Quick Note: How to convert certificates with OpenSSL


One of the things I google again and again is how to convert between the different certificate formats.

This blog post covers the OpenSSL commands I use most often.

Full disclaimer: I generated the output with ChatGPT because I'm lazy.


Create a new 2048-bit private key with OpenSSL

openssl genrsa -out private.key 2048

This will generate a new private key file called private.key that has a length of 2048 bits.


Now create a new CSR that uses this private key; the CSR should include the SAN extension.

openssl req -new -key private.key -out csr.pem -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

This will generate a new CSR file called csr.pem that includes the common name (CN) example.com and the subject alternative names (SANs) example.com and www.example.com. The CSR is signed using the private key private.key.


Add the passphrase "pass1234" to private.key

openssl rsa -des3 -in private.key -out private_encrypted.key

This will prompt you to enter a passphrase. Enter the passphrase of your choice (e.g., "pass1234") and press Enter. The command will then create a new private key file called private_encrypted.key that is encrypted with the passphrase you provided.


Convert a PEM certificate called "certificate.crt" to PKCS12 format, including private.key

openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12

This will create a new PKCS12 file called certificate.p12 that includes the certificate and private key.

You will be prompted to enter an export password for the PKCS12 file. This password is used to protect the file and ensure that only authorized users can access the certificate and private key. Make sure to choose a strong password and keep it secure.


Convert a PEM certificate called "certificate.crt" to PKCS12 format, including private.key and the CA bundle certificates from "ca-bundle.crt"

openssl pkcs12 -export -in certificate.crt -inkey private.key -certfile ca-bundle.crt -out certificate.p12

This will create a new PKCS12 file called certificate.p12 that includes the certificate, private key, and CA bundle certificates.


Extract the private key from certificate.p12

openssl pkcs12 -in certificate.p12 -nocerts -out private.key

This will extract the private key from the PKCS12 file and save it to a new file called private.key.

You will be prompted to enter the import password for the PKCS12 file. This is the password you specified when you created the PKCS12 file. Enter the correct password and press Enter to proceed.


Extract the certificate from certificate.p12

openssl pkcs12 -in certificate.p12 -clcerts -nokeys -out certificate.crt

This will extract the certificate from the PKCS12 file and save it to a new file called certificate.crt.

You will be prompted to enter the import password for the PKCS12 file. This is the password you specified when you created the PKCS12 file.
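The whole sequence above, run end to end as one non-interactive script. This is an added example and not part of the original post: it replaces the prompts with -passin/-passout, encrypts the key with -aes256 instead of the older -des3, stands in for the CA with a self-signed certificate made by openssl req -x509 (in real use the CA signs csr.pem and returns certificate.crt), and finishes with the two checks I would want before trusting the result: that the CSR really carries the SAN names, and that the key pulled back out of the .p12 belongs to the certificate. The passphrases and the extracted.* file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Needs the openssl CLI (1.1.1 or 3.x).
# Passphrases and file names below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

KEY_PASS="pass1234"        # constructed passphrase for the private key
P12_PASS="export-secret"   # constructed export password for the .p12

# 1. 2048-bit RSA key, encrypted at rest with AES-256 (preferred over -des3)
openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out private.key 2048

# 2. CSR with a SAN extension; -passin unlocks the key without a prompt
openssl req -new -key private.key -passin "pass:$KEY_PASS" -out csr.pem \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

# 3. Stand-in for the CA: a self-signed certificate from the same key and SAN.
#    In real use a CA signs csr.pem and hands back certificate.crt.
openssl req -x509 -new -key private.key -passin "pass:$KEY_PASS" -days 365 \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
    -out certificate.crt

# 4. Bundle certificate and key into PKCS#12; -passout sets the export password
openssl pkcs12 -export -in certificate.crt -inkey private.key -passin "pass:$KEY_PASS" \
    -out certificate.p12 -passout "pass:$P12_PASS"

# 5. Pull both parts back out. In import mode -passin is the .p12 password;
#    -nodes writes the key unencrypted so it can be inspected without another prompt.
openssl pkcs12 -in certificate.p12 -passin "pass:$P12_PASS" -nocerts -nodes -out extracted.key
openssl pkcs12 -in certificate.p12 -passin "pass:$P12_PASS" -clcerts -nokeys -out extracted.crt

# Check 1: the CSR really carries the SAN entries (text dump, grep for one of the names).
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:www.example.com"
}

# Check 2: private key ($1) and certificate ($2) belong together. Comparing the
# PEM public keys is more robust than comparing moduli and also works for EC keys.
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$2" -pubkey -noout)"
    key_pub="$(openssl pkey -in "$1" -pubout)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

csr_has_san csr.pem && echo "CSR contains the SAN extension"
key_matches_cert extracted.key extracted.crt && echo "extracted key matches the certificate"
```

Two things worth knowing when reusing this: pass:... on the command line ends up in shell history and process listings, so for anything but a lab use file:/path or env:VAR as the password source instead; and a .p12 written by OpenSSL 1.x uses RC2 for the certificate bags, which OpenSSL 3.x only reads when you add -legacy to the pkcs12 command.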


Display the content of certificate.crt

openssl x509 -in certificate.crt -text -noout

sample output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Example Inc., CN=Example CA
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Example Inc., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a1:b2:c3:d4:e5:f6:...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    ...


Display the content of certificate.p12

openssl pkcs12 -in certificate.p12 -info -noout

sample output:

Enter Import Password:
PKCS12:
MAC Iteration 2048
MAC verified OK
Bag Attributes
friendlyName: example.com
localKeyID: 54 69 6D 65 20 31 35 38 38 36 36 34 39 37 37 33 33
subject=/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com
issuer=/C=US/ST=California/L=San Francisco/O=Example Inc./CN=Example CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes:
friendlyName: example.com
localKeyID: 54 69 6D 65 20 31 35 38 38 36 36 34 39 37 37 33 33
subject=
issuer=
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----


Samuel Heinrich
Senior Network Engineer at Selution AG (Switzerland)
Works in the Basel area (Switzerland) as a Senior Network Engineer with more than 15 years of experience in networking
