5/27/09

Useful OPENSSL Commands

Below are some of very usefull OPENSSL Commands.

Generate a certificate signing request based on an existing x509 certificate
openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key

Generate a certificate siging request for an existing private key
openssl req -out MYCSR.csr -key MYKEY.key -new

Create self-signed certificate (can be used to sign other certificates)
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365

Generate a new private key and matching Certificate Signing Request (eg to send to a commercial CA)
openssl req -out MYCSR.csr -pubkey -new -keyout MYKEY.key
add -nodes to create an unencrypted private key
add -config <//openssl.cnf><//openssl.cnf></ openssl.cnf=""><//><//openssl.cnf></ openssl.cnf=""><//></ openssl.cnf=""><//></><//><//openssl.cnf></ openssl.cnf=""><//></ openssl.cnf=""><//></><//></ openssl.cnf=""><//></><//></><//></><//>if your config file has not been set in the environment

Decrypt private key
openssl rsa -in MYKEY.key >> MYKEY-NOCRYPT.key

Sign a Certificate Signing Request
openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365
-days has to be less than the validity of the CA certificate

Convert DER (.crt .cer .der) to PEM
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

Convert PEM to DER
openssl x509 -outform der -in MYCERT.pem -out MYCERT.der

Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates
openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes
add -nocerts for private key only; add -nokeys for certificates only

Convert (add) a seperate key and certificate to a new keystore of type PKCS#12
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat"

Convert (add) a seperate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain
you can repeat the combination of "-CAfile" and "-caname" for each intermediate certificate

Extracting Certificate and Private Key Files from a .pfx File

Run the following command to export the private key:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
Run the following command to export the certificate:
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
Run the following command to remove the passphrase from the private key:
openssl rsa -in key.pem -out server.key  


Check a private key
openssl rsa -in MYKEY.key -check
add -noout to not disclose the key

Check a Certificate Signing Request
openssl req -text -noout -verify -in MYCSR.csr

Check a certificate
openssl x509 -in MYCERT.crt -text -noout

Check a PKCS#12 keystore
openssl pkcs12 -info -in KEYSTORE.p12

Check a trust chain of a certificate
openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt
trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
to check for server usage: -purpose sslserver
to check for client usage: -purpose sslient

How to Change JKS KeyStore Private Key Password

Use following keytool command to change the key store password >keytool  -storepasswd  -new [new password ]  -keystore  [path to key stor...