OpenSSL - Mangling Certificates

This is my cheat sheet. There are many like it, but this one is mine.

Mangling certificates is a part of my daily work. I’ve automated most of the work but somehow I always encounter the one appliance of piece or software that won’t play nice. Manual labor is needed here. For those situations I collected these snippets to form this openssl cheat sheet. All examples are properly copied and pasted from all over the internet. I just put them together to as a personal reference sheet.

Create csr and private key

openssl req \
       -new -sha256 -nodes \
       -out [host].[domain].[tld].csr \
       -newkey rsa:4096 \
       -keyout [host].[domain].[tld].key \
       -config <(

cat << EOF
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
emailAddress=[email address]
CN = [host].[domain].[tld]

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = [host].[domain].[tld]
DNS.2 = [nohost].[domain].[tld]
DNS.3 = [whathost].[domain].[tld]
DNS.4 = [thishost].[domain].[tld]


Add password to key

openssl rsa \
       -aes256 \
       -in [host].[domain].[tld].key \
       -out [host].[domain].[tld].encrypted.key

Remove password from key

openssl rsa \
       -in [file.crypted.key] \
       -out [file.key]

Convert p7b (bundled)

openssl pkcs7 \
       -inform PEM -outform PEM \
       -in [host].[domain].[tld].p7b \
       -print_certs > [host].[domain].[tld]_bundle.cer

Create pfx

openssl pkcs12 \
       -export \
       -out [host].[domain].[tld].pfx \
       -inkey [host].[domain].[tld].key \
       -in [host].[domain].[tld].crt \
       -certfile more.crt

Convert p7b to pfx

openssl pkcs7 \
       -print_certs -in [host].[domain].[tld].p7b \
       -out [host].[domain].[tld].cer

Convert pkcs12 to pfx

openssl pkcs12 \
       -export -in [host].[domain].[tld].cer \
       -inkey [host].[domain].[tld].key \
       -out [host].[domain].[tld].pfx

Check certificate signing request

openssl req \
       -in [host].[domain].[tld].csr \
       -noout \

Convert a DER file (.crt .cer .der) to .pem

openssl x509 -inform der -in [host].[domain].[tld].cer \
-out [host].[domain].[tld].pem

Generate a CSR from an Existing Certificate and Private Key

Use this method if you want to renew an existing certificate but you or your CA do not have the original CSR for some reason. It basically saves you the trouble of re-entering the CSR information, as it extracts that information from the existing certificate.

This command creates a new CSR (domain.csr) based on an existing certificate (domain.crt) and private key (domain.key):

openssl x509 \
       -in [domain].crt \
       -signkey [domain].key \
       -x509toreq -out [domain].csr

Export the private key from PFX

openssl pkcs12 \
	-in [certname].pfx \
	-nocerts -out \
	[key].pem -nodes

Export the certificate from PFX

openssl pkcs12 \
	-in [certname].pfx \
	-nokeys -out [cert].pem

Remove the passphrase from the private key

openssl rsa \
	-in [key].pem \
	-out [server].key

File extentions

Encodings (also used as extensions)

.DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”. .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

.CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents. .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding type can be identical. (ie PEM encoded CRT = PEM encoded CER)