Most useful OpenSSL commands taken from various places

OpenSSL site:

Free book about SSL

Generate a certificate request

openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out req.pem
  • req activates the part of openssl that deals with certificate requests signing
  • -new generate a new request
  • -newkey generate a new private key
  • rsa:1024 1024 is the bit length of the private key. Alternative you can use 2048 and 512, for larger or smaller keys but, please note that the strength of the key should match the type of service your certificate authority is providing to you.
  • -nodes no des, stores the private key without protecting it with a passphrase. While this is not considered to be best practice, many people do not set a passphrase or later remove it, since services with pass phrase protected keys can not be auto-restarted without typing in the passphrase
  • -keyout key.pem store the private key in a file called key.pem
  • -out req.pem store the certificate request in a file called req.pem

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Generate a self-signed key

openssl req -x509 -days 365 -nodes -newkey rsa:2048 \ -keyout key.pem -out cert.pem

Testing SSL servers

openssl s_client -connect -showcerts

View PEM encoded certificate 

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

Add Key and to certificate to import into Windows Machine and export as pem for HaProxy

 openssl pkcs12 -export -clcerts -inkey myKefFile.pem -in MyCertFile.cer -out MyPKCS12.p12 -name "My Certificate"

then import into Windows using mmc console
then export as pfx including the key
and change to a pem to use with HaProxy for example

openssl pkcs12 -in MyExportedCertWithKey.pfx -out SSLwithKeyToUseForHaProxy.pem -nodes



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s