsa -in certkey.key -check
If you have doubts about your key file, use the above command to check it.
* Verify Certificate File
openssl x509 -in certfile.pem -text -noout
If you would like to validate certificate data such as CN, OU, etc., use the above command, which prints the certificate details.
* Verify the Certificate Signer Authority
openssl x509 -in certfile.pem -noout -issuer -issuer_hash
The certificate authority signs every certificate; use the above command when you need to check who the issuer is.
* Check Hash Value of A Certificate
openssl x509 -noout -hash -in sslcert.pem
* Convert DER to PEM format
openssl x509 -inform der -in sslcert.der -out sslcert.pem
Usually, the certificate authority will give you the SSL cert in .der format; if you need to use it in Apache, or otherwise need .pem format, the above command converts it.
* Convert PEM to DER format
openssl x509 -outform der -in sslcert.pem -out sslcert.der
Use this in case you need to convert .pem format to .der.
* Convert Certificate and Private Key to PKCS#12 format
openssl pkcs12 -export -out sslcert.pfx -inkey key.pem -in sslcert.pem
If you need to use a cert with a Java application, or with anything else that accepts only PKCS#12 format, use the above command, which generates a single pfx file containing the certificate and key.
Tip: you can also include the chain certificates by passing -chain together with -CAfile pointing at the CA certificate(s), as below (-chain takes no argument of its own).
openssl pkcs12 -export -out sslcert.pfx -inkey key.pem -in sslcert.pem -chain -CAfile cacert.pem
* Create CSR using an existing private key
openssl req -out certificate.csr -key existing.key -new
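As an added example (not part of the original post) tying together the "Create a Self-Signed Certificate", "Verify Private Key" and "Verify Certificate File" sections above: the script below generates a key and self-signed certificate the way the post does, then performs the two checks a practitioner wants before deploying them, namely that the private key really belongs to the certificate (same public key) and that the certificate is still valid. The temp-directory file names and the CN demo.example.test are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. File names and the CN are
# assumptions for this demo; the checks work on any key/cert pair.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate key and self-signed certificate (2 years, SHA-256, no passphrase);
# -subj makes openssl req non-interactive so the script runs without prompts.
make_selfsigned() {
    openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 \
        -subj "/CN=demo.example.test" \
        -keyout "$WORK/demo.key" -out "$WORK/demo.pem" 2>/dev/null
}

# A key belongs to a certificate when both carry the same public key: extract
# each public key in DER form and compare SHA-256 digests.
# Usage: key_matches_cert KEYFILE CERTFILE  -> prints "match" or "mismatch"
key_matches_cert() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    cert_fp=$(openssl x509 -in "$2" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ "$key_fp" = "$cert_fp" ]; then echo match; else echo mismatch; fi
}

# Exit status 0 if the certificate will still be valid in $2 seconds from now
# (openssl x509 -checkend), non-zero if it expires before then.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

make_selfsigned
key_matches_cert "$WORK/demo.key" "$WORK/demo.pem"
cert_valid_for "$WORK/demo.pem" 86400 && echo "certificate still valid tomorrow"
```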