====== OpenSSL ======

Using OpenSSL to check and manipulate certs.

===== Certificate Formats =====

The three formats you will meet most often carry the same ASN.1 objects (certificates, keys, chains); they differ in how the bytes are encoded and what gets bundled together.

  * PEM is text: the DER bytes of an object, Base64-encoded between a -----BEGIN ...----- and a -----END ...----- line (it is not hex). One PEM file can hold several objects, for example a cert followed by its chain. Extensions are only a convention: .pem, .crt and .cer usually hold certs, .key holds a private key.
  * DER is the raw binary ASN.1 encoding of a single object, usually .der or .cer, sometimes .crt. A DER cert starts with the same byte (0x30, an ASN.1 SEQUENCE) as a PFX, so the extension and the first byte do not tell them apart.
  * PFX (.pfx or .p12) is a PKCS#12 archive: binary, normally password-protected, bundling a private key with its cert and usually the issuing chain.

===== Convert PFX to PEM =====

Extract the key, then the cert, from the PFX. You'll be prompted for the PFX import password, and when writing the key also for a passphrase to encrypt the extracted key (add -nodes, or -noenc on OpenSSL 3, to write it unencrypted). -clcerts writes only the end-entity cert; use -cacerts -nokeys instead if you also need the chain.

<code bash>
openssl pkcs12 -in MY_CERT_AND_KEY.pfx -nocerts -out MY_CERT.key
openssl pkcs12 -in MY_CERT_AND_KEY.pfx -clcerts -nokeys -out MY_CERT.crt
</code>

===== Convert PEM to PFX =====

Convert a PEM cert and key into a PFX file. You'll be prompted for an export password; add -certfile CHAIN.crt to bundle the issuing chain as well.

<code bash>
openssl pkcs12 -export -in MY_CERT.crt -inkey MY_CERT.key -out MY_CERT.pfx
</code>

===== Convert DER to PEM =====

Convert a DER cert to a PEM cert. PEM is the default output form, so only -inform needs to be given.

<code bash>
openssl x509 -inform der -in MY_CERT.der -out MY_CERT.pem
</code>

===== Validate that Cert and Key Match =====

If the cert and key are a pair, the modulus extracted from each hashes to the same value. This only works for RSA keys; for EC or Ed25519 keys compare the public keys instead (openssl x509 -pubkey -noout against openssl pkey -pubout). MD5 is fine here because it is only a short label for an eyeball comparison, not a security control.
<code bash>
openssl rsa -noout -modulus -in MY_CERT.key | openssl md5
openssl x509 -noout -modulus -in MY_CERT.crt | openssl md5
</code>

===== Check a certificate =====

Check a certificate and return information about it (issuer, validity dates, SANs, key usage, etc.):

<code bash>
openssl x509 -text -noout -in MY_CERT.crt
</code>

If you specifically want the SANs, grep for the heading; the names are on the following line, which is why -A1 is needed:

<code bash>
openssl x509 -noout -text -in MY_CERT.crt | grep -A1 "Subject Alternative Name"
</code>

===== Check a key =====

Check that the components of an RSA private key are consistent with each other. This is RSA-specific; for any key type use openssl pkey -in MY_CERT.key -check instead:

<code bash>
openssl rsa -in MY_CERT.key -check
</code>

===== Check a PFX =====

Dump a PFX and return information about it (the certs and key it holds, plus the MAC and encryption algorithms used). You'll be asked for the import password, and then for a passphrase to re-encrypt the key it prints; add -nokeys if you only want the listing:

<code bash>
openssl pkcs12 -info -in MY_CERT.pfx
</code>

===== Check a CSR =====

Verify the CSR's self-signature and print the data filled in when it was generated (subject, requested extensions, public key):

<code bash>
openssl req -text -noout -verify -in MY_CERT.csr
</code>

===== Remove Passphrase from a Key =====

You'll be prompted for the current passphrase. The output is the private key in the clear, so restrict its permissions (chmod 600) and handle it as a secret:

<code bash>
openssl rsa -in MY_CERT.key -out NO_PWD_CERT.key
</code>

===== Determine the Format of a Certificate File =====

PEM is easy to spot: the file is text and begins with a -----BEGIN line. A DER cert and a PFX are both binary and both start with an ASN.1 SEQUENCE byte (0x30), so telling them apart is a matter of running commands against the file until one parses it. This one reads a DER certificate; if it fails, try openssl pkcs12 -info on the same file.

<code bash>
openssl x509 -inform der -text -noout -in MY_CERT.crt
</code>
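===== Worked Example: Detect the Format and Check the Pairing =====

The following POSIX shell script is an added example, not code from the original page. It covers the two checks above that are easiest to get wrong: the cert/key match (done by hashing the DER SubjectPublicKeyInfo, which works for EC and Ed25519 keys as well as RSA, unlike the -modulus trick) and format detection (which uses openssl asn1parse to look at the first element inside the outer SEQUENCE: a certificate's tbsCertificate is another SEQUENCE, a PKCS#12 file's version is INTEGER 3). It assumes an openssl binary (1.1.1 or 3.x) on PATH; all certs and keys it inspects are generated in a temp directory, and the function names are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original page. Assumes `openssl` (1.1.1 or
# 3.x) on PATH; every cert and key below is generated here, nothing real is read.

# SHA-256 fingerprint of the DER-encoded SubjectPublicKeyInfo inside a PEM
# cert, CSR or private key. Unlike "-modulus", this works for RSA, EC and
# Ed25519 alike, so two files belong together iff the fingerprints are equal.
pubkey_fingerprint() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}

# Succeeds (exit 0) when the cert and the private key carry the same public key.
cert_matches_key() {
    [ "$(pubkey_fingerprint cert "$1")" = "$(pubkey_fingerprint key "$2")" ]
}

# Classify a file as pem, der, pkcs12 or unknown. PEM shows its BEGIN armour.
# A DER cert and a PFX both open with an ASN.1 SEQUENCE (byte 0x30), so look at
# the first element inside it: a cert's tbsCertificate is another SEQUENCE (a
# DER CSR or CRL looks the same here), while a PFX's version is INTEGER 3.
detect_cert_format() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
        return 0
    fi
    first=$(openssl asn1parse -inform DER -in "$1" 2>/dev/null | sed -n '2p')
    case "$first" in
        *'cons: SEQUENCE'*)     echo der ;;
        *'prim: INTEGER'*':03') echo pkcs12 ;;
        *)                      echo unknown ;;
    esac
}

# Constructed test material: a P-256 key with a self-signed cert, DER and
# PKCS#12 renderings of that cert, and an unrelated second key.
make_fixtures() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/match.key" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key" 2>/dev/null
    openssl req -x509 -new -key "$1/match.key" -subj /CN=example.test -days 1 \
        -out "$1/cert.pem" 2>/dev/null
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/match.key" \
        -out "$1/cert.pfx" -passout pass:changeit 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_fixtures "$tmp"
    for f in cert.pem cert.der cert.pfx match.key; do
        printf '%-10s %s\n' "$f" "$(detect_cert_format "$tmp/$f")"
    done
    if cert_matches_key "$tmp/cert.pem" "$tmp/match.key"; then
        echo "match.key pairs with cert.pem"
    fi
    if ! cert_matches_key "$tmp/cert.pem" "$tmp/other.key"; then
        echo "other.key does NOT pair with cert.pem"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as sh ./certcheck.sh (or source it and call detect_cert_format FILE and cert_matches_key CERT KEY on your own files). The sed in pubkey_fingerprint strips the "(stdin)= " or "SHA2-256(stdin)= " prefix that different OpenSSL versions print, so the fingerprints compare cleanly across 1.1.1 and 3.x.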