General OpenSSL Commands<\/p>\n
These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.<\/p>\n
\u00a0\u00a0\u00a0 Generate a new private key and Certificate Signing Request<\/p>\n
\u00a0\u00a0\u00a0 openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key<\/p>\n
\u00a0\u00a0\u00a0 Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)<\/p>\n
\u00a0\u00a0\u00a0 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt<\/p>\n
\u00a0\u00a0\u00a0 Generate a certificate signing request (CSR) for an existing private key<\/p>\n
\u00a0\u00a0\u00a0 openssl req -out CSR.csr -key privateKey.key -new<\/p>\n
\u00a0\u00a0\u00a0 Generate a certificate signing request based on an existing certificate<\/p>\n
\u00a0\u00a0\u00a0 openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key<\/p>\n
\u00a0\u00a0\u00a0 Remove a passphrase from a private key<\/p>\n
\u00a0\u00a0\u00a0 openssl rsa -in privateKey.pem -out newPrivateKey.pem<\/p>\n
Checking Using OpenSSL<\/p>\n
If you need to check the information within a Certificate, CSR or Private Key, use these commands.<\/p>\n
You can also check CSRs and check certificates using our online tools.<\/p>\n
Check a Certificate Signing Request (CSR)<\/p>\n
\u00a0 openssl req -text -noout -verify -in CSR.csr<\/p>\n
\u00a0Check a private key<\/p>\n
openssl rsa -in privateKey.key -check<\/p>\n
Check a certificate<\/p>\n
openssl x509 -in certificate.crt -text -noout<\/p>\n
Check a PKCS#12 file (.pfx or .p12)<\/p>\n
openssl pkcs12 -info -in keyStore.p12<\/p>\n
Debugging Using OpenSSL<\/p>\n
If you are receiving an error that the private doesn’t match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.<\/p>\n
Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key<\/p>\n
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5<\/p>\n
Check an SSL connection. All the certificates (including Intermediates) should be displayed<\/p>\n
openssl s_client -connect www.paypal.com:443<\/p>\n
Converting Using OpenSSL<\/p>\n
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.<\/p>\n
For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.<\/p>\n
Convert a DER file (.crt .cer .der) to PEM<\/p>\n
openssl x509 -inform der -in certificate.cer -out certificate.pem<\/p>\n
Convert a PEM file to DER<\/p>\n
openssl x509 -outform der -in certificate.pem -out certificate.der<\/p>\n
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM<\/p>\n
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes<\/p>\n
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.<\/p>\n
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)<\/p>\n
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt<\/p>\n
The following commands allow you to generate CSRs, Certificates, Private Keys and other tasks.<\/p>\n
Generate a new private key and matching certificate signing request (Unix)<\/p>\n
openssl req -out CSR.csr -pubkey -new -keyout privateKey.key<\/p>\n
Generate a new private key and matching certificate signing request (Windows)<\/p>\n
openssl req -out CSR.csr -pubkey -new -keyout privateKey.key -config .\\share\\openssl.cmf<\/p>\n
Generate a certificate signing request for an existing private key<\/p>\n
openssl req -out CSR.csr -key privateKey.key -new<\/p>\n
Generate a certificate signing request based on an existing x509 certificate<\/p>\n
openssl x509 -x509toreq -in MYCRT.crt -out CSR.csr -signkey privateKey.key<\/p>\n
Decrypt private key<\/p>\n
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt<\/p>\n
Remove a passphrase from a private key<\/p>\n
openssl rsa -in privateKey.pem -out newPrivateKey.pem<\/p>\n
Checking commands<\/p>\n
Use the following commands to check the information within a Certificate, CSR or Private Key. You can also check CSRs and certificates using our online tools.<\/p>\n
Check a certificate signing request<\/p>\n
openssl req -text -noout -verify -in CSR.csr<\/p>\n
Check a private key<\/p>\n
openssl rsa -in privateKey.key -check<\/p>\n
Check a certificate<\/p>\n
openssl x509 -in certificate.crt -text -noout<\/p>\n
Check a PKCS#12 keystore<\/p>\n
openssl pkcs12 -info -in keyStore.p12<\/p>\n
Debugging commands<\/p>\n
If you are receiving certificate errors, try one of the following commands to debug a SSL connection. Use our Site Check as well to check the certificate.<\/p>\n
Check the MD5 hash of the public key<\/p>\n
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5<\/p>\n
Check an SSL connection. All certificates (also intermediates) should be shown<\/p>\n
openssl s_client -connect https:\/\/www.paypal.com:443<\/p>\n
Converting commands<\/p>\n
Use the following commands to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file for use with Tomcat or IIS.<\/p>\n
Convert DER (.crt .cer .der) to PEM<\/p>\n
openssl x509 -inform der -in certificate.cer -out certificate.pem<\/p>\n
Convert PEM to DER<\/p>\n
openssl x509 -outform der -in certificate.pem -out certificate.der<\/p>\n
Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates<\/p>\n
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
\u00a0\u00a0\u00a0 add -nocerts for private key only; add -nokeys for certificates only<\/p>\n
Convert (add) a seperate key and certificate to a new keystore of type PKCS#12<\/p>\n
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt<\/p>\n","protected":false},"excerpt":{"rendered":"
General OpenSSL Commands<\/p>\n
These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.<\/p>\n
Generate a new private key and Certificate Signing Request<\/p>\n
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key<\/p>\n
Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,19],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1790"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1790"}],"version-history":[{"count":4,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1790\/revisions"}],"predecessor-version":[{"id":1793,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1790\/revisions\/1793"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}