OpenSSL Cheat Sheet
Categories:
Certificate types
X509
PEM
PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). A single PEM file could contain an end-entity certificate, a private key, or multiple certificates forming a complete chain of trust.
(Source: SSL.com)
Common file extensions are .crt, .cer, .pem, .key, ca-bundle.
View contents of the certificate in CERTIFICATE_FILE:
openssl x509 -in CERTIFICATE_FILE -text -noout
Convert PEM to DER:
openssl x509 -outform der -in PEM_FILE -out DER_FILE
Convert PEM to PKCS#7:
openssl crl2pkcs7 -nocrl -certfile CERTIFICATE_PEM_FILE -certfile CA_CHAIN_PEM_FILE -out OUTPUT_FILE
Convert PEM to PKCS#12:
openssl pkcs12 -export -out PKCS12_FILE -inkey PRIVATE_KEY_FILE -in CERTIFICATE_PEM_FILE -certfile CA_CHAIN_PEM_FILE
DER
DER (Distinguished Encoding Rules) is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----. DER files are most commonly seen in Java contexts.
(Source: SSL.com)
Common file extensions are .der and .cer.
View contents of CERTIFICATE_DER_FILE:
openssl x509 -inform der -in CERTIFICATE_DER_FILE -text -noout
Convert CERTIFICATE_DER_FILE to a PEM:
openssl x509 -inform der -in CERTIFICATE_DER_FILE -out CERTIFICATE_PEM_FILE
Certificate container formats
PKCS#7
PKCS#7 (also known as P7B) is a container format for digital certificates that is most often found in Windows and Java server contexts, and usually has the extension .p7b. PKCS#7 files are not used to store private keys.
PKCS#12
PKCS#12 (also known as PKCS12 or PFX) is a common binary format for storing a certificate chain and private key in a single, encryptable file, and usually has the filename extension .p12 or .pfx.
Convert PKCS#12 to X.509 (PEM)
Extract the private key:
openssl pkcs12 -in P12_CERT_FILE -out X509_KEY_FILE -nocerts -nodes
Extract the certificate alone:
openssl pkcs12 -in P12_CERT_FILE -out X509_CERT_FILE -nokeys -nodes -clcerts
Extract the certificate and the CA chain:
openssl pkcs12 -in P12_CERT_FILE -out X509_CERT_FILE -nokeys -nodes
Extract the CA chain (-cacerts selects only the CA certificates; -chain is an export-only option and has no effect here):
openssl pkcs12 -in P12_CERT_FILE -out X509_CA_CHAIN_FILE -nokeys -cacerts
Handy commands
Misc commands
Get an x509 secret from Kubernetes and output details:
kubectl get secret SECRET_NAME -ojson | jq -r '.data."KEY"' | base64 -d | openssl x509 -text
Create a self-signed X.509 certificate (the -out file is the certificate, not a bare public key):
openssl req -x509 -nodes -newkey rsa:4096 -keyout "PRIVATE_KEY_FILE" -out "CERTIFICATE_FILE" -subj "SUBJECT"
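The commands in this section and in "Convert PKCS#12 to X.509" above are meant to be chained, and the step most people skip is checking that the key they extracted actually belongs to the certificate they extracted. The script below is an added example, not part of the original cheat sheet: it creates a self-signed certificate, round-trips it through DER and PKCS#12, and verifies that the extracted key matches the extracted certificate. It assumes `openssl` is on PATH; the file names, the subject and the password `changeit` are placeholders chosen here.

```shell
#!/bin/sh
# Added example: round-trip a self-signed certificate through PEM, DER and
# PKCS#12 and verify the result. Assumes `openssl` is on PATH.
set -eu

# Scratch directory; every artifact lives under it and is removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Returns 0 when the public key inside certificate $1 equals the public key
# derived from private key $2. Run this after any PKCS#12 extraction.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

roundtrip() {
  # 1. Self-signed certificate plus key (the cheat sheet's `req -x509` form).
  openssl req -x509 -nodes -newkey rsa:2048 -keyout "$WORK/key.pem" \
    -out "$WORK/cert.pem" -subj "/CN=example.test" -days 1 2>/dev/null
  # 2. PEM -> DER -> PEM; the two PEM files must be byte-identical.
  openssl x509 -outform der -in "$WORK/cert.pem" -out "$WORK/cert.der"
  openssl x509 -inform der -in "$WORK/cert.der" -out "$WORK/cert2.pem"
  cmp -s "$WORK/cert.pem" "$WORK/cert2.pem" || return 1
  # 3. Bundle key and certificate into PKCS#12 (constructed password).
  openssl pkcs12 -export -out "$WORK/bundle.p12" -inkey "$WORK/key.pem" \
    -in "$WORK/cert.pem" -passout pass:changeit
  # 4. Extract the key and the client certificate separately, as on the page.
  openssl pkcs12 -in "$WORK/bundle.p12" -out "$WORK/key2.pem" -nocerts -nodes \
    -passin pass:changeit
  openssl pkcs12 -in "$WORK/bundle.p12" -out "$WORK/cert3.pem" -nokeys -clcerts \
    -passin pass:changeit
  # 5. The extracted key must belong to the extracted certificate.
  key_matches_cert "$WORK/cert3.pem" "$WORK/key2.pem"
}
```

Pointing `key_matches_cert` at a certificate and a key that were not issued together returns a non-zero status, which is the symptom of a mixed-up PKCS#12 extraction.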
Extract the client certificate and pipe it through AWK to replace newline characters with a literal \n:
openssl pkcs12 -in PKCS12_FILE -clcerts -nokeys -password pass:PASSWORD | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'

| option | arg | explanation |
|---|---|---|
| -in | file | Input file to read from. STDIN if not provided |
| -clcerts | | Only output client certificates (not CA certs) |
| -nokeys | | Do not output private keys |
| -password | pass:PASSWORD | Where PASSWORD is the password (not found in linux or mac openssl) |