Digital Certificates Cheatsheet - Generate, convert, etc

If you have ever played with Digital Certificates before, you must have ran across file extentions such as PFX, PEM, DER, CSR and other short hand names like CA. If you haven't, then I'll guarantee that you will in the first 5 minutes.

Here we have compiled a list of the OpenSSL commands you are most likely to need while working with certificates.

To get OpenSSL, please check references at the end of this post.

Understanding Extentions

CA: Stands for Certificate Authority, which is an entity that issues certificates.
PEM: This is a container format (meaning it can contain certificates, keys, etc). It is readable to some degree using text editors.
PFX: This is also a container format. It is different from the PEM format in that this container is encrypted. PFX extention is the same as P12, for pkcs12... which stands for Public-Key Cryptography Standards version 12.
DER: Same as PEM but in binary format instead of Base64.
CSR: stands for Certificate Signing Request, and is normally used to generate Certificates by CAs. (For more details on this, check the references at the bottom)
CRT, KEY, CERT: These extentions are usually just a PEM, or very very rarely a DER.

Creating Private Key

openssl genrsa -out private_key.pem 2048

Example usage:

rui@dev1 ~/certs $ openssl genrsa -out private_key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
................+++
e is 65537 (0x10001)
rui@dev1 ~/certs $

Creating CSR

openssl req -new -sha256 -key private_key.pem -out certificate_request.csr

Example usage:

rui@dev1 ~/certs $ openssl req -new -sha256 -key private_key.pem -out certificate_request.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Lisbon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JBay Solutions Lda 
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name)[]:jbaysolutions.com
Email Address []:info(a)jbaysolutions.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
rui@dev1 ~/certs $

Creating Certificate with CSR

openssl x509 -req -days 365 -in certificate_request.csr -signkey private_key.pem -out certificate.pem

Example usage:

rui@dev1 ~/certs $ openssl x509 -req -days 365 -in certificate_request.csr -signkey private_key.pem -out certificate.pem
Signature ok
subject=/C=PT/ST=Some-State/L=Lisbon/O=JBay Solutions Lda/OU=R&D/CN=jbaysolutions.com/emailAddress=info(a)jbaysolutions.com
Getting Private key
rui@dev1 ~/certs $

Creating Certificate without CSR and without Key

openssl req -x509 -days 365 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem

Example usage:

rui@dev1 ~/certs $ openssl req -x509 -days 365 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem 
Generating a 2048 bit RSA private key
.....................................................................+++
..........+++
writing new private key to 'private_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Lisbon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JBay
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:jbaysolutions.com
Email Address []:info(a)jbaysolutions.com
rui@dev1 ~/certs $

Creating CSR and Private Key at the same time

openssl req -out certificate_request.csr -pubkey -new -keyout private_key.pem

Example usage:

rui@dev1 ~/certs $ openssl req -out certificate_request.csr -pubkey -new -keyout private_key.pem
Generating a 2048 bit RSA private key
...................................................................................+++
.......+++
writing new private key to 'private_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Lisbon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JBay
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:jbaysolutions.com
Email Address []:info(a)jbaysolutions.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
rui@dev1 ~/certs $

Converting PEM to PFX

openssl pkcs12 -inkey private_key.pem -in certificate.pem -export -out converted_certificate.pfx

Example usage:

rui@dev1 ~/certs $ openssl pkcs12 -inkey private_key.pem -in certificate.pem -export -out converted_certificate.pfx
Enter pass phrase for private_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
rui@dev1 ~/certs $

Converting PFX to PEM

openssl pkcs12 -in certificate.pfx -out converted_certificate.pem -nodes

Example usage:

rui@dev1 ~/certs $ openssl pkcs12 -in certificate.pfx -out converted_certificate.pem -nodes
Enter Import Password:
MAC verified OK
rui@dev1 ~/certs $

Converting DER to PEM

openssl x509 -inform der -in certificate.der -out converted_certificate.pem

Example usage:

rui@dev1 ~/certs $ openssl x509 -inform der -in certificate.der -out converted_certificate.pem
rui@dev1 ~/certs $

Converting PEM to DER

openssl x509 -outform der -in certificate.pem -out converted_certificate.der

Example usage:

rui@dev1 ~/certs $ openssl x509 -outform der -in certificate.pem -out converted_certificate.der
rui@dev1 ~/certs $

Removing Passphrase from Private Key

openssl rsa -in protected_key.pem -out unprotected_key.pem

Example usage:

rui@dev1 ~/certs $ openssl rsa -in protected_key.pem -out unprotected_key.pem
Enter pass phrase for protected_key.pem:
writing RSA key
rui@dev1 ~/certs $rui@devil ~/temp $

Verifying CSR

openssl req -noout -text -in certificate_request.csr

Listing contents of PEM

openssl x509 -in certificate.pem -text

Listing contents of DER

openssl x509 -in certificate.der -inform der -text

Listing contents of PFX

openssl pkcs12 -in certificate.pfx  -info

Generate CSR based of existing Certificate

openssl x509 -x509toreq -in certificate.pem -out certificate_request.csr -signkey private_key.pem

Adding Certificate and CACerts to PFX

openssl pkcs12 -export -out certificate.pfx -inkey private_key.key -in certificate.pem -certfile cacert.pem

Understanding Extentions

Creating Private Key

Creating CSR

Creating Certificate with CSR

Creating Certificate without CSR and without Key

Creating CSR and Private Key at the same time

Converting PEM to PFX

Converting PFX to PEM

Converting DER to PEM

Converting PEM to DER

Removing Passphrase from Private Key

Verifying CSR

Listing contents of PEM

Listing contents of DER

Listing contents of PFX

Generate CSR based of existing Certificate

Adding Certificate and CACerts to PFX

References