OpenSSL is free security protocols and implementation library provided by Free Software community. OpenSSL libraries are used by a lot of enterprises in their systems and products. OpenSSL libraries and algorithms can be used with openssl command. In this tutorial we will look different use cases for openssl command.

Private Key

Private keys should kept secret. Private keys generally used to decrypt data.

Public Key

Public keys are provided every one and it not secret. Public keys generally used to encrypt data.

Certificate

Certificates holds keys and related information. Certificates generally holds public keys.

Generate Private Key and Certificate Signing Request

We can generate a private key with a Certificate Signing Request. We can send generated CertificateSigningRequest.csr to the Certificate Authority for approvel and then we can use privateKey.key

$ openssl req -out CertificateSigningRequest.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Generate Self-Signed Certificate

If we will use certificate in our local environment and systems we do not need to sign it by Global Certificate Authority. So we can generate a self signed certificate with the following command.

$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Generate Certificate Signing Request (CSR) with Existing Certificate

If we have all ready a certificate but we need to approve it by Global Certificate Authorities we need to generate Certificate Signing Request with the following command.

$ openssl req -out CSR.csr -key privateKey.key -new

Remove Passphrase From Private Key

Private Keys generally stored as encrypted to make it more secure. But every time we want to use Private Key we have to decrypt it. To make it more practical we can extract Private Key and store as unencrypted.

$ openssl rsa -in privateKey.pem -out newPrivateKey.pem

Check and Print Certificate Signing Request (CSR)

We can print every information provided by a Certificate Signing Request on the shell. We will use following command for this.

$ openssl req -text -noout -verify -in CertificateSigningRequest.csr

Check and Print Private Key

We can print and check a private key with the following command. This will print key information.

$ openssl rsa -in privateKey.key -check

Check and Print Certificate

We can print certificate information and related parts with the following command.

$ openssl x509 -in certificate.crt -text -noout

Check and Print PKCS#12 Certificate (.pfx , .p12)

We can check and print PKCS#12 certificates with the following command.

$ openssl pkcs12 -info -in keyStore.p12

Check SSL Connection and Certificates

OpenSSL provides a web client which can connect web servers with SSL/TLS and print SSL/TLS certificate information.

$ openssl s_client -connect poftut.com:443

Convert DER (.crt .cer .der) To PEM

Certificates can be stored in different formats. DER and PEM are two popular format used to store certificates. We can convert DER to PEM with the following command.

$ openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert PEM To DER

The reverse conversation from PEM to DER can be done with the following.

$ openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PKCS#12 (.pfx .p12) To PEM

We can convert PKCS#12 format files to the PEM files with the following command.

$ openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Convert PEM To PKCS#12 (.pfx .p12)

We can convert PEM format to the PKCS#12 format with the following command.

$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt