OpenSSL Commands for Certificate Management
- X509 Certificate
- Certificate Private Key or PKCS #8
- PFX or PKCS #12
- CSR (Certificate Signing Request)
- References
The following are openssl commands for dealing with SSL/TLS certificates that I have found useful,
grouped into X509 Certificate, Certificate Private Key or PKCS #8, PFX or PKCS #12, and CSR.
X509 Certificate
Inspect Certificate
# List all info about the certificate
openssl x509 -in cert.pem -noout -text
# Serial number
openssl x509 -in cert.pem -noout -serial
# Start Date (Not Before)
openssl x509 -in cert.pem -noout -startdate
# End Date (Not After)
openssl x509 -in cert.pem -noout -enddate
# Subject
openssl x509 -in cert.pem -noout -subject
# Subject Alternative Name (SAN)
openssl x509 -in cert.pem -noout -text | grep DNS
# OCSP URI
openssl x509 -in cert.pem -noout -ocsp_uri
Check Certificate Revocation
ocsp_uri=$(openssl x509 -in cert.pem -noout -ocsp_uri)
openssl ocsp -issuer chain.pem -cert cert.pem -url "$ocsp_uri" -text
Certificate Private Key or PKCS #8
Remove Private Key Password (Decrypt)
openssl pkcs8 -in encrypted-privkey.pem -out privkey.pem -passin pass:YourPasswordString
# or
openssl pkcs8 -in encrypted-privkey.pem -out privkey.pem -passin env:YourPasswordEnvVar
Add a Password to Private Key (Encrypt)
openssl pkcs8 -in privkey.pem -topk8 -out encrypted-privkey.pem -passout pass:YourPasswordString
# or
openssl pkcs8 -in privkey.pem -topk8 -out encrypted-privkey.pem -passout env:YourPasswordEnvVar
Match Certificate and Private Key
Online Tool: https://decoder.link/matcher
Or use openssl command:
openssl x509 -noout -modulus -in cert.pem > cert.modulus
openssl rsa -noout -modulus -in privkey.pem > key.modulus
diff -s cert.modulus key.modulus
If your private key is password protected, add -passin pass:YourPasswordString or -passin env:YourPasswordEnvVar to the rsa command.
Note that -modulus only applies to RSA keys; for EC or Ed25519 keys compare the public keys instead.
PFX or PKCS #12
Combine certificate (chain) and key files into a single pfx file
openssl pkcs12 -in fullchain.pem -inkey privkey.pem -export -out fullchain.pfx -password pass:YourPasswordString
# or
openssl pkcs12 -in fullchain.pem -inkey privkey.pem -export -out fullchain.pfx -password env:YourPasswordEnvVar
Split pfx file into certs and key
# Get Certificates (Full Chain)
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nokeys -out fullchain.pem
# Get Client Certificate Only
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nokeys -clcerts -out cert.pem
# Get CA/Intermediate Certificate Only
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nokeys -cacerts -out chain.pem
# Get Private Key
openssl pkcs12 -in fullchain.pfx -passin pass:YourPasswordString -nocerts -nodes -out privkey.pem
CSR (Certificate Signing Request)
CSR Generation with config file
# example.com.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = *.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.example.com
DNS.2 = example.com
openssl req -new -config example.com.cnf -keyout example.com.key -out example.com.csr
CSR Generation without config file
openssl req -subj "/CN=*.example.com" -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
Note: It's not easy to create a CSR with a Subject Alternative Name (SAN) without using a config file (OpenSSL 1.1.1 and later do accept -addext for this).
CSR Inspection
openssl req -in example.com.csr -noout -text
Generate a Self-Signed Certificate
# Note: x509 -req does not carry the CSR's extensions (e.g. the SAN) over into the certificate
# unless asked to (-extfile, or -copy_extensions copy in OpenSSL 3.0+)
openssl x509 -req -days 366 -in example.com.csr -signkey example.com.key -out example.com.crt
Match CSR and Private Key
Online Tool: https://decoder.link/matcher
Or use openssl command:
openssl req -noout -modulus -in example.com.csr > csr.modulus
openssl rsa -noout -modulus -in example.com.key > key.modulus
diff -s csr.modulus key.modulus
If your private key is password protected, add -passin pass:YourPasswordString or -passin env:YourPasswordEnvVar to the rsa command.
Note that -modulus only applies to RSA keys; for EC or Ed25519 keys compare the public keys instead.
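As an added example (not part of the original notes), the following shell functions generalize both "Match Certificate and Private Key" and "Match CSR and Private Key" above: instead of comparing RSA moduli, they compare a SHA-256 fingerprint of the public key carried by a certificate, CSR or private key, so the check also works for EC and Ed25519 keys. It assumes a POSIX shell with openssl 1.1.1 or later on PATH; the KEY_PASS variable name is my own convention for an encrypted key.

```shell
#!/bin/sh
# Added example: compare the SubjectPublicKeyInfo carried by a cert, CSR or key.
# Assumes openssl >= 1.1.1. For an encrypted private key, export KEY_PASS
# (assumed variable name) and it is passed as -passin env:KEY_PASS.

# Print the SHA-256 fingerprint of the DER-encoded public key inside $1.
# $2 selects the container type: cert | csr | key.
pubkey_fingerprint() {
  file=$1; kind=$2
  case $kind in
    cert) pub=$(openssl x509 -in "$file" -noout -pubkey) ;;
    csr)  pub=$(openssl req  -in "$file" -noout -pubkey) ;;
    key)  pub=$(openssl pkey -in "$file" -pubout ${KEY_PASS:+-passin env:KEY_PASS}) ;;
    *) echo "pubkey_fingerprint: unknown kind '$kind'" >&2; return 2 ;;
  esac || return 1
  # Normalize the PEM public key to DER before hashing so that formatting
  # differences between the three sources cannot affect the comparison.
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: keys_match FILE_A KIND_A FILE_B KIND_B
# Returns 0 if both objects carry the same public key, 1 otherwise.
keys_match() {
  a=$(pubkey_fingerprint "$1" "$2") || return 1
  b=$(pubkey_fingerprint "$3" "$4") || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Example call: `keys_match example.com.csr csr example.com.key key && echo "CSR and key match"`.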