UBC Physics & Astronomy
SSL Cheat Sheet
OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format.
If you don't want to bother with OpenSSL, you can do many of the same things with some tools available on the web - SSL Certificate Tools. Listed below are the most common OpenSSL commands and their usage:
These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.
Generate a new 2048-bit private key and Certificate Signing Request (CSR); -nodes leaves the key unencrypted:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generate a CSR for an existing private key:
openssl req -out CSR.csr -key privateKey.key -new
Generate a CSR based on an existing certificate:
openssl x509 -x509toreq -in MYCRT.crt -out CSR.csr -signkey privateKey.key
Generate a self-signed certificate with a new 2048-bit key, valid for 365 days:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Remove the passphrase from a private key (the output file is unencrypted, so keep its permissions tight):
openssl rsa -in privateKey.pem -out newPrivateKey.pem
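The commands above are interactive and put only a Common Name in the request. The script below is an added example, not part of the cheat sheet: it generates the key and CSR non-interactively, adds a Subject Alternative Name (which is what browsers actually check), creates the key file with restrictive permissions, and self-checks the result. It assumes OpenSSL 1.1.1 or newer on PATH (for -addext); the directory, subject and host names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the cheat sheet): non-interactive key + CSR generation.
# Assumes OpenSSL 1.1.1 or newer on PATH; all file names and subjects are constructed.
set -eu

# gen_key_csr OUTDIR CN [EXTRA_DNS_NAME ...]
# Writes OUTDIR/privateKey.key (mode 0600, unencrypted) and OUTDIR/CSR.csr.
# The SAN extension lists CN plus any extra names; the CN alone is ignored by browsers.
gen_key_csr() {
    outdir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    mkdir -p "$outdir"
    # umask 077 so the key file is never readable by other users, even briefly
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/privateKey.key" 2>/dev/null)
    openssl req -new -key "$outdir/privateKey.key" -out "$outdir/CSR.csr" \
        -subj "/C=CA/ST=BC/O=Example Org/CN=$cn" \
        -addext "subjectAltName=$san"
    # the cheat sheet's check: the CSR's self-signature verifies with its own public key
    openssl req -noout -verify -in "$outdir/CSR.csr" >/dev/null 2>&1
}

# csr_subject FILE: print the subject DN of a CSR
csr_subject() {
    openssl req -noout -subject -in "$1" | sed 's/^subject= *//'
}

# csr_sans FILE: print the DNS names from the CSR's SAN extension, one per line
csr_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# key_bits FILE: RSA modulus size of a private key, to catch weak (1024-bit) keys
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Demo with constructed names: a key and CSR for www.example.org plus one extra SAN
work=$(mktemp -d)
gen_key_csr "$work" www.example.org example.org
echo "subject:  $(csr_subject "$work/CSR.csr")"
echo "SANs:"; csr_sans "$work/CSR.csr"
echo "key size: $(key_bits "$work/privateKey.key") bits"
rm -rf "$work"
```

Hand the CSR.csr file to the CA and keep privateKey.key where only the web server's service account can read it; the -subj and -addext values are the only parts you would change for a real request.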
If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
Check a Certificate Signing Request (CSR):
openssl req -text -noout -verify -in CSR.csr
Check a private key:
openssl rsa -in privateKey.key -check
Check a certificate:
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file (.pfx or .p12):
openssl pkcs12 -info -in keyStore.p12
If you are receiving an error that the private key doesn't match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
Check the MD5 hash of the public key modulus to ensure that it matches what is in a CSR or private key (for a certificate, key and CSR that belong together, all three hashes are identical):
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
Check an SSL connection and show the certificate chain the server actually sends (-connect takes host:port, not a URL; -servername sets SNI so the right virtual host answers):
openssl s_client -connect www.paypal.com:443 -servername www.paypal.com
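Comparing modulus hashes by eye is error-prone and only works for RSA. The script below is an added example, not part of the cheat sheet: it wraps the cheat sheet's modulus check in a function, adds a second check that compares a SHA-256 fingerprint of the public key (which also works for EC and Ed25519 keys), and includes the s_client lookup with host:port syntax and SNI. It assumes OpenSSL 1.1.0 or newer on PATH; file names are constructed for the demo, and the s_client helper is not run because it needs network access.

```shell
#!/bin/sh
# Added example (not part of the cheat sheet): does a private key belong to a
# certificate or CSR? Assumes OpenSSL 1.1.0 or newer on PATH; file names are constructed.
set -eu

# pubkey_fp FILE: SHA-256 of the DER-encoded public key carried by FILE, which may
# be a private key, a certificate or a CSR (decided by the PEM header line).
pubkey_fp() {
    case $(head -n 1 "$1") in
        *CERTIFICATE\ REQUEST*) openssl req  -in "$1" -noout -pubkey ;;
        *CERTIFICATE*)          openssl x509 -in "$1" -noout -pubkey ;;
        *)                      openssl pkey -in "$1" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# modulus_md5 FILE: the cheat sheet's check, RSA material only
modulus_md5() {
    case $(head -n 1 "$1") in
        *CERTIFICATE\ REQUEST*) openssl req  -noout -modulus -in "$1" ;;
        *CERTIFICATE*)          openssl x509 -noout -modulus -in "$1" ;;
        *)                      openssl rsa  -noout -modulus -in "$1" ;;
    esac | openssl md5 | awk '{ print $NF }'
}

# same_key FILE1 FILE2: exit 0 only when both files carry the same (non-empty) public key
same_key() {
    a=$(pubkey_fp "$1") && b=$(pubkey_fp "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# show_served_cert HOST [PORT]: what the site really serves (the cheat sheet's s_client
# check with host:port syntax and SNI). Not called below because it needs the network.
show_served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# Demo with constructed files: one key with its self-signed cert and CSR, plus a stray key
work=$(mktemp -d)
openssl genrsa -out "$work/privateKey.key" 2048 2>/dev/null
openssl req -new -x509 -key "$work/privateKey.key" -out "$work/certificate.crt" \
    -days 30 -subj /CN=www.example.org 2>/dev/null
openssl req -new -key "$work/privateKey.key" -out "$work/CSR.csr" -subj /CN=www.example.org 2>/dev/null
openssl genrsa -out "$work/otherKey.key" 2048 2>/dev/null
for f in privateKey.key certificate.crt CSR.csr otherKey.key; do
    printf '%-16s modulus md5 %s  pubkey sha256 %s\n' "$f" \
        "$(modulus_md5 "$work/$f")" "$(pubkey_fp "$work/$f")"
done
if same_key "$work/privateKey.key" "$work/certificate.crt"; then
    echo "privateKey.key matches certificate.crt"
fi
if ! same_key "$work/otherKey.key" "$work/certificate.crt"; then
    echo "otherKey.key does NOT match certificate.crt"
fi
rm -rf "$work"
```

When a server reports a key/certificate mismatch, run same_key on the files the server configuration actually points to, then show_served_cert on the hostname: the two fingerprints tell you whether the wrong file is on disk or the wrong virtual host is answering.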
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.
Convert a DER file (.crt .cer .der) to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER:
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM (-nodes writes the private key unencrypted):
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12):
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
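A conversion is only safe if the certificate comes out the other end unchanged. The script below is an added example, not part of the cheat sheet: it wraps the conversions above in functions, feeds the PKCS#12 password through stdin instead of the command line (so it does not appear in process listings), and proves with the SHA-256 fingerprint that PEM -> DER -> PEM and PEM -> PKCS#12 -> PEM round trips return the same certificate. It assumes OpenSSL 1.1.1 or newer on PATH; file names and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the cheat sheet): format conversions with a
# fingerprint check. Assumes OpenSSL 1.1.1 or newer on PATH; names are constructed.
set -eu

# cert_fp FILE [FORMAT]: SHA-256 fingerprint of the first certificate in FILE (PEM by
# default). For a PEM bundle written by pkcs12, keys and Bag Attributes are skipped.
cert_fp() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# pem_to_pfx KEY CERT OUT PASSWORD [CA_CHAIN]: bundle key and cert (plus chain) into
# PKCS#12. The password goes in on stdin (-passout stdin), never on the command line.
pem_to_pfx() {
    key=$1; cert=$2; out=$3; pass=$4; chain=${5:-}
    if [ -n "$chain" ]; then set -- -certfile "$chain"; else set --; fi
    (umask 077 && printf '%s' "$pass" | openssl pkcs12 -export -inkey "$key" -in "$cert" \
        -out "$out" -passout stdin "$@")
}

# pfx_to_pem PFX OUT PASSWORD [-nocerts|-nokeys]: unpack to PEM. -nodes leaves the key
# unencrypted in OUT, so OUT is created under umask 077.
pfx_to_pem() {
    pfx=$1; out=$2; pass=$3; shift 3
    (umask 077 && printf '%s' "$pass" | openssl pkcs12 -in "$pfx" -out "$out" -nodes \
        -passin stdin "$@")
}

# Demo with constructed files: self-signed cert, round-tripped through DER and PKCS#12
work=$(mktemp -d)
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$work/privateKey.key" \
    -out "$work/certificate.pem" -days 30 -subj /CN=www.example.org 2>/dev/null
pem_to_der "$work/certificate.pem" "$work/certificate.der"
der_to_pem "$work/certificate.der" "$work/roundtrip.pem"
pem_to_pfx "$work/privateKey.key" "$work/certificate.pem" "$work/certificate.pfx" 'demo-password'
pfx_to_pem "$work/certificate.pfx" "$work/keyStore.pem" 'demo-password'
echo "PEM:          $(cert_fp "$work/certificate.pem")"
echo "DER:          $(cert_fp "$work/certificate.der" DER)"
echo "DER->PEM:     $(cert_fp "$work/roundtrip.pem")"
echo "PKCS#12->PEM: $(cert_fp "$work/keyStore.pem")"
rm -rf "$work"
```

All four fingerprints print the same value; if a hand-made conversion ever prints a different one, you have picked up the wrong certificate from a bundle or corrupted the encoding.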
Author: Gregory Neil Shapiro
To make certificate authority:
mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
vi openssl.cnf (set values)
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
To make a new certificate:
cd CA (same directory created above)
openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf
(certificate and private key in file newreq.pem)
To sign new certificate with certificate authority:
cd CA (same directory created above)
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
rm -f tmp.pem
(newcert.pem contains signed certificate, newreq.pem still contains unsigned certificate and private key)
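The recipe above drives `openssl ca` through a hand-edited openssl.cnf. The script below is an added example, not part of the page: it does the same job with `openssl x509 -req -CA ...` and a small extension file, so nothing depends on the config file, and it adds what the recipe leaves out: CA:TRUE on the CA certificate, CA:FALSE plus a Subject Alternative Name on the issued certificate, and an `openssl verify` check of the chain and hostname. It assumes OpenSSL 1.1.1 or newer on PATH; directory, file and host names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the page): a small CA without openssl.cnf edits.
# Assumes OpenSSL 1.1.1 or newer on PATH; all names are constructed.
set -eu

# make_ca CADIR: self-signed CA in CADIR, key under private/ (mode 0700, file 0600)
make_ca() {
    ca=$1
    mkdir -p "$ca/private" "$ca/certs"
    chmod 700 "$ca/private"
    cat > "$ca/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
O = Example CA
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077 && openssl req -x509 -new -newkey rsa:2048 -nodes \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" -days 365 \
        -config "$ca/ca.cnf" 2>/dev/null)
    echo "01" > "$ca/serial"   # same starting serial as the recipe above
}

# sign_cert CADIR CSR OUT DAYS DNSNAME [DNSNAME ...]: issue a server certificate.
# The extension file pins CA:FALSE and the SAN list; the CSR's own extensions are ignored.
sign_cert() {
    ca=$1; csr=$2; out=$3; days=$4; shift 4
    san="DNS:$1"; shift
    for n in "$@"; do san="$san,DNS:$n"; done
    ext="$ca/ext.$$.cnf"
    cat > "$ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = $san
EOF
    openssl x509 -req -in "$csr" -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" \
        -CAserial "$ca/serial" -days "$days" -extfile "$ext" -out "$out" 2>/dev/null
    rm -f "$ext"
    # keep a copy named by serial, as openssl ca does in newcerts/
    cp "$out" "$ca/certs/$(openssl x509 -noout -serial -in "$out" | cut -d= -f2).pem"
}

# verify_cert CADIR CERT [HOSTNAME]: chain check against the CA, plus hostname if given
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
    fi
}

# Demo with constructed names: build the CA, request and issue a cert, verify it
work=$(mktemp -d)
make_ca "$work/CA"
openssl req -new -newkey rsa:2048 -nodes -keyout "$work/newreq.key" -out "$work/newreq.pem" \
    -subj "/O=Example Org/CN=www.example.org" 2>/dev/null
sign_cert "$work/CA" "$work/newreq.pem" "$work/newcert.pem" 365 www.example.org example.org
openssl x509 -noout -subject -issuer -in "$work/newcert.pem"
openssl x509 -noout -text -in "$work/newcert.pem" | grep -A1 'Subject Alternative Name'
if verify_cert "$work/CA" "$work/newcert.pem" www.example.org; then echo "chain and hostname OK"; fi
rm -rf "$work"
```

Unlike the recipe's newreq.pem, the key and the request stay in separate files here, so only newreq.pem ever leaves the machine; the CA key never needs to be readable by anything but the signing step.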