Using OpenSSL to check and manipulate certs.

Certificate Formats

TODO: Add a note here about which format is which. The list below is an on-the-fly, largely deductive attempt.

  • PFX is binary and contains cert and key.
  • PEM is ASCII HEX with cert (.crt or .pem) and key (.key) in separate files.
  • DER is binary (usually .der but sometimes .crt).

Convert PFX to PEM

Extract the key, then the cert, from the PFX. You'll be prompted for the password.

openssl pkcs12 -in MY_CERT_AND_KEY.pfx -nocerts -out MY_CERT.key
openssl pkcs12 -in MY_CERT_AND_KEY.pfx -clcerts -nokeys -out MY_CERT.crt

Convert PEM to PFX

Convert PEM cert and key into a PFX file.

openssl pkcs12 -export -in MY_CERT.crt -inkey MY_CERT.key -out MY_CERT.pfx

Convert DER to PEM

Convert a DER cert to a PEM cert.

openssl x509 -inform der -in MY_CERT.der -out MY_CERT.pem

Validate that Cert and Key Match

If the cert and key are a pair, the two commands produce the same hash.

openssl rsa -noout -modulus -in MY_CERT.key | openssl md5
openssl x509 -noout -modulus -in MY_CERT.crt | openssl md5
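The modulus comparison above only applies to RSA keys. As an added example (not part of these notes), the shell function below does the same pairing check by comparing the full public key that the certificate carries with the public key derived from the private key, so it also works for EC and Ed25519 keys. The demo material it creates (a throwaway RSA pair and EC pair under a temp directory) is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Compares the public key
# embedded in a certificate with the public key derived from a private key.
# Works for RSA, EC and Ed25519 keys; the md5-of-modulus trick is RSA-only.
# Usage: cert_key_match CERT.crt KEY.key
#   exit 0 = pair, 1 = mismatch, 2 = one of the files could not be parsed
cert_key_match() {
    cert="$1"
    key="$2"
    # Public key as embedded in the certificate (PEM "PUBLIC KEY" block).
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || cert_pub=""
    # Public key recomputed from the private key (prompts if the key is encrypted).
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || key_pub=""
    # Never report a match on two empty strings: a parse failure must not look like a pair.
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "ERROR: could not read a public key from $cert or $key" >&2
        return 2
    fi
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "MATCH: $cert pairs with $key"
        return 0
    fi
    echo "MISMATCH: $cert does not pair with $key" >&2
    return 1
}

# Constructed demo material: one RSA pair and one EC pair, both self-signed.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rsa.example" \
    -keyout "$demo/rsa.key" -out "$demo/rsa.crt" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$demo/ec.key"
openssl req -x509 -new -key "$demo/ec.key" -days 30 -subj "/CN=ec.example" \
    -out "$demo/ec.crt" 2>/dev/null

cert_key_match "$demo/rsa.crt" "$demo/rsa.key"   # MATCH
cert_key_match "$demo/ec.crt"  "$demo/ec.key"    # MATCH (the -modulus method cannot check this pair)
cert_key_match "$demo/rsa.crt" "$demo/ec.key"    # MISMATCH, exit status 1
rm -rf "$demo"
```

Comparing the PEM public-key blocks directly is enough because both commands emit the same SubjectPublicKeyInfo encoding; the explicit empty-string check matters because a hash of an empty output would otherwise make two unreadable files look like a matching pair.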

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -text -noout -in MY_CERT.crt

If you specifically want the SANs:

openssl x509 -noout -text -in MY_CERT.crt | grep -A1 "Subject Alternative Name"
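As an added example (not part of these notes), the following shell function wraps the two checks above into something a cron job or CI step can run: it prints the subject, issuer, validity window and SANs, and exits non-zero when the certificate expires within a given number of days. It uses openssl's -ext and -checkend options (present in OpenSSL 1.1.1 and later) and falls back to the grep trick for -ext; the demo certificate it generates is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Prints the fields an operator
# usually wants from a certificate and fails if it expires within DAYS days.
# Usage: cert_report CERT.crt [DAYS]   (DAYS defaults to 30)
#   exit 0 = valid for at least DAYS more days, 1 = expiring/expired, 2 = unreadable
cert_report() {
    cert="$1"
    days="${2:-30}"
    # Subject, issuer (signing authority) and validity window, one line each.
    openssl x509 -noout -subject -issuer -dates -in "$cert" 2>/dev/null || return 2
    # SANs: -ext prints just that extension (OpenSSL 1.1.1+); fall back to the
    # grep over -text for older releases, and say so if there is no SAN at all.
    openssl x509 -noout -ext subjectAltName -in "$cert" 2>/dev/null \
        || openssl x509 -noout -text -in "$cert" | grep -A1 "Subject Alternative Name" \
        || echo "(no subjectAltName extension)"
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo "OK: valid for at least $days more days"
        return 0
    fi
    echo "WARNING: expires within $days days (or is already expired)" >&2
    return 1
}

# Constructed demo: a self-signed cert with two SANs, valid for 90 days.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=demo.example" \
    -addext "subjectAltName=DNS:demo.example,DNS:www.demo.example" \
    -keyout "$demo/demo.key" -out "$demo/demo.crt" 2>/dev/null
cert_report "$demo/demo.crt" 30     # OK
cert_report "$demo/demo.crt" 120    # WARNING: expires within 120 days
rm -rf "$demo"
```

The exit status is the useful part for automation: alert on 1, treat 2 as a broken deployment rather than a healthy certificate.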

Check a key

Check the key and verify its consistency:

openssl rsa -in MY_CERT.key -check

Check a PFX

Check a PFX file and return information about it (signing authority, expiration date, etc.):

openssl pkcs12 -info -in MY_CERT.pfx

Check a CSR

Verify the CSR and print the data that was filled in when it was generated:

openssl req -text -noout -verify -in MY_CERT.csr

Remove Passphrase from a Key

You'll be prompted for the current passphrase; the output key is written unencrypted.

openssl rsa -in MY_CERT.key -out NO_PWD_CERT.key

Determine the Format of a Certificate File

This seems to be a matter of just running commands against the file until one spits out the expected results.

This one prints the details of a DER certificate.

openssl x509 -inform der -text -noout -in MY_CERT.crt
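As an added example (not part of these notes), the shell function below automates exactly that "run commands until one works" approach: it recognises PEM files from their armor line, then probes binary files as a DER certificate, a DER private key, and finally a PKCS#12 bundle (which cannot be opened without its password, but whose outer ASN.1 structure always starts with a version INTEGER of 3, visible via openssl asn1parse). The demo files it creates are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Identifies a certificate-ish
# file the way the notes describe: probe it with openssl commands until one
# parses it. Prints a label and exits 0, or prints "unknown" and exits 1.
# Usage: detect_format FILE
detect_format() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # PEM is text with a "-----BEGIN <TYPE>-----" line; the type names the
    # payload (CERTIFICATE, PRIVATE KEY, CERTIFICATE REQUEST, ...) for free.
    armor=$(grep -a -m1 -o -e '-----BEGIN [A-Z0-9 ]*-----' "$f" 2>/dev/null || true)
    if [ -n "$armor" ]; then
        type=${armor#-----BEGIN }
        echo "PEM: ${type%-----}"
        return 0
    fi
    # Binary: a DER certificate parses with x509 -inform der.
    if openssl x509 -inform der -noout -in "$f" 2>/dev/null; then
        echo "DER certificate"
        return 0
    fi
    # A DER-encoded private key parses with pkey -inform der.
    if openssl pkey -inform der -noout -in "$f" 2>/dev/null; then
        echo "DER private key"
        return 0
    fi
    # A PFX cannot be opened without its password, but its outer structure is
    # always SEQUENCE { INTEGER 3 (version), ... }; asn1parse shows that
    # INTEGER on its second output line.
    if openssl asn1parse -inform der -in "$f" 2>/dev/null | sed -n '2p' | grep -q 'INTEGER *:03'; then
        echo "PKCS#12 (PFX) bundle; inspect with: openssl pkcs12 -info -in $f"
        return 0
    fi
    echo "unknown"
    return 1
}

# Constructed demo: the same certificate as PEM, as DER, and bundled in a PFX.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo.example" \
    -keyout "$demo/demo.key" -out "$demo/demo.pem" 2>/dev/null
openssl x509 -in "$demo/demo.pem" -outform der -out "$demo/demo.der"
openssl pkcs12 -export -in "$demo/demo.pem" -inkey "$demo/demo.key" \
    -passout pass:demo -out "$demo/demo.pfx" 2>/dev/null
for f in demo.pem demo.key demo.der demo.pfx; do
    printf '%s -> ' "$f"
    detect_format "$demo/$f"
done
rm -rf "$demo"
```

The PKCS#12 probe is a structural heuristic rather than a full parse, which is why it comes last: anything that parses as a certificate or key is reported as such first.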
