Converting SSL certificates and other nice to know openssl commands

OpenSSL is one of the most versatile tools for working with SSL certificates, and it can convert them between different formats. This guide shows the commands for doing so, along with some other nice-to-know command lines.

Converting between different formats

Converting PFX/PKCS12 to PEM format

These two commands will convert a *.pfx file (the default Windows format) to PEM format (the default on Linux, and also used by various network switches and open source software), splitting it into one PEM file for the public certificate and one PEM file for the private key.

openssl pkcs12 -in example.techie.cloud.pfx -out example.techie.cloud.cert -nokeys -clcerts
openssl pkcs12 -in example.techie.cloud.pfx -out example.techie.cloud.key -nodes -nocerts

To successfully convert this you’ll need to provide the current password phrase of the PFX/PKCS12 exported file.

If you want both the public certificate and the private key in the same file, you could instead use

openssl pkcs12 -in example.techie.cloud.pfx -out example.techie.cloud.cert -nodes -clcerts

To successfully convert this you’ll need to provide the current password phrase of the PFX/PKCS12 exported file.

Both variants save the private key without a password, so the key is stored unencrypted on disk. If you want to save the private key with a password phrase, remove the “-nodes” part from the commands.

Converting PEM to PFX/PKCS12 format

openssl pkcs12 -export -in example.techie.cloud.cert -inkey example.techie.cloud.key -out example.techie.cloud.pfx -certfile root-intermediate.cert

Converting PEM to DER

openssl x509 -outform der -in example.techie.cloud.cert -out example.techie.cloud.der

Converting PEM to PKCS7

This format will not contain the private key.

openssl crl2pkcs7 -nocrl -certfile example.techie.cloud.cert -out example.techie.cloud.p7b -certfile root-intermediate.cert

Other nice to know commands

Removing a password phrase from the private key

If you want to remove the password phrase from a private key, the command is

openssl rsa -in example.techie.cloud.key -out example.techie.cloud.key

To complete this you’ll be asked for the current password phrase of the key.

Convert from a private key to a private RSA key file

Sometimes you’ll have a key file that contains the text “-----BEGIN PRIVATE KEY-----”, and you’ll get an error about it when importing it with the certificate on different platforms. That is because the file is in PKCS8 format, and you want it to contain “-----BEGIN RSA PRIVATE KEY-----”, which is the standard PEM/PKCS1 format. To convert the file, run the following command.

openssl rsa -in example.techie.cloud.key -out example.techie.cloud.key
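
A check to run after the conversions above, as an added example that is not from the original article: pem_key_kind reports whether a key file is PKCS8 or PKCS1 and whether it is stored unencrypted (what “-nodes” produces), lock_plain_key restricts an unencrypted key to its owner, and cert_matches_key confirms that a split certificate and key belong together. The function names are hypothetical and the demo file is constructed.

```shell
# Added example (not from the original article). Function names are hypothetical.

# Print how the private key in a PEM file is stored, judged by its header lines.
# Only the RSA/PKCS8 headers discussed in the article are recognised.
pem_key_kind() {
    if grep -qF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "pkcs8-encrypted"
    elif grep -qF -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional PEM marks an encrypted key with a Proc-Type header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo "pkcs1-encrypted"
        else
            echo "pkcs1-plain"
        fi
    elif grep -qF -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "pkcs8-plain"
    else
        echo "unknown"
    fi
}

# Restrict a key file to its owner when it is stored without a password.
lock_plain_key() {
    case $(pem_key_kind "$1") in
        *-plain) chmod 600 "$1" ;;
    esac
}

# Succeed only if the certificate ($1) and the private key ($2) share one
# public key. Returns 2 if either file cannot be read by openssl.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Demo on a constructed file: header lines only, the body is not a real key.
demo=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' > "$demo"
echo "demo key is stored as: $(pem_key_kind "$demo")"
rm -f "$demo"
```

If pem_key_kind still reports pkcs8-plain after the last conversion, note that OpenSSL 3.0 and later write PKCS8 from “openssl rsa” unless the “-traditional” option is given.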