OpenSSL is an useful utility for dealing with certificates and RSA keys. I frequently use it to generate & verify SSL certificates, generate public/private key pairs. This article provides some commonly used OpenSSL commands.

Generate RSA Key Pair

This command generates a 2048 bits private key.

openssl genrsa -out example.key 2048

Verify private and public key by comparing the output of the following 2 commands

ssh-keygen -yef id_rsa
ssh-keygen -yef

Generate Certificate Signing Request (CSR)

CSR is generated from your private key. Make sure you keep your private key well.

openssl req -out example.csr -key example.key -new

Check Certificate Signing Request (CSR) Info

openssl req -in example.csr -noout -text

Generate Self-signed SSL Cert

Both private key and CSR are needed to generate SSL cert. Choose an appropriate expiry date for your cert.

openssl x509 -req -days 3650 -in example.csr -signkey example.key -out example.crt

Generate PKCS12 Cert From PEM Cert And Private Key

Note that the CA bundle file is needed for the certfile switch. certfile switch is optional.

openssl pkcs12 -export -out example.pfx -inkey example.key -in example.crt -certfile CACert.crt

Generate PKCS7 Cert To PEM Cert

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

Check Certificate Information

This is referring to x509 certs, which is used by Apache for SSL.

openssl x509 -in example.crt  -text

View a certificate encoded in PKCS#7 format

openssl pkcs7 -print_certs -in example.p7b

View a certificate and key pair encoded in PKCS#12 format

openssl pkcs12 -info -in example.pfx

Verifying By Comparing Modulus

1 private key is used to generate both CSR and SSL cert. Therefore the private key, CSR, and SSL cert must use the same modulus. You can verify if a SSL cert is generated by a private key by comparing modulus.

Get hashed modulus of private key

openssl rsa -in example.key -noout -modulus | md5

Get hashed modulus of CSR

openssl req -in example.csr -noout -modulus | md5

Get hashed modulus of cert

openssl x509 -in example.crt -noout -modulus | md5