A few frequently used OpenSSL commands

generate a new private key and matching Certificate Signing Request (eg to send to a commercial CA)

openssl req -out MYCSR.csr -pubkey -new -keyout MYKEY.key 

add -nodes to create an unencrypted private key
add -config <openssl.cnf> if your config file has not been set in the environment 

 

decrypt private key

openssl rsa -in MYKEY.key >> MYKEY-NOCRYPT.key 

generate a certificate siging request for an existing private key

openssl req -out MYCSR.csr -key MYKEY.key -new 

generate a certificate signing request based on an existing x509 certificate

openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key 

create self-signed certificate (can be used to sign other certificates)

openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365 

sign a Certificate Signing Request

openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365

-days has to be less than the validity of the CA certificate 

convert DER (.crt .cer .der) to PEM

openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem 

convert PEM to DER

openssl x509 -outform der -in MYCERT.pem -out MYCERT.der 

convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes

add -nocerts for private key only; add -nokeys for certificates only 

 

convert (add) a seperate key and certificate to a new keystore of type PKCS#12

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" 

convert (add) a seperate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)

 

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain

you can repeat the combination of "-CAfile" and "-caname" for each intermediate certificate

check a private key

openssl rsa -in MYKEY.key -check

add -noout to not disclose the key 

 

check a Certificate Signing Request

openssl req -text -noout -verify -in MYCSR.csr 

check a certificate

openssl x509 -in MYCERT.crt -text -noout 

check a PKCS#12 keystore

openssl pkcs12 -info -in KEYSTORE.p12 

check a trust chain of a certificate

openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt

trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
to check for server usage: -purpose sslserver
to check for client usage: -purpose sslient

debug an SSL connection [server doesn't require certificate authentication]

openssl s_client -connect idp.example.be:443

 

debug an SSL connection with mutual certificate authentication

openssl s_client -connect idp.example.be:8443 -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key

trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
send the starttls command (smtp or pop3 style): -starttls smtp or -starttls pop3