# Create Private Key

* PEM output

```bash
openssl genrsa -out priv.key 2048
```

# Get Key / Certificate Info

## Key

```bash
openssl rsa -text -in priv.key -noout
```

## Certificate Info

### PEM

```bash
openssl x509 -text -in cert.crt -noout
```

# Check for Valid Certificate/Key Pair

The key, certificate and CSR belong together when the three commands below print the same SHA-256 value, because each one hashes the public key carried by that file.

## Get Key SHA

```bash
openssl pkey -pubout -in private.key | openssl sha256
```

## Get Certificate SHA

```bash
openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
```

## Get CSR SHA

```bash
openssl req -pubkey -in request.csr -noout | openssl sha256
```

# Certificate Signing Requests

## Get CSR Info

```bash
openssl req -text -in request.csr -noout -verify
```

## Create CSR

* For example "server_cert.cnf"

```ini
[ req ]
default_bits = 4096
default_md = sha512
default_keyfile = domain.com.key
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = "AU"
localityName = "Perth"
organizationName = "Company"
organizationalUnitName = "Dept"
commonName = "domain1.com"
emailAddress = "[email protected]"

[ req_ext ]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

[alt_names]
DNS.1 = domain2.com
DNS.2 = domain3.com
DNS.3 = domain4.com
IP.1 = 10.0.0.1
IP.2 = 10.0.0.2
```

```bash
openssl req -new -key previously_created.key -out resultant.csr -config server_cert.cnf
```

## Self-signed from CSR

```bash
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
```

# Removing Passwords

## Extract Certificates from PFX/PKCS12 if Required

### Certificates

```bash
openssl pkcs12 -clcerts -nokeys -in file.pfx -out certificate.crt
```

### CA Certificates if Required

```bash
# -nocerts together with -nokeys would write an empty file, so only -nokeys is used here
openssl pkcs12 -cacerts -nokeys -in file.pfx -out ca-cert.ca
```

### Private Key

```bash
# -nodes writes the private key unencrypted
openssl pkcs12 -nocerts -in file.pfx -out private.key -nodes
```

| Format | Extensions                | Contents                        | Encoding  | Where                       |
| ------ | ------------------------- | ------------------------------- | --------- | --------------------------- |
| PEM    | .pem, .crt, .cer, or .key | Single and/or Chain, and/or Key | b64 ASCII | Mostly Linux but Everywhere |
| PKCS7  | .p7b or .p7c              | Certificate(s) only             | b64 ASCII | Mostly Windows              |
| DER    | .der or .cer              | Certificate only                | Binary    | Java                        |
| PKCS12 | .pfx or .p12              | Certificate(s) and key          |           | Mostly Windows              |

| Name   | Synonym |
| ------ | ------- |
| PKCS12 | PFX     |
| PFX    | PKCS12  |

| From  | To    | Command |
| ----- | ----- | ------- |
| x509  | PEM   | `openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem` |
| PEM   | DER   | `openssl x509 -outform der -in certificatename.pem -out certificatename.der` |
| DER   | PEM   | `openssl x509 -inform der -in certificatename.der -out certificatename.pem` |
| PEM   | P7B   | `openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer` |
| PKCS7 | PEM   | `openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem` |
| PFX   | PEM   | `openssl pkcs12 -in certificatename.pfx -out certificatename.pem` |
| PFX   | PKCS8 | 1. PFX->PEM `openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem` |
|       |       | 2. PEM->PKCS8 `openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8` |
| P7B   | PFX   | 1. P7B->CER `openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer` |
|       |       | 2. CER+KEY->PFX `openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer` |
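
The three public-key hash commands from the certificate/key pair check earlier on this page only help if the outputs are actually compared, so this added example (not part of the original page) wraps them in a script that fails closed on a mismatch or an unparsable file. The function names `pubkey_sha256`, `check_pair` and `make_sample` are hypothetical helpers, and the script assumes unencrypted PEM inputs.

```bash
# Added example; function names are hypothetical helpers, not OpenSSL commands.
# Assumes unencrypted PEM inputs (an encrypted key would prompt for a passphrase).

# pubkey_sha256 KIND FILE: print the SHA-256 of the PEM public key in FILE.
pubkey_sha256() {
    case "$1" in
        key)  pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -pubkey -noout -in "$2" 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -pubkey -noout -in "$2" 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1          # fail closed on empty output
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# check_pair KEY CERT [CSR]: return 0 only if every file carries the same public key.
check_pair() {
    key_sha=$(pubkey_sha256 key "$1")   || { echo "unreadable key: $1" >&2; return 1; }
    cert_sha=$(pubkey_sha256 cert "$2") || { echo "unreadable certificate: $2" >&2; return 1; }
    [ "$key_sha" = "$cert_sha" ] || { echo "MISMATCH: $2 does not belong to $1" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        csr_sha=$(pubkey_sha256 csr "$3") || { echo "unreadable CSR: $3" >&2; return 1; }
        [ "$csr_sha" = "$key_sha" ] || { echo "MISMATCH: $3 does not belong to $1" >&2; return 1; }
    fi
    echo "OK: public keys match (sha256 $key_sha)"
}

# make_sample DIR: build constructed test material (throwaway keys, CN=example.test).
make_sample() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/a.key" -subj "/CN=example.test" -out "$1/a.csr" &&
    openssl x509 -req -sha256 -days 1 -in "$1/a.csr" -signkey "$1/a.key" \
        -out "$1/a.crt" 2>/dev/null
}

# Command-line use: sh check_pair.sh private.key certificate.crt [request.csr]
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

Run it before installing a renewed certificate or building a PFX: a non-zero exit means the certificate or CSR was generated from a different private key than the one being deployed.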