File extensions

If you need a format other than Base64-encoded X.509 for your certificate, you can convert it to the desired format with a corresponding tool, such as the open source tool OpenSSL (see the OpenSSL commands below). The format your certificate must have depends on the server on which it is to be installed.


.pem
    Content:  Certificates or private keys. Several sections can be combined in one file.
    Encoding: DER or Base64

.req
    Content:  Certification request (RFC 2986, PKCS #10: Certification Request Syntax Specification Version 1.7)
    Encoding: DER or Base64

.cer
    Content:  Contains the certificate consisting of the data (name, validity period, issuing CA, fingerprint etc.)
    Format:   X.509
    Encoding: DER or Base64

.crt
    Content:  Binary certificate
    Format:   X.509
    Encoding: binary

.pfx, .p12
    Content:  Password-protected PKCS #12 container holding certificates and private keys

.p7b, .p7c
    Content:  PKCS #7; may contain the certificates, the certificate revocation list (CRL) etc. (RFC 2315, PKCS #7: Cryptographic Message Syntax Version 1.5)

.crl
    Content:  Contains the list of withdrawn (revoked) certificates
    Format:   RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

.sst
    Content:  Microsoft proprietary storage format for certificates

General OpenSSL commands

Commands for generating CSRs, certificates and private keys, and for removing a passphrase from a private key

Generating a new private key and CSR

openssl req -new -nodes -keyout privatekey.key -out csr.csr -newkey rsa:2048

Generating a CSR for an existing private key

openssl req -out CSR.csr -key privatekey.key -new

Generating a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privatekey.key

Removing a passphrase from a private key

openssl rsa -in privateKey.pem -out newprivatekey.pem

Commands to read out information

Checking a Certificate Signing Request

openssl req -text -noout -verify -in CSR.csr

Reading out CSR

openssl req -in request.pem -noout -text
Checking a private key

openssl rsa -in privatekey.key -check

Checking a certificate

openssl x509 -in certificate.crt -text -noout

Checking a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12

Reading out information from a .pem file

openssl x509 -noout -text -in cert.pem

Reading out Publickey from .pem file

openssl x509 -in cert.pem -pubkey

Reading out information from a .p12 file
openssl pkcs12 -info -in cert.p12

Reading out certificate from a .p12 file

openssl pkcs12 -in keystore.p12 -clcerts | openssl x509 -text

Reading out serial from .p12 file

openssl pkcs12 -in keystore.p12 -clcerts | openssl x509 -serial -noout

Reading out end date from a .p12 file

openssl pkcs12 -in cert.p12 -nodes | openssl x509 -noout -enddate

Displaying md5 fingerprint

openssl x509 -fingerprint -noout -md5 -in test.pem

Displaying SHA1 fingerprint

openssl x509 -fingerprint -noout -sha1 -in test.pem

Extracting information from .p12 keystore

Extracting private key and certificate from a PKCS#12 file (.pfx .p12)

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Do private key, CSR and the certificate match?

Comparing the MD5 hash of the RSA modulus across the certificate, the private key and the CSR: if the three hashes are identical, the files belong together

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privatekey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
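The modulus comparison above only works for RSA keys. The following script is an added example, not part of the original page: it hashes the DER-encoded public key (SubjectPublicKeyInfo) that each file carries, which gives the same key/CSR/certificate check for EC keys as well. The file names and the demo material it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): check that a private key, a CSR and a
# certificate carry the same public key. Hashing the DER SubjectPublicKeyInfo instead
# of the RSA modulus makes the check work for EC keys too (openssl pkey/req/x509 -pubkey).
set -eu

# Emit the DER-encoded public key of file $2; $1 selects how to read it: key, csr or crt.
spki_der() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform DER ;;
        csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)   echo "spki_der: unknown kind '$1'" >&2; return 2 ;;
    esac
}

# SHA-256 over the DER public key, printed as lowercase hex.
spki_fingerprint() {
    spki_der "$1" "$2" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Return 0 if key ($1), CSR ($2) and certificate ($3) all carry the same public key.
triple_matches() {
    k=$(spki_fingerprint key "$1")
    c=$(spki_fingerprint csr "$2")
    x=$(spki_fingerprint crt "$3")
    if [ "$k" = "$c" ] && [ "$k" = "$x" ]; then return 0; else return 1; fi
}

# Constructed demo material (hypothetical names): a P-256 key, its CSR, a self-signed
# certificate from the same key, and an unrelated key. Prints the temp directory.
make_demo_material() {
    d=$(mktemp -d)
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/key.pem" 2>/dev/null
    openssl req -new -key "$d/key.pem" -subj "/CN=demo.example" -out "$d/csr.pem" 2>/dev/null
    openssl req -x509 -key "$d/key.pem" -subj "/CN=demo.example" -days 1 -out "$d/crt.pem" 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/other.pem" 2>/dev/null
    echo "$d"
}

if command -v openssl >/dev/null 2>&1; then
    D=$(make_demo_material)
    triple_matches "$D/key.pem" "$D/csr.pem" "$D/crt.pem" && echo "key, CSR and certificate match"
    triple_matches "$D/other.pem" "$D/csr.pem" "$D/crt.pem" || echo "other.pem does not belong to this CSR/certificate"
    rm -rf "$D"
fi
```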

Checking an SSL connection; all certificates, including the intermediates, should be displayed

openssl s_client -connect www.example.com:443

Converting certificate files

If the certificate is required in an alternative format, it can be converted using the open source tool OpenSSL (see OpenSSL: Converting Certificate Files).

The required format depends on the server on which it is to be installed.

Certificate files

The PEM format is the most commonly used format for certificates. Extensions for PEM certificates are .cer, .crt and .pem. These are Base64 encoded ASCII files.

DER format is the binary form of the certificate. DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements. DER formatted certificates most often use the .der extension.

.cer to .pem

openssl x509 -in cert.cer -outform PEM -out cert.pem

.pem to .der

openssl x509 -outform der -in cert.pem -out cert.der

.pem to .p7b

openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b -certfile intermediate.cer

The certificate (CRT) and the intermediate (CA CRT) are required to generate a .p7b file. The certificate is available in PEM format in the certificate details under CRT. The intermediate is displayed under CA CRT. Copy CRT and CA CRT (Intermediate) into a text editor and save the file as e.g. "Cert.pem".

.p7b to .pem

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem

.pfx to .pem

It is highly recommended to convert to and from .pfx files on your own machine so you can keep the private key there.

openssl pkcs12 -in certificatename.pfx -out certificatename.pem

.pem to .pfx / .p12

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile intermediate.pem

The private key, the certificate (CRT) and the intermediate (CA CRT) are required to generate a PFX/PKCS#12 file. The certificate is available in PEM format in the certificate details under CRT. The intermediate is displayed under CA CRT.

Copy the data under CRT into a text editor and save the file as e.g. "cert.pem". Repeat the process with the CA CRT (Intermediate) and save it as e.g. "intermediate.pem".

Create a file with the private key in the same directory and save it as e.g. "key.pem".

Open your terminal and execute the OpenSSL command in the folder in which the files are located.

As .pfx / .p12 contains the private key, a password must be entered for the conversion. This is required again if, for example, the private key is to be extracted from the PFX file.
s_client commands

-showcerts

Add the -showcerts parameter to this command to print all certificates in the certificate chain submitted by the SSL service. This may help to troubleshoot missing intermediate CA certificate problems.

openssl s_client -connect <hostname>:<port> -showcerts

-ssl2

Add this parameter to force OpenSSL to use SSLv2 only. This option is useful to test supported SSL protocol versions. For example, you can use this command to test whether SSLv2 is enabled or not.

openssl s_client -connect <hostname>:<port> -ssl2

-ssl3,-tls1,-dtls1

Similar to the -ssl2 switch, -ssl3, -tls1 and -dtls1 force SSLv3, TLSv1 and DTLSv1 respectively.

openssl s_client -connect <hostname>:<port> -ssl3
openssl s_client -connect <hostname>:<port> -tls1
openssl s_client -connect <hostname>:<port> -dtls1

-cipher

With this parameter you can force a specific cipher. This option is useful for testing enabled SSL ciphers: for example, after disabling weak ciphers, you can test the connection with a disabled cipher to ensure that it was successfully disabled.
You can use the "openssl ciphers" command to display the list of ciphers available to OpenSSL.
Using a cipher not supported by the server results in an error similar to the following.

openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA

openssl s_client -connect example.com:443 -cipher EXP-RC4-MD5
CONNECTED(00000003)
42792:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:602
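The -cipher and protocol switches above are easiest to use as a pass/fail check that reads the "New, <protocol>, Cipher is <cipher>" line s_client prints, rather than eyeballing the error text. The following script is an added example, not part of the original page; the host, port and cipher names in its usage comment are placeholders, and it assumes OpenSSL 1.0.1 or later (for -servername and -tls1_2).

```shell
#!/bin/sh
# Added example (not from the original page): verify, after disabling a cipher or
# protocol on your own server, that s_client can no longer negotiate it. The decision
# is taken from the "New, <protocol>, Cipher is <cipher>" line in s_client's output.
set -u

# Read s_client output on stdin. Prints "ok <protocol> <cipher>" and returns 0 when a
# session was negotiated; prints "rejected" and returns 1 otherwise (handshake alert,
# "Cipher is (NONE)", or an old OpenSSL that errors out before printing the line).
classify_handshake() {
    out=$(cat)
    line=$(printf '%s\n' "$out" | grep '^New, ' | head -n 1)
    proto=${line#New, }; proto=${proto%%,*}
    cipher=${line##*Cipher is }
    if [ -n "$line" ] && [ "$cipher" != "(NONE)" ]; then
        echo "ok $proto $cipher"
        return 0
    fi
    echo "rejected"
    return 1
}

# Probe $1:$2 with cipher spec $3; pass an optional protocol switch as $4 (e.g. -tls1_2).
# -cipher only affects TLS 1.2 and below, so without pinning the protocol a TLS 1.3
# handshake would mask the result on servers that support it.
probe_cipher() {
    openssl s_client -connect "$1:$2" -servername "$1" -cipher "$3" ${4:-} </dev/null 2>&1 \
        | classify_handshake
}

# Check that every cipher listed after host and port is rejected; return 1 if any is
# still accepted. Hypothetical usage (placeholder host and cipher names):
#   audit_disabled_ciphers www.example.com 443 EXP-RC4-MD5 RC4-SHA
audit_disabled_ciphers() {
    host=$1; port=$2; shift 2
    bad=0
    for c in "$@"; do
        if r=$(probe_cipher "$host" "$port" "$c" -tls1_2); then
            echo "STILL ENABLED: $c ($r)"; bad=1
        else
            echo "rejected: $c"
        fi
    done
    return $bad
}
```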