After you applied for a personal or a host certificate, you may need to export the bundle from your browser and convert them into a different format to be able to use them in tools like GSI-SSH in order to authenticate yourself to the grid, and also to be able to install your host certificate into the host which you will be administering.

You will need to use openssl commands after you export your personal/host certificate bundle from your browser to convert them into different formats like “.pem” files.

Here are some useful openssl commands for managing certificates using the OpenSSL toolkit which is available on most platforms.Windows version of OpenSSL is also available

 

Converting a p12 / pfx bundle to a user certificate and private key file e.g. after exporting from a browser or the CertWizard

$> openssl pkcs12 -clcerts -nokeys -out usercert.pem -in cert.p12

$> openssl pkcs12 -nocerts -out userkey.pem -in cert.p12

Please remember after doing this to protect your keys by running chmod 644 usercert.pem and chmod 400 userkey.pem.

Converting a p12 / pfx bundle to a server/service certificate and private key file e.g. after exporting from a browser

$> openssl pkcs12 -clcerts -nokeys -out hostcert.pem -in cert.p12

$> openssl pkcs12 -nocerts -nodes -out hostkey.pem -in cert.p12

Please remember after doing this to protect your keys by running chmod 644 hostcert.pem and chmod 400 hostkey.pem

Convert a certificate and private key file into a p12 bundle e.g. for importing into a browser

$> openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 -name "name for certificate"

Passphrase management

To remove the passphrase of a server/service private key in PEM format (note that this should only be done on server/service certificates – user certificates must always be protected by a passphrase)

$> openssl rsa -in hostkey.pem -out hostkey.pem.new
Enter pass phrase for userkey.pem: ****************
writing RSA key
$> mv hostkey.pem.new hostkey.pem

Checking whether a certificate is valid

If you have the certificate loaded into a browser, you can go to the CA Portal’s Login page and it will show the status of your certificate (if valid).

Alternatively, if you are on a system with the an up-to-date installation of the CA information in (typically) /etc/grid-security/certificates, you can test your certificate like this:

$> openssl verify -CApath /etc/grid-security/certificates usercert.pem

Extracting information from a certificate

Display the Distinguished Name (DN) from a public key in PEM format

$> openssl x509 -in usercert.pem -noout -subject | sed 's/subject= //'

Display the contents of a private key in PEM format

$> openssl des -in userkey.pem -noout -text

Display the Distinguished Name (DN) of a p12 file

$> openssl pkcs12 -in cert.p12 -nokeys -clcerts | openssl x509 -noout -subject | sed 's/subject= //'

Extracting information from other objects

Display the contents of a Certificate Revocation List (CRL) in DER format

$>  openssl crl -inform der -noout -text < importCRL

Remove a passphrase from a host private key

To remove a passphrase from the private key of a host certificate

$> openssl rsa -in hostkey.pem -out hostkey.pem

Add a passphrase to a host private key

To add a passphrase to the private key of a host certificate

$> openssl rsa -in hostkey.pem -out hostkey.pem -des3

 Check whether a certificate and a private key match

Perhaps surprisingly, the private key contains the public key, as does the certificate. This example shows a host certificate but of course it works for all certificates:

$> openssl rsa -in hostkey.pem -pubout

$> openssl x509 -in hostcert.pem -pubkey -noout

Now compare the public key blocks printed – do they look the same? In more advanced Unix shells like bash and zsh, you can do it in one line:

$> diff -qs <(openssl rsa -in hostkey.pem -pubout) <(openssl x509 -in hostcert.pem -pubkey -noout)