List of Various OpenSSL Commands and KeyTool that are used to check/generate CSR, Self Sign Certificate, Private key, convert CSR, convert certificate, etc...

1. Various Types of OpenSSL
Commands and Keytool

2. Understanding the OpenSSL
Open SSL is normally used to generate a Certificate
Signing Request (CSR) and private key for different
platforms.
OpenSSL is an open-source implementation of
SSL/TLS protocols and is considered to be one of
the most versatile SSL tools. It’s a library written in
C programming language that implements the
basic cryptographic functions. OpenSSL has
different versions for most Unix-like operating
systems, which include Mac OC X, Linux, and
Microsoft Windows etc.

3. Functions of OpenSSL
» View details about a CSR or a certificate
» Compare MD5 hash of a certificate and private key to ensure they match
» Verify proper installation of the certificate on a website
» Convert the certificate format

4. Most of the functions mentioned in this slide can also be
performed without involving OpenSSL by using these
convenient SSL Tools.
In this Slide Document, we have put together few of the
most common OpenSSL commands.

5. General OpenSSL Commands
These are the set of commands that allow the users to generate CSRs, Certificates, Private Keys and many other
miscellaneous tasks. Here, we have listed few such commands:
1.

6. “Purpose: Generate a Certificate Signing Request (CSR) and
new private key
OpenSSL Command:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

7. “Purpose: Generate a self-signed certificate
OpenSSL Command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out
certificate.crt

8. “
Purpose: Create CSR based on an existing private key
OpenSSL Command:
openssl req -out CSR.csr -key privateKey.key –new

9. “
Purpose: Create CSR based on an existing certificate
OpenSSL Command:
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

10. “
Purpose: Passphrase removal from a private key
OpenSSL Command:
openssl rsa -in privateKey.pem -out newPrivateKey.pem

11. SSL Check Commands
These commands are very helpful if the user wants to check the information within an SSL certificate, a Private
Key, and CSR. Few online tools can also help you check CSRs and check SSL certificates.
2.

12. “
Purpose: Certificate Signing Request (CSR)
OpenSSL Command:
openssl req -text -noout -verify -in CSR.csr

13. “
Purpose: Private Key
OpenSSL Command:
openssl rsa -in privateKey.key –check

14. “
Purpose: SSL Certificate
OpenSSL Command:
openssl x509 -in certificate.crt -text –noout

15. “
Purpose: PKCS#12 File (.pfx or .p12)
OpenSSL Command:
openssl rsa -in privateKey.pem -out newPrivateKey.pem

16. Convert Commands
As per the title, these commands help convert the certificates and keys into different formats to impart them the
compatibility with specific servers types. For example, a PEM file, compatible with Apache server, can be
converted to PFX (PKCS#12), after which it would be possible for it to work with Tomcat or IIS.
However, you can also use the SSL Converter to change the format, without having to involve OpenSSL.
3.

17. “
Purpose: Convert DER Files (.crt, .cer, .der) to PEM
OpenSSL Command:
openssl x509 -inform der -in certificate.cer -out certificate.pem

18. “
Purpose: Convert PEM to DER
OpenSSL Command:
openssl x509 -outform der -in certificate.pem -out certificate.der

19. “Purpose: Convert PKCS #12 File (.pfx, .p12) Containing a
Private Key and Certificate to PEM
OpenSSL Command:
openssl pkcs12 -in keyStore.pfx -out keyStore.pem –nodes
Note: To output only the private key, users can add –nocerts or –nokeys to output only the certificates.

20. “Purpose: Convert PEM Certificate (File and a Private Key) to
PKCS # 12 (.pfx #12)
OpenSSL Command:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile
CACert.crt

21. Debugging Using OpenSSL Commands
If there are error messages popping up about your private key not matching the certificate or that the newly-
installed certificate is not trusted, you can rely on one of the comments mentioned below.
You can also use the SSL certificate checker tool for verifying the correct installation of an SSL certificate.
4.

