OpenSSL Cheat Sheet

If you have any reason at all to work (or play) with digital certificates, one of the most useful tools you will find anywhere is OpenSSL. It can do pretty much anything you could wish to do when it comes to displaying certificate contents, converting from one format to another or even issuing and signing your own certificates (you can operate your own CA with it !).

This page contains a handy list of OpenSSL commands I've found useful from time to time.

Viewing Certificate Contents

X.509 certificates are usually stored in one of two formats:

DER which is raw binary data. This is the format Microsoft (and most other applications) understands
PEM which is a text-encoded format based on the Privacy-Enhanced Mail standard (see RFC1421). PEM-format certificates look something like this:-
-----BEGIN CERTIFICATE----- MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww : : MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa C1Q= -----END CERTIFICATE-----

OpenSSL uses the PEM format by default, but you can tell it to process DER format certificates...you just need to know which you are dealing with.

The command to view an X.509 certificate is:

openssl x509 -in filename.cer -inform der -text

You can specifiy -inform pem if you want to look at a PEM-format certificate

Convert Between Formats

If you have a PEM-format certificate which you want to convert into DER-format (so that you can import it into Microsoft), you can use the command:

openssl x509 -in filename.pem -inform pem -out filename.cer -outform der

Viewing PKCS12 Keystore Contents

This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc. You can have a look into a PKCS12 file using the command

openssl pkcs12 -in filename.p12 -info

Constructing PKCS12 from PEM Certificate & Private Key

If you have two separate files containing your certificate and private key, both in PEM format, you can combine these into a single PKCS12 file (suitable for importing into Windows) using the command:-

openssl pkcs12 -in cert.pem -inkey key.pem -export -out filename.p12

Links & References

http://www.openssl.org - The OpenSSL project home page
http://www.rsasecurity.com/rsalabs/pkcs/ - RSA Security's page describing the different PKIX file formats
RFC2459 - Internet X.509 Public Key Infrastructure,Certificate and CRL Profile.