Convert File Formats, Using OpenSSL
From RZWiki
From PEM To...
DER
openssl x509 -inform pem -outform der -in MYCERT.pem -out MYCERT.der
openssl dsa -inform pem -outform der -in MYCERT.pem -out MYCERT.der
openssl rsa -inform pem -outform der -in MYCERT.pem -out MYCERT.der
PKCS12
openssl pkcs12 -export -in pem-certificate-and-key-file -out pkcs-12-certificate-and-key-file
openssl pkcs12 -export -in pem-certificate-file -inkey pem-key-file -out pkcs-12-certificate-and-key-file
openssl pkcs12 -export -in pem-certificate-file -nokeys -nodes -out pkcs-12-certificate-file
From NET To...
PEM
openssl pkcs8 -nocrypt -in file.ick -inform NET -out key.pem -outform PEM
From DER To...
PEM
openssl x509 -outform pem -inform der -in MYCERT.cer -out MYCERT.pem
openssl dsa -outform pem -inform der -in MYCERT.cer -out MYCERT.pem
openssl rsa -outform pem -inform der -in MYCERT.cer -out MYCERT.pem
From PKCS#7 To...
These files frequently have a .p7b extension.
PKCS#7 files normally contain both the actual certificate and a CA intermediate certificate combined. Both of the commands below will split the original combined certificate into its two constituent parts, but still in one file, so in most cases you will still need to edit the output file in order to install and use the actual certificate.
PEM
openssl pkcs7 -in test-certs.p7b -print_certs -out test-certs.pem
DER
openssl pkcs7 -in test-certs.p7b -print_certs -outform DER -out test-certs.der
From PKCS#12 To...
These files frequently have a PFX or P12 extension.
PEM
openssl pkcs12 -in networkstuff.eu.pfx -out networkstuff.eu.pem -nodes -nocerts
openssl pkcs12 -in pkcs-12-certificate-file -out pem-certificate-file
openssl pkcs12 -in pkcs-12-certificate-and-key-file -out pem-certificate-and-key-file
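The conversions above are lossless, but a practitioner usually wants proof that the file that came out still carries the same certificate and the same key as the file that went in. The script below is an added example, not part of the RZWiki page: it generates a throwaway key and self-signed certificate, runs them through PEM -> DER -> PEM (x509 and rsa) and PEM -> PKCS#12 -> PEM, and compares the SHA-256 fingerprint and the key modulus before and after. It assumes openssl is on PATH; the file names, subject and password are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the RZWiki page: round-trip a certificate and its key
# through PEM -> DER -> PEM and PEM -> PKCS#12 -> PEM and confirm nothing changed
# by comparing the SHA-256 fingerprint and the RSA modulus on both sides.
# Assumes openssl on PATH; file names, subject and password are constructed.
set -eu

# Constructed input: throwaway RSA key and self-signed certificate in PEM.
# A minimal req config is written so the command does not depend on the
# system openssl.cnf being present.
make_demo_material() {
  dir=$1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = demo.example\n' \
    > "$dir/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days 1 -config "$dir/req.cnf" >/dev/null 2>&1
}

# PEM -> DER -> PEM for the certificate (x509) and the key (rsa).
# Returns 0 only if fingerprint and modulus survive the round trip.
roundtrip_der() {
  dir=$1
  openssl x509 -inform pem -outform der -in "$dir/cert.pem" -out "$dir/cert.der"
  openssl x509 -inform der -outform pem -in "$dir/cert.der" -out "$dir/cert2.pem"
  openssl rsa -inform pem -outform der -in "$dir/key.pem" -out "$dir/key.der" 2>/dev/null
  openssl rsa -inform der -outform pem -in "$dir/key.der" -out "$dir/key2.pem" 2>/dev/null
  f1=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)
  f2=$(openssl x509 -in "$dir/cert2.pem" -noout -fingerprint -sha256)
  m1=$(openssl rsa -in "$dir/key.pem" -noout -modulus 2>/dev/null)
  m2=$(openssl rsa -in "$dir/key2.pem" -noout -modulus 2>/dev/null)
  [ "$f1" = "$f2" ] && [ "$m1" = "$m2" ]
}

# PEM cert + key -> PKCS#12 -> PEM. -nodes leaves the extracted key
# unencrypted on disk, so treat that file accordingly. Returns 0 if the
# extracted key still matches the extracted certificate (same modulus).
roundtrip_pkcs12() {
  dir=$1
  pass=$2
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/bundle.p12" -name demo -passout "pass:$pass"
  openssl pkcs12 -in "$dir/bundle.p12" -out "$dir/from_p12.pem" -nodes \
    -passin "pass:$pass" 2>/dev/null
  cm=$(openssl x509 -in "$dir/from_p12.pem" -noout -modulus)
  km=$(openssl rsa -in "$dir/from_p12.pem" -noout -modulus 2>/dev/null)
  [ "$cm" = "$km" ]
}

# Usage: sh convert-check.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_demo_material "$work"
  roundtrip_der "$work" && echo "DER round trip: OK" || echo "DER round trip: FAILED"
  roundtrip_pkcs12 "$work" demo-pass && echo "PKCS#12 round trip: OK" || echo "PKCS#12 round trip: FAILED"
  rm -rf "$work"
fi
```

The modulus comparison is the same check used to confirm that a certificate and a private key belong together, so the last function doubles as a "does this key match this cert" test for any combined PEM file.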
create self-signed certificate (can be used to sign other certificates)
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365
sign a Certificate Signing Request
openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365
-days has to be less than the validity of the CA certificate
convert (add) a separate key and certificate to a new keystore of type PKCS#12
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name tomcat
convert (add) a separate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name tomcat -CAfile MY-CA-CERT.crt -caname myCA -chain
you can repeat the combination of -CAfile and -caname for each intermediate certificate
check a trust chain of a certificate
openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt
if the trust chain is in a directory (hash format), replace -CAfile with -CApath /path/to/CAchainDir/
to check for server usage add -purpose sslserver; to check for client usage add -purpose sslclient
debug an SSL connection [server doesn't require certificate authentication]
openssl s_client -connect idp.example.be:443
debug an SSL connection with mutual certificate authentication
openssl s_client -connect idp.example.be:8443 -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key
if the trust chain is in a directory (hash format), replace -CAfile with -CApath /path/to/CAchainDir/
to send the STARTTLS command (SMTP or POP3 style), add -starttls smtp or -starttls pop3
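The self-signed CA, CSR signing, PKCS#12-with-chain and trust-chain steps above form one procedure, so here they are run end to end as an added example (not from the RZWiki page): a throwaway two-level PKI, a Tomcat-style keystore that carries key, certificate and chain, and an openssl verify with -purpose. It goes one step beyond the page by showing that the same certificate passes -purpose sslserver and is rejected by -purpose sslclient, which is what the purpose switch is for. It assumes openssl 1.1.1 or later on PATH; the config file, subjects, names and password are constructed for the demo. The s_client commands are not exercised because they need a live server.

```sh
#!/bin/sh
# Added example, not from the RZWiki page: demo PKI built with the page's
# commands (self-signed CA, CSR signed by the CA, PKCS#12 keystore with chain,
# openssl verify with -purpose). Assumes openssl 1.1.1+ on PATH; all names,
# subjects and the password are constructed.
set -eu

# One config file for both req calls and for the leaf extensions, so nothing
# here depends on the system openssl.cnf.
write_config() {
  dir=$1
  cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example
EOF
}

# "create self-signed certificate": issued for 2 days so the 1-day leaf below
# stays inside the CA's validity; CA:TRUE and keyCertSign make verify accept it.
make_ca() {
  dir=$1
  write_config "$dir"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -days 2 -subj "/CN=Demo CA" \
    -config "$dir/demo.cnf" -extensions v3_ca >/dev/null 2>&1
}

# CSR for the server, then "sign a Certificate Signing Request" with the CA.
# The v3_leaf section gives the leaf extendedKeyUsage=serverAuth only.
issue_server_cert() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=server.example" \
    -config "$dir/demo.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/server.crt" -days 1 \
    -extfile "$dir/demo.cnf" -extensions v3_leaf >/dev/null 2>&1
}

# Key + certificate + chain into one PKCS#12 keystore (the Tomcat case);
# prints how many certificates the keystore holds (leaf + CA = 2 here).
make_keystore() {
  dir=$1
  pass=$2
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
    -out "$dir/keystore.p12" -name tomcat -CAfile "$dir/ca.crt" -caname demoCA \
    -chain -passout "pass:$pass" 2>/dev/null
  openssl pkcs12 -in "$dir/keystore.p12" -nokeys -passin "pass:$pass" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# "check a trust chain" for a given purpose (sslserver, sslclient, ...); 0 on success.
verify_chain() {
  dir=$1
  purpose=$2
  openssl verify -CAfile "$dir/ca.crt" -purpose "$purpose" "$dir/server.crt" \
    >/dev/null 2>&1
}

# Usage: sh demo-pki.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_ca "$work"
  issue_server_cert "$work"
  echo "certificates in keystore: $(make_keystore "$work" demo-pass)"
  verify_chain "$work" sslserver && echo "sslserver: OK"
  verify_chain "$work" sslclient || echo "sslclient: rejected (no clientAuth in extendedKeyUsage)"
  rm -rf "$work"
fi
```

Counting BEGIN CERTIFICATE lines in the keystore is a quick way to confirm that -chain actually pulled the CA into the PKCS#12 file; a count of 1 means the server will send only the leaf.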
Related Articles
Confirm Key File Formats, Using OpenSSL or Check Key File, Using OpenSSL
Our other OpenSSL articles
Information on OpenSSL Commands