22. 1. Check SSL Connection (All certificates, including Intermediates, are to be displayed)
Here, all the certificates should be displayed, including the Intermediates as well.
openssl s_client -connect www.paypal.com:443

23. 2. Check MD5 Hash of Public Key
This is to ensure that the public key matches with the CSR or the private key.
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5

24. SSL Keytool List
Whoa! That’s a big number, aren’t you proud?

25. Every certificate in Java Keystore has a unique
pseudonym/alias. For creating a ‘Java Keystore’, you
need to first create the .jks file containing only the
private key in the beginning. After that, you need to
generate a Certificate Signing Request (CSR) and
generate a certificate from it. After this, import the
certificate to the Keystore including any root
certificates
The ‘Java Keytool’ basically contains several other
functions that help the users export a certificate or to
view the certificate details or the list of certificates in
Keystore.
Java Keytool is a key and certificate management utility
that allows the users to cache the certificate and
manage their own private or public key pairs and
certificates. Java Keytool stores all the keys and
certificates in a ‘KeyStore’, which is, by default,
implemented as a file. It contains private keys and
certificates that are essential for establishing the
reliability of the primary certificate and completing a
chain of trust.

26. Here are the SSL Keytool
For Checking
For Creating and
Importing
Other Java
Keytool
Commands
26

27. For Creating and Importing
These Keytool commands allow users to create a new Java Keytool Keystore, generate a Certificate Signing
Request (CSR) and import certificates. Before you import the primary certificate for your domain, you need to first
import any root or intermediate certificates.
1.

28. “Purpose: Import a root or intermediate CA certificate to an
existing Java keystore
OpenSSL Command:
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

29. “Purpose: Import a signed primary certificate to an existing
Java keystore
OpenSSL Command:
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

30. “Purpose: Generate a keystore and self-signed certificate
OpenSSL Command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -
validity 360 -keysize 2048

31. “
Purpose: Generate Key Pair & Java Keystore
OpenSSL Command:
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

32. “
Purpose: Generate CSR for existing Java Keystore
OpenSSL Command:
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

33. For Checking
Users can check the information within a certificate or Java KeyStore by using the following commands:
2.

34. “
Purpose: Check an individual certificate
OpenSSL Command:
keytool -printcert -v -file mydomain.crt

35. “
Purpose: Check certificates in Java KeyStore
OpenSSL Command:
keytool -list -v -keystore keystore.jks

36. “
Purpose: Check specific KeyStore entry using an alias
OpenSSL Command:
keytool -list -v -keystore keystore.jks -alias mydomain

37. Other Java Keytool Commands
3.

38. “
Purpose: Delete a certificate from Java Keystore keystore
OpenSSL Command:
keytool -delete -alias mydomain -keystore keystore.jks

39. “
Purpose: Change the password in Java keystore / Change a
Java keystore password
OpenSSL Command:
keytool -storepasswd -new new_storepass -keystore keystore.jks

40. “
Purpose: Export certificate from Java keystore
OpenSSL Command:
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

41. “
Purpose: List the trusted CA Certificate
OpenSSL Command:
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

42. “
Purpose: Import new CA into Trusted Certs
OpenSSL Command:
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore
$JAVA_HOME/jre/lib/security/cacerts

43. Thanks for Reading
Any questions? You can find us at.
» https://cheapsslsecurity.com/blog/
» https://twitter.com/sslsecurity
» https://www.facebook.com/CheapSSLSecurities
» https://plus.google.com/+Cheapsslsecurity

44. SlidesCarnival icons are editable shapes.
This means that you can:
● Resize them without losing quality.
● Change fill color and opacity.
● Change line color, width and style.
Isn’t that nice? :)
Examples:
44

45. Now you can use any emoji as an icon!
And of course it resizes without losing quality and you can change the color.
How? Follow Google instructions
https://twitter.com/googledocs/status/730087240156643328
✋👆👉👍👤👦👧👨👩👪💃🏃💑❤😂
😉😋😒😭👶😸🐟🍒🍔💣📌📖🔨🎃🎈
🎨🏈🏰🌏🔌🔑and many more...
😉
45