Using OpenSSL

OpenSSL is a very mighty and complex tool. This page describes only few situations where this software can help requesting and using certificates.

On Linux and Macintosh computers the OpenSSL software should always be installed. Owners of Windows computers can download the software from www.openssl.org and install it.

OpenSSL does not have a graphical user interface but is used by typing commands.

This guide describes different scenarios:

All OpenSSL commands know the option -help and display a short help message

Create key pair and certificate request

To create a certificate request, first use a simple text editor to create the following configuration file in xxx.cnf. You may well change the details in the lines „organizationalUnitName_default“ and “emailAddress_default” or increase the key size from 2048 up to 4096 bits:

[ req ]
default_bits                   = 2048
default_keyfile                = private.pem
distinguished_name             = req_dn
[ req_dn ]
countryName                    = Country Code
countryName_value              = DE
stateOrProvinceName            = State or Province
stateOrProvinceName_value      = Nordrhein-Westfalen
localityName                   = Locality
localityName_value             = Muenster
organizationName               = Organization Name
organizationName_value         = Westfaelische Wilhelms-Universitaet Muenster
organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_max     = 64
organizationalUnitName_default = Institut fuer Physikalische Theologie
commonName                     = Server Name (eg, www.uni-muenster.de)
commonName_min                 = 6
commonName_max                 = 64
commonName_default             = xxx.uni-muenster.de
emailAddress                   = Email Address
emailAddress_max               = 64
emailAddress_default           = xxx@uni-muenster.de

To create a 2048 bit RSA key pair you can use this command:

openssl genrsa -out xxx.key

With this command the private key is written unprotected into the file xxx.key. If you want to protect the private key encrypted with a password, use this command instead:

openssl genrsa -des3 -out xxx.key

(The Triple DES encryption is old but portable and for this purpose more than safe enough.)

Please consider: If you use an encrypted private key with a server, you will have to enter the key password each time when the server is started.

To create a certificate request xxx.req for the existing key pair with the private key in xxx.key you can then use this command:

openssl req -config xxx.cnf -new -key xxx.key -out xxx.req

If the private key had been saved encrypted you are asked for the password.

To create both a new key pair with the private key in xxx.key and a certificate request xxx.req for this key pair you can use this command:

openssl req -config xxx.cnf -new -nodes -keyout xxx.key -out xxx.req

Or without own configuration file:

openssl req -new -newkey rsa:2048 -nodes -keyout xxx.key -out xxx.req

To save the private key encrypted with Triple DES please omit the option -nodes.

Assemble a digital ID (PKCS#12 file)

A complete digital ID contains the following components:

  1. the private key

    This key can be taken from the file xxx.key above.

  2. the corresponding certificate with the public key

    Ths certificate is sent to you by email from the certification authority. You can save the attachment as xxx.crt.

  3. the certificates of the intermediate certification authorities

    These certificates can be found either following the corresponding link in this email or simplier on the page CA certificates in the table column “X.509 chain”. You can save the file “Text (without root)” as xxx.chain.

To assemble these parts to a PKCS#12 file use this command (type everything in one line):

openssl pkcs12 -export
  -inkey xxx.key
  -in xxx.crt
  -certfile xxx.chain
  -name "New digital ID"
  -out xxx.p12

In place of New digital ID you should give name and date or similar details. Many programs use this name when displaying a list of digital IDs.

A PKCS#12 is always encrypted with a password. So you are asked both for the password of the private key file and twice for a new password for the digital ID.

If you are not sure which intermediate certificates you need, you can let them pick automatically. Save this file as all-ca.pem and use this command (type everything in one line):

openssl pkcs12 -export
  -inkey xxx.key
  -in xxx.crt
  -chain -CAfile all-ca.pem
  -name "New digital ID"
  -out xxx.p12

Disassemble a digital ID (PKCS#12 file)

To disassemble a PKCS#12 file use this command (type everything in one line):

openssl pkcs12
  -in xxx.p12
  -out xxx.pem

To extract only individual parts and to split them into individual files you can specify additional options:

  • Private Key only:

    openssl pkcs12
      -in xxx.p12
      -nocerts
      -out xxx.key

  • Own certificate only:

    openssl pkcs12
      -in xxx.p12
      -nokeys -clcerts
      -out xxx.crt

  • Certificates of the intermediate certification authorities only:

    openssl pkcs12
      -in xxx.p12
      -nokeys -cacerts
      -out xxx.chain

You will be prompted for the password for the Digital ID and, if the private key is exported, twice for a new password to encrypt the private key in the PEM file.

Save private key in different formats

Different software may need the private key in different formats:

Unencrypted DER file:

openssl rsa
  -inform pem -in xxx.key
  -outform der -out yyy.der

Unencrypted PEM file:

openssl rsa
  -inform pem -in xxx.key
  -outform pem -out yyy.pem

Encrypted PEM file:

openssl rsa
  -inform pem -in xxx.key
  -aes256
  -outform pem -out yyy.pem

Encrypted PEM file in PKCS#8 format:

openssl pkcs8
  -inform pem -in xxx.key
  -topk8
  -outform pem -out yyy.pem

Save certificate in different formats

Different software may need the certificate in different formats:

Unencrypted DER file (can contain only one certificate, not several):

openssl x509
  -inform pem -in xxx.crt
  -outform der -out yyy.der

For PKCS#12 files see above.

The contents of a certificate can be displayed this way:

openssl x509
  -inform pem -in xxx.crt
  -text
  -noout

Unencrypted PKCS#7 file (can contain multiple certificates):

openssl crl2pkcs7 -nocrl -outform DER
  -certfile xxx.crt
  -out yyy.p7b

The PEM file xxx.crt may contain multiple certificates and the option -certfile xxx.crt may be given multiple times. Often, an entire certificate chain including the root certificate is combined into one file this way.

Check TLS connection and certificates presented by server

openssl s_client
  -connect hostname.domain:portnumber
  -showcerts

For connections working with STARTTLS the corresponding protocol must be given, e.g. for an SMTP server:

openssl s_client
  -connect mailhostname.domain:portnumber
  -starttls smtp
  -showcerts