OpenSSL commands

General OpenSSL commands

The following commands allow you to generate CSRs, certificates and private keys, and to perform other related tasks.

Generate a new private key and matching certificate signing request (Unix) 

Generate a new private key and matching certificate signing request (Windows)

Generate a certificate signing request for an existing private key

Generate a certificate signing request based on an existing x509 certificate

Decrypt private key

Remove a passphrase from a private key


Checking commands

Use the following commands to check the information within a Certificate, CSR or Private Key. You can also check CSRs and certificates using our online tools.

Check a certificate signing request

Check a private key

Check a certificate

Check a PKCS#12 keystore


Debugging commands

If you are receiving certificate errors, try one of the following commands to debug an SSL connection. Use our Site Check as well to check the certificate.

Check the MD5 hash of the public key

Check an SSL connection. All certificates (including intermediates) should be shown


Converting commands

Use the following commands to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file for use with Tomcat or IIS.

Convert DER (.crt .cer .der) to PEM


Convert PEM to DER

Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

Convert (add) a separate key and certificate to a new keystore of type PKCS#12

PKCS7 Certificates from Verisign

I got from a client a file in pkcs7 format, which seems to be common for Verisign. Although they offer x.509 certificates too, the file that I had contained a PKCS #7 SIGNED DATA field. In order to get past that I had to edit the file and instead of:

-----BEGIN PKCS #7 SIGNED DATA-----
I used:
-----BEGIN CERTIFICATE-----

And instead of:

-----END PKCS #7 SIGNED DATA-----
I used:
-----END CERTIFICATE-----

Note that it's important to have 5 (-).

In the end I ran:

openssl pkcs7 -in mynew_file.crt -print_certs -out verisign.cert

Now verisign.cert should contain the certificate for your website and probably the intermediate chain cert.
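
The relabel-and-extract steps above as a script, added here as an example and not part of the original post; the function names, temporary files and the `example.test` certificate are constructed for the demonstration. It builds a throwaway certificate, wraps it the way the CA file arrived, and checks by SHA-256 fingerprint that the extracted certificate is the one that went in.

```shell
#!/bin/sh
# Added example; every file name and the CN below are constructed.

# Relabel a "PKCS #7 SIGNED DATA" PEM file as CERTIFICATE (only the
# BEGIN/END lines change) and write the contained certificates to $2.
p7_extract_certs() {
    tmp=$(mktemp) || return 1
    # [[:space:]]* also tolerates CRLF line endings from Windows tools.
    sed -e 's/^-----BEGIN PKCS #7 SIGNED DATA-----[[:space:]]*$/-----BEGIN CERTIFICATE-----/' \
        -e 's/^-----END PKCS #7 SIGNED DATA-----[[:space:]]*$/-----END CERTIFICATE-----/' \
        "$1" > "$tmp"
    openssl pkcs7 -in "$tmp" -print_certs -out "$2"
    rc=$?
    rm -f "$tmp"
    # Fail if OpenSSL errored or the bundle held no certificate at all.
    [ "$rc" -eq 0 ] && grep -q 'BEGIN CERTIFICATE' "$2"
}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed input: a throwaway self-signed certificate wrapped in
# PKCS#7, then relabelled to look like the CA-delivered file.
make_sample_p7() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -out "$1/plain.p7" &&
    sed -e 's/^-----BEGIN PKCS7-----$/-----BEGIN PKCS #7 SIGNED DATA-----/' \
        -e 's/^-----END PKCS7-----$/-----END PKCS #7 SIGNED DATA-----/' \
        "$1/plain.p7" > "$1/ca_style.p7"
}

# Round trip: the extracted certificate must be the one that went in.
roundtrip_ok() {
    d=$(mktemp -d) || return 1
    make_sample_p7 "$d" && p7_extract_certs "$d/ca_style.p7" "$d/out.pem" &&
        [ "$(cert_fp "$d/cert.pem")" = "$(cert_fp "$d/out.pem")" ]
    rc=$?
    rm -rf "$d"
    return $rc
}

roundtrip_ok && echo "extracted certificate matches the original"
```

Comparing fingerprints before installing the result confirms that relabelling the PEM boundary lines did not alter the certificate itself.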