Released in 1998, OpenSSL is a cryptography library available for Linux, Windows, BSD and Mac OS systems. The library lets users perform a variety of tasks, including creating CSRs and private keys, converting certificates between formats and validating existing certificates.

Over the years I’ve written down commands to manipulate OpenSSL to do what I want, and I now want to share what I have with the world – enjoy 🙂


Install on Debian/Ubuntu

apt update
apt install openssl


Create CSR and Private Key

openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.key -out csr.csr

Create CSR from existing Private Key

openssl req -out CSR.csr -key existingprivatekey.key -new

Create CSR from existing Certificate

openssl x509 -x509toreq -in existingcertificate.crt -out CSR.csr -signkey privatekey.key

Generate Self-Signed Certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt


Convert PKCS12 (P12) to PEM

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile cacert.cer

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

Convert PEM to PKCS12 (P12)

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile cacert.crt


SSL Labs

I check my SSL certificates using this website:

Check PEM Certificate

openssl x509 -noout -in certificate.pem

Check PKCS12/PFX

openssl pkcs12 -info -in certificate.p12

Check Certificate

openssl x509 -in certificate.crt -text -noout

Check Private Key

openssl rsa -in privatekey.key -check

Check CSR

openssl req -text -noout -verify -in CSR.csr
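
Check that a Private Key, CSR and Certificate match

The check commands above inspect one file at a time. The script below is an added example, not part of the original command list: it compares the public key carried by each file, so a certificate paired with the wrong key is caught before it is deployed. The function names, the /CN=example.test subject and other.key are assumptions made for the example, and the sample files are constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example: check that a private key, CSR and certificate belong together
# by comparing the SHA-256 digest of the public key each file carries.

# Print the public-key digest of FILE ($2); TYPE ($1) is key, csr or cert.
pubkey_digest() {
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable or malformed file must fail, not hash an empty string.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if KEY ($1), CSR ($2) and CERT ($3) carry the same public key.
same_keypair() {
    local k r c
    k=$(pubkey_digest key  "$1") || return 1
    r=$(pubkey_digest csr  "$2") || return 1
    c=$(pubkey_digest cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Build constructed sample files in directory $1: a key, its CSR, a
# self-signed certificate for that CSR, and an unrelated second key.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/privatekey.key" -out "$1/CSR.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/CSR.csr" -signkey "$1/privatekey.key" \
        -days 1 -out "$1/certificate.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Demo: the matching key passes, the unrelated key is rejected.
dir=$(mktemp -d) && make_sample "$dir" || exit 1
for key in privatekey.key other.key; do
    if same_keypair "$dir/$key" "$dir/CSR.csr" "$dir/certificate.crt"; then
        echo "$key: matches CSR and certificate"
    else
        echo "$key: does NOT match CSR and certificate"
    fi
done
rm -rf "$dir"
```

To check real files, call same_keypair with the paths to your own key, CSR and certificate instead of the generated samples.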


Remove a Passphrase from a Private Key

openssl rsa -in privatekey.pem -out newPrivateKey.pem

