Openssl

    Remove a passphrase from a private key
 
    openssl rsa -in privateKey.pem -out newPrivateKey.pem
 
Checking Using OpenSSL
 
If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
 
    Check a Certificate Signing Request (CSR)
 
    openssl req -text -noout -verify -in CSR.csr
 
    Check a private key
 
    openssl rsa -in privateKey.key -check
 
    Check a certificate
 
    openssl x509 -in certificate.crt -text -noout
 
    Check a PKCS#12 file (.pfx or .p12)
 
    openssl pkcs12 -info -in keyStore.p12
 
Debugging Using OpenSSL
 
If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
 
    Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
 
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
 
    Check an SSL connection. All the certificates (including Intermediates) should be displayed
 
    openssl s_client -connect www.paypal.com:443
 
Converting Using OpenSSL
 
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.
 
    Convert a DER file (.crt .cer .der) to PEM
 
    openssl x509 -inform der -in certificate.cer -out certificate.pem
 
    Convert a PEM file to DER
 
    openssl x509 -outform der -in certificate.pem -out certificate.der
 
    Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
 
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
 
    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
    Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
 
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

When testing, beware that most modern browsers will automatically download intermediate certificates if your server fails to supply
 them so it can be difficult to tell if you have got things right for any that won't. One way to double-check
 is to use the 'openssl s_client' command to inspect the certificates being returned by a web server:
 
openssl s_client -connect <server>:<port> -showcerts
 
Replacing <server> and <port> appropriately (<port> probably needs to be 443). This actually establishes a connection to the server - 
you can terminate it by typing ctrl-d or similar. The message "unable to get local issuer certificate" just means that your local
 OpenSSL doesn't have, or hasn't been configured to find, an appropriate root certificate for the chain presented.
 This isn't necessarily a problem with the server - if you care, research s_client's -CApath and -CAfile options.
 What is important is that your certificate and the appropriate two chaining certificates appear in the output.
 
Last updated: October 2014