From WikiWiki
Jump to navigation Jump to search

Some usefull Openssl commands

Comment Command
Convert pem (base64 certfiles) to pfx openssl pkcs12 -inkey privatekey.pem -in publiccert.pem -export -out output.pfx
remove passphrase from private key file openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem
convert private key to aes192 encrypted private key openssl rsa -in file.key -out aes192.key -aes192
match public and private key

openssl x509 -in cert.crt -text -noout -modulus

openssl rsa -in file.key -check -modulus

manually match moduli

read and verify private key openssl rsa -in file.key -text -check
use openssl as client and print all certificates received from server openssl s_client -connect -showcerts


View PEM encoded certificate

Use the command that has the extension of your certificate replacing with the name of your certificate

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the “View DER encoded certificate below”

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

View DER encoded Certificate

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate above

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509



Transforms can take one type of encoded certificate to another. (ie. PEM To DER conversion)


openssl x509 -in cert.crt -outform der -out cert.der


openssl x509 -in cert.crt -inform der -outform pem -out cert.pem


#create directories
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
#generate selfsigned root
sudo openssl req -sha256 -x509 -nodes -days 365 -newkey rsa:2048 -key /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

#new DH group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

encrypt arbitrary files

openssl enc -aes-256-cbc -salt -md sha256 -pbkdf2 -iter 500000 -in plaintext.txt -out encrypted.enc
openssl enc -d -aes-256-cbc -salt -md sha256 -pbkdf2 -iter 500000 -in encrypted.enc -out plaintext_out.txt